
Disappearing HOSTS File in XP Pro SP2



#1 evolution3000


Posted 05 August 2009 - 04:03 AM

Hello,
I recently started using XP Pro SP2, installing it not long ago. The system hasn't had any time to be infected by any malware. Aside from FireFox 3.5.1, WordPerfect Suite 12, WinAmp 5, and my drivers, I haven't installed much in it. I have a program called Adfree 3.2. It is an ad blocker which relies on the system HOSTS text file to block ads, substituting any small GIF image of your choice in its place. I correctly reconfigured it to place its HOSTS file in the
C:\WINDOWS\system32\drivers\etc
folder. This is the beginning of the Adfree 3.2 HOSTS file which I have updated with newer advertisement server locations. I estimate there are about 1,890 server locations. The HOSTS file is 56K bytes:
===================
#
# Hosts file created by AdFree
#

# localhost: Needs to stay like this to work
127.0.0.1 localhost

# Other servers: These servers are directed towards
# AdFree to be filtered. You must alter these from
# within the AdFree program.

127.0.0.1 123banners.com
127.0.0.1 247media.com
127.0.0.1 24pm-affiliation.com
127.0.0.1 7adpower.com
127.0.0.1 911promotion.com
127.0.0.1 a.as-us.falkag.net
127.0.0.1 a.consumer.net
127.0.0.1 a.r.tv.com
...
===================

However, I am having a problem with XP Pro SP2. Every time I start any operation, no matter what it is, XP automatically deletes the HOSTS file. No matter if I start any browser, IE or FireFox, Windows Explorer, Notepad, even if I open any applet in "Control Panel" > "Administrative Tools", XP will delete the HOSTS file. The system and Adfree need the HOSTS file to properly block ads. I have spent over 12 hours trying to find the solution online, but with no success. I shut off the "DNS Client" service, I even tried shutting off the XP firewall, but nothing has worked.

I can get Adfree to work correctly, substituting a GIF of my choice in place of ads. I must set the HOSTS file to "read only." However, Adfree isn't really meant to function that way and I will run into problems if I try to "pause" it. Plus, every time I start or exit Adfree, or shut off the system, I must change the "read only" setting. Reading posts on the 'Net, I know others have had this problem, but they never posted their solution. I know there is either a service applet I can disable or Registry setting I can use to stop XP from deleting the HOSTS file. Does anyone know what it is?


 


#2 joseibarra


Posted 05 August 2009 - 05:10 AM

Never heard of AdFree, but I know some "blockers" will put stuff in the hosts file and personally, I don't want anybody modifying my hosts file without my knowledge and consent.

If you are using Firefox and are not using the free Adblock add-on, please try it. In a word, it blocks the ads and that annoying underlining of key words with advertising behind them.

It is quite effective out of the download box - I might even say amazing (sorry Andrew). It also keeps itself up to date and there are no .GIF files to tinker with to replace ads, it doesn't mess with the hosts file, you can add stuff to it yourself and block ads it might miss on the fly. Never lost a hosts file yet.

Here is Adblock for Firefox:

http://download.cnet.com/Adblock/3000-11745_4-10461863.html

or

https://addons.mozilla.org/en-US/firefox/addon/1865

AdFree may or may not be the hosts file deleter, but since you have been surfing, a good scan can't hurt:

Download, install, update and do a full scan with these free
malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

I know how the hosts file works, but just don't mess with it. If yours keeps disappearing, I would start to eliminate programs that you know tamper with it until it stops getting deleted. That is just plain wrong.

Spybot will put their blocked sites in the hosts file, but I have never seen Spybot delete one.

I have heard that some other malicious software removal tools will interpret a modified hosts file as an infection and attempt to do something about the perceived threat - like maybe quarantine/delete it? Just a rumor to me.

XP SP3 is also available for your consideration.

Edited by joseibarra, 05 August 2009 - 11:01 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#3 hamluis


Posted 05 August 2009 - 08:29 AM

<<The system hasn't had any time to be infected by any malware.>>

That seems to be quite an erroneous statement...I'll tell you a personal experience and you decide.

On one of my previous systems, I had just completed a clean install of XP. Because I then used the Kerio Free firewall, I immediately disabled the XP/Windows firewall, removed MSN, Windows Messenger...and then proceeded to the Windows Update site.

Within no more than 1 minute of my connecting to the WU site...I was hit by the Blaster Worm. Fortunately, I had installed my AV program before I went to Windows Update, so it alerted me as to what was happening and told me what to do (shut down, erect firewall, use application to remove Blaster).

I could have avoided the whole episode just by either employing the Windows firewall or setting up the Kerio firewall before I went to the Windows Update site.

I don't know how much time you think it takes for a vulnerability to be exploited/attacked...but that episode taught me that anyone on the Internet...is under constant attack by the idiots who create malware.

Louis

#4 evolution3000


Posted 07 August 2009 - 12:02 AM

ADDENDUM:
I ran Process Monitor v2.5 and added the HOSTS filter as suggested. I also opened Windows Explorer at folder C:\WINDOWS\system32\drivers\etc. I then ran Adfree 3.2 and it correctly placed the HOSTS file into the etc folder. The HOSTS file was sitting there as it's supposed to be. Then I ran NOTEPAD and the HOSTS file was deleted as usual.

I really wish I knew what is going on. I'm getting tired of dealing with this. If necessary, I will call Microsoft Support and perhaps someone there can help me if no one here can. That is, if they still provide free support for XP Pro SP2.

Here are the results from Process Monitor AFTER RUNNING NOTEPAD.EXE. There are 5 lines ONLY AND NO MORE: 4 from "Explorer.EXE" and 1 from "notepad.exe." The Event and Process information from the first Explorer.EXE line are below. Does ANYONE know the solution to this problem? I know it's some kind of service or Registry setting. PLEASE!

===================================================
EVENT
Date & Time: 8/6/2009 8:43:50 PM
Event Class: File System
Operation: CreateFile
Result: SUCCESS
Path: C:\WINDOWS\system32\drivers\etc\hosts
TID: 1312
Duration: 0.0000274
Desired Access: Read Attributes, Delete
Disposition: Open
Options: Non-Directory File, Open Reparse Point
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a
OpenResult: Opened
===================================================
PROCESS
Description: Windows Explorer
Company: Microsoft Corporation
Name: Explorer.EXE
Version: 6.0.2900.2180
Path: C:\WINDOWS\Explorer.EXE
Command Line: C:\WINDOWS\Explorer.EXE
PID: 1200
Parent PID: 1184
Session ID: 0
User: DANIEL\danielm
Auth ID: 00000000:0000ddef
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 8/6/2009 8:31:46 PM
Ended: (Running)

Edited by evolution3000, 07 August 2009 - 12:04 AM.
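Added example, not part of the original thread: one way to triage a Process Monitor capture like the one above is to export it as CSV and list every process that opens the hosts file with Delete access or marks it for deletion. The column layout is assumed to be Process Monitor's default CSV export; the first sample row mirrors the event quoted in the post and the other rows are constructed.

```python
import csv
import io
import re

HOSTS_SUFFIX = r"\drivers\etc\hosts"

# Constructed sample in Process Monitor's CSV export layout (assumed columns).
# Row 1 mirrors the Explorer.EXE event from the post; rows 2-4 are invented:
# a delete disposition, a plain read by notepad.exe, and an unrelated path.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:43:50 PM","Explorer.EXE","1200","CreateFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"8:43:50 PM","Explorer.EXE","1200","SetDispositionInformationFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Delete: True"
"8:43:51 PM","notepad.exe","1848","CreateFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"8:43:52 PM","Explorer.EXE","1200","CreateFile","C:\WINDOWS\Temp\old.tmp","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
'''


def parse_detail(detail):
    """Split a 'Key: v1, v2, Key2: v3' detail string into {key: [values]}."""
    fields = {}
    # Split only at commas that are followed by a new 'Key: ' label, so the
    # commas inside a value list (e.g. 'Read Attributes, Delete') survive.
    for part in re.split(r",\s*(?=[A-Z][A-Za-z ]*:\s)", detail):
        key, _, value = part.partition(":")
        fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields


def hosts_delete_events(csv_text):
    """Return (process, pid, operation) for events that open the hosts file
    for deletion or set its delete disposition."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Path"].lower().endswith(HOSTS_SUFFIX):
            continue
        detail = parse_detail(row["Detail"])
        # ShareMode containing Delete only permits others to delete; the
        # requesting process's intent is in Desired Access.
        opened_for_delete = (row["Operation"] == "CreateFile"
                             and "Delete" in detail.get("Desired Access", []))
        marked_deleted = (row["Operation"] == "SetDispositionInformationFile"
                          and detail.get("Delete") == ["True"])
        if opened_for_delete or marked_deleted:
            hits.append((row["Process Name"], int(row["PID"]), row["Operation"]))
    return hits


if __name__ == "__main__":
    for hit in hosts_delete_events(SAMPLE_CSV):
        print(hit)
```
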


#5 joseibarra


Posted 07 August 2009 - 09:45 AM

I downloaded AdFree to try it out.

As near as I can tell, AdFree wants to replace the hosts file with its own version. I could not get the software to update its own version and I could not even get to the developer's WWW site. I wanted to see if they had a user forum to read about your observation. Does that mean this person is out of business? Are you able to get it to update with a new list of blocked sites?

I probably am missing some configuration in AdFree that you are using, but if it replaces your hosts file with its own, that is really kind of dumb. Then it would have to keep a copy of your original and put it back when it is done. The remove part sounds like it is working just fine, but maybe the putting back part is not.

The Windows firewall also noticed a request for an outside door through for AdFree which I also did not care for. It is rude of AdFree to tamper with my firewall when no other program needs to do so. What is it doing?

Scanning software (as I mentioned) can also interpret a change in the hosts file as a threat and remove or quarantine the file. Have you looked in your scanning software quarantined items to see if it is removing the file?

There are so many other better, proven and safer ways to block ads that do not touch the hosts file. Doing so even by human hands introduces a certain amount of risk, so why introduce risk if there is a no risk way to accomplish what you want?

You have Firefox, and IMHO, that has the best browser ad blocker I have encountered if you use it properly - like with the Adblock add-on I mentioned before. It works. It is easy. It updates itself - frequently. Total problems so far: zero.

Even if you can narrow down the problem with AdFree, what are you going to do about it if the developer's WWW site doesn't even work anymore? Now you have invested time with Process Monitor, how's that going?

You did not ever say if you ran the scanning software yet. That should be FIRST.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#6 hamluis


Posted 07 August 2009 - 11:04 AM

<<...but if it replaces your hosts file with its own, that is really kind of dumb.>>

I believe Spybot S&D practically does the same thing...Spybot has a list of entries which are added to/placed on the Hosts file, as a means of protecting the system.

Louis

#7 joseibarra


Posted 07 August 2009 - 11:29 AM

Sort of... Spybot ADDS things to the bottom of your hosts file when you Immunize, like this:


.
.
.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
...lots more...
.
.
.
# End of entries inserted by Spybot - Search & Destroy

I have seen a Spybot adjusted hosts file with 10K+ extra lines!

Good for Chrome and IE (and Firefox of course).

I have not studied the Adblock method, but it appears similar but internal to Firefox, plus it also gets rid of those double underline things.

Edited by joseibarra, 07 August 2009 - 03:21 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
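Added example, not part of the original thread: a small auditor for the hosts-file layout shown in the post above, which attributes each mapping to the "Start of entries inserted by ..." block that contains it and lists any mapping that points a name somewhere other than a blocking address. The sample file is constructed from the excerpt above plus one invented non-blocking entry; the function name and the set of blocking addresses are assumptions of this example.

```python
import re
from collections import Counter

START = re.compile(r"#\s*Start of entries inserted by (.+)", re.I)
END = re.compile(r"#\s*End of entries inserted by (.+)", re.I)
# Addresses that ad/malware blockers use to make a name unreachable (assumed set).
BLOCK_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the Spybot excerpt from the post, shortened, followed by
# one invented entry that sits outside any marker block.
SAMPLE_HOSTS = """\
# For example:
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 login.example.test   # constructed entry, not from the post
"""


def audit_hosts(text):
    """Return ({owner: mapping_count}, [(name, address, owner), ...]) where the
    list holds mappings whose address is not a blocking address."""
    owner, per_owner, redirects = "unmarked", Counter(), []
    for raw in text.splitlines():
        line = raw.strip()
        started = START.match(line)
        if started:
            owner = started.group(1).strip()
            continue
        if END.match(line):
            owner = "unmarked"
            continue
        body = line.split("#", 1)[0].split()  # drop any trailing comment
        if len(body) < 2:
            continue  # blank line, comment-only line, or malformed entry
        address, names = body[0], body[1:]
        per_owner[owner] += len(names)
        if address not in BLOCK_ADDRS:
            redirects.extend((name, address, owner) for name in names)
    return dict(per_owner), redirects


if __name__ == "__main__":
    counts, redirects = audit_hosts(SAMPLE_HOSTS)
    print(counts)
    print(redirects)
```
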


#8 joseibarra


Posted 11 August 2009 - 04:37 PM

I tracked down the AdFree author seeking guidance and ideas.

I described your issue and condition as best I understood it and my
valiant but failed attempts at reproducing it (however, I am on
SP3).

Here is part of a recent email message from him regarding AdFree:

Sure, you can show him my email. He should appreciate simple
solutions, and the simplest solution is to just use Firefox with
Adblock Plus. After 10 minutes of installation, he won't have to worry
or think about anything ad-related again. I use it myself, and it
works perfectly. AdFree was the best at the time, but now is the era
of Adblock Plus - the fact that I'm not using my own program should
tell him something :thumbsup:


I think this was recommended some time ago and is not the solution you
seek.

Are you still behind in SPs? Have you selected a malicious software
suite for your system?

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.




