Redirected Hostfile entry



#1 Tyki

Posted 18 September 2008 - 02:10 PM

There's already a topic made about this, but I think it's in the wrong section:

http://www.lavasofts...amp;#entry85802


Basically, since 0122.0000 there are 9 host files that are detected as malware, all with IP 127.0.0.1:

Therealsearch.com
greg-search.com
approvedlinks.com
vse-moe.biz
aifind.info
find4u.net
i-lookup.com
ie-search.com
itseasy.us


They can't be removed either, at least not on my PC.

Since the mentioned IP is 127.0.0.1, I'm thinking it's a false positive. From what I could find through Google, a host file with that IP is actually there to defend your computer. Not sure about this, as my computer knowledge is very limited, though.

Edited by Tyki, 18 September 2008 - 05:18 PM.


#2 LS Pekka

Posted 18 September 2008 - 03:43 PM

Hi Tyki!

We will take a closer look at these entries that clearly look to be inserted in the Hosts file in order to block access to the listed domains, as the malicious hostnames are redirected to 127.0.0.1 (local address or localhost). We will correct this as of the next definition file update. The blocking may have been done by some other application that you may have installed, and it may also have locked (write-protected) the Hosts file in order to protect it from changes (this can also be done by the Ad-Aware Hosts File Editor, by ticking "Write-Protect Hosts File"). The Ad-Aware 2008 Hosts File Editor can be reached via the Tools & Plug-Ins button.

Spybot Search & Destroy is an example of an application that lets its users "Add Spybot S&D hosts lists" in order to block access to certain malicious sites. If the Hosts file is locked down by the application, the entries cannot be removed for as long as the lock (write protection) is applied.

Thanks for informing us about the issue!

As mentioned previously it will be corrected as of the next definition file update.

Regards,

LS Pekka

Lavasoft Research
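
The distinction drawn in the reply above, between hosts entries that block a name by pointing it at the local machine and entries that send it somewhere else, can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not Ad-Aware's detection logic; the sample file, the function names, and the choice to treat 0.0.0.0 and ::1 as blocking addresses alongside 127.0.0.1 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real machine). The
# blocking entries reuse hostnames named in this thread; the last two
# lines use reserved example names and a documentation address.
SAMPLE_HOSTS = """\
# blocklist added by a protection tool
127.0.0.1   localhost
127.0.0.1   therealsearch.com ie-search.com   # two names on one line
0.0.0.0     itseasy.us
::1         find4u.net
203.0.113.7 login.bank.example                # points to a remote host
not-an-ip   broken.example
"""

def classify_hosts(text):
    """Return (hostname, address, verdict) for every name in a hosts file.

    verdict is 'sinkhole' when the name maps to a loopback or unspecified
    address (the name is blocked), 'redirect' when it maps to any other
    address (worth reviewing), and 'invalid' when the address is malformed.
    """
    results = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue                             # blank or address-only line
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
            verdict = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
        except ValueError:
            verdict = "invalid"
        for name in names:
            results.append((name.lower(), address, verdict))
    return results

def entries_to_review(text):
    """Names a scanner should report: everything that is not a sinkhole."""
    return [(n, a) for n, a, v in classify_hosts(text) if v != "sinkhole"]

if __name__ == "__main__":
    for name, address, verdict in classify_hosts(SAMPLE_HOSTS):
        print(f"{verdict:9} {address:12} {name}")
```

Only the entry pointing at a remote address and the malformed line are returned for review; the loopback entries, which are the kind reported in this thread, are classified as blocks.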

#3 saucerdesigner

Posted 18 September 2008 - 05:33 PM

Here are the hostnames that Ad-Aware 2008 with Definitions 0122.0000 updated 09/18/08 at 7:26 AM (GMT-07:00 US Mountain time) reported as Critical Objects. Please note that my host file is the 08/06/08 version from MVPS HOSTS and is read-only, which is probably why Ad-Aware could not remove them:

563 Redirected hostfile entry Misc 4
[500000035] IP Address: 127.0.0.1 Host Name: THEREALSEARCH.COM
[500000049] IP Address: 127.0.0.1 Host Name: INSTALL.XXXTOOLBAR.COM
[500000062] IP Address: 127.0.0.1 Host Name: 1-SE.COM
[500000070] IP Address: 127.0.0.1 Host Name: CRACKS.AM
[500000076] IP Address: 127.0.0.1 Host Name: IE-SEARCH.COM
[500000078] IP Address: 127.0.0.1 Host Name: ITSEASY.US

Thanks

#4 Name User

Posted 18 September 2008 - 07:28 PM

Spybot Search & Destroy is an example of an application that let their users "Add Spybot S&D hosts lists" in order to block access to certain malicious sites.

I just had this happen for the first time recently, and it is indeed SpyBot placing blocks on known bad URLs via its Immunize feature. I not only found lots of 127.0.0.1 entries in the host file under SpyBot, I Googled and one person said it's a current glitch in Ad-Aware, or basically a false positive, which sometimes happens between two security applications. The IP address 127.0.0.1 is a loopback. When URLs are placed in the host file under that address they cannot be accessed, just SpyBot doing its good deeds. You can just click on the Ignore feature of Ad-Aware and it won't read them as malware next time.

Edited by Name User, 18 September 2008 - 07:30 PM.


#5 JohnBurns

Posted 18 September 2008 - 09:26 PM

Update 0123.0000, just released, has corrected this on both my home PCs. Thanks, Lavasoft.

#6 LS Pekka

Posted 18 September 2008 - 09:34 PM

Hi!

Yes, the issue is fixed in the current definition file, 0123.0000.

Thank you all for reporting this issue :)

Regards,

LS Pekka

Lavasoft Research



