Hosts file

Started by Simon, Mar 09, 2009, 21:48:18

Simon

I've just had my very first alert from Windows Defender, saying I've had a possible Hosts file hijack:

Quote
Category:
Settings Modifier

Description:
This program has potentially unwanted behavior.

Advice:

Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts

I opted to 'Clean' the file, which WD reports it has done successfully, however, when I now open the Hosts file in Notepad, I get the following:

Quote
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

Is this normal?  I thought it was supposed to contain actual settings, not what appears to be a 'sample'.  Can anyone clarify, please?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

john

Mine has the same samples Simon but then has an IP address followed by 'localhost'.


I think the IP address may be the same on every machine as I seem to recall it has the same one on the ones at work too.


Do you wish me to PM you with it ?

Sebby

Underneath all the commented lines (those that start with a '#') you should have 127.0.0.1 localhost.

Simon

What, so I just type 127.0.0.1 localhost underneath the last line, with no '#' or anything else?  Curiously, I thought that the http://home/ shortcut to the 2700 was an entry in the Hosts file too, and that's also disappeared, but the link still works.

Could it be possible that the current 'hosts' file is a rogue one?  It's not coming up as suspicious with any other scanners I've tried.
Simon.

Simon

Quote from: john on Mar 09, 2009, 21:55:47
Mine has the same samples Simon but then has an IP address followed by 'localhost'.


I think the IP address may be the same on every machine as I seem to recall it has the same one on the ones at work too.


Do you wish me to PM you with it ?

Thanks, John, I think Seb has answered that.  :)
Simon.

Simon

Well, I did it, and got the warning again, which, this time, I said 'Allow' to.  I'm guessing it came up before, because the 127.0.0.1 localhost entry must have been removed somehow.  :dunno:
Simon.

Steve

I wonder whether it was a false alarm in the first place :-\
Steve

Simon

That's what I'm starting to think, Steve.
Simon.

LesD

Just for the record this is what my host file contains and yes the last entry surprises me too!
The second from last I have seen many times but the last one is new to me.


# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
Regards,

Les.


Simon

Thanks Les.  I wouldn't know what to make of that last entry.  :dunno:
Simon.

Lance

The home thing for the 2700 is normally done from the router dns tables itself. The only time you would need an entry in the hosts file for this would be if you have manually configured dns servers within windows.
Lance

Simon

OK, it seems to have been a false alarm - now scanned with SAS and Malwarebytes, as well as F-Secure, and nothing found.  :)
Simon.

Rik

I think you should try Norton as well, Simon, just to be on the safe side. ;D
Rik

Ray

Quote from: Rik on Mar 10, 2009, 09:31:06
I think you should try Norton as well, Simon, just to be on the safe side. ;D

How come that wasn't picked up by the swear filter, Rik.  ;D
Ray

Rik

I doctored it.  :evil:
Rik

Sebby

Quote from: Rik on Mar 10, 2009, 09:31:06
I think you should try Norton as well, Simon, just to be on the safe side. ;D

Then his computer really would be infected. :P

gizmo71

I believe "::1" is the loopback address in IPv6-speak.
SimRacing.org.uk Director General | Team Shark Online Racing - on the podium since 1993
Up the Mariners!
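
An added example, not part of the original thread or written by any of its posters: a read-only review of a hosts file in the format the sample header describes, treating only the loopback `localhost` entries posted above (`127.0.0.1` and `::1`) as expected. The function names, the finding labels and both sample files are constructed for illustration.

```python
import ipaddress

# Constructed sample: abbreviated header plus the two entries posted in the thread.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
"""

# Constructed sample: the same file with two extra, made-up entries.
MODIFIED_HOSTS = DEFAULT_HOSTS + """\
203.0.113.10    www.example.com     # name sent to another address
127.0.0.1       update.example.net  # name pinned to loopback
"""

def parse_hosts(text):
    """Return (line_no, address, [names]) for every active (uncommented) entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere
        if line:
            fields = line.split()
            entries.append((line_no, fields[0], fields[1:]))
    return entries

def review_hosts(text):
    """Return (line_no, kind, address, name) for each entry worth a second look."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, " ".join(names)))
            continue
        if not names:
            findings.append((line_no, "malformed", addr, ""))
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue                      # the expected default entries
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirect"
            findings.append((line_no, kind, addr, name))
    return findings

if __name__ == "__main__":
    for finding in review_hosts(MODIFIED_HOSTS):
        print(finding)
```

To review a real file, pass its contents to `review_hosts`; on the machine in the first post that is `C:\WINDOWS\system32\drivers\etc\hosts`.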