Interpreting Results . . .


Bob T

For the first time, this morning, MSAS reported a "suspect"
file. It turned out to be a "hosts" file and was
apparently altered at or near sign-on this morning. I
opened the file and it LOOKS absolutely normal with
everything apparently pointing toward 127.1.1.1 (it is of a
size -- 1.3 meg -- that I'm really not interested in doing
a line-by-line examination). Could anyone speculate on
what's going on?? Is the "problem" simply that the file
may have been changed?

Bob
 
MORE INFORMATION AND A CORRECTION:

I can only plead that it's morning and the coffee hasn't
started working yet. Sorry . . .

The MSAS version involved is 615 and the 5739 update is
installed. Windows XP SP2. The "destination" in the hosts
file is 127.0.0.1 -- I should learn not to try to work from
memory in the morning.

Bob
 
The virgin Windows HOSTS file has just one entry, for "localhost".

If you have more, it is because you have used a third-party application to
install all the extra entries. Some anti-spyware applications do this.
 

Some trojans and viruses insert lines in the hosts file, redirecting
websites of antivirus/antitrojan (and similar applications that are dangerous
to them) to localhost (i.e. IP address 127.0.0.1), in this way preventing
those anti-something applications from updating and preventing the user from
accessing such tools.

So, such a large file usually (but not always!) means that some nasty
application resides (or resided) in the system.

Sometimes, however, the same method (redirecting websites to localhost
through the hosts file) is used to block popups and advertisements - so you have
to check what exactly this file contains.
 
The host file was definitely modified by SpyBlocker and is,
as a result, quite large. Am I correct in assuming that as
long as all of the entries refer to 127.0.0.1 there is
nothing going on of any importance?? Let me check . . .
 
You'd be correct as long as each entry denoted a reference that you'd want
to block.

Malware can just as easily do the same thing--say www.symantec.com
127.0.0.1.

Consequently, my preference is to keep the hosts file as close to the
default as possible in your environment. For many users, that's just the
single active entry: localhost 127.0.0.1

This may also make some operations on your system faster.

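As an added example (not code from anyone in this thread), here is a small Python script that does the check the two replies above recommend: it parses a hosts file, separates the ordinary loopback blocks a popup/ad blocker adds from entries that would cut security vendors off (the www.symantec.com case mentioned above), and lists any entry that points somewhere other than localhost. The sample hosts text and the vendor watch list are constructed for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file; not a file from this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Ad/tracker blocks in the style a third-party blocker adds (harmless)
127.0.0.1       ads.example-adnetwork.test
127.0.0.1       tracker.example-metrics.test
# Entries that would stop security tools from updating (suspicious)
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
# A non-loopback entry that silently sends a site somewhere else
203.0.113.5     www.example-bank.test
"""
# Hypothetical watch list of vendor domains; extend it with the tools you run.
SECURITY_VENDOR_SUFFIXES = ("symantec.com", "mcafee.com", "kaspersky.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()                  # one IP, one or more names
        for name in names:
            yield ip, name.lower()

def watched(name):
    """True if the hostname is, or is under, a watched vendor domain."""
    return any(name == s or name.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)

def classify_hosts(text):
    """Sort entries into loopback blocks, vendor blocks, and non-loopback redirects."""
    result = {"loopback": [], "vendor_blocks": [], "foreign": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                               # malformed line, ignore
        if addr.is_loopback or addr.is_unspecified:   # 127.x.x.x or 0.0.0.0
            result["loopback"].append(name)
            if watched(name):                      # blocks a security vendor
                result["vendor_blocks"].append(name)
        else:
            result["foreign"].append((ip, name))   # points away from localhost
    return result

if __name__ == "__main__":
    print(classify_hosts(SAMPLE_HOSTS))
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts into a string and pass it to classify_hosts; a large file made only of loopback entries with nothing in vendor_blocks or foreign matches the blocker-style case described in the thread.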