MVPS HOSTs file changed unexpectedly?

Discussion in 'Computer Security' started by Keith (Southend), May 9, 2006.

  1. I just noticed that I was getting all those adverts in my Hotmail screen
    that the MVPS HOSTS file eliminates. When I checked the HOSTS file was
    only 1Kbit compared with the 400 or Kbit. I've just put back the MVPS
    HOSTS file and all is blocked once again. What worries me is what caused
    the MVPS HOSTS file to be replaced with the old one? Any thoughts as I
    feel as I'm being 'tampered' with!

    I use AVG Free (runs every night as PC is on 24/7)
    AdAware SE
    Spybot Search & Destroy
    Behind a NAT Router
    I get FULL stealth when doing a Shields Up apart from 'ping'
    I have also installed Multi_AV, but only run one of the scans.
    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #1

  2. Keith (Southend) wrote:
    > I just noticed that I was getting all those adverts in my Hotmail screen
    > that the MVPS HOSTS file eliminates. When I checked the HOSTS file was
    > only 1Kbit compared with the 400 or Kbit. I've just put back the MVPS
    > HOSTS file and all is blocked once again. What worries me is what caused
    > the MVPS HOSTS file to be replaced with the old one? Any thoughts as I
    > feel as I'm being 'tampered' with!
    >
    > I use AVG Free (runs every night as PC is on 24/7)
    > AdAware SE
    > Spybot Search & Destroy
    > Behind a NAT Router
    > I get FULL stealth when doing a Shields Up apart from 'ping'
    > I have also installed Multi_AV, but only run one of the scans.


    It's done something again so it appears as "hosts.msn" yet was the file
    I unzipped from MVPS ?

    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #2

  3. Keith (Southend) wrote:
    > I just noticed that I was getting all those adverts in my Hotmail screen
    > that the MVPS HOSTS file eliminates. When I checked the HOSTS file was
    > only 1Kbit compared with the 400 or Kbit. I've just put back the MVPS
    > HOSTS file and all is blocked once again. What worries me is what caused
    > the MVPS HOSTS file to be replaced with the old one? Any thoughts as I
    > feel as I'm being 'tampered' with!


    What about stopping misusage of the HOSTS file at all and thinking about
    some serious alternatives for blocking advertisement or general website
    modifications like a browser plugin (AdBlock + GreaseMonkey on
    Mozilla-based browsers) or a filtering HTTP Proxy (like Privoxy or
    Proxomitron)...

    > I get FULL stealth when doing a Shields Up apart from 'ping'


    Well, that's still bad. At least Ident (113/TCP) should give a CLOSED,
    beside that Shields Up is utterly useless anyway.
    Sebastian Gottschalk, May 9, 2006
    #3
  4. Keith (Southend) wrote:
    > Keith (Southend) wrote:
    >> I just noticed that I was getting all those adverts in my Hotmail
    >> screen that the MVPS HOSTS file eliminates. When I checked the HOSTS
    >> file was only 1Kbit compared with the 400 or Kbit. I've just put back
    >> the MVPS HOSTS file and all is blocked once again. What worries me is
    >> what caused the MVPS HOSTS file to be replaced with the old one? Any
    >> thoughts as I feel as I'm being 'tampered' with!
    >>
    >> I use AVG Free (runs every night as PC is on 24/7)
    >> AdAware SE
    >> Spybot Search & Destroy
    >> Behind a NAT Router
    >> I get FULL stealth when doing a Shields Up apart from 'ping'
    >> I have also installed Multi_AV, but only run one of the scans.

    >
    > It's done something again so it appears as "hosts.msn" yet was the file
    > I unzipped from MVPS ?
    >


    I've deleted the hosts.msn file and put back the new hosts file from
    MVPS, seems to be keeping together atm.

    I'll keep an eye on it.

    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #4
  5. From: "Keith (Southend)" <>

    | I just noticed that I was getting all those adverts in my Hotmail screen
    | that the MVPS HOSTS file eliminates. When I checked the HOSTS file was
    | only 1Kbit compared with the 400 or Kbit. I've just put back the MVPS
    | HOSTS file and all is blocked once again. What worries me is what caused
    | the MVPS HOSTS file to be replaced with the old one? Any thoughts as I
    | feel as I'm being 'tampered' with!
    |
    | I use AVG Free (runs every night as PC is on 24/7)
    | AdAware SE
    | Spybot Search & Destroy
    | Behind a NAT Router
    | I get FULL stealth when doing a Shields Up apart from 'ping'
    | I have also installed Multi_AV, but only run one of the scans.

    Do the other scans. You may have some Trojan as it looks like it wiped your etc/hosts file.

    If the AV scanners don't come up with anything...

    Download and execute HiJack This! (HJT)
    http://www.spywareinfo.com/~merijn/files/HijackThis.exe

    Create a HJT log file and post it in one of the below locations...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) logs.
    NOTE: Registration is REQUIRED before posting a log
    NOTE: Web sites NOT listed in any particular order

    http://aumha.net/viewforum.php?f=30
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.dslreports.com/forum/security
    http://castlecops.com/forum67.html
    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    http://gladiator-antivirus.com/forum/index.php?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://www.malwarebytes.org/forums/index.php?showforum=7

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, May 9, 2006
    #5
  6. David H. Lipman wrote:

    > Create a HJT log file and post it in one of the below locations...
    >
    > { Please - Do NOT post the HJT Log here ! }
    >
    > Forums where you can get expert advice for HiJack This! (HJT) logs.
    > NOTE: Registration is REQUIRED before posting a log
    > NOTE: Web sites NOT listed in any particular order


    There is an automated evaluation at <http://hijackthis.de>
    Sebastian Gottschalk, May 9, 2006
    #6
  7. David H. Lipman wrote:

    > Do the other scans. You may have some Trojan as it looks like it wiped your etc/hosts file.
    >
    > If the AV scanners don't come up with anything...
    >
    > Download and execute HiJack This! (HJT)
    > http://www.spywareinfo.com/~merijn/files/HijackThis.exe
    >
    > Create a HJT log file and post it in one of the below locations...
    >
    > { Please - Do NOT post the HJT Log here ! }
    >
    > Forums where you can get expert advice for HiJack This! (HJT) logs.
    > NOTE: Registration is REQUIRED before posting a log
    > NOTE: Web sites NOT listed in any particular order
    >
    > http://aumha.net/viewforum.php?f=30
    > http://www.bleepingcomputer.com/forums/forum22.html
    > http://www.dslreports.com/forum/security
    > http://castlecops.com/forum67.html
    > http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    > http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    > http://gladiator-antivirus.com/forum/index.php?showforum=170
    > http://forum.networktechs.com/forumdisplay.php?f=130
    > http://forums.maddoktor2.com/index.php?showforum=17
    > http://www.spywarewarrior.com/viewforum.php?f=5
    > http://forums.spywareinfo.com/index.php?showforum=18
    > http://forums.techguy.org/f54-s.html
    > http://forums.tomcoyote.org/index.php?showforum=27
    > http://forums.subratam.org/index.php?showforum=7
    > http://www.5starsupport.com/ipboard/index.php?showforum=18
    > http://www.malwarebytes.org/forums/index.php?showforum=7
    >


    Thanks David, I run quite a few applications on this PC, and because
    it's on-line 24/7 with upload manager and downloads I get a bit paranoid
    if I get a feeling something's not quite right. The last week I must have
    had about 20 bank phishing e-mails, which I just delete. But of
    course you are only as secure as the latest .dat file.

    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #7
  8. Keith (Southend) wrote:
    > The last week I must have
    > had about 20 bank phishing e-mails, which I just delete. But of
    > course you are only as secure as the latest .dat file.


    Bullshit. With a sane and correctly configured software base there's no
    exploitable attack vector in first place. And, in contrast, depending on
    a scanner protecting a defective software base and/or configuration
    isn't even partially reliable or effective.
    Sebastian Gottschalk, May 9, 2006
    #8
  9. David H. Lipman, May 9, 2006
    #9
  10. David H. Lipman wrote:

    >> There is an automated evaluation at <http://hijackthis.de>

    >
    > It isn't very good because it needs human interpretation.


    A certain level of interpretation is needed anyway, and the ratings are
    based on users' submissions (including comments).
    So actually it's a quite efficient way of not always needing to tell the
    same things ("explorer.exe not in %windir% is evil...").
    Sebastian Gottschalk, May 9, 2006
    #10
  11. Sebastian Gottschalk wrote:

    > Bullshit. With a sane and correctly configured software base there's no
    > exploitable attack vector in first place. And, in contrast, depending on
    > a scanner protecting a defective software base and/or configuration
    > isn't even partially reliable or effective.


    Have I said something to upset you? We're not all experts in this field,
    just trying to keep my head above the surface. If there are other ways
    of avoiding some of these problems let me know, but I'm no computer
    guru, but probably know a little more than 99% of the punters out there
    using the internet.

    Multi_AV.exe running Sophos atm.
    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #11
  12. David H. Lipman, May 9, 2006
    #12
  13. David H. Lipman wrote:
    > From: "Keith (Southend)" <>
    >
    >
    >
    > < snip >
    >
    > |
    > | Multi_AV.exe running Sophos atm.
    >
    > OK
    >


    Just got back in from the gym and the Sophos ScanReport.txt is complete.

    Sophos Anti-Virus
    Version 4.05.0 [Win32/Intel]
    Virus data version 4.05, May 2006
    Includes detection for 121688 viruses, trojans and worms
    Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

    System time 20:08:46, System date 09 May 2006
    Command line qualifiers are: -f -di -all -remove -mime -mbr -noc
    -archive -opt=ISCabinet

    IDE directory is: c:\AV-CLS\Sophos

    etc...
    4 master boot records swept.
    53268 files swept in 34 minutes and 10 seconds.
    65 errors were encountered.
    No viruses were discovered.
    43 encrypted files were not checked.
    Ending Sophos Anti-Virus.

    Interesting, I had 'Windows Explorer' opened at the /drivers/etc.
    directory and the 'hosts' file has disappeared again!!

    Trend next.

    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 9, 2006
    #13
  14. Keith (Southend) wrote:

    > Sebastian Gottschalk wrote:
    >
    >> Bullshit. With a sane and correctly configured software base there's no
    >> exploitable attack vector in first place. And, in contrast, depending on
    >> a scanner protecting a defective software base and/or configuration
    >> isn't even partially reliable or effective.

    >
    > Have I said something to upset you?


    No, this is Mr. Gottschalk's usual and expected way of compensating for
    whatever deficiency it is that makes his life absolute misery.

    Ignore him, or filter him, as you please. He sometimes comes up with a
    little nugget of good information, but it's simply not worth all the
    juvenile bullshit.

    > We're not all experts in this field,
    > just trying to keep my head above the surface. If there are other ways of
    > avoiding some of these problems let me know, but I'm no computer guru, but
    > probably know a little more than 99% of the punters out there using the
    > internet.


    A well rounded course of action includes a considerable amount of
    education, intelligent software choices, "hardening" your operating system,
    and a bit of attention to making sure it all stays up to date. The opinion
    above is "hardening your OS" taken to its illogical extreme. It assumes
    the OS is the only piece of software ever running on the machine, and
    that you never really do anything of any consequence with it. For a
    machine just "sitting there" performing a single task, as in many types of
    servers, it works fine. For the average end user who wants to listen to
    online radio while downloading the latest game patches and chatting online
    about the pictures of the grandkids they just received it's mostly
    unworkable.

    Your best bet is to read as much as you can and ask questions. Make sure
    your Operating system is up to date on all its patches and bug fixes.
    Drop MS Internet Explorer and Outlook Express for more exploit free
    applications like Firefox and Thunderbird, Opera, etc. You already have
    some good advice regarding Antivirus and Antispyware software, and you
    should consider a good firewall if you don't already have one. Something
    standalone like a NAT capable router is preferable, but "personal"
    firewalls will suffice. I like Agnitum's Outpost Pro on Windows boxes,
    but it may be a bit "geeky" and daunting for average users. Too many bells
    and whistles. Some creative Googling might point you toward something more
    "civil". :)

    No matter what you choose, go back and read the part about educating
    yourself again. ;-) A little bit of knowledge goes a long way, and helps
    you get the most out of your other tools. :)

    > Multi_AV.exe running Sophos atm.


    Sophos is good stuff, IMO. Historically one of the more bulletproof. :)
    Borked Pseudo Mailed, May 9, 2006
    #14
  15. David H. Lipman, May 10, 2006
    #15
  16. Keith (Southend) wrote:
    > Sebastian Gottschalk wrote:
    >
    >> Bullshit. With a sane and correctly configured software base there's no
    >> exploitable attack vector in first place. And, in contrast, depending on
    >> a scanner protecting a defective software base and/or configuration
    >> isn't even partially reliable or effective.

    >
    > Have I said something to upset you? We're not all experts in this field,
    > just trying to keep my head above the surface. If there are other ways
    > of avoiding some of these problems let me know, but I'm no computer
    > guru, but probably know a little more than 99% of the punters out there
    > using the internet.


    And still a virus scanner won't save you from thinking about what you're
    doing and using sane software. It might be useful as an intrusion
    detection, but not as a protection. Can you say "security concept"? I
    can clearly see a big lack of it.
    Sebastian Gottschalk, May 10, 2006
    #16
  17. Trend completed, no viruses found. Hosts file disappeared again. Put it
    back this morning, but it'll be gone later I reckon.

    McAfee now, will see results when I get home tonight.

    The Hijack thing I will run later.

    Keith (Southend)
    Keith (Southend)G, May 10, 2006
    #17
  18. Keith (Southend)G wrote:
    > Trend completed, no viruses found. Hosts file disappeared again. Put it
    > back this morning, but it'll be gone later I reckon.
    >
    > McAfee now, will see results when I get home tonight.
    >
    > The Hijack thing I will run later.
    >
    > Keith (Southend)
    >


    McAfee completed, found very little. I ran HijackThis and have posted the
    log on:
    http://www.geekstogo.com/forum/index.php?showtopic=112083

    I updated the host file with today's MVPS HOSTS file update. One thing I
    did notice, which I have rectified, is that when I copy/pasted the host
    file in the drivers/etc directory it was named all in upper case. I
    looked on my other computer and saw it was lower case so I have changed
    it to lower case. I don't know why it automatically inserted in upper case.

    explore.exe still not reappeared.

    Many thanks
    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 10, 2006
    #18
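The symptoms reported up to this point in the thread (the hosts file shrinking, vanishing, turning up as hosts.msn, or changing case) can be told apart by comparing the etc directory against a known-good snapshot. This is an added example, not code from any poster or tool in the thread; the function names, finding labels and sample data are assumptions, and on Windows the directory to point it at would be %SystemRoot%\System32\drivers\etc.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(etc_dir):
    """Map every file named hosts* (any case) to its (size, sha256)."""
    state = {}
    for path in Path(etc_dir).iterdir():
        if path.name.lower().startswith("hosts") and path.is_file():
            data = path.read_bytes()
            state[path.name] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def compare(baseline, current, name="hosts"):
    """Return sorted findings on how `name` differs from the baseline."""
    findings = []
    base_size, base_hash = baseline[name]
    # Entries that match only when case is ignored (HOSTS vs hosts).
    variants = [n for n in current if n.lower() == name.lower()]
    if not variants:
        findings.append("missing: %s is gone" % name)
    for n in variants:
        size, digest = current[n]
        if n != name:
            findings.append("case-changed: now named %s" % n)
        if digest != base_hash:
            findings.append("replaced: %s now %d bytes, was %d" % (n, size, base_size))
    # Siblings such as hosts.msn that did not exist at baseline time.
    for n, (size, digest) in current.items():
        if n.lower() == name.lower() or n in baseline:
            continue
        if digest == base_hash:
            findings.append("renamed-copy: %s holds the baseline content" % n)
        else:
            findings.append("new-sibling: %s (%d bytes)" % (n, size))
    return sorted(findings)

def demo():
    """Replay the thread's symptoms on constructed data in a temp directory."""
    default = b"127.0.0.1 localhost\n"
    blocklist = default + b"".join(
        b"127.0.0.1 ads%d.example\n" % i for i in range(2000))
    with tempfile.TemporaryDirectory() as etc:
        hosts = Path(etc) / "hosts"
        hosts.write_bytes(blocklist)
        baseline = snapshot(etc)
        # Blocklist turns up as hosts.msn with a small file in its place.
        hosts.rename(Path(etc) / "hosts.msn")
        hosts.write_bytes(default)
        swapped = compare(baseline, snapshot(etc))
        # Later the hosts file disappears altogether.
        hosts.unlink()
        vanished = compare(baseline, snapshot(etc))
    return swapped, vanished

if __name__ == "__main__":
    print(demo())
```

Run on a schedule with the baseline stored outside the etc directory, the findings narrow down when the change happens, which helps correlate it with whatever program was running at the time.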
  19. Keith (Southend) wrote:

    > McAfee completed, found very little. I ran HijackThis and have posted
    > the log on: http://www.geekstogo.com/forum/index.php?showtopic=112083


    one little detail:
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

    Normally just your RealTek AD650 Sound Driver control, but is also used
    by a known trojan horse. Just for your information.

    And the Macrovision C-Dilla Driver is nothing you'd like to have on your
    system.

    > I updated the host file with today's MVPS HOSTS file update.


    Once again: Stop using the HOSTS nonsense. It slows down the system,
    causes DNS cache misses and fucks up DNS resolving anyway.
    Sebastian Gottschalk, May 10, 2006
    #19
  20. Sebastian Gottschalk wrote:

    > one little detail:
    > O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    >
    > Normally just your RealTek AD650 Sound Driver control, but is also used
    > by a known trojan horse. Just for your information.
    >
    > And the Macrovision C-Dilla Driver is nothing you'd like to have on your
    > system.


    > Once again: Stop using the HOSTS nonsense. It slows down the system,
    > causes DNS cache misses and fucks up DNS resolving anyway.


    Sebastian,

    from your previous post...
    <snip>
    What about stopping misusage of the HOSTS file at all and thinking about
    some serious alternatives for blocking advertisement or general website
    modifications like a browser plugin (AdBlock + GreaseMonkey on
    Mozilla-based browsers) or a filtering HTTP Proxy (like Privoxy or
    Proxomitron)...
    <snip>

    I use Firefox and Thunderbird so have been taking a look at a couple of
    the extensions. I take it I would need both?
    Adblock Plus 0.7
    Adblock Filterset.G Updater 0.3.0.4
    Admittedly my understanding of the mechanics of computers is limited,
    but surely the purpose of the hosts file is that it has put together ALL
    the known adware/malware URLs and 'globally' blocked them. I'm trying to
    understand what advantage one method has over the other, although you
    see it as 'misuse' of the hosts file, yet it's there to be changed?
    Convince me? And I'm not wanting to sound as though I know better than
    you, because I don't.

    Privoxy Toggler 0.1

    I've always got my ears open.
    --
    Keith (Southend)
    http://www.southendweather.net
    Keith (Southend), May 10, 2006
    #20