Weird entries in 'hosts' file appeared out of nowhere


pmitas
Junior Member with 3 posts.
 
Join Date: Apr 2008
Experience: Advanced
26-Apr-2008, 08:40 AM #1
Just now I noticed that the "shortcuts" I have set up in 'hosts' suddenly stopped working. So I looked into the file and found this:

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space. - dddddddddddddd---------
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#

127.0.0.1 localhost
127.0.0.1 atwola.com
72.167.163.234 www.google-analytics.com
72.167.163.234 pagead.googlesyndication.com
72.167.163.234 pagead2.googlesyndication.com
#68.178.151.28 as.casalemedia.com
#68.178.151.28 ad.yieldmanager.com
#68.178.151.28 ad.doubleclick.net
72.167.163.234 ads1.msn.com
#38.113.170.200 ads.sup.com
#38.113.174.32 dehp.myspace.com
#38.113.174.32 demr.myspace.com
#38.113.174.32 desk.myspace.com
#38.113.174.32 delb.myspace.com
#38.113.174.32 delb2.myspace.com
#38.113.174.32 debr.myspace.com
#38.113.174.32 view.atdmt.com
#38.113.170.200 rad.msn.com
#38.113.170.200 themis.geocities.yahoo.com
127.0.0.1 www.intuneads.com
127.0.0.1 www.freemusic123.com
127.0.0.1 www.cifras.com.br
127.0.0.1 www.gshome.com
127.0.0.1 www.all-midi.com
127.0.0.1 www.directtabs.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 ad.harmony-central.com
127.0.0.1 cdn1.tribalfusion.com
127.0.0.1 isg01.casalemedia.com
127.0.0.1 isg02.casalemedia.com
127.0.0.1 isg03.casalemedia.com
127.0.0.1 isg04.casalemedia.com
127.0.0.1 isg05.casalemedia.com
127.0.0.1 isg06.casalemedia.com
127.0.0.1 isg07.casalemedia.com
127.0.0.1 isg08.casalemedia.com
127.0.0.1 isg09.casalemedia.com
127.0.0.1 isg10.casalemedia.com
127.0.0.1 isg11.casalemedia.com
127.0.0.1 isg12.casalemedia.com
127.0.0.1 isg14.casalemedia.com
127.0.0.1 isg15.casalemedia.com
127.0.0.1 isg16.casalemedia.com
127.0.0.1 ads.PointRoll.com
127.0.0.1 icq.rambler.ru
#127.0.0.1 global.msads.net
127.0.0.1 distortica.com


What does it mean? I have Kaspersky Antivirus on all the time and am scanning the whole disk as I type this; nothing found so far. Should I be worried? (OFC none of these entries is mine, something switched the whole file)
pmitas
Junior Member with 3 posts.
 
Join Date: Apr 2008
Experience: Advanced
26-Apr-2008, 08:47 AM #2
Also, I found my old hosts backed up as "001 archive" (by the way, how do you set Vista to show file extensions?) in the same directory.
Nesjemannen
Senior Member with 196 posts.
 
Join Date: Nov 2007
Location: Molde, Norway!
Experience: AdvancedComputerKnowledge
26-Apr-2008, 09:39 AM #3
Certain software such as Spybot Search and Destroy add lines like that to your host-file to prevent intruders. So if you use any "immunization" software, you really shouldn't worry.
pmitas
Junior Member with 3 posts.
 
Join Date: Apr 2008
Experience: Advanced
26-Apr-2008, 09:54 AM #4
But I don't use any of such software (only Kaspersky Antivirus). And if it was some legit software, wouldn't it add entries instead of replacing the whole file? But, on the other side, Kaspersky didn't find anything particular, so I don't see anything to be worried about, still it feels a bit creepy...
Book
Senior Member with 134 posts.
 
Join Date: Jun 2007
Experience: Intermediate
26-Apr-2008, 10:42 AM #5
Well, Spybot only adds entries to redirect suspicious website connections back to your own machine, so I suppose you shouldn't be worried about the 127.0.0.1 entries. Also, lines beginning with # are comments, so nothing bad about those either. The only lines left are:
72.167.163.234 ads1.msn.com
72.167.163.234 www.google-analytics.com
72.167.163.234 pagead.googlesyndication.com
72.167.163.234 pagead2.googlesyndication.com

I don't know why these are added; maybe you installed some Google software (toolbar or whatever)? Although if you're really suspicious you might notice a strange pattern, like ads1.msn.com seems like a phishing site (ads1 instead of adsl, maybe?) and they all point to the same IP address. And BTW Google has nothing to do with MSN so..
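
Added example (not part of the original thread): the reading of the file described in post #5, as a Python script that skips comments, separates loopback entries from entries pointing elsewhere, and reports any non-loopback address that answers for several unrelated domains. The sample lines are copied from the file posted above; the function names and the last-two-labels domain grouping are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a handful of lines copied from the hosts file posted in this thread.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 atwola.com
72.167.163.234 www.google-analytics.com
72.167.163.234 pagead.googlesyndication.com
#68.178.151.28 ad.doubleclick.net
72.167.163.234 ads1.msn.com
127.0.0.1 isg01.casalemedia.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address, not a usable mapping
        for name in fields[1:]:                # one line may list several names
            yield ip, name.lower()

def triage(text):
    """Split active entries into loopback-blocked names and redirects grouped by IP."""
    blocked, redirects = [], defaultdict(list)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name != "localhost":
                blocked.append(name)
        else:
            redirects[str(ip)].append(name)
    return blocked, dict(redirects)

def suspicious_targets(redirects):
    """IPs answering for more than one domain (last two labels; a crude assumption)."""
    return {ip: names for ip, names in redirects.items()
            if len({".".join(n.split(".")[-2:]) for n in names}) > 1}

if __name__ == "__main__":
    blocked, redirects = triage(SAMPLE)
    print(len(blocked), "names blocked via loopback")
    print("shared redirect targets:", suspicious_targets(redirects))
```

To check a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to `triage()` instead of `SAMPLE`.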
billoddly
Junior Member with 1 posts.
 
Join Date: May 2008
Experience: Advanced
12-May-2008, 08:18 PM #6
I've just noticed the same problem. My hosts file was changed on 28th April 2008. I play about with hosts fairly often but I didn't make any of these changes. Note the "- dddddddddddddd---------" in the second paragraph - very odd. I noticed the changes because I'm getting redirects to media.fastclick.net when using mininova.org sometimes (I mention this in case it triggers a memory of a similar set of symptoms). I click a link on mininova.org and get a web page (media.fastclick.net) displaying an advert and am then redirected to the original mininova page I clicked on. I ran Hijack This to check for suspicious entries while trying to work out if I have spyware or if the redirects are being done by mininova, and noticed the changes to hosts in the Hijack This log.

My original hosts file was backed up as hosts1.txt in the same directory (I think, although it really could have been me that did that when I last played around with hosts and then blanked it)

WinXP, AVG and Avast! antivirus. Spybot Search and Destroy (not used for a few months before today though). No virus warnings, no spyware warnings.

EDIT 1: I just saw this post that mentions someone with the same problem that downloaded GuitarFX. I definitely downloaded and installed GuitarFX. I've reinstalled it recently so I can't check the date, but it could have been installed on 28th April. Perhaps it's the culprit.
- http://www.malwareremoval.com/forum/...30483&p=297241

EDIT 2: Yes, I think so. C:\Program Files\GuitarFX 3\SRC\Ext\backme.bat contains

copy C:\WINDOWS\system32\drivers\etc\hosts.001 C:\WINDOWS\system32\drivers\etc\hosts
copy C:\WINDOWS\system32\drivers\etc\hostsb C:\WINDOWS\system32\drivers\etc\hosts

So there's some kind of manipulation of hosts it's doing. Possibly it copied hosts to hostsb when it installed and this backme.bat file undoes that change? Whatever the case, it has its hands in the cookie jar.

EDIT 3: See this - http://www.topshareware.com/reviews/...1/guitarfx.htm and http://www.technozid.de/2006/07/11/g...-your-browser/

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space. - dddddddddddddd---------
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#

127.0.0.1 localhost
127.0.0.1 atwola.com
72.167.163.234 www.google-analytics.com
72.167.163.234 pagead.googlesyndication.com
72.167.163.234 pagead2.googlesyndication.com
127.0.0.1 as.casalemedia.com
#68.178.151.288 ad.yieldmanager.com
#68.178.151.288 ad.doubleclick.net
72.167.163.234 ads1.msn.com
#38.113.170.200 ads.sup.com
38.113.174.32 dehp.myspace.com
38.113.174.32 demr.myspace.com
38.113.174.32 desk.myspace.com
38.113.174.32 delb.myspace.com
38.113.174.32 delb2.myspace.com
38.113.174.32 debr.myspace.com
38.113.174.32 view.atdmt.com
#38.113.170.208 rad.msn.com
38.113.170.200 themis.geocities.yahoo.com
127.0.0.1 www.intuneads.com
127.0.0.1 www.freemusic123.com
127.0.0.1 www.cifras.com.br
127.0.0.1 www.gshome.com
127.0.0.1 www.all-midi.com
127.0.0.1 www.directtabs.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 ad.harmony-central.com
127.0.0.1 cdn1.tribalfusion.com
127.0.0.1 isg01.casalemedia.com
127.0.0.1 isg02.casalemedia.com
127.0.0.1 isg03.casalemedia.com
127.0.0.1 isg04.casalemedia.com
127.0.0.1 isg05.casalemedia.com
127.0.0.1 isg06.casalemedia.com
127.0.0.1 isg07.casalemedia.com
127.0.0.1 isg08.casalemedia.com
127.0.0.1 isg09.casalemedia.com
127.0.0.1 isg10.casalemedia.com
127.0.0.1 isg11.casalemedia.com
127.0.0.1 isg12.casalemedia.com
127.0.0.1 isg14.casalemedia.com
127.0.0.1 isg15.casalemedia.com
127.0.0.1 isg16.casalemedia.com
127.0.0.1 ads.PointRoll.com
127.0.0.1 icq.rambler.ru
#127.0.0.1 global.msads.net
127.0.0.1 distortica.com

Last edited by billoddly : 12-May-2008 08:35 PM.