Bienvenido! - Willkommen! - Welcome!

Technical Blog of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Wednesday, October 1, 2008

hosts & unwanted malware

C:\WINDOWS\system32\drivers\etc\
What it does

The Hosts file contains the mappings of IP addresses to host names.
This file is loaded into memory (cache) at startup. Windows then checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local (your) machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, provided the entry exists.
You can use a HOSTS file to block ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connections that supply these little gems.
Example - the following entry
127.0.0.1 ad.doubleclick.net
blocks all files supplied by that DoubleClick server to the web page you are viewing. This also prevents the server from tracking your movements. Why? Because in certain cases "Ad Servers" like DoubleClick (and many others) will try to open a separate connection on the web page you are viewing.
Windows XP SP2 users should see a Security Center prompt about allowing this connection.
Simply click No and continue. Yes, the prompts can be annoying, but at least you'll know. However, you should not see these prompts if these entries are included in the HOSTS file.
Note: this prompt only occurs if (example) *.doubleclick.net is included in the "Restricted Zone".
More Examples: AdTech | BridgeTrack | Honesty | Mgnetwork | ValueClick | Google AdSense | Atdmt | Atdmt

Now here is a 3rd party ad server opening a connection to another 3rd party ad server - Ad-Flow
More 3rd parties opening other 3rd parties: Overture | Overture2 | Directtrack | Directtrack2 | RealMedia

Note: Placing these types of sites in the Restricted Zone also cures most "Back Button" issues.
Now includes most major parasites, hijackers and unwanted Adware/Spyware programs!
...

To view the HOSTS file in plain text form. (604 kb) (opens in browser)
Note: The text version also makes a terrific reference for determining possible unwanted sites.
Download: hosts.zip [right-click - Select: Save Target As] [Updated September-23-2008]
Read more: Source

=============================================
Creating a HOSTS Editor
To edit your HOSTS file you can create a custom Desktop or Quick Launch shortcut.

Note: the locations below are the default paths; edit as needed.
Right-click on the Desktop, select: New > Shortcut (and paste the following)

Windows XP
Target: C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS
Start In: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Or put a Notepad shortcut in your SendTo folder:
Start | Run (type) sendto (click Ok)
File > New > Shortcut
In the command line, highlight and paste the below:
C:\WINDOWS\NOTEPAD.EXE (provided Windows is in the default location)
Then simply right-click on the HOSTS file and select: SendTo > Notepad
Vista

You can use the same method as above; however, after creating your shortcut you will need to right-click the shortcut and select: Properties, click Advanced and select: Run as Administrator, click Apply/Ok.
Windows ME/98

I would recommend using a 3rd party editor such as HostsXpert or one of the other Utilities listed below since the HOSTS file is too large for the version of Notepad used in Win98/ME. If you are using a HOSTS file now, check to see if there are any needed entries before you replace it with the new download. Several users have reported overwriting their entries for Norton's Email Protection or AdSubtract, etc.

127.0.0.1 pop3.norton.antivirus
127.0.0.1 pop3.spa.norton.antivirus

_____________________________________________

Editing the HOSTS file

  • You must maintain the proper format or else the entry will be invalid.
  • Entries are invalid if they contain "http:" or an ending "/" slash.
  • IP addresses are invalid as host names in HOSTS file entries.
    (e.g. 127.0.0.1  123.456.78.9)
  • In the event you need to rename the file, use the below batch file.
  • If you wish to disable an entry place a "#" in front of the line.
  • Each host entry is limited to 255 characters.
Note: HijackThis can detect invalid entries or a "redirection" entry.
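
A small auditor for the format rules listed above, written as an added example (not code from the original page or from HijackThis). It assumes that a "redirection" entry means a host name mapped to anything other than 127.0.0.1, 0.0.0.0 or ::1; the sample entries and the names audit_hosts, SINKS and SAMPLE are constructed for illustration.

```python
import ipaddress
import re

SINKS = {"127.0.0.1", "0.0.0.0", "::1"}  # assumption: addresses used for blocking
MAX_ENTRY_LEN = 255                        # per-entry limit stated above

# Constructed sample input, not a real HOSTS file.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 http://ads.example.com/
127.0.0.1 123.456.78.9
#127.0.0.1 disabled.example.com
203.0.113.10 www.example.com
127.0.0.1 pop3.norton.antivirus
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_hosts(text):
    """Return (line_number, kind, detail) tuples for suspect entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # "#" disables the rest of the line
        if not line:
            continue
        addr, *names = line.split()
        if len(line) > MAX_ENTRY_LEN:
            findings.append((n, "invalid", "entry exceeds 255 characters"))
        elif not is_ip(addr) or not names:
            findings.append((n, "invalid", "expected '<IP address> <host name>'"))
        else:
            for name in names:
                if "http:" in name.lower() or name.endswith("/"):
                    findings.append((n, "invalid", name + ": URL, not a host name"))
                elif re.fullmatch(r"[\d.]+", name):
                    findings.append((n, "invalid", name + ": IP address as host name"))
                elif addr not in SINKS:
                    findings.append((n, "redirect", name + " -> " + addr))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Run it against a copy of the HOSTS file before replacing it with a new download; "redirect" findings are the ones to investigate first.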


