Said in HOSTS but it's not?

Discussion in 'Prevx Releases' started by CloneRanger, Jul 6, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi,

    A nasty www was blocked by PSOL the other day, the screen went black as it should and I was alerted by PSOL :thumb:

    PSOL said that www was in my HOSTS file.

    The funny thing is, I have a VERY small HOSTS file with less than 20 entries, and it is NOT in there :D

    I clicked the ignore button and proceeded anyway for testing ;) and PSOL said it had removed the entry ?

    How could it, if it wasn't in there, plus my HOSTS file is Read Only so PSOL couldn't alter it anyway ?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's possible that your hosts file was modified by other sources or hidden back. A HOSTs file rootkit isn't unheard of, although somewhat rare. It could also be that another component in the browser is redirecting the browsing - the hosts file message is generic and not always indicative of a change directly to the hosts file (although that is most likely the case).

    A read only attribute on a file doesn't prevent SafeOnline (or most applications) from modifying it :)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Hi

    It's read only and locked by [lock icon]

    You serious? :eek: If that's the case, which I very much doubt, then Prevx hasn't detected it :D

    Such as ?

    Well that makes it misleading then, and not the right info we need to see :(

    Anything you can suggest which might be of help would be welcome :)

    TIA
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That certainly wouldn't prevent everything ;)

    It is quite rare, but I saw an infection a few months ago which did it, although I strongly doubt this is the case :D

    Something in the LSP chain, a browser BHO that is maliciously redirecting traffic, a scripted extension within the browser, an injected DLL forwarding requests, something at the TDI level modifying packets, an NDIS rootkit changing destination addresses... the list continues :)

    If you do run into it again on another domain, let me know and I'll take a closer look :)
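The question in posts 2 and 4 is whether a domain is really in the hosts file at all, and if not, where else a redirect can live. The script below is an added example, not code from the thread or from Prevx: it parses the hosts file format itself (address, one or more names per line, `#` comments, tabs or spaces, first match wins), reports what a name maps to, flags entries that point anywhere other than loopback, and shows that the read-only attribute is only advisory. The `SAMPLE_*` contents and the `.invalid` domains are constructed test data; the Windows hosts path is the real default location.

```python
"""Check whether a domain really is mapped in a hosts file.

Added example (not from the thread or from Prevx). The SAMPLE_* strings
and the .invalid domains are constructed test data.
"""
import ipaddress
import os
import stat
from typing import Dict, List, Optional, Tuple

# Default location of the hosts file on Windows (real path).
WINDOWS_HOSTS = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")

# Constructed sample: a small block-list style file like the one in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example.invalid  tracker.example.invalid   # two names on one line
0.0.0.0\tbanner.example.invalid
# 127.0.0.1 commented.example.invalid
"""

# Constructed sample with one hijack-style line appended: a real-looking host
# sent to a non-loopback address (203.0.113.0/24 is a documentation range).
SAMPLE_HIJACKED = SAMPLE_HOSTS + "203.0.113.7 www.bank.example.invalid\n"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the hosts file gives it.

    Resolvers use the first matching line, so the first mapping seen wins.
    Malformed lines are skipped rather than raising.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        fields = line.split()                    # tabs or runs of spaces
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                             # not an address: ignore the line
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def lookup(mapping: Dict[str, str], domain: str) -> Optional[str]:
    """Address the hosts file assigns to `domain`, or None if it is absent."""
    return mapping.get(domain.strip().lower().rstrip("."))


def suspicious_entries(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries pointing anywhere other than loopback or the unspecified address.

    Blocking entries use 127.0.0.1, ::1 or 0.0.0.0; a name mapped to some
    other address is what a hosts-file hijack looks like.
    """
    flagged = []
    for name, addr in mapping.items():
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((name, addr))
    return flagged


def is_read_only(path: str) -> bool:
    """True if the owner write bit is clear (the Windows read-only attribute
    shows up here). Advisory only: a process with rights to the file can
    clear the attribute and write anyway, as PrevxHelp notes."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def explain(mapping: Dict[str, str], domain: str) -> str:
    """One-line verdict for a 'redirected via hosts' alert on `domain`."""
    addr = lookup(mapping, domain)
    if addr is None:
        return (f"{domain}: not in hosts; the redirect must come from elsewhere "
                "(LSP, browser extension/BHO, injected DLL, TDI/NDIS filter)")
    return f"{domain}: hosts maps it to {addr}"


if __name__ == "__main__":
    path = WINDOWS_HOSTS if os.path.exists(WINDOWS_HOSTS) else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    print("source:", path or "constructed SAMPLE_HOSTS")
    if path:
        print("read-only attribute set:", is_read_only(path))
    table = parse_hosts(text)
    print(f"{len(table)} name(s) mapped")
    for entry in suspicious_entries(table):
        print("non-loopback mapping:", entry)
    print(explain(table, "www.example.invalid"))
```

Run it on a Windows machine and it reads the live hosts file; elsewhere it falls back to the constructed sample. If the blocked domain is absent from the parsed table, the alert's "hosts file" wording is the generic message PrevxHelp describes, and the redirect is coming from one of the other layers listed above.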
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Originally Posted by PrevxHelp

    Oh no :D

    Interesting :eek:

    So do I ;)

    Thanks for the Such as info :thumb:

    Will do :)
     