Hosts file confusion

mezzroll · 07-31-2005, 12:22 PM

I was told to delete every entry below 127.0.0.1 localhost by a Trend Micro tech. The Hosts file I have is an MVPS file. Because of my mad desire to tinker, I have duplicates as follows:Hosts file folder, Hosts file in a Temp. file folder, 2 Hosts files not in a folder all of course in C:\Windows and all 299KB which opens in Wordpad. I believe I saw IE:Spyad and Ad-Aware in there. I can download Ad-Aware but it won't complete a scan. Spyblaster and Winpatrol claim they can't detect any Hosts file. I can't access IE/Spyad site.

Okay, can I safely delete all entries below 127:0.0.1 localhost? I would think that I should delete the duplicate files. Hasn't changed the way my machine runs which is excellent.

Windows 98SE 550mgH 639MB RAM P3

Thanks.

MicroBell · 07-31-2005, 02:14 PM

Your post is confusing. For windows 98 the correct location of this file is C:\WINDOWS\hosts If you have not been hijacked...that is the only hosts file windows will use. If you have others in that directory...delete them ALL but the one that contains the MVPS entrys. Some hijackers change this directory in the registry to point to a BAD hosts file they installed..or adds entrys to your legit hosts file.

Installing MVPS hosts file adds entrys (all bad guys) below the 127.0.0.1 localhost line in an effort to prevent you from going to these bad sites. If a hijacker adds legit sites (like Antivirus sites, Spyware tools sites) to that list...you will then have to remove everything after the 127.0.0.1 localhost and then add the bad guys back. This would be quicker then trying to weed through the hosts file picking out the "Good Guys" that the malware added.

Many infections..add LEGIT sites to the hosts to prevent you from going to these sites to download tools or run scans to remove them. These will need removed in order to access the site your tying to get too. So

If I were you...delete all but one hosts file in the C:\Windows directory and anywere else. Download and run HOSTER and select "Restore Orginal Hosts File". This will give you a clean hosts file..which you can then add your MVPS or IE:Spyad entrys back to the file.

mezzroll · 07-31-2005, 03:04 PM

Thanks for the quick reply. I will do as you suggested as soon as I get the time later this evening. Will let you know what happens.

Be back later.

skate_punk_21 · 07-31-2005, 03:21 PM

You said you cannot access IESpyAds, i believe a link has recently gone out of date. try this one...
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

mezzroll · 07-31-2005, 08:34 PM

I have two answers to the above posts.

#1: I have the hosts file showing up twice in Find files etc. I believe they are the same file, one showing from the folder and the other showing the folder labeled hosts. I deleted any other file that appeared. When I executed Hoster I got a message, Hosts file does not exist, OK to create Hosts file. cancel to quit. I clicked OK and another message appeared, Hoster can not write to your hosts file, pleases check file permissions. Hoster will exit. And it did!

Now what to do? Sorry for being a pain.

#2: The other IE:Spyad link works. Thanks.

MicroBell · 08-01-2005, 01:40 AM

Ok... Download a new hosts file from here...http://www.mvps.org/winhelp2002/hosts2.htm to your desktop. Then locate and delete any other hosts files before unzipping that file. Then unzip that hosts file to this directory...

C:\WINDOWS

Here's a walkthough on making your own hosts file...
http://accs-net.com/hosts/how_to_use_hosts.html

**Notes**

You may have to "Right Click" the hosts file select properties and change it's attributes to make changes to it. Also be aware..programs like spybot, winpatrol, Stopzilla...ect LOCK the hosts file so you'll need to disable or close them down.

mezzroll · 08-01-2005, 07:00 AM

I guess now I'm confused. I shut down Winpatrol exited Spybot deleted existing hosts files and extracted the new zip to c:\windows. I get the same MSRVP file dated July 26, 2005. The same file in Wordpad that I had before but at least there is only one. I can access IESpyad (with the new link) site as mentioned above and I don't see any problems with my computer. I feel like I'm wasting your time and for that I'm sorry. If there's anything else I should do please tell me.

Man, I know I've come a long way for a 70 year old but I'm not thrilled if there's some things I'm not sure about. It's back to playing jazz again.

Whoops. I just checked with Hoster and the hosts file shows up in the left window.

MicroBell · 08-01-2005, 01:36 PM

Your fine. The hosts file I had you download is a Universal hosts file so it's date is unimportant. What is important..is that it's CLEAN!!!! Void of any entrys that bad guys could have put in there. It may look very simular to what you had before...but any entrys that malware may have put in that file...won't be there anymore.

Anyway just make sure you only have 1 copy of the hosts file in C:\windows and you will be fine. Just DON'T run the "Hoster" program and select "Restore Orginal Hosts File" now on that file...as it will remove ALL entrys in the file and restore it to windows default. Windows Default hosts file..has no entrys...but the standard ones..

Standard Text in the hosts file...

Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

When you use a special hosts file you'll have IP's/sites listed after the 127.0.0.1 localhost entry. These are the bad guys your trying to block access to.

mezzroll · 08-01-2005, 03:22 PM

I really, well sort of thought that it was fine---just lookin' for a little pity!! I also realized that the hosts file was locked by Spybot and that little Scottie dog. Should I use Spyblaster or the the dog to take a snaphot etc.? I should stop putzing around with this thing. Oh yeah, there really is a check in the mail.

Thanks again. Now I can get back to loading my site with music and ordering parts for a new computer.

MicroBell · 08-02-2005, 12:38 AM

Quote:

Originally Posted by mezzroll

Should I use Spyblaster or the the dog to take a snaphot etc.?

The Dog (WinPatrol)

07-31-2005, 12:22 PM	#1 (permalink)
mezzroll Registered User Join Date: Jul 2005 Location: New Jersey Posts: 32 OS: XP Pro SP2	Hosts file confusion I was told to delete every entry below 127.0.0.1 localhost by a Trend Micro tech. The Hosts file I have is an MVPS file. Because of my mad desire to tinker, I have duplicates as follows:Hosts file folder, Hosts file in a Temp. file folder, 2 Hosts files not in a folder all of course in C:\Windows and all 299KB which opens in Wordpad. I believe I saw IE:Spyad and Ad-Aware in there. I can download Ad-Aware but it won't complete a scan. Spyblaster and Winpatrol claim they can't detect any Hosts file. I can't access IE/Spyad site. Okay, can I safely delete all entries below 127:0.0.1 localhost? I would think that I should delete the duplicate files. Hasn't changed the way my machine runs which is excellent. Windows 98SE 550mgH 639MB RAM P3 Thanks.

07-31-2005, 02:14 PM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,961 OS: Windows XP-Pro SP2	Your post is confusing. For windows 98 the correct location of this file is C:\WINDOWS\hosts If you have not been hijacked...that is the only hosts file windows will use. If you have others in that directory...delete them ALL but the one that contains the MVPS entrys. Some hijackers change this directory in the registry to point to a BAD hosts file they installed..or adds entrys to your legit hosts file. Installing MVPS hosts file adds entrys (all bad guys) below the 127.0.0.1 localhost line in an effort to prevent you from going to these bad sites. If a hijacker adds legit sites (like Antivirus sites, Spyware tools sites) to that list...you will then have to remove everything after the 127.0.0.1 localhost and then add the bad guys back. This would be quicker then trying to weed through the hosts file picking out the "Good Guys" that the malware added. Many infections..add LEGIT sites to the hosts to prevent you from going to these sites to download tools or run scans to remove them. These will need removed in order to access the site your tying to get too. So If I were you...delete all but one hosts file in the C:\Windows directory and anywere else. Download and run HOSTER and select "Restore Orginal Hosts File". This will give you a clean hosts file..which you can then add your MVPS or IE:Spyad entrys back to the file. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

07-31-2005, 03:21 PM	#4 (permalink)
skate_punk_21 1337 C0D3R Join Date: Mar 2005 Location: Canada Posts: 1,400 OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2 My System	You said you cannot access IESpyAds, i believe a link has recently gone out of date. try this one... IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. __________________ Have I Helped you? Please Consider a Donation to TechSupportForums

08-01-2005, 01:40 AM	#6 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,961 OS: Windows XP-Pro SP2	Ok... Download a new hosts file from here...http://www.mvps.org/winhelp2002/hosts2.htm to your desktop. Then locate and delete any other hosts files before unzipping that file. Then unzip that hosts file to this directory... C:\WINDOWS Here's a walkthough on making your own hosts file... http://accs-net.com/hosts/how_to_use_hosts.html Notes You may have to "Right Click" the hosts file select properties and change it's attributes to make changes to it. Also be aware..programs like spybot, winpatrol, Stopzilla...ect LOCK the hosts file so you'll need to disable or close them down. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

08-01-2005, 07:00 AM	#7 (permalink)
mezzroll Registered User Join Date: Jul 2005 Location: New Jersey Posts: 32 OS: XP Pro SP2	I guess now I'm confused. I shut down Winpatrol exited Spybot deleted existing hosts files and extracted the new zip to c:\windows. I get the same MSRVP file dated July 26, 2005. The same file in Wordpad that I had before but at least there is only one. I can access IESpyad (with the new link) site as mentioned above and I don't see any problems with my computer. I feel like I'm wasting your time and for that I'm sorry. If there's anything else I should do please tell me. Man, I know I've come a long way for a 70 year old but I'm not thrilled if there's some things I'm not sure about. It's back to playing jazz again. Whoops. I just checked with Hoster and the hosts file shows up in the left window. Last edited by mezzroll : 08-01-2005 at 07:08 AM.

07-31-2005, 03:04 PM	#3 (permalink)
mezzroll Registered User Join Date: Jul 2005 Location: New Jersey Posts: 32 OS: XP Pro SP2	Thanks for the quick reply. I will do as you suggested as soon as I get the time later this evening. Will let you know what happens. Be back later.

07-31-2005, 08:34 PM	#5 (permalink)
mezzroll Registered User Join Date: Jul 2005 Location: New Jersey Posts: 32 OS: XP Pro SP2	I have two answers to the above posts. #1: I have the hosts file showing up twice in Find files etc. I believe they are the same file, one showing from the folder and the other showing the folder labeled hosts. I deleted any other file that appeared. When I executed Hoster I got a message, Hosts file does not exist, OK to create Hosts file. cancel to quit. I clicked OK and another message appeared, Hoster can not write to your hosts file, pleases check file permissions. Hoster will exit. And it did! Now what to do? Sorry for being a pain. #2: The other IE:Spyad link works. Thanks.

08-01-2005, 01:36 PM	#8 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,961 OS: Windows XP-Pro SP2	Your fine. The hosts file I had you download is a Universal hosts file so it's date is unimportant. What is important..is that it's CLEAN!!!! Void of any entrys that bad guys could have put in there. It may look very simular to what you had before...but any entrys that malware may have put in that file...won't be there anymore. Anyway just make sure you only have 1 copy of the hosts file in C:\windows and you will be fine. Just DON'T run the "Hoster" program and select "Restore Orginal Hosts File" now on that file...as it will remove ALL entrys in the file and restore it to windows default. Windows Default hosts file..has no entrys...but the standard ones.. Standard Text in the hosts file... Copyright (c) 1998 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98 # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost When you use a special hosts file you'll have IP's/sites listed after the 127.0.0.1 localhost entry. These are the bad guys your trying to block access to. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

08-01-2005, 03:22 PM	#9 (permalink)
mezzroll Registered User Join Date: Jul 2005 Location: New Jersey Posts: 32 OS: XP Pro SP2	I really, well sort of thought that it was fine---just lookin' for a little pity!! I also realized that the hosts file was locked by Spybot and that little Scottie dog. Should I use Spyblaster or the the dog to take a snaphot etc.? I should stop putzing around with this thing. Oh yeah, there really is a check in the mail. Thanks again. Now I can get back to loading my site with music and ordering parts for a new computer.