Possible Hosts File Hijack

Microsoft Antivirus Discussions
Posted by Matt Allen on June 2, 2006, 8:37 pm
Defender reported "Possible Hosts File Hijack" as a medium threat
configuration change. It further said that a system configuration change
occurred and that the checkpoint was the Hosts file. It recommended that I
run a quick scan if I choose to block the change of removing the threat.

I am pretty technical with the computer, but I do not understand most of
this stuff. Specifically can someone tell me:
What is a Hosts File Hijack?
What is a configuration change?
What is the checkpoint?
Does quick scan refer to Windows One Care virus scan? If not, to what does
it refer?

Any help is appreciated.

Matt Allen
Raleigh, NC


Posted by David H. Lipman on June 2, 2006, 9:22 pm

| Defender reported "Possible Hosts File Hijack" as a medium threat
| configuration change. It further said that a system configuration change
| occurred and that the checkpoint was the Hosts file. It recommended that I
| run a quick scan if I choose to block the change of removing the threat.
|
| I am pretty technical with the computer, but I do not understand most of
| this stuff. Specifically can someone tell me:
| What is a Hosts File Hijack?
| What is a configuration change?
| What is the checkpoint?
| Does quick scan refer to Windows One Care virus scan? If not, to what does
| it refer?
|
| Any help is appreciated.
|
| Matt Allen
| Raleigh, NC

The hosts file is part of the TCP/IP stack. Before there were DNS servers, or in a
situation where there are no DNS servers, the hosts table is used to define an
IP address to an alias.

On NT based platforms the hosts table is located in the following folder... as...

%windir%\system32\drivers\etc\hosts

The table contains entries such as...

127.0.0.1 local
157.145.133.12 myhostname

Malware uses the hosts table to misdirect such sites as www.mcafee.com and
www.symantec.com to the local TCP/IP diagnostic responder address, 127.0.0.1.
Therefore, if you try to load that address in your browser you instead are
pointed back to your own PC and get "host not found" or a 404 error. Basically,
you don't get to the host you want.

Windows Defender is stating that there is a possibility that the hosts table
has been modified by malware and is suggesting that the PC be scanned for malware.

My suggestion is to NOT use Windows Defender or OneCare but to use industry
standard software to clean and keep your PC clean of malware.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being
exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any versions of Sun Java
prior to Version 5 on the PC, they be removed and Sun Java JRE/JSE Version 5.0
Update 7 be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser
Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web
site. The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files, or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot], re-run the menu again and choose
which scanner you want to run in Safe Mode. It is suggested to run the scanners
in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more
comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
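A defender-side check of the kind Dave describes, added here as an example and not part of the thread: it parses a hosts file and flags entries that override security-vendor or update domains, the signature of the hijack Defender is warning about. The sample hosts text and the watched-domain list are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file; the two vendor entries mimic the hijack
# described in the thread (security sites pointed at the loopback address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
157.145.133.12  myhostname        # legitimate LAN alias
127.0.0.1       www.mcafee.com
127.0.0.1       www.symantec.com
10.0.0.5        windowsupdate.microsoft.com
"""

# Domains a home PC has no legitimate reason to override locally (assumed list).
WATCHED_SUFFIXES = ("mcafee.com", "symantec.com", "microsoft.com",
                    "windowsupdate.com", "kaspersky.com", "sophos.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for name in parts[1:]:                # one IP may carry several aliases
            yield str(ip), name.lower(), line_no


def find_hijacks(text):
    """Return (line_no, hostname, ip, reason) for watched domains that are
    mapped locally. 'localhost' on loopback is the one entry every Windows
    hosts file legitimately has, so it is never reported."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name == "localhost" and addr.is_loopback:
            continue
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            reason = "loopback" if addr.is_loopback else "non-loopback redirect"
            findings.append((line_no, name, ip, reason))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On a real machine, read %windir%\system32\drivers\etc\hosts into `text` instead of the sample; a redirect to a non-loopback address deserves the same attention as one to 127.0.0.1, since it can send update or vendor traffic to an attacker-controlled host rather than simply blocking it.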



Posted by Panda_man on June 3, 2006, 11:51 am
"David H. Lipman" wrote:

> The hosts file is part of the TCP/IP stack. Before there where DNS Servers or in a
> situation where there are no DNS servers, the hosts table is used to define an IP address to
> an alias.
>
> On NT based platforms the hosts table is located in the following folder... as...
>
> %windir%\system32\drivers\etc\hosts
>
> The table contains entries such as...
>
> 127.0.0.1 local
> 157.145.133.12 myhostname
>
> Malware uses the hosts table to misdirect such sites as www.mcafee.com and www.symantec.com
> to the local TCP/IP diagnostic responder address; 127.0.0.1 Therefore if you try to load
> that address in your browser you instwead are pointed back to your own PC and get host not
> found or a 404 error. basically you don't get to the host you want.
> .......


Excellent explaination , Dave :)


Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
Please , rate posts

Posted by RJK on June 12, 2006, 9:12 pm
There's no i in explanation, and stop creeping ! :-)

regards, Richard


> "David H. Lipman" wrote:
>
>> The hosts file is part of the TCP/IP stack. Before there where DNS
>> Servers or in a
>> situation where there are no DNS servers, the hosts table is used to
>> define an IP address to
>> an alias.
>>
>> On NT based platforms the hosts table is located in the following
>> folder... as...
>>
>> %windir%\system32\drivers\etc\hosts
>>
>> The table contains entries such as...
>>
>> 127.0.0.1 local
>> 157.145.133.12 myhostname
>>
>> Malware uses the hosts table to misdirect such sites as www.mcafee.com
>> and www.symantec.com
>> to the local TCP/IP diagnostic responder address; 127.0.0.1 Therefore
>> if you try to load
>> that address in your browser you instwead are pointed back to your own PC
>> and get host not
>> found or a 404 error. basically you don't get to the host you want.
>> .......
>
>
> Excellent explaination , Dave :)
>
>
> Panda_man
> --
> Bronze level Contributor
> http://pandaman.my.contact.bg
> Please , rate posts



Posted by siljaline on June 3, 2006, 7:33 pm
Microsoft has set up specific newsgroups for Windows Defender Support.
Please post your queries there, *not* here.
<http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx>

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.


