Hosts File vanished again !

Discussion in 'Virus Information' started by RJK, Apr 29, 2009.

  1. RJK

    ~BD~ Guest

    My only advice to you .......
    ..........if you *are* genuine - BE genuine and *only* tell the truth.

    Probably best to re-invent yourself completely and concentrate on using
    your undoubted skill to help the thousands of folk who have no clue
    whatsoever about 'computing'.

    No-one but you and your maker need ever know! <smile>

    Good luck
     
    ~BD~, May 1, 2009
    #41

  2. RJK

    Leythos Guest

    If you are as ethical as you suggest, why are you STILL Stalking myself
    and others in your every post to Usenet?
     
    Leythos, May 1, 2009
    #42

  3. RJK

    Leythos Guest

    If you notice his handle, the only truth he understands is the lies he
    tells, and he attempts to change the truth to what he wants you to
    believe - you've fallen for it many times based on your responses to
    him.
    His only skill, as evidenced by his "products" is to pilfer other
    vendors/authors code, edit the vendor/authors name out and replace it
    with his name, and then rename the file and trick people into
    downloading it. If you really think that those actions show "Skill" then
    you really need to go back and reconsider your understanding of the
    world.
    He's done that many times, created many identities, but he always slips
    up and exposes himself.
     
    Leythos, May 1, 2009
    #43
  4. RJK

    RJK Guest

    Hi, many thanks for your response, ...sorry for delay - am sometimes unable
    to post several days due to work pattern and an ISP with NNTP that only
    works now and again.
    ....my ISP is Tiscali
    ....router is Linksys WAG354G with NAT always switched on :)
    AVG internet security suite has a firewall :) ...Windows f'wall of course
    switched off :)

    .... Malwarebytes sweep found nothing other than 3 XP keys to do with
    security notification (f'wall/ a/v updates), ...I prefer to keep them
    switched off and do it myself !

    ....anyhooo, to cut a long story short, ...after av-cls sweeps in Safe and
    Normal mode, and AVG 8.5 a/v / malware sweeps in Safe then Normal mode,
    Malwarebytes etc.
    ....nothing found, ...and a few other sweeps !

    ....I've installed Spybot S&D ...yet again, ...dunno why I keep taking it out
    ! ...now I have placed a small Windows Explorer pane on the desktop
    displaying the contents of etc ...so that I can, hopefully, spot, the next
    time, when hosts disappears !!!

    ....interestingly, after S&D "Immunize" the hosts file size jumps from
    around 550k to 880k !!!!!!
    ....I wonder what all that is about !!!

    regards, Richard
     
    RJK, May 2, 2009
    #44
  5. RJK

    Mees de Roo Guest

    | ...anyhooo, to cut a long story short, ...after av-cls sweeps in Safe and

    I had my hosts-file disappearing too (only local-net IP's in it, but a
    nuisance anyway). I discovered that av-cls was always completely clearing the
    host file; this happens already when you let av-cls get the latest
    virus-updates only (I used to do that regularly, in order to have recent ones
    for malware that blocked all internet access). This is probably done to make
    sure you can reach these various virus-updating IP's against (via hosts)
    blocking malware. The problem with av-cls is that it does not document this
    behaviour, and has no mechanism to restore the file afterwards. Are you sure
    that what you see is not av-cls's normal behaviour and/or that you are
    restoring an already compromised hosts file afterwards?

    Mees de Roo
     
    Mees de Roo, May 2, 2009
    #45
  6. | I had my hosts-file disappearing too (only local-net IP's in it, but a
    | nuisance anyway). I discovered that av-cls was always completely clearing the
    | host file; this happens already when you let av-cls get the latest
    | virus-updates only (I used to do that regularly, in order to have recent ones
    | for malware that blocked all internet access). This is probably done to make
    | sure you can reach these various virus-updating IP's against (via hosts)
    | blocking malware. The problem with av-cls is that it does not document this
    | behaviour, and has no mechanism to restore the file afterwards. Are you sure
    | that what you see is not av-cls's normal behaviour and/or that you are
    | restoring an already compromised hosts file afterwards?

    | Mees de Roo


    Mees:

    You are correct, the Multi-AV makes a backup and then deletes the etc/hosts file to
    make sure WGET can get to the respective AV vendor update sites.

    However the statement "The problem with av-cls is that it does not document this
    behaviour..." is not true.

    In the PDF Help File - Multi AV Command Line Scanner.PDF

    Notes section:

    1. If a ‘hosts’ file is found by this utility, it will be renamed from ‘hosts’ to
    ‘hosts.bak’ since malware has a tendency to modify the ‘hosts’ file to block access to
    anti virus vendor web sites and thus possibly blocking the ability to download the needed
    Sophos, Kaspersky, Trend Micro or McAfee files.
     
    David H. Lipman, May 2, 2009
    #46
  7. RJK

    Geoff Guest

    SS&D uses the hosts file to map malicious domains to your loopback
    address. This prevents your browser from connecting to those sites. As
    I have pointed out elsewhere in this thread, this is effective for
    known bad sites but only if they are named sites, it's completely
    useless for URL's containing IP addresses.

    You can look at the hosts file in Notepad or any other text editor and
    see exactly what it is doing. There is a comment block at the top of
    the list that SS&D adds. Yes, it's a long list.

    As for the size of your file, I only use SS&D and my hosts is 309k.
    You apparently have multiple applications adding to this list and SS&D
    added its 300k worth. By looking at the file you should be able to
    identify the other programs that have added to the list. You very
    probably have some duplications in there. Not to worry, it will stop
    at the first match and point your browser or other applications at the
    loopback. The hosts file is local and even with the expense of string
    scanning the file, it's still faster than a DNS lookup on your ISP's
    DNS servers.
     
    Geoff, May 2, 2009
    #47
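
The hosts-file review suggested in the post above (what maps to loopback, which names are duplicated), as an added example that is not part of the original thread or of any tool named in it. It also flags names redirected to a non-local IP and sinkholed names under a caller-supplied watch list, the kind of vendor-site blocking the help-file note quoted earlier describes. The sample file, the `protected` parameter and all domain names are constructed assumptions.

```python
import ipaddress

# Constructed sample, not taken from the thread; names use reserved example domains.
SAMPLE_HOSTS = """\
# Entries added by a blocklist tool (constructed)
127.0.0.1 ads.badsite.example
127.0.0.1 tracker.badsite.example   # inline comment
0.0.0.0 ads.badsite.example
192.168.1.10 nas.home.example nas
127.0.0.1 update.avvendor.example
203.0.113.7 login.bank.example
not-an-ip broken.example
"""

# IPv4 ranges treated as "local network" entries (assumption: RFC 1918 only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Yield (line_no, ip, [names]) per valid entry; comments and malformed lines are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop full-line and inline comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield no, ip, [n.lower() for n in fields[1:]]

def audit_hosts(text, protected=()):
    """Count sinkholed names and list duplicates, public-IP redirects and blocked protected names."""
    seen = {}
    report = {"sinkholed": 0, "duplicates": [], "redirects": [], "blocked_protected": []}
    for no, ip, names in parse_hosts(text):
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in seen:  # a later entry for a name already mapped earlier in the file
                report["duplicates"].append((name, seen[name], no))
                continue
            seen[name] = no
            if sink:
                report["sinkholed"] += 1
                if any(name == s or name.endswith("." + s) for s in protected):
                    report["blocked_protected"].append((no, name))
            elif not any(ip in net for net in LOCAL_NETS):
                report["redirects"].append((no, name, str(ip)))
    return report
```

To audit a live Windows system, pass the text of `%SystemRoot%\System32\drivers\etc\hosts` to `audit_hosts` along with the update domains you want to keep reachable.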
  8. RJK

    RJK Guest

    ....at least I now know why my hosts file was disappearing !!! :)

    regards, Richard
     
    RJK, May 3, 2009
    #48
  9. RJK

    RJK Guest

    ....I meant, ...at least I now know one of the causes of my hosts file
    disappearing !!! :)

    regards, Richard
     
    RJK, May 3, 2009
    #49
  10. That's because it is a crap program.


    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
     
    The Real Truth [MS MVP], May 3, 2009
    #50
  11. RJK

    ---Fitz--- Guest

    This from the "King of Crap".
     
    ---Fitz---, May 3, 2009
    #51
  12. RJK

    Mees de Roo Guest

    |>> However the statement "The problem with av-cls is that it does not
    Sorry about that (failing RTFM). I did never need the Help file at all (since
    everything is perfectly self-explaining and works as it should be), so when
    the hosts-files started disappearing it took me quite some time to point that
    to av-cls rather than some unknown malware (that usually comes without Help
    file).
    I have 2 remarks (not big enough to call it even an enhancement)
    1. By renaming the hosts-file it is excluded from scanners looking for malware
    addresses. Would it help to rename the hosts-file shortly before each WGET,
    while renaming it back immediately after, or would caching spoil that trick?
    2. For people like me that, on a perfectly clean system, want to keep their
    updates up to date just in case future malware breaks their internet
    connection, could there be an extra restore host-file option on the main menu
    (in case 1. cannot be done)?

    Thanks for a good and useful product,

    Mees de Roo
     
    Mees de Roo, May 3, 2009
    #52
  13. From: "Mees de Roo" <>

    ||>> However the statement "The problem with av-cls is that it does not
    | Sorry about that (failing RTFM). I did never need the Help file at all (since
    | everything is perfectly self-explaining and works as it should be), so when
    | the hosts-files started disappearing it took me quite some time to point that
    | to av-cls rather than some unknown malware (that usually comes without Help
    | file).
    | I have 2 remarks (not big enough to call it even an enhancement)
    | 1. By renaming the hosts-file it is excluded from scanners looking for malware
    | addresses. Would it help to rename the hosts-file shortly before each WGET,
    | while renaming it back immediately after, or would caching spoil that trick?
    | 2. For people like me that, on a perfectly clean system, want to keep their
    | updates up to date just in case future malware breaks their internet
    | connection, could there be an extra restore host-file option on the main menu
    | (in case 1. cannot be done)?

    | Thanks for a good and useful product,

    | Mees de Roo


    Mees:

    I will take your suggestions under advisement for v7.0 which is STILL in Beta (oy vey).
     
    David H. Lipman, May 3, 2009
    #53
  14. From: "Mees de Roo" <>

    ||>> However the statement "The problem with av-cls is that it does not
    | Sorry about that (failing RTFM). I did never need the Help file at all (since
    | everything is perfectly self-explaining and works as it should be), so when
    | the hosts-files started disappearing it took me quite some time to point that
    | to av-cls rather than some unknown malware (that usually comes without Help
    | file).
    | I have 2 remarks (not big enough to call it even an enhancement)
    | 1. By renaming the hosts-file it is excluded from scanners looking for malware
    | addresses. Would it help to rename the hosts-file shortly before each WGET,
    | while renaming it back immediately after, or would caching spoil that trick?
    | 2. For people like me that, on a perfectly clean system, want to keep their
    | updates up to date just in case future malware breaks their internet
    | connection, could there be an extra restore host-file option on the main menu
    | (in case 1. cannot be done)?

    | Thanks for a good and useful product,

    | Mees de Roo


    #1 - Done !

    Now in the v7.x Beta.
     
    David H. Lipman, May 5, 2009
    #54
  15. RJK

    Mees de Roo Guest

    That's fast!
    I seem to get v6.0 at the above addresses; can I test v7.x Beta from somewhere
    else?
    Thanks again,

    Mees de Roo
     
    Mees de Roo, May 6, 2009
    #55
  16. From: "Mees de Roo" <>




    | That's fast!
    | I seem to get v6.0 at the above addresses; can I test v7.x Beta from somewhere
    | else?
    | Thanks again,

    | Mees de Roo


    Drop me an email from your Quicknet Cable account.
     
    David H. Lipman, May 6, 2009
    #56
  17. RJK

    RJK Guest

    oooooh! <ROFL> " a perfectly clean system" !!!

    ....I assume that you're adept at techniques like tweaking "sniffing"
    software so that it can "sniff" the hostile "sniffing sentry," that is
    alerting the hostile sniffing software which is sniffing your sniffer
    !!! ...which comes first - the chicken, or the egg !! :)

    regards, Richard
     
    RJK, May 8, 2009
    #57
  18. RJK

    Mees de Roo Guest

    Well, this one won't bother anyone any longer!
    David's version 7 to come, will leave your hostfile alone and will even flush
    the DNS cache to make sure!
    But as I said, it DID take me some time .............
     
    Mees de Roo, May 9, 2009
    #58