Hosts files

Question

When you type in the symbolic name of another computer i.e. www.msgale.com something has to change it to its numeric address 216.168.224.63 there are several mechanism to do this DNS http://www.webopedia.com/TERM/D/DNS.html  services is the most common.  Another is by using the 'hosts' file (\windows\system32\drivers\etc\hosts).  The file is composed of lines of name and number parings as an example.    127.0.0.1 localhost myself   Anytime I would enter the ping command with either localhost or myself, the ping would go to 127.0.0.1 my/your local computer.   I have a Linksys router to connect to it the command is http://192.168.1.1  I am very bad with numbers so I added a line to the hosts file '192.168.1.1  router'.  Now whenever I type http://router I get a response from my router at 192.168.1.1   I then modified my hosts file to intechange the numeric addresses of LaSalle University and Temple University.  With that change if you tried to go to LaSalle University's home page you would get the home page of Temple University home page.  If you suspect malware and you have trouble getting to a specific web site to download some tools, i.e on-line virus scanners you may want to consider searching the host file for entries with the name have a problem with and deleting the offending line or commenting it out by putting a pound singn '#' as the first character.   Do not use a word processor it may put control characters in the file, 'Notepad' should work.

ky331 · Answer

'you may want to ... search the host file ...  deleting the offending line or commenting it out'   It should be noted that certain malware (e.g. the W32.Surflog.A worm), as well as some legitimate programs (e.g., WinPatrol) can LOCK the hosts file, making it READ-ONLY, and in such a case, one must remove this 'impediment' first, if you're able to (i.e., W32.Surflog.A will try to resist), before changing the HOSTS file.

jwatt · Answer

I think I've seen this symptom associated with malware, but I can't find the reference.

It's possible to change the directory where the hosts/lmhosts/services files are stored by editing the registry, as described in this Microsoft article. See the section entitled "Checking the Lmhosts File".

That will leave the original files in ...\system32\drivers\etc intact, but the running copies are somewhere else. If a machine is resolving host names incorrectly, but the "hosts" file in the standard location is OK, that registry entry should be examined.

I wonder if any of the anti-malware tools check for that entry. It's not present by default.

Jim

Virus & Spyware

Was this post helpful?