Host file manipulation

[Murali Krishna]

My system runs on windows 2003 and since last week i
could not access any microsoft sites and anti virus
sites. I ran deep scan with anti spyware and
it showed that the system is ok.

But i have found that my "hosts" file has been
manipulated and all famous sites and anti virus sites
were defined as 127.0.0.1 in my hosts file.

This particular problem is not being detected by MS Anti
Spyware. If possible you can address this in future.

 

[AndyManchesta]

This is common with alot of viruses these days , trying
to restrict your access to security sites so its harder
for you to fix the problem

A good tool to use for this is hoster,You can view the
hosts file and if there is any entries under 127.0.0.1
localhost that you didnt add yourself you can
press 'Restore Original Hosts' which resets them to
Microsoft's default.


You can get hoster from here:

http://xsorbit26.com/users5/andymanchesta/index.php?
action=dlattach;topic=2654.0;id=285



Regards Andy

 

[Guest]

how do you find out if your host has been manipulated?
where can i see my host file?

 

[Mikolaj]

how do you find out if your host has been manipulated?

where can i see my host file?

For example using hijackthis application - it's a good tool to check and
clean the system (hijackthis log can be checked on http://www.hijackthis.de
web page or send to Ron Kinner, who is kind enough to verify it).
Sending the log to Ron Kinner put Hijack in the subject so he'll know it's
not a spam (his email is (e-mail address removed) ).

And the hosts file usually can be found here:
C:\WINDOWS\system32\drivers\etc
(in case of windows 2000 it is C:\WINNT\system32\drivers\etc)
Usually it contains only the comment, example and one address line:
127.0.0.1 localhost
(however in a company environment it may contain additional information).

 

[plun]

Hi

Another way is to use MSAS for this, start MSAS
Advanced Tools - System Explorers - Windows hosts file.

My personal opinion is that let MSAS protect the hosts file and
delete all entries except 127.0.0.1 Localhost.

I think this this way is better for most users then to have long
blocklists with
127.0.0.1 loopbacks for malware sites.

--
plun



Mikolaj presented the following explanation :

 

[Andre Da Costa]

Here is some more info on protecting your HOST from Plun:
http://spaces.msn.com/members/adacosta/Blog/cns!1ppieQf0aF6k7J0XYrJfhfMQ!1101.entry

 

[Bill Sanderson]

You've got a virus.

Microsoft Antispyware is not a substitute for using a good Antivirus
application.

Scan with a competent antivirus with current definitions ASAP.

You'll probably need to wipe out the rogue hosts file first, then use an
online scanner, perhaps:

http://housecall.trendmicro.com

for example.