windows host file

[gary]

under advanced tools, systems explorer, window host file i
used to have just the local host listed to 127.0.0.1 this
morning when looking i have hundreds of web sites listed
now all showing the 127.0.0.1 i dont know how this
happened or how to fix it?? my computer is working fine
ran spyware programs and they all showed zero issues. can
someone please help? thank you

 

[JohnF.]

These entries are actually protective and prevent your computer from going
to the real site to download who knows what, instead the browser is lied to
and looks locally for the data.

Several programs will make these entries for you, not sure if MSAS does
though.

 

[AndyManchesta]

Hi Gary ,


Download Hoster 1.6

http://andymanchesta.com/Downloads2/hoster.zip

Save it to desktop,extract and run

Close any open windows except hoster then press 'Restore
Original Hosts ' To reset it to microsofts default
file.If you think these have been added as a result of
malware please press copy to clipboard before pressing
restore hosts.This way you can paste back the host file
that has been created and it will make it easier to see
if a virus has added this.



If its been added by malware run a online scan at any of
these sites:

Trend Micro

http://housecall.antivirus.com/

Panda

http://www.pandasoftware.com/activescan/

Bitdefender

http://www.bitdefender.com/scan/Msie/index.php

Symantecs Security Check & Virus scanner

http://security.symantec.com/default.asp?
productid=symhome&langid=ie&venid=sym

Trojan Scanner

http://www.windowsecurity.com/trojanscan/trojanscan.asp


You may need to disable system restore if malware is
found.Goto start then right click my computer then goto
properties,choose system restore , once on this page
press ' turn off system restore ' and press apply (you
can re-enable system restore by following the above and
unchecking the box 'turn off system restore' then press
apply again) ,but reboot first before turning it back on.



Regards Andy Manc

 

[Linuxgirl]

under advanced tools, systems explorer, window host file i
used to have just the local host listed to 127.0.0.1 this
morning when looking i have hundreds of web sites listed
now all showing the 127.0.0.1 i dont know how this
happened or how to fix it?? my computer is working fine
ran spyware programs and they all showed zero issues. can
someone please help? thank you

If you sre running Spybot-S&D check under tools "hosts file" If you have
enabled that feature, these are blocked servers.

 

[AndyManchesta]

Hi Again im not sure how John F knows these are all
protective host entries but if he's correct running
hoster will remove them.

Ive heard of spybot and spyware blaster and similar
programs creating hosts files that protect your system
and block sites that spread malware but with you saying
these have all been created without your knowledge i
assumed they may be malicious,I dont use MS Antispy so im
not sure if this will create a host file in the same way
to protect you.

pressing copy to clipboard with the program i sent you
would help show if its protecting you or not,once you
press that you can then paste the hosts file back on here,

If JohnF is sure these are protecting you then i may of
missed something because up to now i have no way of
knowing if the entries are genuine or malicious,With me
not using MS Antispy though im not sure whats created
this host file,unless you use spybots immunize or spyware
blaster or similar programs but even these would not
update your windows hosts file which is located in :

c:\Windows\system32\drivers\etc


Andy

 

[Andre Da Costa]

This is from Plun and I think its as easy as 123:
Answer:

- You can open your hosts file with Notepad.

- C:/Windows/System32/Drivers/etc/hosts.file

- Delete everything EXCEPT 127.0.0.1 Localhost

- Choose "save as" and overwrite hosts.file

- MSAS then protect your hosts file.

By Plun
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 

[Jim Byrd]

Hi Gary - As others have told you, there are several ways to reset the HOSTS
file to its default condition. You may find some additional information of
use.


First, you should understand that the original purpose of the HOSTS file
(BTW, it should always be named this way - all caps, no extension) was to
provide a local (therefore fast) translation from URLs to IP addresses for
frequently visited sites (typically your Favorites). It can still be used
this way (I do so, for example - there are utilities available such as CIP,
http://dl.winsite.com/bin/downl?500000007704 which will convert your
Favorites to IP's which you can then saveas and then copy into your HOSTS
file), but has also come to be used to block ad/malware servers by
redirecting them to your local machine instead of their servers using this
same mechanism. See here for some good info about this use:
http://www.mvps.org/winhelp2002/hosts.htm This site also has downloads for
some utility programs which you will find useful if you decide to use a
HOSTS file such as RenHosts.bat,
http://www.mvps.org/winhelp2002/RenHosts.bat, and lockhosts.bat and
unlockhosts.bat, http://www.mvps.org/winhelp2002/lockhost.bat, and
http://www.mvps.org/winhelp2002/unlockhost.bat. The lock and unlock files
can be used to protect the HOSTS file in between UPDATES so that it doesn't
get hijacked by malware, while the rename hosts program will allow you to
easily enable or disable the HOSTS file (while keeping the correct naming
convention). As to size/performance - with any relatively modern computer
the delay added by the HOSTS lookup overhead should be negligable for even
moderately large HOSTS files (typically 250KB to 500KB) used for ad/malware
blocking. If you use it also for DNS-to-IP caching as I refered to above,
the time saved over going out to the net for DNS lookups will offset this
many times. If fact you may notice some speedup in "normal" address
browsing.

 

[AndyManc]

Hi andre ,


I agree with your solution but im still abit confused how
JohnF identified them as being protective entries.If
thats correct then my advise and your advise would remove
them ?

I agree its easy to delete all the entries and save the
new file but whats added them is my concern.My initial
advise would be reset the hosts file but with the reply
saying they are protecting the pc its confused it abit.

Its hard to comment more really without seeing the
hostfile that has been created if the host file contains
ad sites and entries like coolweb etc.. then i agree its
helpfull but if it contains any security site such as
symantec or Trend then its malicious

Andy

 

[Andre Da Costa]

Andy, you said if it contains security sites such as Trend or Symantec its
malicious, why? And yes, I would like to know how the unwanted stuff got in
their in the first place.
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 

[AndyManc]

What i mean Andre is if it contains any security sites
then its probably been added by a virus or worm.

If the host file looks like this then its malicious :

127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com


If it doesnt contain anything like the above and contains
these type type of entries below then i agree with JohnF
its in place to protect them ****NOTE these are all
dangerous sites that are blocked when you use spybot's
immunize feature:


127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
127.0.0.1 www.wazzupnet.com
127.0.0.1 gueb.com
127.0.0.1 kabex.com
127.0.0.1 www.hityou.com
127.0.0.1 miosearch.com
127.0.0.1 wazzupnet.com
127.0.0.1 213.131.225.2
127.0.0.1 www.blue-elefant.com
127.0.0.1 babeweb.de
127.0.0.1 start-seite.com
127.0.0.1 777search.com
127.0.0.1 ace-webmaster.com
127.0.0.1 aifind.info
127.0.0.1 amateurliveshow.com
127.0.0.1 approvedlinks.com
127.0.0.1 cantfind.com
127.0.0.1 dialerclub.com
127.0.0.1 exit.megago.com
127.0.0.1 fastmetasearch.com
127.0.0.1 findwhatevernow.com


(do not visit any of these sites as they have all been
blocked for a reason)



Regards

Andy

 

[Linuxgirl]

As I said earlier.....that is an option in Spybot.

 

[AndyManc]

Hi Linuxgirl i did notice your post but the spybot hosts
file is not located in the windows host file,Spybots
hosts file is located in c:\programfiles\Spybot search &
destroy\Includes\Hosts.sbs so im not sure its been added
as a result of spybot i use spybot myself & spyware
blaster/spysweeper and i do not have any entries in the
windows host file except the 127.0.0.1 localhost line .

Andy

 

[Linuxgirl]

Hi Linuxgirl i did notice your post but the spybot hosts
file is not located in the windows host file,Spybots
hosts file is located in c:\programfiles\Spybot search &
destroy\Includes\Hosts.sbs so im not sure its been added
as a result of spybot i use spybot myself & spyware
blaster/spysweeper and i do not have any entries in the
windows host file except the 127.0.0.1 localhost line .

Andy

I beg to differ, Andy. If you go to Spybot/tools/host file that is your
windows host file. You have the option of adding Spybot's "host list" or
removing it.

 

[AndyManc]

Hi Again :

As far as i know these are not the same hosts file.if i
open my windows host file it is empty except for the
localhost line if i open the spybots host file i get 6541
blocked sites, but i can use the hoster program i posted
and press restore original hosts many times over and this
will not effect the spybot hosts file but just reset the
windows file which doesnt need resetting as its already
empty.I think spybot blocks the sites as part of the
program and i do not agree these are also added to the
windows hosts file but we all have different opinions so
thats whats makes these forums usefull.

Ive just opened my windows file and its empty except for
the localhost so then opened immunize on spybot and its
saying im protected again 6541 sites so if what you are
saying is correct these 6541 sites would also be added to
my windows hosts file and by me pressing restore original
hosts on the hoster program it would delete these entries
but thats not the case as they are not in my windows
hosts file they are in spybots folder.


Andy

I beg to differ, Andy. If you go to Spybot/tools/host

file that is your

 

[AndyManc]

I forgot to add this in my last post , i agree if you use
spybot then open tools and press hosts file then choose
to adds spybots hosts file then this will add the 6541
entries to the windows host file but if he did all that
im sure he wouldnt be suprised where all the entries came
from.Without pressing add spybots hosts file on the tools
menu it will not effect the windows host file,so to say
its the same hosts file isnt correct, you have to
manually add the entries to the windows hosts file for
them to appear.

Regards
AndyManc

 

[JohnF.]

Shouldn't we ask the original poster to post a few entries from his host
file before making a final decision? He didn't say that he was unable to go
to any anti-virus websites and did not indicate that his antivirus program
was not updating itself. I would guess the hosts file has been protected by
SpywareBlaster or Spybot or some other program that uses this method.

 

[JohnF.]

Why would most of these folks know how Spybot protects them?

He also indicates that he ran spyware "programs" and that "they" all
reported clean.

 

[AndyManchesta]

Thanks for your feedback JohnF but it was your original
post that caused the confusion, Spybot doesnt add entries
to the windows host file unless the user adds them
neither does Spyware blaster .If the user added them he
wouldnt be asking where they came from

Malware does add entries so i was questioning if the
entries are genuine or malicious.I would of left it with
just the first post except you said they were all
protecting him without you even seeing the hosts file,Its
good you can be so confident of that as ive never heard a
legitimate program updating the hosts file that the user
isnt aware about.

I didnt say they couldnt get updates or couldnt access
certain sites i was just giving a example on the
difference between a helpfull hosts file or a malicious
one,If he had a worm or virus that had added the entries
then this wouldnt show in a spyware scan so could give
the impression he is clean,he didnt mention even having a
antivirus software so for you to know instantly they are
all protective is alot more than i can do without seeing
them so i was just trying to be helpfull incase they are
not protective,


Time to call it a night though so goodnight MS


Andy

 

[JohnF.]

Thanks Andy.

Until we get a post of what was in his file we really won't know - I based
my comments on his report - clean after scanning with antispyware programs,
no popup barrage, no hijackings, no inability to get to certain website.
ALL this symptoms would be present had those entries been malicious -
usually.

What users don't say is more valuable than what they do say.

 

[JRosenfeld]

Andy,

Do not confuse Spybot's immunize function with the HOSTS
file. If you use the immunize function it writes the
necessary entries to the registry a) to put specified
domains in IE's restricted zone; b) to put specified
domains so that cookies from that site are always blocked
and c) to block specified active X components. This
function is essentially the same as Spywareblaster's (but
they have only partially overlapping databases). When done
that's where you see the message 'xxxx bad products
blocked'. Nothing to do with the hosts file.

If in advanced mode, tools tab you click on Hosts file
that does display your actual hosts file; there you can
also choose to add the entries from the Hosts file
included in Spybot to your Hosts file. Unless you do
choose to add them Spybot's hosts file does not get used.