I've just had my very first alert from Windows Defender, saying I've had a possible Hosts file hijack:
Quote:
Category:
Settings Modifier
Description:
This program has potentially unwanted behavior.
Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts
I opted to 'Clean' the file, which WD reports it has done successfully. However, when I now open the Hosts file in Notepad, I get the following:
Quote:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
Is this normal? I thought it was supposed to contain actual settings, not what appears to be a 'sample'. Can anyone clarify, please?
Mine has the same samples Simon but then has an IP address followed by 'localhost'.
I think the IP address may be the same on every machine as I seem to recall it has the same one on the ones at work too.
Do you wish me to PM you with it?
Underneath all the commented lines (those that start with a '#') you should have 127.0.0.1 localhost.
What, so I just type 127.0.0.1 localhost underneath the last line, with no '#' or anything else? Curiously, I thought that the http://home/ shortcut to the 2700 was an entry in the Hosts file too, and that's also disappeared, but the link still works.
Could it be possible that the current 'hosts' file is a rogue one? It's not coming up as suspicious with any other scanners I've tried.
Quote from: john on Mar 09, 2009, 21:55:47
Mine has the same samples Simon but then has an IP address followed by 'localhost'.
I think the IP address may be the same on every machine as I seem to recall it has the same one on the ones at work too.
Do you wish me to PM you with it?
Thanks, John, I think Seb has answered that. :)
Well, I did it, and got the warning again, which, this time, I said 'Allow' to. I'm guessing it came up before, because the 127.0.0.1 localhost entry must have been removed somehow. :dunno:
I wonder whether it was a false alarm in the first place :-\
That's what I'm starting to think, Steve.
Just for the record, this is what my hosts file contains, and yes, the last entry surprises me too!
The second from last I have seen many times but the last one is new to me.
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
Thanks Les. I wouldn't know what to make of that last entry. :dunno:
The home thing for the 2700 is normally done from the router's DNS tables itself. The only time you would need an entry in the hosts file for this would be if you have manually configured DNS servers within Windows.
OK, it seems to have been a false alarm - now scanned with SAS and Malwarebytes, as well as F-Secure, and nothing found. :)
I think you should try Norton as well, Simon, just to be on the safe side. ;D
:eek4:
Quote from: Rik on Mar 10, 2009, 09:31:06
I think you should try Norton as well, Simon, just to be on the safe side. ;D
How come that wasn't picked up by the swear filter, Rik. ;D
I doctored it. :evil:
Quote from: Rik on Mar 10, 2009, 09:31:06
I think you should try Norton as well, Simon, just to be on the safe side. ;D
Then his computer really would be infected. :P
I believe "::1" is the loopback address in IPv6-speak.
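As an added example (not code from anyone in this thread), here is a small Python checker that reads a hosts file the way the file's own header describes (IP in the first column, host names after it, '#' starting a comment) and separates the two loopback entries Seb and Les describe from anything else, which is the part a hosts-file hijack would have changed. The sample file and its extra non-loopback line are constructed.

```python
from typing import Dict, List, NamedTuple

# Constructed sample: the file Les posted, shortened, plus one extra mapping
# (not from the thread) so the audit has something to flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
10.0.0.5   update.example.test  # constructed: not a loopback entry
"""

# The two entries the thread settles on: IPv4 and IPv6 loopback -> localhost.
# Windows Vista and later ship them commented out, so 'missing' alone is not
# a sign of tampering on those versions.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

class HostEntry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]

def parse_hosts(text: str) -> List[HostEntry]:
    """Return the active entries of a hosts file, following the format the
    file's own header describes: IP first, then host names, whitespace
    separated; '#' starts a comment, on its own line or after an entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an IP with nothing to map
        entries.append(HostEntry(lineno, fields[0], fields[1:]))
    return entries

def audit_hosts(text: str) -> Dict[str, list]:
    """Split entries into the expected loopback mappings and everything else.
    An 'unexpected' entry overrides DNS for that name on this machine, which
    is what a hosts-file hijack relies on, so each one deserves a look."""
    report = {"expected": [], "unexpected": [], "missing": []}
    seen = set()
    for entry in parse_hosts(text):
        pairs = {(entry.ip, name.lower()) for name in entry.names}
        seen |= pairs
        report["expected" if pairs <= EXPECTED else "unexpected"].append(entry)
    report["missing"] = sorted(EXPECTED - seen)
    return report
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into a string and pass it to audit_hosts; the 'unexpected' list is what to review.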