Dazed_and_Confused
August 9th, 2004, 09:43 PM
For some reason it appears that when I ran an AdAware scan today it listed a bunch of blocked sites that I added a couple of months ago (using Spybot S&D) to my Hosts file. Am I misreading these results, and is this really a security issue, or is this a false alarm? ??? See below. Thanks!
nick s
August 9th, 2004, 09:48 PM
As long as the entries are being redirected to 127.0.0.1, you're OK. I would say false alarms.
Nick
Dazed_and_Confused
August 9th, 2004, 09:50 PM
-{ Quote: "As long as the entries are being redirected to 127.0.0.1, you're OK. I would say false alarms.
Nick" }-
Thanks, Nick. I thought so, but wanted to make sure. I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries. ??? ???
FanJ
August 9th, 2004, 10:39 PM
Hi Daisy,
Nick is right.
Something similar is mentioned at the MVPS-HOSTS site.
Indeed: just ignore them if they are redirected to 127.0.0.1 like Nick already posted :)
Cheers, Jan.
nick s
August 9th, 2004, 11:19 PM
-{ Quote: "Hi Daisy,
Nick is right.
Something similar is mentioned at the MVPS-HOSTS site.
Indeed: just ignore them if they are redirected to 127.0.0.1 like Nick already posted :)
Cheers, Jan." }-
I use the MVPS hosts file and set Ad-Aware to ignore the hosts file. The MVPS hosts file has about 6000 entries.
Nick
Tassie_Devils
August 10th, 2004, 12:24 AM
As Nick says "Ignore" them... whatever you do, DON'T DELETE.... those are the redirected "bad" sites back to you so you cannot get to them from a hosts file... 127.0.0.1
You will only get an alert once you ignore them, when you update a new lot of hosts files.
In your scan, the next time AdAware will say how many items you've set in Ignore Section.
The reason AdAware 'sees' them, is the 'redirection' aspect of those, as that is what spyware will do to your security apps so they cannot be updated. Each time you try to connect to the update site then, it simply redirects back to your home machine.
Just a little more info. :)
TAS
FanJ
August 10th, 2004, 12:35 AM
Nevertheless I wonder exactly the same as Daisy posted:
"I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries."
Just like I'm wondering for example why PestPatrol sometimes doesn't check the DWORD of a registry-entry (example: a registry-entry put there by IE-SPYAD, to put a site in the Restricted Zone of IE).
Brent
August 10th, 2004, 12:45 AM
Same thing happened to me
Dazed_and_Confused
August 10th, 2004, 10:12 PM
Thanks to everyone for their helpful replies. :)
-{ Quote: "I use the MVPS hosts file and set Ad-Aware to ignore the hosts file. The MVPS hosts file has about 6000 entries." }-When the entries showed in the Ad-Aware scan, I added them (60 entries) to the ignore list. When you say that you "set Ad-Aware to ignore the hosts file", did you do this same thing (just ignore every single entry as it is detected during a scan), or is there a way to simply tell Ad-Aware to always ignore everything in the Hosts file?
Edit: By the way, there are a LOT more entries in my Hosts file. Not sure why Ad-Aware just now decided to start flagging only 60 of them. ???
nick s
August 10th, 2004, 10:16 PM
-{ Quote: "Thanks to everyone for their helpful replies. :)
When the entries showed in the Ad-Aware scan, I added them (60 entries) to the ignore list. When you say that you "set Ad-Aware to ignore the hosts file", did you do this same thing (just ignore every single entry as it is detected during a scan), or is there a way to simply tell Ad-Aware to always ignore everything in the Hosts file?
Edit: By the way, there are a LOT more entries in my Hosts file. Not sure why Ad-Aware just now flagged only 60 of them. ???" }-
Here's where I disabled the hosts file scan. I like to manage the hosts file myself.
Nick
Dazed_and_Confused
August 10th, 2004, 10:19 PM
-{ Quote: "Here's where I disabled the hosts file scan. I like to manage the hosts file myself.
Nick" }-
Aah. Found it. Thanks, Nick. By the way, are you aware there is a new version of Ad-Aware?
nick s
August 10th, 2004, 10:25 PM
-{ Quote: "Aah. Found it. Thanks, Nick. By the way, are you aware there is a new version of Ad-Aware?" }-
I know. I bought the Plus version a long time ago. So I'm waiting for my free SE Plus upgrade e-mail.
Nick
iceni60
August 10th, 2004, 10:28 PM
-{ Quote: " I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries. ??? ???" }-
You lot know more about these things than I do, but isn't it because malware puts 127.0.0.1 entries into the hosts file to stop you downloading HJT, using online scanners, etc.?
nick s
August 10th, 2004, 10:34 PM
-{ Quote: "You lot know more about these things than I do, but isn't it because malware puts 127.0.0.1 entries into the hosts file to stop you downloading HJT, using online scanners, etc.?" }-
Good point. The hosts file can be a two-edged sword.
Nick
Tassie_Devils
August 11th, 2004, 12:09 AM
-{ Quote: "Good point. The hosts file can be a two-edged sword." }-
Yes, that can be a problem... you really have to check the entries listed.
Must admit I nearly fell off chair first time it happened, as it was near the very end of scan and up pops all these, especially when I saw the words 'CoolwebSearch' at end of lists, until I checked. :)
TAS
dog
August 11th, 2004, 12:17 AM
Hi All, ;)
Ad-Aware SE New Build 1.02 available upgrade from 1.01
http://www.lavasoft.de/
Download SE 1.02 from Major Geeks - http://www.majorgeeks.com/download506.html
Ad-Aware SE Build 1.02
No longer picks up F/P's for 127.0.0.1 hosts entries - as redirects. ;) :)
dog - *puppy*
iceni60
August 11th, 2004, 02:19 AM
-{ Quote: "Hi All, ;)
No longer picks up F/P's for 127.0.0.1 hosts entries - as redirects. ;) :)
dog - *puppy*" }-
Do you know if that is the only update for this new version? Because if it is, I'll keep the one I've got; it seems to make more sense to me. ???
dog
August 11th, 2004, 02:30 AM
-{ Quote: "Do you know if that is the only update for this new version? Because if it is, I'll keep the one I've got; it seems to make more sense to me. ???" }-
It's all I noticed so far. ;)
-{ Quote: ".. but isn't it because malware puts 127.0.0.1 entries into the hosts file to stop you downloading HJT, using online scanners, etc.?
" }-
As for this ... well ... seeing as you have this knowledge ... you can always check your hosts file for bad entries if something should go wrong ... but a modified hosts file will help prevent malware from adding entries to begin with ... you can also set the file to read only for a ~little~ added protection.
But I think not picking up these F/P's is much better for the less advanced user ... as they'll most likely delete the found F/P's and lose the protection afforded them by their modified hosts file.
dog - *puppy*
iceni60
August 11th, 2004, 02:38 AM
Thanks, dog *puppy*. I did a scan then put the results from my hosts file in ignore, so if anything shows up it should be malware. And, after reading your post, I set it to read-only ;) , and have it locked with Spybot. But I'll have to check and see what was in the update. Thanks *puppy* :D *puppy*
dog
August 11th, 2004, 02:57 AM
NEW features in Ad-Aware SE Professional edition
Applicable to both 1.01 & 1.02 - I can't find any details about the version 1.02 update ... other than what I noticed in regards to no longer reporting the F/P host redirects.
- New command line parameters that allow for silent and automated operation of Ad-Aware
- UNC support for remote storage of Preferences, definitions, and log files
- New results screens and detailed statistics
- Improved logging and reporting
- Hardened against third party uninstall with encrypted preference files
- Links to more information on detected content from our website
- New safety option that allows you to write protect sensitive system files such as the Hosts file
Scanning engine improvements
Extended Memory scanning
Now scans all modules loaded by a process
Uses our all new CSI (Code Sequence Identification) technology to identify new and unknown variants of known targets
Extended protection against DLL-injection, SE can unload process modules on the fly
Extended Registry scanning
Now scans registry branches of multiple user accounts
Performs additional smart checks to detect dynamically created references
Scanning speed noticeably faster
Extended Scanning for known and unknown/possible Browser-Hijackers
Extended Disk scanning
Now scans and lists alternate Data-streams on NTFS volumes
Now Ad-Aware supports scanning of Cabinet files, (including spanned archives)
Scanning speed increased
Improved Hosts-file scan
Now Ad-Aware and Ad-Watch use much smaller reference files
Several User Interface improvements
Improved Graphical UI
Ad-Aware now supports custom graphical Skins
More user friendly Plug-in/Extension GUI (Plug-ins and Extensions now shown on separate screens)
New Scan Result view, includes a scan summary and detailed view
Ad-Aware now linked to the online TAC database
Multiple New Tweak options
Unloading of process modules during a scan
Obtaining command line of scanned processes
Ignoring spanned cab files
Scan registry for all users instead of current user only
Permanent archive caching
Always try to unload modules before deletion
Disable manual quarantine if auto quarantine is selected
Block pop-ups aggressively
Load Ad-Watch minimized
Hide Ad-Watch tray icon
Write protect system files after repair
Limit drive selection to fixed drives
Use gridlines in item lists
Log file detail section condensed
Process-Watch
Improved Process-Watch scanning capabilities and scanning speed (Using the new CSI technology)
Several Process-Watch Interface improvements
Option to create a Hexdump of the process memory or dump the process memory to disk
Several logfile improvements
Includes support for separate removal logfiles
Allows adding a Reference summary/index to logfiles
Logfile contains overall more detailed information
Ad-Watch *Plus Version
Several GUI improvements
Ad-Watch now supports Cookie Blocking
Site-manager to edit the popup-blacklist included
Ad-Watch now uses the new CSI technology to detect new and unknown variants of known targets
New Ad-Watch configuration screen
New rules editor for pre-defined blocking exclusions
Support for hiding the Ad-Watch tray icon for unattended operation
dog - *puppy*
Dazed_and_Confused
August 12th, 2004, 07:15 PM
-{ Quote: "Hi All, ;)
Ad-Aware SE New Build 1.02 available upgrade from 1.01
http://www.lavasoft.de/
Download SE 1.02 from Major Geeks - http://www.majorgeeks.com/download506.html
Ad-Aware SE Build 1.02
No longer picks up F/P's for 127.0.0.1 hosts entries - as redirects. ;) :)
dog - *puppy*" }-
Thanks for the info, Dog! :)
JRosenfeld
August 12th, 2004, 09:39 PM
Actually, it still picks up some. 1.02 SE (free version), with the latest update, flagged this in big red letters:
Warning!
Bad Hosts file entry:127.0.0.1:only-virgins.com
Win32.Delf.Trojan.A Object Recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Malware
Comment :
Bad Hostfile entry : 127.0.0.1:only-virgins.com
That entry in the hosts file is perfectly correct and to flag it in red on the critical list will only cause unnecessary scare to the less experienced. Letting AdAware fix it (assuming that they have thought about the possibility that my hosts file is read only) would actually put me at greater risk, should I ever be tempted to pay the virgins a visit :-).
As for the point made higher up in this thread (sorry, forgot by whom) that malware can redirect 'good' sites to 127.0.0.1, true, but AdAware would not flag those anyway, unless somehow it built up a database of 'good' sites.
What I would like it to flag are entries redirecting to other than localhost (usually 127.0.0.1), which malware often does too (redirecting to their own sites, for example). It could also check that the hosts file has been set to read only, which is a good first line of defence against malware writing into it (not foolproof, of course, it's not difficult to bypass if the malware programmer wants to, just one extra little hurdle).
I made the point on the Lavasoft boards, calling the above example a false positive, but they claim it is a 'feature'. Still, they have passed on the comments to their development team, so maybe things will change in some future update.
PS No idea where those emoticons have sprung from...underneath it says only-virgins.com.
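The two checks asked for above (flag entries that send a name somewhere other than localhost, and check that the file is read only), together with the earlier point that malware adds 127.0.0.1 entries for security-update sites, can be put into a small script. This is an added example in Python, not code from the thread or from Lavasoft; the PROTECTED_HOSTS list and SAMPLE_HOSTS are constructed for the demonstration.

```python
import ipaddress
import os

# Targets a blocking entry legitimately points at: "redirected back to your own machine".
LOCALHOST = {"127.0.0.1", "0.0.0.0", "::1"}
# Constructed sample of update sites a blocking hosts file should never contain (assumption).
PROTECTED_HOSTS = {"www.lavasoft.de", "www.majorgeeks.com", "www.microsoft.com"}

def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping, skipping comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # skip lines that are not IP-first
        except ValueError:
            continue
        for host in parts[1:]:                        # one IP may carry several names
            entries.append((ip, host.lower(), line_no))
    return entries

def classify(text):
    """Split entries into benign blocks and the two patterns worth an alert."""
    result = {"block": [], "blocks_security_site": [], "redirect_elsewhere": []}
    for entry in parse_hosts(text):
        ip, host, _ = entry
        if host == "localhost":
            continue                                  # the standard localhost line
        if ip not in LOCALHOST:
            result["redirect_elsewhere"].append(entry)    # sent to someone else's server
        elif host in PROTECTED_HOSTS:
            result["blocks_security_site"].append(entry)  # update site made unreachable
        else:
            result["block"].append(entry)                 # MVPS-style entry: harmless
    return result

def hosts_file_is_read_only(path):
    """True when the file exists and the current user cannot write it (the extra hurdle)."""
    return os.path.exists(path) and not os.access(path, os.W_OK)

SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       only-virgins.com      # blocking entry from a list such as MVPS: benign
0.0.0.0         ads.example.net
127.0.0.1       www.lavasoft.de       # blocks an update site: hijack pattern
203.0.113.7     www.majorgeeks.com    # redirected to a stranger's server: hijack pattern
"""
```

Run `classify(open(r"C:\Windows\System32\drivers\etc\hosts").read())` on a real machine; only the two hijack buckets deserve a red warning, the "block" bucket is the protection you want to keep.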
Bubba
August 13th, 2004, 12:21 PM
From the Lavasoft Product Updates page:
Ad-Aware SE 1.03 Now Available, New definition file included (http://www.lavasoftsupport.com/index.php?showtopic=41538)
-{ Quote: "Updated Items
--------------------------------------------------------
trojan (win32.delf.trojan.a)" }-
Note
Re-ran Adaware 1.02 and the....127.0.0.1 only-virgins.com Hosts entry....was still being flagged. I then installed the new 1.03 defs.ref file....and it no longer flags the above mentioned Hosts entry.
JRosenfeld
August 13th, 2004, 01:32 PM
Yes, 1.03 has fixed it! So now I have nothing more to grumble about :-)
FanJ
August 13th, 2004, 09:40 PM
-{ Quote: "
PS No idea where those emoticons have sprung from...underneath it says only-virgins.com." }-
Hi,
It is the board-software that "translates" the characters :o immediately after each other to that emoticon http://www.wilderssecurity.com/images/smilies/eek.gif
If such a thing happens and you don't want it to happen, then (when you are making your posting) put a checkmark in the box "Disable smilies in text" in the "Additional Options" at the bottom.
Dazed_and_Confused
August 14th, 2004, 11:37 AM
Thanks to everyone. The new version of Ad-Aware seems to be working fine on my PC. No more false positives. :)