Said in HOSTS but it's not ?

Discussion in 'Prevx Releases' started by CloneRanger, Jul 6, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    Hi,

    A nasty www was blocked by PSOL the other day, the screen went black as it should and I was alerted by PSOL :thumb:

    PSOL said that www was in my HOSTS file.

    The funny thing is, I have a VERY small HOSTS file with less than 20 entries, and it is NOT in there :D

    I clicked the ignore button and proceeded anyway for testing ;) and PSOL said it had removed the entry?

    How could it, if it wasn't in there, plus my HOSTS file is Read Only so PSOL couldn't alter it anyway?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's possible that your hosts file was modified by other sources or hidden back. A HOSTS file rootkit isn't unheard of, although somewhat rare. It could also be that another component in the browser is redirecting the browsing - the hosts file message is generic and not always indicative of a change directly to the hosts file (although that is most likely the case).

    A read only attribute on a file doesn't prevent SafeOnline (or most applications) from modifying it :)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    @PrevxHelp

    Hi

    It's read only and locked by

    lock.gif

    You serious :eek: If that's the case, which I Very much doubt, then Prevx hasn't detected it :D

    Such as ?

    Well that makes it misleading then, and not the right info we need to see :(

    Anything you can suggest which might be of help would be welcome :)

    TIA
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That certainly wouldn't prevent everything ;)

    It is quite rare but I have seen an infection a few months ago which did it although I strongly doubt this is the case :D


    Something in the LSP chain, a browser BHO that is maliciously redirecting traffic, a scripted extension within the browser, an injected DLL forwarding requests, something at the TDI level modifying packets, an NDIS rootkit changing destination addresses... the list continues :)

    If you do run into it again on another domain, let me know and I'll take a closer look :)
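
    Added example, not part of the original posts and not Prevx code: one way to confirm whether a domain really is mapped in a hosts file, and to fingerprint the file so a later change shows up even when the read-only attribute is still set. The sample content, the domain names and the script name `hosts_check.py` are constructed placeholders.

```python
import hashlib
import ipaddress
import sys

# Constructed sample (not from the thread); all names are placeholders.
SAMPLE_HOSTS = (
    "\ufeff# sample hosts file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0   ads.example.net  tracker.example.net  # blocked\n"
    "203.0.113.7\tWWW.Bad-Site.Example.\n"
    "not-an-ip       ignored.example\n"
)

def parse_hosts(text):
    """Return {hostname: [addresses]} for every well-formed mapping line."""
    mappings = {}
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a leading BOM
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                                 # blank or address-only line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                                 # first field is not an IP
        for name in fields[1:]:                      # one line may map several names
            mappings.setdefault(name.rstrip(".").lower(), []).append(addr)
    return mappings

def lookup(text, domain):
    """Addresses the hosts text maps `domain` to (empty list if absent)."""
    return parse_hosts(text).get(domain.rstrip(".").lower(), [])

def fingerprint(data):
    """SHA-256 of the raw file bytes, for comparison with a saved baseline."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    # Usage: python hosts_check.py <hosts-file> <domain>
    if len(sys.argv) == 3:
        data = open(sys.argv[1], "rb").read()
        text = data.decode("utf-8", errors="replace")
        print("sha256:", fingerprint(data))
        print(sys.argv[2], "->", lookup(text, sys.argv[2]) or "not in file")
    else:
        print(lookup(SAMPLE_HOSTS, "www.bad-site.example"))
```

    A "not in file" result only rules out a visible hosts entry; it says nothing about the other redirection points listed in the post above.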
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    Originally Posted by PrevxHelp

    Oh no :D

    Interesting :eek:

    So do I ;)

    Thanks for the Such as info :thumb:

    Will do :)
     