Ok -

We are stuck with this section - Host Files -

Repa, this is my Sister question in regarding - She understand more technical things than I

Roxanne wrote:

Hi Repa, As you know, my computer is out of commission and it seems I've come under attack from some strange events. I first noticed this when I could not access certain security websites that I normally visit (but I can access others that I don't usually visit). Then, I started getting viruses and other malware. I decided to implement your tutorial and started off with investigating my Hosts file, which you can see in the attached files (in jpg format). In your tutorial, the code used to block access is 127.0.0.1, but in my case it's 10.0.0.6. I eliminated one of the lines in the file and I was able to access the site. Can you tell me how access was gained to my Hosts file and where the 10.0.0.6 code comes from?

Please see attachments




Repa
Site Admin
User is Online



Joined: 26 Nov 2006
Posts: 1840
Location: North Carolina

Posted: Tue Jun 12, 2007 11:31 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Every hosts file usually has a number of lines beginning with the # sign (comments) and then an address that contains no # sign. That address usually defaults to:

127.0.0.1 localhost

This line should be in every Hosts file. It merely tells the computer to send messages for other parts of the same computer (the local host) to the "loop back" address 127.0.0.1. In a new default installation of Windows, this is the only line in the Hosts file that is not a comment. You should have this address in your hosts file. If, instead, you have

10.0.0.6 localhost

then perhaps that is an address that is unique to computers in Venezuela. I don’t know that and would guess that the first address above still applies. All that has ever been in my hosts table is the first address, and no other. If you have a computer, or a friend has a computer that you know is “clean”, look at that computer’s hosts table and see which of the 2 addresses is in it. My guess is the first, but then again, I’m not sure since you are in Venezuela. My guess, too, is that will be the only address in the table.

If there are lines for many anti-virus, anti-trojan and firewall companies in your Hosts file as there is in yours, it is a pretty safe bet that they were put there by malware or a hacker. So, your hosts file appears to have been “hijacked.” To solve the immediate problem, follow the specific instructions given in the link found in Sticky #6, step 3.f. You will delete all the unwanted lines and save the Hosts file. The only address left should be one of either 127.0.0.1 or 10.0.0.6 depending on what you find in the hosts file of a “clean” computer.

From what you are telling me, you need to go all the way through Sticky #6, if you can. I remember you saying that you don’t have enough room on your hard drive to do Sticky #6. If you cannot follow all the steps to find and eliminate the malware infecting your computer, you may be better off wiping your drive clean, reformatting your hard drive and reloading your operating system from scratch. If you do that, be sure you copy any important files and folders you want to keep to a backup CD or DVD before you start the process. There is also a tutorial (Sticky #13) to help you with the process of reformatting your hard drive and reloading Windows in the Tutorials forum.

If you do try to go all the way through Sticky #6, one of the things I have been meaning to add to that procedure is a program that checks for “Rootkits.” The following link will take you to AVG’s anti-rootkit software download:

http://free.grisoft.com/doc/5390#avg-anti-rootkit-free

Download and run this in both “Normal” and “Safe Mode” after running the application for Trojans in Step 11 of the Sticky #6 tutorial.
_________________




Older than dirt!

Back to top · Profile · PM · Email



--------------------------------------------------------------------------------

janewm
Moderator
User is Offline



Joined: 01 Dec 2006
Posts: 1377
Location: Florida

Posted: Wed Jun 13, 2007 11:02 am Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Samantha,

If you do reinstall your OS here is a tidbit. Do NOT be connecated to the internet when running the reintall from CDs. IF the OS not up to date, the updates will try to install during your reinstall and freeze up the process. Disconnect the internet before starting.

This was one of the problems I ran into when I reinstalled the OS after my hard drive crash.

Jane
_________________

"If you cannot find the Truth right where you are, where else do you expect to find it?" Dogen



Back to top · Profile · PM · Email · WWW · MSN



--------------------------------------------------------------------------------

pepperpot
Site Admin
User is Offline



Joined: 24 Nov 2006
Posts: 2440
Location: Venezuela

Posted: Wed Jun 13, 2007 12:54 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Thank you Repa & Jane,

We did look up other computers here and they all have 127.0.0.1 (even our other laptop) - Will let you know what we have decided to do.

Thank you again,
Samantha
_________________

"Spirituality is not religion, religion divides people. Believing in something unites"

Back to top · Profile · PM · Email · WWW



--------------------------------------------------------------------------------

Sheila
Moderator
User is Offline



Joined: 23 Nov 2006
Posts: 2590


Posted: Wed Jun 13, 2007 2:30 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Samantha,

I don't know if this will help with your problem or not but I'll say it anyways...I have Spy Sweeper as my anti spy-ware (paid version) and if you think your IP has been hijacked, you can click on a button to get it back or fixed...May not help you...Sorry everyone I don't mean to interrupt...
_________________

"You will find as you look back upon your life that the moments when you have really lived are the moments when you have done things in the spirit of love.” ...
"Henry Drummond"

Back to top · Profile · PM · Email · WWW



--------------------------------------------------------------------------------

Repa
Site Admin
User is Online



Joined: 26 Nov 2006
Posts: 1840
Location: North Carolina

Posted: Wed Jun 13, 2007 9:32 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

pepperpot wrote:

We did look up other computers here and they all have 127.0.0.1 (even our other laptop) - Will let you know what we have decided to do.



I thought as much! Sorry I cannot tell you exactly what that 10.0.0.6 address is, but you are being redirected to that address everytime you try to get to one of the anti-malware sites listed in your hosts table. Get rid of all those addresses in the hosts table, leave only the 127.0.0.1 address for the localhost, and save the corrected hosts file. Now, you should be able to get to any of the online virus scanners and other anti-malware applications listed in Sticky #6 to complete cleaning your computer. Once you have it clean, go to Stickies #3 and #4 for instructions on how to complete securing your computer and keeping it safe and running optimally.

Keep us posted on your progress.
_________________




Older than dirt!

Back to top · Profile · PM · Email



--------------------------------------------------------------------------------

pepperpot
Site Admin
User is Offline



Joined: 24 Nov 2006
Posts: 2440
Location: Venezuela

Posted: Thu Jun 14, 2007 10:44 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Keeping you all posted.

We have decided to do sticky #6 and go through all the steps... we are still in the first section.

We were able to delete all the host files, but if you notice from the images above, none of the 127.0.0.1 are there. So we went to the section in sticky #6 part 3.f and replace all with what have provided at that site - mvps host file.

Then we run the it through emisoft.com, both in normal & safe mode. It picked up 1 in normal but none in safe... this took almost 5 hours... we are taking a break I'm on the other computer.

That's all for now just keeping you posted
_________________

"Spirituality is not religion, religion divides people. Believing in something unites"

Back to top · Profile · PM · Email · WWW



--------------------------------------------------------------------------------

Repa
Site Admin
User is Online



Joined: 26 Nov 2006
Posts: 1840
Location: North Carolina

Posted: Thu Jun 14, 2007 10:56 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

The bad thing is that this does take a lot of time. The good thing is, it will catch most everything bad before you are done. Sometimes a virus or malware will prevent you from updating or running a scanner in Normal mode, or will prevent itself from being detected there, or if detected, unable to fix or remove. That is why you should run all the downloaded scanners in safe mode - viruses and other malware will not be active and cannot prevent detection or removal. If you have trouble updating a scanner in normal mode, temporarily use Safe Mode with Internet Connection to accomplish the update. The online scans are run in Normal mode. Just keep following the directions and be patient. It is going to take a while to get through the sticky. If some of the apps or online scanners run for several hours, don't be surprised or think your system has frozen. It's normal! Go do something else and periodically check back on the progress. Good luck!
_________________




Older than dirt!

Back to top · Profile · PM · Email



--------------------------------------------------------------------------------

Repa
Site Admin
User is Online



Joined: 26 Nov 2006
Posts: 1840
Location: North Carolina

Posted: Tue Jun 19, 2007 10:30 pm Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

Sam, is your hosts file problem resolved? If so, could you change your thread to indicate that it is resolved?
_________________




Older than dirt!

Back to top · Profile · PM · Email



--------------------------------------------------------------------------------

pepperpot
Site Admin
User is Offline



Joined: 24 Nov 2006
Posts: 2440
Location: Venezuela

Posted: Wed Jun 20, 2007 1:18 am Post subject: · Quote · Edit · Delete · IP


--------------------------------------------------------------------------------

yes Repa - my bad - I apologized - the Host files situation in solved.

I shall change my thread to resolved

_________________
Repa