oneclicksearches.com added itself to allowed host entries!!

  • Thread starter Thread starter Paul Walker
  • Start date Start date
P

Paul Walker

I got an alert stating the following from Microsoft AntiSpyware at 8/10/2005
11:32 PM and again at 8/15/2005 3:06 PM .

"The entry oneclicksearches.com pointing to IP address 127.0.0.1 has been
automatically allowed to be added to the Windows Hosts file. This Hosts file
change was allowed based on your previous input."

I do not remember ever allowing this setting but sure enough, there was an
entry in the Manage Allowed/Blocked Host Entrys (n.b. s/b spelt "Entries")
listing this host. I also got another one stating.

"The user Dad, has decided to block the entry letsroll911.org pointing to IP
address 127.0.0.1 from being added to the Windows Hosts file." 20 minutes
later on 8/15/2005

Is anyone aware of any exploits which target the hosts file. I am running
the latest and greatest security patches for XP SP 2.

I am especially interested in how it could have altered my allowed hosts
settings.
 
I'd be more inclined to blame bugs or oddities of interaction, perhaps,
between the two products.

Can you try some tests--where you intentionally add something to hosts?

Any chance that SpySweeper adds items to the hosts file?

--
 
To the OP:
The loopback address 127.0.0.1 in the hosts file prevents
that web site from loading. Have you run SpyBot S&D or some
other program that immunizes you from hijackers?


--
The people think the Constitution protects their rights;
But government sees it as an obstacle to be overcome.
some support
http://www.usdoj.gov/olc/secondamendment2.htm



message
| I'd be more inclined to blame bugs or oddities of
interaction, perhaps,
| between the two products.
|
| Can you try some tests--where you intentionally add
something to hosts?
|
| Any chance that SpySweeper adds items to the hosts file?
|
| --
|
|
| > Yes... I think I was running SpySweeper also. (You can
never be to safe.)
| >
| > "Bill Sanderson" <[email protected]>
wrote in message
| >
| >> Is there other antispyware active on your machine?
| >>
| >> --
| >>
| >>
| >>>I got an alert stating the following from Microsoft
AntiSpyware at
| >>>8/10/2005 11:32 PM and again at 8/15/2005 3:06 PM .
| >>>
| >>> "The entry oneclicksearches.com pointing to IP address
127.0.0.1 has
| >>> been automatically allowed to be added to the Windows
Hosts file. This
| >>> Hosts file change was allowed based on your previous
input."
| >>>
| >>> I do not remember ever allowing this setting but sure
enough, there was
| >>> an entry in the Manage Allowed/Blocked Host Entrys
(n.b. s/b spelt
| >>> "Entries") listing this host. I also got another one
stating.
| >>>
| >>> "The user Dad, has decided to block the entry
letsroll911.org pointing
| >>> to IP address 127.0.0.1 from being added to the
Windows Hosts file." 20
| >>> minutes later on 8/15/2005
| >>>
| >>> Is anyone aware of any exploits which target the hosts
file. I am
| >>> running the latest and greatest security patches for
XP SP 2.
| >>>
| >>> I am especially interested in how it could have
altered my allowed hosts
| >>> settings.
| >>>
| >>>
| >>
| >>
| >
| >
|
|
 
I checked the hosts file immediately after the alert and it oddly enough
only contained an entry for localhost as it should so neither Spy Sweeper or
anything else appears to have gotten to my hosts file.

Spy Sweeper also contains a hosts file shield (i.e., monitor) and it had the
errors below in its logs from that time (and lots of others as well) so you
may be right about them tripping over each other. I don't recall
downloading anything around then or doing anything else which could have
introduced an exploit into my machine unless there is an exploit for a fully
patched XP SP2 machine which does this via a web page/Javascript. Perhaps I
assumed incorrectly that spyware was causing this error instead of
antispyware! I would think they could play more nicely together instead of
one blowing up and the other scaring the crap out of me with seemingly real
hosts name in its warning message.

3:05 PM: Warning: Hosts File Shield unable to read from hosts file. Access
violation at address 7C910370 in module 'ntdll.dll'. Read of address
00000058
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Access
violation at address 7C910370 in module 'ntdll.dll'. Read of address
00000058
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Access
violation at address 7C910370 in module 'ntdll.dll'. Read of address
00000058
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Access
violation at address 7C910370 in module 'ntdll.dll'. Read of address
00000024
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Invalid
pointer operation
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Access
violation at address 7C910370 in module 'ntdll.dll'. Read of address
00000024
3:06 PM: Warning: Hosts File Shield unable to read from hosts file. Invalid
pointer operation
 
This does sound like two antispyware apps tripping over each other. Thanks
for posting the details.

--
 
Back
Top