Page 3 of 3
Re: System tools Virus
Posted: 25 Mar 2011, 13:33
by AllanL
Thanks for that, as I was dashing about I got myself confudled over where the host file was supposed to go. Reading destructions carefully is against engineer's rools anyway.
I have run Malwarebytes a couple of times and noticed in Microsoft Security that three virus files were "seen" at the time that I first ran Malwarebytes. More worryingly, when SWMBO opened the email purporting to come from UPS with a .rar attachment, Microsoft Security mentions allowing a TrojanDownloader:Java/OpenConnection.MV file to operate.
Malwarebytes found and removed three files, and I've run cr*pcleaner twice since then.
I doubt whether she opened the .rar file, but I have left the machine disconnected from the wireless network with Malwarebytes and Microsoft Security doing another pair of runs.
Only changes that I've seen since putting the new hosts file in are that cr*pcleaner will not run from the C: drive, but will run from my USB stick, and Google Chrome needs a "right click run as admin" to operate - which it didn't before. Explorer and Firefox start up ok. Funnily enough when Dave started this thread, I remember thinking that I had those files already on a stick from a previous effort clearing a friend's infected PC.
So am I likely to be free of the little sod (not SWMBO - not so little but just as annoying) if Malwarebytes is not finding anything new, and any way to get Chrome to fire up without invoking Admin rights which I have set for All Users anyway? Would it be quicker to just re-install Chrome?
Re: System tools Virus
Posted: 25 Mar 2011, 19:35
by ianhind
What's in your new hosts file?
Should be nothing in there that causes those problems. And I wouldn't run Chrome as administrator - if anything nasty comes in from that it could have total access to your PC.
Might also be worth scanning with Windows Defender since Microsoft - I had to look up how to start a scan:
http://windows.microsoft.com/en-GB/wind ... d-software
Back after dinner!
Re: System tools Virus
Posted: 26 Mar 2011, 11:21
by AllanL
The hosts file that I downloaded from bleepingcomputer.com just contains the following:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
So if everything is commented out, is that a problem?
Re: System tools Virus
Posted: 26 Mar 2011, 11:52
by DaveB
I think they all say pretty much the same, Allan. Here's mine:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Your final line is different to mine but that's it. Makes you wonder why the file is there as it doesn't appear to do anything.
ATB
DaveB
Re: System tools Virus
Posted: 26 Mar 2011, 17:52
by ianhind
Mine looks like this:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# SAME AS EXAMPLE HERE
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
192.168.0.40 Linda1
192.168.0.4 Laptop
192.168.0.5 Ian1
192.168.0.7 Media1
192.168.0.10 Photos
192.168.0.14 Linkstation 500
192.168.0.31 LDFiles
192.168.0.33 RAIDBox
LMHOSTS is the same and just allows internal redirection whether I use the absolute IP address or the computer's name.
Problems occur when something in HOSTS or LMHOSTS hijacks to an external address.
Blacklists can also be used so that they point to 127.0.0.1 to prevent hijacking, e.g. (made-up example):
127.0.0.1 onlinepoker.com
So HOSTS is not your problem - take a look at LMHOSTS as well. It's in the same ..../drivers/etc directory
Ian
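A defender-side check of the pattern ianhind describes above, written as an added example that is not from the thread: it parses a hosts file, treats 127.0.0.1/0.0.0.0 blackhole entries and LAN addresses as expected, and flags any name that has been mapped to an external address. The sample file contents are constructed for the example; the 102.54.94.97 address is borrowed from the Windows sample header, and the host names are placeholders.

```python
import ipaddress

# Constructed sample hosts file (not a real machine's file): Windows sample
# header, loopback lines, a LAN entry like ianhind's, a Spybot-style
# blackhole entry, and one line that sends a real-looking name elsewhere,
# which is the hijack pattern the thread warns about.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
192.168.0.4 Laptop
127.0.0.1 onlinepoker.com    # blackhole entry, harmless
0.0.0.0 ads.example.invalid
102.54.94.97 update.example-bank.invalid # hypothetical hijack line
"""


def parse_hosts(text):
    """Return (ip_string, [names]) for each active mapping in a hosts file.

    Comment-only lines, blank lines and malformed addresses are skipped,
    so a file that is entirely '#' lines (like AllanL's) yields [].
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((str(ip), parts[1:]))
    return entries


def classify(ip_string):
    """blackhole (127.x / 0.0.0.0 / ::1), lan (private or link-local), or external."""
    ip = ipaddress.ip_address(ip_string)
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "external"


def suspicious_entries(text):
    """Mappings that redirect a name to an address outside the machine or LAN."""
    return [(ip, names) for ip, names in parse_hosts(text)
            if classify(ip) == "external"]
```

On a Windows box the file to feed in is the `hosts` file in the `drivers\etc` directory ianhind mentions; read it as text and pass it to `suspicious_entries`.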
Re: System tools Virus
Posted: 26 Mar 2011, 18:06
by AllanL
The lmhosts file has a .sam file type applied to it. The contents are:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
If the file has this .sam file type applied, might there be something suss going on?
A quick check suggests that this is legit. I tried to download Chrome to re-install and it failed with a message:
...unable to start correctly (0xc00000a5)
Re: System tools Virus
Posted: 26 Mar 2011, 21:54
by nigelb
My hosts file (on winxp) is 423 kb and contains numerous entries. I was going to post it but it is too long. Spybot Search and Destroy added most of the entries and I also added some myself to block some ads in Winamp.
Nigel²
Re: System tools Virus
Posted: 27 Mar 2011, 00:12
by ianhind
@Nigel2
That sounds correct - all the additional entries are to stop hijacking of websites to other pages - you'll probably find they all point to 127.0.0.1 = local computer.
@Allan
That LMHOSTS file is the "sample" file put there by Windows so it has not been altered.
Googling (!) that Chrome error comes up with this:
http://answers.microsoft.com/en-us/wind ... 0264c4ef37
I've given up with Chrome for now so don't know if this is a current problem. Pale Moon is my new best friend (thanks Darren).
Re: System tools Virus
Posted: 27 Mar 2011, 16:35
by nigelb
ianhind wrote: @Nigel2
That sounds correct - all the additional entries are to stop hijacking of websites to other pages - you'll probably find they all point to 127.0.0.1 = local computer.
Yes, they all point to 127.0.0.1.