
spybot download


11 replies to this topic

#1 cpm392

cpm392

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 02 February 2010 - 03:02 AM

Hello, I'm a newbie and this is my first post. I'll try to keep this short and to the point, but I just found or learned most of this in the past three days. When I download Spybot Search and Destroy, I get a message saying my host file has changed. When I found the hosts file, the only address was 127.0.0.1. The first line reads "# start of entries inserted by Spybot- Search and Destroy". Some of the entries are www.sexlinks.com, www.007guard.com, and www.1001namen.com. I have a copy of the file on my desktop, but I don't know how to post it here. There are over 14,000 entries of this sort. My question is this-- has anyone else had this happen? Does this mean Spybot is malware? I downloaded from cnet.com, which I trust. I would appreciate any explanation or advice about this. Thanks in advance. cpm392



#2 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:11 PM

Posted 02 February 2010 - 04:16 AM

Hi and Welcome to BleepingComputer,

There is no need to post the file here. Spybot changes your host file by adding sites to it to prevent your computer from going to known bad sites. It makes it so that if you happen upon one of those sites, it just directs your computer to 127.0.0.1, which means your computer will not connect to the bad site.

Spybot is not malware and changing your host file is a normal function of Spybot intended to protect your computer.

Out of curiosity, what program told you that the host file had been changed?

Edited by Stang777, 02 February 2010 - 04:20 AM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:11 PM

Posted 02 February 2010 - 07:06 AM

Although malware can be responsible for altering the HOSTS file in an attempt to redirect your browser, it does not do so without infecting other areas of your system. There are several legitimate security programs like Spybot S&D, SpySweeper and STOPzilla, etc., which can add entries to the HOSTS file, and that action may be detected as a change or some other alert. If you downloaded and used a custom HOSTS file or made edits, that too would trigger a change detection or alert. If you did not make any changes, use a custom HOSTS file or have a security program with these features, then you need to investigate what the changes are.

If you open the Hosts file, the note at the top will show the entries were inserted by other security programs like Spybot:
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1	007guard.com
127.0.0.1	www.007guard.com
127.0.0.1	008i.com
127.0.0.1	008k.com
127.0.0.1	www.008k.com
127.0.0.1	00hq.com
127.0.0.1	www.00hq.com
127.0.0.1 	legal-at-spybot.info
127.0.0.1 	www.legal-at-spybot.info
127.0.0.1...
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 cpm392

cpm392
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 02 February 2010 - 01:30 PM

> Hi and Welcome to BleepingComputer,
>
> There is no need to post the file here. Spybot changes your host file by adding sites to it to prevent your computer from going to known bad sites. It makes it so that if you happen upon one of those sites, it just directs your computer to 127.0.0.1, which means your computer will not connect to the bad site.
>
> Spybot is not malware and changing your host file is a normal function of Spybot intended to protect your computer.
>
> Out of curiosity, what program told you that the host file had been changed?


Spybot itself told me the host file had been changed when I installed it. Thanks for the info.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:11 PM

Posted 02 February 2010 - 01:43 PM

Guess Spybot does not know on one hand from what it's doing on the other.

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 PM

Posted 02 February 2010 - 02:33 PM

For a little more information: The Hosts File and what it can do for you

Also allow me to expand on Stang777's information as it isn't clear in the tutorial.

From a security standpoint, the HOSTS file is commonly used in two ways.

1. By security entities to block access to websites known to be bad.
2. By malware to redirect your browser so that you do not go to the domain you want it to go to, or to block access to security related sites.

You need to know the difference so that you can tell if entries are good or bad when something like this comes up and so that you have to examine the hosts file.

The way you can tell a good entry that a program like Spybot might insert is that domain names that look bad will have the address that Stang777 mentioned, 127.0.0.1, next to them. What this does is it tells Windows to connect back to your machine instead of the IP address assigned to that domain, so the website is effectively blocked.
http://www.topbits.com/127-0-0-1.html

127.0.0.1 is the standard IP address used for a loopback network connection. This means that if you try to connect to 127.0.0.1, you are immediately looped back to your own machine, considering that a local server is installed on your machine. 127.0.0.1 is also referred to as “localhost”, meaning ‘this computer’.

There are other loopback addresses but you don't see them very often.

If you see 127.0.0.1 next to the domain name of a security related site, such as bleepingcomputer.com or antivirus vendors like Symantec, then you are likely infected with malware that is blocking your access to those sites by altering your hosts file.

When redirecting to another site, malware will substitute an illicit IP address for the legit one. Most common reason for doing this is to send you away from Google or other legit search site to their own search engine so that the malware authors make some money. When this happens, use a Whois search to determine if the IP address matches the domain name.

As noted in the tutorial, some people think you can prevent malware from altering your hosts file by making it read only, but that's a myth. So it's better that Spybot notifies you when the hosts file has been changed. I suppose it is by design to notify you of its own changes to the file--tho I agree it's confusing. But at least it got you to look into what a hosts file is. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso
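
The rules from the post above for reading a hosts file, as an added example that is not part of the original thread: loopback entries for ordinary domains are block-list entries, loopback entries for security-related sites are suspicious, and any other IP address is a redirect to verify. The watchlist, the verdict names and the sample file are assumptions made for illustration; treating 0.0.0.0 as a block address goes beyond what the post describes.

```python
import ipaddress

# Assumption: a small watchlist of security-related domains; the two names
# come from the post above, extend it with the vendors you rely on.
SECURITY_DOMAINS = ("bleepingcomputer.com", "symantec.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # normal loopback names

def classify(line):
    """Return a list of (verdict, ip, host) for one hosts-file line."""
    fields = line.split("#", 1)[0].split()          # drop comments, tokenize
    if len(fields) < 2:
        return []
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return [("malformed", fields[0], " ".join(fields[1:]))]
    # 127.0.0.0/8 and ::1 loop back; 0.0.0.0 is also used by block lists.
    sinkhole = ip.is_loopback or ip.is_unspecified
    results = []
    for host in (h.lower().rstrip(".") for h in fields[1:]):
        watched = any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)
        if host in LOCAL_NAMES and ip.is_loopback:
            verdict = "local"
        elif sinkhole and watched:
            verdict = "security-site-blocked"      # likely malware tampering
        elif sinkhole:
            verdict = "blocked"                    # Spybot-style block entry
        else:
            verdict = "redirect-verify-ip"         # check the IP with Whois
        results.append((verdict, str(ip), host))
    return results

def audit(text):
    """Return only the entries that need a closer look."""
    return [r for line in text.splitlines() for r in classify(line)
            if r[0] not in ("blocked", "local")]

# Constructed sample; 203.0.113.7 is a documentation-range address.
SAMPLE = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\t007guard.com
127.0.0.1\twww.007guard.com
127.0.0.1\twww.symantec.com
203.0.113.7\twww.google.com
127.0.0.1\tlocalhost
"""

if __name__ == "__main__":
    for verdict, ip, host in audit(SAMPLE):
        print(f"{verdict:24} {ip:15} {host}")
```

To check a real machine, pass the contents of the hosts file (on Windows, `C:\Windows\System32\drivers\etc\hosts`) to `audit()` instead of `SAMPLE`.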


#7 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:11 PM

Posted 02 February 2010 - 05:15 PM

I am glad you guys elaborated on that, thanks.

I am confused by Spybot making that notification because I have never had Spybot notify me of changes it has made to my hosts file. I am probably not using the latest version so maybe that is why.

#8 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:11 PM

Posted 02 February 2010 - 05:48 PM

Maybe the user has TeaTimer running? TeaTimer notifies you of changes to the registry, but maybe it includes HOSTS file protection?

#9 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:11 PM

Posted 02 February 2010 - 06:26 PM

Good thinking xblindx, I bet you are right. I do not have Teatimer running so if the op does, that would explain the difference. Good catch.

#10 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:11 PM

Posted 02 February 2010 - 08:23 PM

I am not positive that that is what the reason is, just a guess. I haven't used Spybot or TeaTimer in about a year or more but I do remember how annoying the TeaTimer alerts were until I disabled it *shudder* :thumbsup:

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:11 PM

Posted 03 February 2010 - 10:00 AM

TeaTimer should monitor hosts file changes

#12 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:11 PM

Posted 03 February 2010 - 05:07 PM

> TeaTimer should monitor hosts file changes


Thanks for clarifying, quietman7 :thumbsup:



