# Is my hosts file corrupted?



## perfume (Sep 13, 2008)

Dear friends,
Of late, my FF3 browser has been acting up and today i have run Windows defender and it showed a single problem as i will describe below.

I visited the Microsoft Malware Detection Center and it explained what was found as " Trojan.Win32.qhost" and i cleaned it up!

Then i visited the "Hosts file" via command prompt and i received this message from Notepad:

```
Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Begin GZapper

# End GZapper# Begin GZapper

# End GZapper# Begin GZapper

# End GZapper
```

I am able to access any website of my choice and i do not touch unsafe websites and it includes torrent web sites or porn sites ( i need not, Paris has enough live scenes to view, they smooch on the pavements! )!

I have just ran a Sophos anti-rootkit and it came up with no problems found!

All the above info', i am typing from FF3 and i have neatly divided into paragraphs and if you see the whole thing as one saga, kindly excuse me and please clarify as to why all this is happening?

How do i go about re-creating a "new" and "clean" Hosts file ? Thanks in advance! will be grateful for constructive suggestions! Kindly view this link: http://www.microsoft.com/security/portal/Entry.aspx?name=SettingsModifier%3aWin32%2fPossibleHostsFileHijack&threatid=1758608427027806866


----------



## perfume (Sep 13, 2008)

Dear Gizzy,
Hey, my smilies are back again, but i seem to be in a bigger bowl of soup!


----------



## perfume (Sep 13, 2008)

Oh, i am really sorry as i forgot to post a thumbnail of what Windows Defender came up with :


----------



## gurutech (Apr 23, 2004)

Looks like Defender cleaned the malware entries from the HOSTS file (at least the ones that weren't commented out).

Anything below the "127.0.0.1 localhost" line is safe to delete (is probably related to the malware).

I'd suggest downloading a copy of Spybot S&D (www.spybot.info) and make sure to install the "Tea Timer" app - it will add entries to your hosts file for known malware sites with an IP address of 127.0.0.1. Basically this re-routes any attempt to go to a known malware site back to your local machine instead of the malware site itself.

It's a great app (FREE!!!) and is much better than WinDefender.


----------



## perfume (Sep 13, 2008)

Dear gurutech,
Thanks for the fast reply! Yes, i have used Spybot S&D in the past and of late when i was installing Kaspersky Internet Security Suite 2009, there was a conflict as KIS demanded that i delete Spybot which i had to! So, no Tea-Timer for me!

KIS2009 is very zealous and does not tolerate any program which"it" considers as unwanted and puts it in the "highly restricted Zone" with "limited Functionality"! It was prompting me like crazy that Sophos is "dangerous" and it offered to kill it, but i was merciful and saved Sophos anti-rootkit!

Now, how do i go about creating a new hosts file, as the previous one seems to be compromised?


----------



## perfume (Sep 13, 2008)

By the way, i am going to delete Sophos as KIS2009 demanded!


----------



## perfume (Sep 13, 2008)

I submitted the Hosts file to jott's online malware scan and kindly view this thumbnail! :


----------



## Phantom010 (Mar 9, 2009)

Dear Perfume,

Here's some info on how to deal with your Hosts file:

The first step in editing your HOSTS file is to find it. 
It's located in C:\Windows\System32\Drivers\Etc.

Examine the content of your HOSTS file, and compare it to the screenshot below. We do not need to worry about any line that begins with a # because it is ignored by Windows. Also, the line "127.0.0.1 localhost" can be safely ignored, because it is a standard entry.









A HOSTS file can be used to control Web page to IP address associations.

Anything else that appears in your HOSTS file without an # at the beginning, apart from the "127.0.0.1 localhost" line, should be viewed with suspicion when we are trying to diagnose the cause of "Page cannot be displayed" errors. The quickest way to test for HOSTS file involvement is to *right click* the HOSTS file, then select *Rename*. Add the letter X to the beginning or end of the file name and then ok your changes. By changing the name of the HOSTS file, we stop Internet Explorer from using it, and therefore resolve any issues caused by the file.
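
The triage rule in the post above (skip `#` lines, accept `127.0.0.1 localhost`, look hard at anything else) can be scripted. This is an added example, not part of any post in the thread; the verdict labels and the last three sample entries are constructed for illustration.

```python
import ipaddress

STANDARD = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# First lines as posted in the thread; the last three entries are constructed.
SAMPLE = """\
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
# Begin GZapper

# End GZapper# Begin GZapper

# End GZapper
127.0.0.1 ads.example.com tracker.example.com  # constructed blocklist line
203.0.113.7 update.example.com                 # constructed redirect line
not-an-ip www.example.com                      # constructed malformed line
"""

def classify_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every active entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not entry:
            continue                          # blank or comment-only line
        ip_text, *names = entry.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        for name in names:                    # one line may map several names
            name = name.lower().rstrip(".")
            if (str(ip), name) in STANDARD:
                verdict = "standard"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"           # name sent back to the local machine
            else:
                verdict = "redirect"          # name forced to another machine
            findings.append((line_no, str(ip), name, verdict))
    return findings

def needs_review(findings):
    """Entries to check by hand before trusting the file."""
    return [f for f in findings if f[3] in ("redirect", "malformed")]

if __name__ == "__main__":
    for finding in classify_hosts(SAMPLE):
        print(*finding)
```

On the lines taken from the thread alone, only the standard `localhost` entry is active; the GZapper markers are comments and produce no findings.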


----------



## Cookiegal (Aug 27, 2003)

Have you just started using G-Zapper?


----------



## aka Brett (Nov 25, 2008)

perfume you can use spybot without conflict if tea timer is disabled
there is a section in tools to add the spybot hosts file so tea timer isn't needed.
without tea timer checked spybot doesn't run in memory and will run happily with other programs
edit
should anyway


----------



## perfume (Sep 13, 2008)

Dear cookiegal,
i've been using G-Zapper since three months! Thank you! Do you suggest i remove it?

Dear phantom010,
will do as you directed me to, and will get back ASAP!(These folks who smooch standing on the pavements of Paris are a sight for sore eyes! you can imagine what's happening in the gardens we have!)

Dear brett888,
Man, i've missed your company in this forum! Scout's honour! Now what you posted is a great piece of news! Thanks a lot! Keep visiting us!


----------



## perfume (Sep 13, 2008)

Dear phantom010,
Thanks to you, i think we have caught the culprit! I am posting four thumbnails and kindly go thru' them and tell me what to do next! Here it goes:


----------



## aka Brett (Nov 25, 2008)

perfume
here is my hosts file from my xp side
it will open in notepad as i put txt file extension on it
open it and view it as this is what a good hosts file looks like.
if you want to use it while you are working on your own
then rename your hosts file to hostsold
save mine to the desktop and rename it hosts 
then copy and paste in the folder where your old hosts is
you can have a spybot hosts file without having to have spybot
cheers
edit
there are better hosts files out there than the above..but the back button doesn't always work correctly with some others...i have never had a problem with spybot's hosts file


----------



## perfume (Sep 13, 2008)

Dear brett888,
You've again proved that inside you beats a heart of "Gold"! Can't express my gratitude in mere words, as they are so dry and unemotional in nature! Just can't thank you enough!:up:

PS: which forum do you frequent most?


----------



## perfume (Sep 13, 2008)

brett888 said:


> perfume
> here is my hosts file from my xp side
> it will open in notepad as i put txt file extension on it
> open it and view it as this is what a good hosts file looks like.
> ...


Dear brett888,
I just put the notepad you gave in the same folder where my HOSTS file is located, after saving yours to the desktop! Kindly explain how the notepad's mere presence in the folder works as a spybot? Excuse my confusion! Now that you've gone thru' my thumbnails in the post i addressed to phantom010, what's your verdict? Corrupted or not? I can see the second thumbnail looks like "gibberish", isn't it?

By the way is obomba related to your President Obama? Is he into Bomb-manufacture? A few bombs on these hypocrites would do a world of good in my country!


----------



## Cookiegal (Aug 27, 2003)

I suspect that G-Zapper puts those entries in the hosts file as part of its function to block Google from tracking your searches and WD is picking up on that behaviour. 

You could uninstall G-Zapper and remove those entries from the hosts file (as I'm not sure uninstalling the program will remove them) and then reinstall the program and see if those entries reappear.


----------



## Phantom010 (Mar 9, 2009)

The quickest way to stop your browser from using the HOSTS file, while we try determining which application is the culprit, is to *right click* the HOSTS file, then select *Rename*. Add the letter X to the beginning or end of the file name and then ok your changes.


----------



## Phantom010 (Mar 9, 2009)

Additional information on the Hosts file:

Access is prevented to the websites listed in your HOSTS file, so if you're irritated by a particular pop-up, for example, you could simply add the website it's coming from to your HOSTS file.

You'll notice all entries begin with "127.0.0.1"; all entries MUST begin with this. If a website is preceded by "127.0.0.1", this means the website cannot load and is blocked. The first entry in the HOSTS file is "127.0.0.1 localhost". Your HOSTS file MUST begin with that entry.
To add websites to your HOSTS file (to block them), use this as a guideline:

Code: 
```
127.0.0.1 www.blockthiswebsite.com
```

After you've edited your HOSTS file, save the changes made (File > Save).
You're done!

Optional but recommended:

If you would like to use a pre-made HOSTS file, I recommend you use the MVPS HOSTS file. This HOSTS file blocks websites with ads/banners, parasites, hijackers, and unwanted search engines.

Originally Posted by MVPS.org:


> In many cases using a well designed HOSTS file can speed the loading of web pages by not having to wait for these ads, annoying banners, hit counters, etc. to load.
> This also helps to protect your Privacy and Security by blocking sites that may track your viewing habits, also known as "click-thru tracking" or Data Miners. Simply using a HOSTS file is not a cure-all against all the dangers on the Internet, but it does provide another effective "Layer of Protection".
> If you would like to use the MVPS HOSTS file, open your HOSTS file and delete everything in it. Copy everything in the MVPS HOSTS file (a quick way to select everything is Ctrl+A, then right-click > Copy). Once everything is copied, paste it into your HOSTS file (right-click > Paste). Then, you can save.
> 
> ...


----------



## perfume (Sep 13, 2008)

Dear cookiegal,
Thanks! i am un-installing G-Zapper and see if WD picks up"the behaviour pattern" , and if not will re-install the program! I think i am in love with G-Zapper! Someone somewhere must and should block huge monoliths like Google from exploiting our web-behaviour via third party cookies and use them to send promotional material via e-mail and other malicious means!

Though i know that i should not get hot under the collar (that too, button-downed ones), can't resist telling you, because Admins. like you are pattern setters and we follow in your wake! You definitely know how dangerous third party "persistent" cookies are!


----------



## perfume (Sep 13, 2008)

Phantom010 said:


> The quickest way to stop your browser from using the HOSTS file, while we try determining which application is the culprit, is to *right click* the HOSTS file, then select *Rename*. Add the letter X to the beginning or end of the file name and then ok your changes.


Dear phantom010,
I am really glad that you are on my side, seriously trying to solve my problem and i "THANK YOU" for that! You are a master and i am initiating the steps you outlined! (see, so many "i"s and "me"s)! Am i in love with myself? Shouldn't, because it's diseased and will wilt before all of you!

Is the MVPS HOSTS file a replacement to the HOSTS file I have? The concept of HOSTS file was introduced to me by "hewee" and i actually visited the web site you showed (in the follow up post you sent) and my right hand was actually aching half-way thru', adding all those, asked by the file! I don't mind doing the whole thing again! Can you kindly point out from where i can download (copy) the MVPS HOSTS file? Thanks again!:up::up:

I am a bit relaxed now, and am listening to Mark Knopfler's (Dire Straits fame) song "why Aye, why aye man"! He's the God of Guitar and BTW, do you listen to Rock music?:up:


----------



## Phantom010 (Mar 9, 2009)

Try here. There's a hosts.zip file to download.

And yes, I do listen to rock music.


----------



## perfume (Sep 13, 2008)

Phantom010 said:


> Try here. There's a hosts.zip file to download.
> 
> And yes, I do listen to rock music.


Have put an x mark after every host file, and will download the MVPS HOSTS file! Glad you rock - Deep Purple, Alice in Chains, Kiss, Def Leppard, Dire Straits, Linkin Park, Blue Oyster Cult, *AC/DC*, Rod Stewart (some guys have all the luck), White Stripes (not bad) etc!:up:


----------



## perfume (Sep 13, 2008)

Dear cookiegal,
I have removed the G-Zapper as advised. will run WD and get back ASAP! Thanks for your time!


----------



## Phantom010 (Mar 9, 2009)

perfume said:


> Have put an x mark after every host file, and will download the MVPS HOSTS file! Glad you rock - Deep Purple, Alice in Chains, Kiss, Def Leppard, Dire Straits, Linkin Park, Blue Oyster Cult, *AC/DC*, Rod Stewart (some guys have all the luck), White Stripes (not bad) etc!:up:


Rename the Hosts file not the individual entries you see within.


----------



## perfume (Sep 13, 2008)

Oh! O.K, then! Thanks for the tip!


----------



## aka Brett (Nov 25, 2008)

perfume said:


> Dear brett888,
> You've again proved that inside you beats a heart of "Gold"! Can't express my gratitude in mere words, as they are so dry and unemotional in nature! Just can't thank you enough!:up:
> 
> PS: which forum do you frequent most?


i just hop around,from one thread to the next


----------



## hewee (Oct 26, 2001)

If you do not have a Hosts file manager then get one. They can make having, editing, backing up and updating so much more easy.

Also WinPatrol can monitor the hosts file. It makes a backup also. But it alerts you if the hosts file changes and the only time that should happen is when you know about it because you made the changes.

You can get them here.
http://www.mvps.org/winhelp2002/hosts.htm

I use HostsMan but HostsXpert is good also.


----------



## aka Brett (Nov 25, 2008)

perfume said:


> Dear brett888,
> I just put the notepad you gave in the same folder where my HOSTS file is located, after saving your's to the desktop! *Kindly explain how the notepad's mere presence in the folder works as a spybot?* Excuse my confusion!


that was the hosts file created when you have spybot and choose to use the spybot hosts file...the entries within the file are merely sites that you don't want your pc to communicate with, it wouldn't have near the effect as spybot, but blocking the bad sites is a great part of the battle.
There are other good hosts files out there as well, i glanced the thread and i saw where you were getting a known good file.
Good to see you back, you hadn't been on much lately


----------



## perfume (Sep 13, 2008)

brett888 said:


> i just hop around,from one thread to the next


Dear brett888,
So,you're like that American boxer who said " i fly like a butterfly and sting like a bee". So, i guess ,OBOMBA is into defusing bombs and not making them!:up:


----------



## aka Brett (Nov 25, 2008)

perfume said:


> Dear brett888,
> So,you're like that American boxer who said " i fly like a butterfly and sting like a bee". So, i guess ,OBOMBA is into defusing bombs and not making them!:up:


Muhammad Ali, he was a great boxer.
Obama is into printing money and raising taxes, taking care of his Wall Street buddies with cabinet positions or jobs, forcing a merge with Fiat and Chrysler.
setting terrorists free to the states and giving them grants. Giving money to other countries for abortions, further raise corporate taxes increasing the price of our goods and forcing more companies to go overseas further harming the economy.
I better stop as this doesn't belong in this thread,
so i will leave it at Obama is to America as fox is to chicken


----------



## perfume (Sep 13, 2008)

Phantom010 said:


> Try here. There's a hosts.zip file to download.
> 
> And yes, I do listen to rock music.


Dear phantom010,
Grateful! Unzipped and extracted the MVPS HOSTS file to the HOSTS folder and deleted the other entries! The original HOSTS file had no content in it!:up:


----------



## Phantom010 (Mar 9, 2009)

You're welcome!


----------



## perfume (Sep 13, 2008)

Dear phantom010,
It's knowledgeable folks like you who have made the site and the forums so useful and helpful! Excellent piece of detective work you did!


----------



## perfume (Sep 13, 2008)

Dear cookiegal,
I have saved the best till the last! You have asked me to run WD after removing G-Zapper and cleaning up the trash in the HOSTS File. I am attaching a thumbnail of what WD displayed after a full scan! Really thankful to you, but i miss the Zap sound of G-Zapper!:up:


----------



## Cookiegal (Aug 27, 2003)

perfume said:


> Dear cookiegal,
> I have saved the best till the last! You have asked me to run WD after removing G-Zapper and cleaning up the trash in the HOSTS File. I am attaching a thumbnail of what WD displayed after a full scan! Really thankful to you, but i miss the Zap sound of G-Zapper!:up:


I only asked you to remove it as a test and then reinstall it if you want it and see if it puts those entries back in the hosts file again. I don't think there ever was anything malicious in the hosts file.


----------



## perfume (Sep 13, 2008)

Dear cookiegal,
Now that's fantastic! I'll get to hear the Zap sound again. Many thanks!


----------

