Understanding Domain Name Resolution - Tutorial, Question - Default location of HOSTS file

zomba | Oct 22 2004, 08:59 AM | Post #1
New Member | Group: Members | Posts: 9 | Joined: 15-September 04 | Member No.: 2,790
Hi,
Many thanks for the excellent tutorials.

I'm having problems with my HOSTS file.
My question is:

Is it possible for malware to plant a second HOSTS file and have this rogue HOSTS file referenced by the OS instead of the HOSTS file in the default location?

If so, how is the location of the "in-use" HOSTS file specified?
(I've tried to find an appropriate registry key without success.)
Many thanks,

-Z-

Grinler | Oct 22 2004, 04:48 PM | Post #2
Bleep Bleep! | Group: Admin | Posts: 29,367 | Joined: 24-January 04 | From: USA | Member No.: 3
I am pretty sure if you change this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

to another directory, it will read the database files from that directory.


--------------------
Lawrence

zomba | Oct 24 2004, 04:33 PM | Post #3
New Member | Group: Members | Posts: 9 | Joined: 15-September 04 | Member No.: 2,790
Hi Grinler,
Many thanks for your prompt reply.
If I'm "allowed" a follow-on question...

Is there another way (or two) that the HOSTS file protection can be circumvented by malware?

The reason I ask is that coolwebsearch.com is in the HOSTS file but my browser is still able to get to coolwebsearch. I've run updated Ad-aware SE and Spybot S&D so I "think" I've removed coolwebsearch.
Many thanks.
-Z-
Any pointer for learning more about the registry will be most appreciated

Grinler | Oct 24 2004, 06:16 PM | Post #4
Bleep Bleep! | Group: Admin | Posts: 29,367 | Joined: 24-January 04 | From: USA | Member No.: 3
I am not sure if there is a way to disable it, but there is a way to make it last in the search order, so that would effectively make it useless if DNS was able to resolve the entry.

Information on that can be found in the tutorial. In a reply to this post, post the entry you have in the hosts file and I will tell you if it's set up right.


--------------------
Lawrence

zomba | Oct 24 2004, 08:36 PM | Post #5
New Member | Group: Members | Posts: 9 | Joined: 15-September 04 | Member No.: 2,790
Hi Grinler,
Thank you again for the VERY swift response and for pointing me to the search order; I'll check that out.

I'm sure the entry in the hosts file is OK because the hosts file is imported from Spybot, and the entry has the same format as all the others... but thanks for offering. I'll keep plugging away at this ;-)
Regards,
-Z-

EdBee | Oct 24 2004, 08:44 PM | Post #6
Forum Regular | Group: Members | Posts: 208 | Joined: 13-July 04 | Member No.: 1,385
There is/was some question in this post and another recent post re having duplicate/identical files/filenames in your computer. As Grinler pointed out to me recently, yes, there can be more than one of the same-named file, for instance SVCHOSTS and some others as well. So this, in itself, is NOT an indicator that one of them is a bad file (malware). So we should not be running programs that look for dup files and just deleting them just because there is more than one!
I think I have that correct. But, I have been wrong before.


--------------------
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS

zomba | Oct 25 2004, 04:38 PM | Post #7
New Member | Group: Members | Posts: 9 | Joined: 15-September 04 | Member No.: 2,790
Hi Grinler and Edbee,
Maybe I should take this question to another section of the board?

Anyway, the problem persists. (The HOSTS file entry (per Spybot S&D) does not block my browsers from getting to, for example, coolwebsearch.com.)

I've checked the following:
- the default prefix is set to http://
- the search order is still the default values
- the default location of the HOSTS file is still the default location.

Any ideas as to why the HOSTS file is not blocking access to coolwebsearch.com?
Is there anything else I can check?
Thanks,
-Z-
(PS I have of course run Ad-aware SE and Spybot in safe mode, and CWShredder.)

Grinler | Oct 25 2004, 09:06 PM | Post #8
Bleep Bleep! | Group: Admin | Posts: 29,367 | Joined: 24-January 04 | From: USA | Member No.: 3
Can you post the portion of the hosts file that references coolwebsearch? Also, is the hosts file named hosts, or another name?

Have you posted a hijackthis log in the hijackthis forum?


--------------------
Lawrence

zomba | Dec 1 2004, 03:06 PM | Post #9
New Member | Group: Members | Posts: 9 | Joined: 15-September 04 | Member No.: 2,790
Hi Grinler,
Thank you again for your prompt response. Here's the section of the HOSTS file that references coolwebsearch:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv

I've been picking the brains of another knowledgeable person, and it appears that the problem is probably a lack of understanding (on my part) of what happens between typing an address into the browser and the request going out to the web site, so perhaps the "test" that I think is failing is not a valid test?

Some more clues:
- when I "test" to see if the HOSTS file is blocking, if I type in coolwebsearch OR coolwebsearch.com OR http://coolwebsearch.com the browser gives the expected error message; however,
- when I type in http://www.coolwebsearch.com the browser DOES take me to what appears to me to be a coolwebsearch site.

So, I wonder what is it that I'm not properly understanding.

Thanks again for your assistance with this.
(No, I have not posted a HJT log yet, but I can if necessary... however, I believe the problem here lies between my chair and my keyboard ;-( not inside the machine.)

-Z-
(PS Sorry for the LONG delay)

Grinler | Dec 1 2004, 08:02 PM | Post #10
Bleep Bleep! | Group: Admin | Posts: 29,367 | Joined: 24-January 04 | From: USA | Member No.: 3
That is correct. Remember that a hostname is bleepingcomputer.com. Another hostname, but not the same hostname as the previous example, is www.bleepingcomputer.com.

When you use the hosts file you are mapping IP addresses to hostnames. Therefore if you have the entry:

127.0.0.1 coolwebsearch.com

in your hosts file you are only blocking the hostname for coolwebsearch.com and not also www.coolwebsearch.com.

To block that hostname as well you need to add:

127.0.0.1 www.coolwebsearch.com

as well.

Does this clear it up better? Don't hesitate to ask me to clarify it more.


--------------------
Lawrence
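The exchange in posts #9 and #10 comes down to one rule: a hosts entry matches the whole hostname and nothing else, so "coolwebsearch.com" says nothing about "www.coolwebsearch.com". The script below is an added example (not code from the thread or from BleepingComputer) that models that rule over the entries zomba posted: it parses a hosts file the way the resolver consults it (comments stripped, names compared case-insensitively, exact match only), reports which hostnames would fall through to DNS, and lists the companion "www." lines Grinler recommends. It also includes a small check for post #2's DataBasePath key: given the registry value as a string (on Windows you would read it with winreg; that read is not part of this example), it expands %SystemRoot% and reports whether the hosts file being consulted is still the default one. The sample hosts text is constructed for the example; the "bare domain = exactly two labels" heuristic in the www suggestion is an assumption, not something the thread states.

```python
"""Model of Windows hosts-file matching: whole hostname, case-insensitive, no wildcards.

Added example, not code from the thread. The hosts content is constructed from
the entries posted in the thread plus one inline comment to exercise parsing.
"""
import ntpath
from typing import Dict, List, Optional

# Constructed sample hosts file (mirrors the Spybot block zomba posted).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com   # inline comment is ignored by the parser
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
"""

# Default value of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its IP. A line may list several names after the IP."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), ip)  # first entry for a name wins
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Exact, case-insensitive match; 'www.example.com' never matches 'example.com'."""
    return table.get(hostname.lower())


def uncovered_names(table: Dict[str, str], hostnames: List[str]) -> List[str]:
    """Hostnames that are NOT in the hosts file and so would go on to DNS."""
    return [h for h in hostnames if lookup(table, h) is None]


def missing_www_variants(table: Dict[str, str]) -> List[str]:
    """Suggest 'www.' companion lines for bare domains that lack them.

    Assumption (heuristic, not from the thread): a bare domain is a name with
    exactly two labels, e.g. 'coolwebsearch.com'; 'localhost' and deeper
    subdomains are skipped.
    """
    suggestions = []
    for name, ip in table.items():
        if name.startswith("www.") or name.count(".") != 1:
            continue
        if f"www.{name}" not in table:
            suggestions.append(f"{ip} www.{name}")
    return suggestions


def hosts_path_in_use(databasepath: str, system_root: str = r"C:\WINDOWS") -> str:
    """Path of the hosts file the OS consults, given the DataBasePath registry value."""
    expanded = databasepath.replace("%SystemRoot%", system_root)
    return ntpath.join(expanded, "hosts")


def databasepath_is_default(databasepath: str) -> bool:
    """True if DataBasePath still points at the default drivers\\etc directory."""
    return ntpath.normcase(databasepath.strip()) == ntpath.normcase(DEFAULT_DATABASEPATH)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for h in ["coolwebsearch.com", "www.coolwebsearch.com"]:
        print(f"{h:28} -> {lookup(table, h) or 'not in hosts, DNS will resolve it'}")
    print("Suggested additions:", *missing_www_variants(table), sep="\n  ")
    print("Hosts file in use:", hosts_path_in_use(DEFAULT_DATABASEPATH))
```

Running it shows coolwebsearch.com mapped to 127.0.0.1 while www.coolwebsearch.com is absent and therefore resolved by DNS, which is exactly the browser behaviour zomba observed; the suggested lines are the ones post #10 says to add. If `databasepath_is_default` returns False for the value read from the registry, the file under `hosts_path_in_use` is the one to inspect, because that is the copy the resolver actually reads.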
© 2003-2008 All Rights Reserved Bleeping Computer LLC.