Does Spybot do anything to the HOSTS file?

[licensedtoquill]

Have been trying to baffle out what on earth is going on with my hosts file

It has just stopped working

I have been using it for numerous years and suddenly a few months ago ads have started appearing all over web pages I access. Mainly ones I know to be both prevented by the hosts file (and also immunised?)

The hosts file is still there, I have RE-written it just in case, and the registry still points to it in the /etc directory and no one on the alt.privacy.spyware forum or bleepingcomputer can figure out why mine has stopped workig or what malware has done this.

I was just wondering if anyone here had any idea what was going on?

 

[owilky1]

It happened to me a couple of years ago and a microsoft tech support guy sorted it. I cannot find all the steps i had to go through but try a search on Corrupt hosts file at microsofts knowledge base. It was Spybot that caused it but that was an old version and it should not happen with the newer versions.

Just found this .....http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx

 

[licensedtoquill]

All seems normal, which is the worrying bit

No, I checked this and all I could find was a normal HOSTS file which starts:
This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #
# #
# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# ********************************************************#
# ------------------Updated: 07-28-06

There WERE two entries which started with a # but they seemed to be there intentionally and were SUPPOSED malware uninstallers. In any event I unchecked them and then checked with an innocent looking one (www.http-tunnel.org) which, when I tried to access it, gave me a blank page, which is as it should.

So I wonder what (for example) ad.doubleclick.net is doing which prevents the system from looking at the hosts file when your computer tries to access some doubleclick ad?

 

[licensedtoquill]

not sure I agree with the advice

Incidentally I am not sure I agree with the advice "By changing the name of the HOSTS file, we stop Internet Explorer from using it, and therefore resolve any issues caused by the file." after she has said "The quickest way to test for HOSTS file involvement is to right click the HOSTS file, then select Rename. Add the letter X to the beginning or end of the file name and then ok your changes"

This seems to the uninitated to suggest preventing the hosts file from working is some type of test of something whereas in reality it stops the user from benefiting from the HOSTS file thereafter??????

Incidentally when I checked the etc directory there WERE two HOSTS files, one there and one slightly older one grayed out. Neither showed extensions. I tohught I had renamed one of them hosts.bak. Anyway I renamed the one which looked as if it was there to oldhosts and left the extension as it was. Not sure if this might have done anything but ads certainly arent appearing on normal web sites any more: I wonder how long this will last?

Has anyone else found that they have two hosts files with neither working properly?

 

[Pete (FI)]

Precisions, please.

Incidentally I am not sure I agree with the advice "By changing the name of the HOSTS file, we stop Internet Explorer from using it, and therefore resolve any issues caused by the file." after she has said "The quickest way to test for HOSTS file involvement is to right click the HOSTS file, then select Rename. Add the letter X to the beginning or end of the file name and then ok your changes"

This seems to the uninitated to suggest preventing the hosts file from working is some type of test of something whereas in reality it stops the user from benefiting from the HOSTS file thereafter??????

The writer of the piece of advice apparently assumes that it is self-evident to the reader that the rename is revoked when possible involvement of the HOSTS file has been either eliminated or confirmed. If confirmed, then studying the contents of the HOSTS file should take place. If eliminated, revoking the rename is enough.

Incidentally when I checked the etc directory there WERE two HOSTS files, one there and one slightly older one grayed out. Neither showed extensions.

It should not be possible to store two files with identical names in the same directory. Since the HOSTS file does not have a file extension, what you describe should not be possible, i.e. there cannot be two files by the name HOSTS in the same directory. If one of the files has an extension, then it is of course possible, but in that case, you have just one HOSTS file in the directory, namely the one without the file extension. A file, the name of which is HOSTS followed with any file extension is not a HOSTS file.

The 'greying out' merely suggests that the file is a hidden file.

I tohught I had renamed one of them hosts.bak.

What do you mean by "I thought I had renamed one of them hosts.bak". Are you trying to say, e.g. "I thought I had renamed one of them hosts.bak, but I apparently had not."?

Anyway I renamed the one which looked as if it was there to oldhosts and left the extension as it was.

Not sure, whether I am able to interpret what you try to say. Do you mean, you renamed the file that was not greyed out to "oldhosts" (without the quotes)? If so, then how should "and left the extension as it was" be interpreted? Do you mean you left the file without an extension? If there was no extension, how can you "leave the extension as it was"? Would it not be clearer to say you left the file without an extension (the way it was), if that is the case?

Not sure if this might have done anything but ads certainly arent appearing on normal web sites any more: I wonder how long this will last?

Regarding your first post on the subject:

<snip>
I have been using it (= HOSTS file) for numerous years and suddenly a few months ago ads have started appearing all over web pages I access. Mainly ones I know to be both prevented by the hosts file (and also immunised?)
<snip>

Do you have any recollection what happened at the time when "suddenly a few months ago ads have started appearing all over web pages you access"? Did you do changes to your system? Did you install SW? Is it possible that your system was corrupted? Is your platform WXP [Pro] or W2K [Pro]?

Has anyone else found that they have two hosts files with neither working properly?

Two HOSTS files on a single system (in the same directory and by identical names) should not be possible.

Having one HOSTS file working properly should be less challenging.

To my understanding, making changes to the HOSTS file is not that challenging for malware to do. There are some tools available for countermeasures, making it easier to hide and lock the HOSTS file against unwanted changes. At least previously, you could find some tools for that at, e.g. Mike Burgess' awesome web site at http://www.mvps.org/winhelp2002/hosts.htm . However, I would not count on those tools (lockhost.bat) only in protecting the HOSTS file.

According to my research, some SW (e.g. ZoneAlarm Pro) does quite decent job in protecting the HOSTS file from being tampered if you select that option. (In ZAP, it is deselected as default.)



"Don't find fault, find a remedy."
Henry Ford (1863-1947); US industrialist/US auto manufacturer.

 

[licensedtoquill]

Sorry for lack of precision

It should not be possible to store two files with identical names in the same directory. Since the HOSTS file does not have a file extension, what you describe should not be possible, i.e. there cannot be two files by the name HOSTS in the same directory. If one of the files has an extension, then it is of course possible, but in that case, you have just one HOSTS file in the directory, namely the one without the file extension. A file, the name of which is HOSTS followed with any file extension is not a HOSTS file.

The 'greying out' merely suggests that the file is a hidden file.
What was probably happening was that the file not grayed out had an extension .bak which I couldnt see. (I DO know that you cant have two files in the same directory with the same name) But in any event, renaming the older one might possibly have been what has cured the problem?

Are you trying to say, e.g. "I thought I had renamed one of them hosts.bak, but I apparently had not."?

(I doubt it as one cannot have two files in the same directory with the same name)

Not sure, whether I am able to interpret what you try to say. Do you mean, you renamed the file that was not greyed out to "oldhosts" (without the quotes)?

Yes,

If so, then how should "and left the extension as it was" be interpreted? Do you mean you left the file without an extension?

Yes, without an extension showing

If there was no extension, how can you "leave the extension as it was"? Would it not be clearer to say you left the file without an extension (the way it was), if that is the case?

Only because I handt turned on SHOW EXTENSIONS in Windows Explorer do I didn't know exactly what I was doing in this regard: I just assumed that as one cannot have two files in the same directory with the same name, the extension of the one not grayed out must have been .old or .bak or something. (That was why I hadn't checked: I thought that this whole two-file situation was just a red herring and was posting here to see if anyone agreed with me: I didnt realise that so much confusion could be caused by my saying this while asking if Spybot did anything to the HOSTS file or moved it or protected it and if I could check for this)

Do you have any recollection what happened at the time when "suddenly a few months ago ads have started appearing all over web pages you access"? Did you do changes to your system? Did you install SW? Is it possible that your system was corrupted? Is your platform WXP [Pro] or W2K [Pro]?

This is XP Home: I thought that it MIGHT have had something to do with when I first noticed that I should be immunising as well as running Spybot: It may ahve been auto-immunising before that (eg as part of the initial set-up process)


To my understanding, making changes to the HOSTS file is not that challenging for malware to do.

That was my understanding which was one reason why I was posting here, to see if I could check for anythning which might have changed it. Also to see if SPybot (for example) puts it somewhere else and puts a pointer there in the Registry as some of my anti-virus checks seem to be telling me that something is preventing scanning the Spybot Hosts file

There are some tools available for countermeasures, making it easier to hide and lock the HOSTS file against unwanted changes. At least previously, you could find some tools for that at, e.g. Mike Burgess' awesome web site at http://www.mvps.org/winhelp2002/hosts.htm . However, I would not count on those tools (lockhost.bat) only in protecting the HOSTS file.

It probably IS quite a good idea to lock it for someone like me who doesnt change the HOSTS file automatically.

According to my research, some SW (e.g. ZoneAlarm Pro) does quite decent job in protecting the HOSTS file from being tampered if you select that option. (In ZAP, it is deselected as default.)

Again, I posted here to see if Spybot did anything either to protect it or to move it

 

[Zenobia]

Spybot should not have moved your hosts file to anywhere else.
If you clicked Add Spybot-S&D hosts list,it should just add it's entries to your hosts file,then it locks your Hosts file as read-only,and you should also have a backup in the etc. folder,with the extension backup(it'll be named similar to this...hosts.20060808-120540.backup.)

 

[Pete (FI)]

No problem.

< huge snip >

Re: "Sorry for lack of precision"

0) No problem.

1) You seem to have received an answer to the cogitation "if Spybot did anything either to protect it (WXP Home's HOSTS file) or to move it".

As you may have read in the answer, Spybot-S&D does not move the HOSTS file around, and is possibly able to add another layer of protection to the HOSTS file.

2) Will still try to provide you with a likely explanation to what you have experienced, i.e. an inoperative system's HOSTS file.

Unless system corruption or compromised system is the reason for your system having (temporarily for a few months time) allowed connections to sites listed in a so-called "existing" HOSTS file on the system, I would suggest one possible explanation to what you describe might be an unintentional rename of the one and only working HOSTS file.

If you renamed the HOSTS file to anything else (than HOSTS) or gave the file a file extension, that would de facto mean you did not have an operative HOSTS file hence on your system.

Then when you "RE-wrote the HOSTS file just in case", or possibly renamed an inoperative HOSTS file (with a file extension) to HOSTS (without a file extension) again, from that moment onwards you had an operative HOSTS file again on your system.

3) BTW, in your multiple posts, you did not merely ask, "Does Spybot do anything to the HOSTS file?"

4) You also asked a wide or open question: "I was just wondering if anyone here had any idea what was going on?"

Now that you provide us with more information, you may get valid answers.

5) You also commented a practical troubleshooting method referred to in one of the replies you have received (and presented at MS site regarding "when we are trying to diagnose the cause of 'Page cannot be displayed' errors. The quickest way to test for HOSTS file involvement is renaming the file") as follows:

"Incidentally I am not sure I agree with the advice..."

"This seems to the uninitiated to suggest preventing the hosts file from working is some type of test of something whereas in reality it stops the user from benefiting from the HOSTS file thereafter??????"

My comment originated from your criticism towards the method presented. It appeared to me that you thought that the suggested temporary rename of the HOSTS file would be permanent.

6) You also explicitly and specifically asked: "Has anyone else found that they have two hosts files with neither working properly?"

In my attempt to answer to your question, I tried to point out why the situation you refer to in your question is not possible.

7) Would warmly recommend having SHOW FILE EXTENSIONS turned on, since cannot think of any reason for not having extensions show.

Showing file extensions supports system security, since revealing, e.g. existence of multiple file extensions for a particular file can reveal attempts to perform nasty things on the system.

In order to benefit from file extensions shown, the user is of course supposed to be clued enough in having enough understanding of the meaning of different file extensions and associated risks.



"To learn something new, take the path that you took yesterday."
John Burroughs (1837-1921); US author, naturalist.

 

[licensedtoquill]

Response to your explanations

Interpreting your response, I'll bet what actually happened was that when I did some minor change to it using Notepad (adding some advertising URL which suddenly appeared in some page I visited, thereby telling me that this site wasnt pointed to 127.0.0.1 in HOSTS), Notepad DID give it a txt file extension which wasnt shown. So I was effectively without a hosts file which is why ads started appearing all over my screen. Then when I tried to rework it in Explorer, it recognised HOSTS as a system file without an extension and saved it as such, then somehow getting rid of the extension? Or possibly I did this manually, saving it as it was asking me to save it, without an extension. That there was some other hosts file there would have made no difference to this as that would have had a BAK extension.

(I agree with you fully: There is no reason not to show extensions in Windows Explorer and I dont know why the extensions are turned off by default)

Incidentally my only comment on the advice given to disable the hosts file was that to some (the uninitiated, - for whom FULL manuals are written) not telling someone to backtrack to correct a problem at the end of some piece of advice I see as dangerous: Not that I didnt think it blindingly obvious that you had to 'turn' hosts back on.