Full Version: Understanding Domain Name Resolution - Tutorial
zomba
Hi,
Many thanks for the excellent tutorials.

I'm having problems with my HOSTS file.
My question is:

Is it possible for malware to plant a second HOSTS file and have this rogue HOSTS file referenced by the OS instead of the HOSTS file in the default location?

If so, how is the location of the "in-use" HOSTS file specified?
(I've tried to find an appropriate registry key without success)
Many thanks,

-Z-
Grinler
I am pretty sure if you change this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

to another directory, it will read the database files from that directory.
zomba
Hi Grinler,
Many thanks for your prompt reply.
If I'm "allowed" a follow-on question...

Is there another way (or two) that the HOSTS file protection can be circumvented by malware?

The reason I ask is that coolwebsearch.com is in the HOSTS file but my browser is still able to get to coolwebsearch. I've run updated Ad-aware SE and Spybot S&D so I "think" I've removed coolwebsearch.
Many thanks.
-Z-
Any pointer for learning more about the registry will be most appreciated
Grinler
I am not sure if there is a way to disable it, but there is a way to make it last in the search order, so that would effectively make it useless if DNS was able to resolve the entry.

Information on that can be found in the tutorial. In a reply to this post, put the entry you have in the hosts file and I will tell you if it's set up right.
zomba
Hi Grinler,
Thank you again for the VERY swift response and for pointing me to the search order, I'll check that out.

I'm sure the entry in the hosts file is OK because the hosts file is imported from Spybot, and the entry has the same format as all the others...but thanks for offering. I'll keep plugging away at this ;-)
Regards,
-Z-
EdBee
There is/was some question in this post and another recent post re having duplicate/identical files/filenames in your computer. As Grinler pointed out to me recently, yes there can be more than one of the same named file, for instance SVCHOSTS and some others as well. So this, in itself, is NOT an indicator that one of them is a bad file (malware). So we should not be running programs that look for dup files and just deleting them just because there is more than one!
I think I have that correct. But, I have been wrong before.
zomba
Hi Grinler and Edbee,
Maybe I should take this question to another section of the board?

Anyway, the problem persists. (The HOSTS file entry (per Spybot S&D) does not block my browsers from getting to, for example, coolwebsearch.com.)

I've checked the following:
- the default prefix is set to http://
- the search order is still the default values
- the default location of the HOSTS file is still the default location.

Any ideas as to why the HOSTS file is not blocking access to coolwebsearch.com?
Is there anything else I can check?
Thanks,
-Z-
PS I have of course run Ad-aware SE and Spybot in safe mode, and CWShredder.
Grinler
Can you post the portion of the hosts file that references coolwebsearch? Also is the hosts file named hosts? or another name?

Have you posted a hijackthis log in the hijackthis forum?
zomba
Hi Grinler,
Thank you again for your prompt response. Here's the section of the HOSTS file that references coolwebsearch:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv

I've been picking the brains of another knowledgeable person and it appears that the problem is probably a lack of understanding (on my part) of what happens between typing an address into the browser and the request going out to the web site, so perhaps the "test" that I think is failing is not a valid test?

Some more clues:
- when I "test" to see if the HOSTS file is blocking, if I type in coolwebsearch OR coolwebsearch.com OR http://coolwebsearch.com the browser gives the expected error message, however,
- when I type in http://www.coolwebsearch.com the browser DOES take me to what appears to me to be a coolwebsearch site.

So, I wonder what is it that I'm not properly understanding.

Thanks again for your assistance with this.
(No, I have not posted a HJT log yet but I can, if necessary... however I believe the problem here lies between my chair and my keyboard ;-( not inside the machine.)

-Z-
(PS Sorry for the LONG delay)
Grinler
That is correct. Remember that a hostname is bleepingcomputer.com. Another hostname, but not the same hostname as the previous example, is www.bleepingcomputer.com.

When you use the hosts file you are mapping IP addresses to hostnames. Therefore if you have the entry:

127.0.0.1 coolwebsearch.com

in your hosts file you are only blocking the hostname for coolwebsearch.com and not also www.coolwebsearch.com.

To block that hostname as well you need to add:

127.0.0.1 www.coolwebsearch.com

as well.

Does this clear it up better? Don't hesitate to ask me to clarify it more.
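The exact-match behaviour Grinler describes, shown as an added example that is not part of the original thread: a small Python hosts-file parser, fed the entries zomba posted as a constructed sample, looks up `coolwebsearch.com` and `www.coolwebsearch.com` separately, and then reports which blocked domains lack a `www.` counterpart. The parser is this example's own code, not Windows' resolver; the choice that the first matching line wins is an assumption of the example.

```python
"""Hosts-file lookups match the whole hostname exactly (added example, not from the thread)."""
from typing import Dict, List, Optional

# Constructed sample: the lines zomba posted, with the default localhost entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}.

    Comments (everything after '#') and blank lines are skipped, and hostnames are
    lower-cased because DNS names are case-insensitive.  A line may carry several
    hostnames after the address; each becomes its own entry.  Assumption of this
    example: the first line naming a host wins over later duplicates.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname after it
        ip, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the mapped address for exactly this hostname, or None if it is absent.

    There is no suffix or wildcard matching: 'coolwebsearch.com' does not cover
    'www.coolwebsearch.com', which is the behaviour zomba ran into.
    """
    return table.get(hostname.lower().rstrip("."))


def missing_www_variants(table: Dict[str, str]) -> List[str]:
    """List blocked bare domains whose 'www.' form is not also in the file.

    A defender auditing a blocklist-style hosts file can use this to spot gaps
    like the one in the thread before relying on the file.
    """
    return sorted(
        name
        for name in table
        if name != "localhost"
        and not name.startswith("www.")
        and "www." + name not in table
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("coolwebsearch.com", "www.coolwebsearch.com"):
        print(f"{name:28} -> {lookup(hosts, name)}")
    print("blocked without a www. variant:", missing_www_variants(hosts))
```

Running the block prints `127.0.0.1` for the bare domain and `None` for the `www.` form, and lists the three Spybot entries that have no `www.` counterpart; the resolver would fall through to DNS for those names, exactly as zomba's browser did.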