Question for SpyBot users concerning HOSTS file

Discussion in 'other anti-malware software' started by siliconman01, Jan 18, 2006.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I've been struggling with a user's system via email trying to recover from an incomplete KazaaLite and Kazaa Resurrection removal plus a damaged HOSTS file where 127.0.0.1 localhost as the first entry was non-existent and the first entry was 127.0.0.1 desktop.kazaa.com. That's been straightened out. KazaaBeGone has been run and other things done to complete the removal of Kazaa.

    The user has been using SpyBot V1.4. The HOSTS file was damaged at the time the user installed SpyBot V1.4. Is there any protection lock in SpyBot that would have picked up 127.0.0.1 desktop.kazaa.com from the HOSTS file and is now making the system think localhost is desktop.kazaa.com?

    When running X-Netstat, it is showing multiple connections to desktop.kazaa.com and none to localhost.
     
  2. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    The only thing I can think of is if you check the "lock hosts file" feature in Spybot, but I have been able to edit my hosts file even with that enabled.
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Throw this into your thoughts.

    If you had an exisiting Hosts file located in the proper location for your OS when you added Spybot's Hosts file protection....Spybot added it's Hosts file to the end of your Hosts file. Having said that....Spybot would not have "picked up" anything....it simply adds to the end of an exisiting Hosts file which for a default Windows Hosts file as you probably know the entry is....
    127.0.0.1 localhost

    Code:
    # Copyright (c) 1998 Microsoft Corp. 
    # This is a sample HOSTS file used by Microsoft TCP/IP stack 
    -
    -
    [COLOR="Red"]127.0.0.1 localhost[/COLOR]
    Code:
    [COLOR="Red"]127.0.0.1 localhost [/COLOR]
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1	babe.the-killer.bz
    127.0.0.1	www.babe.the-killer.bz
    127.0.0.1	babe.k-lined.com
    -
    -
    # This list is Copyright 2000-2004 Patrick M. Kolla / Safer Networking Limited
    # End of entries inserted by Spybot - Search & Destroy
    
     
  4. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Hey, thanks for the replies. I just wanted to check with experienced Spybot users on this in order to rule in/out interaction on the problem. Thanks again
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    If the Hosts file has been compromised as you say, its time to replace it with perhaps one from the following list of well-known Hosts file providers:

    Hosts file: http://remember.mine.nu/ [WinXP: disable DNS Client service]
    Hosts file: http://www.mvps.org/winhelp2002/hosts.htm or hosts.zip
    MVPS Hosts file: http://forum.aumha.org/viewtopic.php?t=15921&sid=c3c390156c8dda6afdfa641612ec9d3e
    Hosts file: http://www.dozleng.com/hpguru/
    Hosts file: http://accs-net.com/hosts/get_hosts.html
    Hosts file: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
    Hosts file: http://www.bluetack.co.uk/forums/index.php?showtopic=8406
    Hosts file: http://www.richardthelionhearted.com/Hosts/index.htm

    After replacing the Hosts file, you can run Spybot S&D and from Advanced View mode, select Hosts from under Tool submenu on left, and add the Spybot entries to the end of the newly installed Hosts file, and check the box that prevents the Hosts file from modification.

    -- Tom
     
  6. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Thanks lotuseclat79.

    The HOSTS file has been completely rebuilt and is as it should be with the first entry being 127.0.0.1 localhost
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    This issue has been resolved. It turned out to be a caching problem in X-NetStat Pro where it picked up the info from the damaged HOSTS file. Clearing this cache picked up the new 127.0.0.1 localhost for the X-NetStat display.

    Thanks for the feedback and guidance.
     
Loading...
Thread Status:
Not open for further replies.