• What should be in the hosts file. Hosts file: eliminating the consequences of a virus attack. What should the hosts file look like?

    I write about what is on my mind at the moment. On my computer, the Odnoklassniki, VKontakte, and My World sites were simultaneously blocked.

    Of course, you can bypass the blocking using an anonymizer if this happens at work or school, but if this is your computer, then know that you "caught a virus." Of course, it is very unpleasant to realize that a “stranger” is in charge of your territory, but do not despair, everything is in our hands!

    To remove the virus, you need to find the hosts file on the computer at one of these addresses. Click Start - Computer - Local Disk (C:) and then:

    Windows 95/98/ME: WINDOWS\hosts

    Windows NT/2000: WINNT\system32\drivers\etc\hosts

    Windows XP/2003/Vista: WINDOWS\system32\drivers\etc\hosts

    Attention!

    Before opening the file, at the top, click Tools - Folder Options - View - Advanced Options. Scroll down the window and at the very bottom we find the option Show hidden folders, files, drives.

    This is very important, since the hosts virus file enters our computer in a hidden form.

    I found as many as two "extra" hosts files. These hidden "viral" files need to be removed. Open the file using Notepad editor (right-click - "open with").

    If you do not have this editor, then open with Notepad or WordPad.

    A "clean" hosts file should look like this:

    For Windows XP

    # Copyright (c) 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost

    For Windows Vista system


    #

    #




    #space.
    #


    #
    # For example:
    #


    127.0.0.1 localhost
    ::1 localhost

    For Windows 7 system

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    In Russian:

    # (C) Microsoft Corp., 1993-1999
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains mappings of IP addresses to hostnames.
    # Each element must be on a separate line. The IP address must
    # be in the first column, followed by the appropriate name.
    # The IP address and hostname must be separated by at least one space.
    # Also, comments can be inserted on some lines
    # (such as this line), they must follow the hostname and be separated
    # from it with a '#' symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # client node x
    127.0.0.1 localhost

    When you compared the "clean version" with yours and found extra entries - run away - it's garbage! Also, remove unnecessary hidden hosts files in which you will find links to Odnoklassniki, My World, VKontakte and many other nasty things. You yourself will understand everything.

    This is what the infected hosts file looks like:

    If you are afraid to make any changes, then just restore the hosts file. To do this, create an empty hosts.txt file on drive C (it is selected to make it easier to perform subsequent actions), open it in notepad and enter the file template corresponding to your operating system (see above).

    After that, copy the created file to the C:\Windows\System32\Drivers\etc directory or to C:\Windows\SysWOW64\drivers\etc for 64-bit Windows 7.

    If there are no hidden files and your only file contains more than the above, delete everything in it and paste one of the above texts.

    Attention!

    The hosts file is saved without an extension (it must not be named hosts.txt). After all that has been done, be sure to restart your computer.

    The hosts file is a rather vulnerable place in the Windows operating system. This file is the number one target for almost all viruses and trojans that manage to infect a computer. In this article, we will talk about what the hosts file is, where it is located, what it is used for, and how to restore it after a computer is infected with viruses.

    The task of this file is to store a list of domains and their corresponding ip-addresses. The operating system uses this list to convert domains to IP addresses and vice versa.

    Every time you enter the address of the site you need in the address bar of the browser, a request is made to convert the domain to an ip address. Now this conversion is performed by a service called DNS. But, at the dawn of the development of the Internet, the hosts file was the only way to associate a symbolic name (domain) with a specific ip-address.

    Even now, this file has a direct effect on the translation of symbolic names. If you add an entry to the hosts file that will associate the ip address with the domain, then such an entry will work fine. This is exactly what developers of viruses, trojans and other malicious programs use.

    As for the file structure, the hosts file is a plain text file without an extension. That is, this file is not called hosts.txt, but simply hosts. To edit it, you can use the ordinary text editor Notepad.

    The standard hosts file consists of several lines that begin with the "#" character. Such lines are ignored by the operating system and are simply comments.

    Also in the standard hosts file there is an entry "127.0.0.1 localhost". This entry means that when you access the symbolic name localhost, you will be accessing your own computer.

    Fraud with the hosts file

    There are two classic ways to benefit from making changes to the hosts file. Firstly, it can be used to block access to sites and servers of anti-virus programs.

    For example, after infecting a computer, a virus adds the following entry to the hosts file: "127.0.0.1 kaspersky.com". When you try to open the kaspersky.com website, the operating system will connect to the IP address 127.0.0.1. Naturally, this is the wrong IP address. As a result, access to this site is completely blocked, and the user of the infected computer cannot download an antivirus or anti-virus database updates.

    In addition, developers can use another technique. By adding entries to the hosts file, they can redirect users to a fake site.

    For example, after infecting a computer, the virus adds the following entry to the hosts file: “90.80.70.60 vkontakte.ru”. Where "90.80.70.60" is the ip address of the attacker's server. As a result, when trying to access a well-known site, the user gets to a site that looks exactly the same, but is located on someone else's server. As a result of such actions, fraudsters can get logins, passwords and other personal information of the user.

    So in case of any suspicion of a virus infection or site spoofing, the first thing to do is to check the HOSTS file.
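The check described above can be automated. The following is an added example, not part of the original article: it parses hosts-file text and sorts every active entry into the two tampering patterns the article names (a name pinned to the local machine, or a name pointed at a foreign server). The sample file is constructed from the article's own example entries; `www.vkontakte.ru`, `example.test` and the verdict labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: stock entries plus the two tampering patterns from the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
127.0.0.1 kaspersky.com            # blocks the vendor site
90.80.70.60 vkontakte.ru www.vkontakte.ru
not-an-ip example.test
"""

DEFAULT_NAMES = {"localhost"}  # the only name a stock Windows hosts file maps


def parse_hosts(text):
    """Yield (line_no, ip_text, [host names]) for every active (uncommented) line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop a trailing comment
        if not body:
            continue  # blank line or pure comment
        fields = body.split()
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def classify(ip_text, hostnames):
    """Return 'default', 'blocked', 'redirected' or 'malformed' for one entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"  # e.g. the fused token "127.0.0.1localhost"
    if not hostnames:
        return "malformed"
    if ip.is_loopback and all(h in DEFAULT_NAMES for h in hostnames):
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"  # name resolves to the local machine, so the site is unreachable
    return "redirected"  # name resolves to whatever server the entry names


def audit(text):
    """Return [(line_no, verdict, ip_text, host names)] for every non-default entry."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        verdict = classify(ip_text, names)
        if verdict != "default":
            findings.append((line_no, verdict, ip_text, names))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(finding)
```

A "redirected" verdict is not proof of infection, since administrators also add such entries on purpose; it marks the lines that need a human decision.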

    Where is the hosts file

    Depending on the version of the Windows operating system, the hosts file can be located in different folders. For example, if you use Windows XP, Windows Vista, Windows 7, or Windows 8, the file is located in the WINDOWS\system32\drivers\etc\ folder.

    On Windows NT and Windows 2000 operating systems, this file is located in the WINNT\system32\drivers\etc\ folder.

    In very ancient versions of the operating system, for example, in Windows 95, Windows 98 and Windows ME, this file can be found simply in the WINDOWS folder.

    Restoring the hosts file

    Many hacked users are interested in where they can download the hosts file. However, you do not need to search for and download the original hosts file at all. You can fix it yourself: open it with a text editor and delete everything except the line "127.0.0.1 localhost". This will unblock access to all sites and allow the antivirus to update.

    Let's take a closer look at the process of restoring the hosts file:

    1. Open the folder where this file is located. In order not to wander through the directories for a long time in search of the desired folder, you can use a little trick. Press the key combination Windows + R to open the "Run" menu. In the window that opens, enter the command "%systemroot%\system32\drivers\etc" and click OK.
    2. After you open the folder in which the hosts file is located, make a backup copy of the current file in case something goes wrong. If the hosts file exists, just rename it to hosts.old. If the hosts file is not in this folder at all, then this item can be skipped.
    3. Create a new empty hosts file. To do this, right-click in the etc folder and select "Create a text document".
    4. When the file is created, it must be renamed to hosts. When renaming, a window will appear in which there will be a warning that the file will be saved without an extension. Close the warning window by clicking the OK button.
    5. After the new hosts file has been created, it can be edited. To do this, open the file with Notepad.
    6. Depending on the version of the operating system, the contents of the standard hosts file may differ.
    7. For Windows XP and Windows Server 2003, "127.0.0.1 localhost" must be added.
    8. Windows Vista, Windows Server 2008, Windows 7 and Windows 8 need to add two lines: "127.0.0.1 localhost" and "::1 localhost".

    The hosts file establishes a correspondence between a server's IP address and a site's domain. Lookups in this file take precedence over requests to DNS servers. Unlike DNS, the content of the file is controlled by the computer's administrator.

    Today, a large number of malicious programs use the hosts file to block access to the websites of popular portals or social networks. Often, instead of blocking sites, malware redirects the user to pages that look like popular resources (social networks, mail services, etc.), where an inattentive user enters credentials, which thus reach the attackers. It is also possible to block access to the websites of anti-virus software companies.

    hosts file location

    By default, the hosts file is located in C:\Windows\System32\drivers\etc. The file has no extension, but it can be opened with Notepad. To change the contents of the file in Notepad, you must have administrator rights.

    To view the hosts file, open the Start menu, select Run, enter the command

    and click OK.

    This is what the hosts file should look like by default.

    If the file contains entries like 127.0.0.1 odnoklassniki.ru, 127.0.0.1 vkontakte.ru or the addresses of your sites that you cannot access, then first check your computer for malware, and then restore the hosts file.

    Restoring the contents of the hosts file to default

    • Open the Start menu, select Run, enter the command
      %systemroot%\system32\drivers\etc

      and click OK.

    • Rename the hosts file to hosts.old.
    • Create a new default hosts file. To do this, follow the steps below.
    1. Right-click an empty space in the folder %WinDir%\system32\drivers\etc, select New, click Text Document, enter the name hosts and press ENTER.
    2. Click Yes to confirm that the file name will not have the TXT extension.
    3. Open the new hosts file in a text editor. For example, open the file in Notepad.
    4. Copy the text below into the file.
      # Copyright (c) 1993-2009 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #
      # This file contains the mappings of IP addresses to host names. Each
      # entry should be kept on an individual line. The IP address should
      # be placed in the first column followed by the corresponding host name.
      # The IP address and the host name should be separated by at least one
      #space.
      #
      # Additionally, comments (such as these) may be inserted on individual
      # lines or following the machine name denoted by a "#" symbol.
      #
      # For example:
      #
      # 102.54.94.97 rhino.acme.com # source server
      # 38.25.63.10 x.acme.com # x client host

      # localhost name resolution is handled within DNS itself.
      # 127.0.0.1 localhost
      # ::1 localhost

    Save and close the file.

    You can also edit the hosts file in Notepad to delete unnecessary lines or add your own. To do this, you need to run Notepad as administrator.

    How to run standard Windows programs, see

    What is the Hosts file for?
    The purpose of this system file is to assign certain IP addresses to certain site addresses.
    All kinds of viruses and malware are very fond of this file: they write their own data into it or simply replace it.
    The result may be a page injected into the browser that asks you to send an SMS when the browser is opened, or the blocking of various sites, at the discretion of the virus's creators.

    Where is the hosts file in windows?
    For different versions of Windows, the location of the hosts file is slightly different:

    Windows 95/98/ME: WINDOWS\hosts
    Windows NT/2000: WINNT\system32\drivers\etc\hosts
    Windows XP/2003/Vista/7/8: WINDOWS\system32\drivers\etc\hosts


    The trailing hosts in each path is the file itself, not a folder. It has no extension.

    What should the correct hosts file look like?
    The content of the hosts file also differs slightly between versions of Windows, but not by much. It explains, in English, what the file is for and how to add entries, with one example. All lines that begin with a # sign are commented out and have no effect.
    The contents of the original hosts file for Windows XP:


    #

    #




    #space.
    #


    #
    # For example:
    #



    127.0.0.1 localhost


    Contents of the original hosts file for Windows Vista:

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
    ::1 localhost


    The contents of the original hosts file for Windows 7:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost


    The contents of the original hosts file for Windows 8:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost


    As you can see, there are no significant differences in the content of the hosts file between versions of Windows.

    How to open and edit the hosts file?
    The hosts file can be opened in standard Windows Notepad.
    This is probably the most interesting part of the article.
    First of all, why change this file at all? To deny access to certain sites. By changing this file and writing a site's address into it, the user will not be able to access that site through any browser.
    In order to change the hosts file, it is advisable to open it as an administrator by right-clicking on the file and selecting "Run as administrator". Alternatively, start Notepad this way and open the file in it.

    For quick action, you can simply click the Start button and select Run (Win+R) and enter in the line:

    notepad %windir%\system32\drivers\etc\hosts



    This will open the file in Notepad.

    In order to block access to a site (suppose it is test.ru), you just need to add a line with this site at the very bottom:

    127.0.0.1 test.ru


    As a result, the file will have the following content:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # This HOSTS file created by Dr.Web Anti-rootkit API

    # 127.0.0.1 localhost
    # ::1 localhost
    127.0.0.1 test.ru


    Each new site that you want to block must start on a new line, and you must not forget to write the local IP address 127.0.0.1 before it.

    There is also a program for editing the hosts file, HOSTS EDITOR, which you can download and read the description from.
    It works by helping you edit the hosts file.
    The screenshot below makes its operation clear: everything is done in a couple of clicks. Entries are added by clicking +.


    After editing, do not forget to click the save button (button 2, "Save changes", to the left of the "+" button).

    You can also change this file for good purposes, for example to speed up website loading.
    How does it work?
    When you visit a site, you see its domain name, which is made of letters. But every site on the Internet has an IP address, and names are mapped to addresses using DNS. I will not go into the details of this process; the article is not about that. What you need to know here is that the hosts file has priority when accessing sites, and only after it is a DNS request made.
    In order to speed up the loading of a site, you need to know its IP address and domain.
    The IP address of a site can be found using various services, for example, or.
    The domain is the name of the site.
    For example, let's speed up the loading of the site on which you are reading this article by explicitly specifying its IP address and domain in the file.
    Then the added line will be:

    91.218.228.14 site


    This speeds up the loading of the page by a couple of seconds, and sometimes it can give access if you cannot reach the site by standard means.

    It is also possible to redirect to another site using the hosts file.
    To do this, you need to know the IP address of the site and its domain (as in the case described above), then the added line will be like this:

    91.218.228.14 test.ru


    Now, after entering test.ru into the address bar of the browser, you will be redirected to the site at the specified IP address.

    If you want to clean the hosts file, you can do this by simply deleting its content and inserting the original text from the description above (under the spoilers).

    Some nuances in the hosts file:

  • Always check whether there is a scroll bar on the side, and always scroll down to the bottom of the window. This is because some viruses write their entries in the area hidden below the window.
  • In some cases, usually if you can't save the file, you need to log in with an Administrator account.
  • Sometimes, due to viruses, this file may be hidden. Read the article.
  • With the two methods described (redirection and acceleration), the desired result may not be obtained. The fact is that several sites can be located on one IP address; this is especially true for external IP addresses that provide services.
  • Because viruses love this file, its attributes can be changed to Hidden and Read-only.
  • Check the file attributes if you cannot save the hosts file.

    Thus, you can easily and free of charge block access to sites in Windows by editing the hosts file.

  • Some terminology

    DNS (abbreviation of Domain Name System) – Domain Name Service. It establishes a correspondence between numeric IP addresses and text names.

    DNS (abbreviation of Domain Name Server) – domain name server; a service computer on the local or global network that translates computer names in domain records into IP addresses.

    DNS cache (DNS resolver cache) – temporary storage of previous DNS requests on the local computer. It reduces query execution time and reduces network and Internet traffic.

    host – the main computer; a host is any device connected to the network that uses the TCP/IP protocols.

    IP (Internet Protocol) – Internet protocol; a network layer protocol from the Internet protocol suite.

    IP address – used to identify a node in a network and to determine routing information. Consists of a network ID and a host ID.

    name resolution – domain name resolution; the process of converting a computer name to the corresponding IP address.

    Name Resolution Service – name resolution service; in TCP/IP networks it converts computer names to IP addresses and vice versa.

    TCP/IP (abbreviation of Transmission Control Protocol/Internet Protocol) – a transmission control protocol, the main protocol of the transport and session layers, providing reliable full-duplex streams. Designed for use in the global network and for combining heterogeneous networks.

    URL (abbreviation of Uniform Resource Locator) – uniform locator of an information resource; a standardized character string that specifies the location of a resource on the Internet.

    What is the hosts file

    The hosts file in Windows and other operating systems is used to associate (match) host names (hosts, servers, domains) with their IP addresses (name resolution).

    By default, only one IP address (127.0.0.1) is registered in the hosts file; it is reserved for localhost, that is, for the local computer.

    The hosts file is a plain text file (no extension).

    Location of the hosts file on disk:

    Windows 95\98\ME – \WINDOWS\;

    Windows NT\2000\ \ \ – \Windows\System32\drivers\etc\.

    When an Internet user types the address (URL) of a site (web page) and presses Enter:

    – the user's browser checks in the hosts file whether the entered name is the computer's own name (localhost);

    – if not, the browser looks for the requested address (host name) in the hosts file;

    – if the host name is found, the browser accesses the corresponding host specified in the hosts file;

    – if the host name is not found in the hosts file, the browser consults the DNS resolver cache (DNS cache);

    – if the host name is found in the cache, the browser accesses the corresponding host stored in the DNS cache;

    – if the host name is not found in the DNS resolver cache, the browser queries the DNS server;

    – if the requested web page (site) exists, the DNS server translates the URL specified by the user into an IP address;

    – the web browser downloads the requested resource.

    History of occurrence hosts-file

    # Copyright (c) 1993-1999 Microsoft Corp.

    #

    #

    #space.

    #

    #

    # For example:

    #

    127.0.0.1 localhost

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
    ::1 localhost

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    #space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Using the hosts file

    The hosts file can be used to speed up work on the global network and reduce traffic by reducing the number of requests to the DNS server for frequently visited resources.

    For example, suppose you often load google.ru and google.com. Open the hosts file and, after the line 127.0.0.1 localhost, enter the lines

    209.85.229.104 google.ru

    74.125.232.20 google.com

    This will let the web browser skip the DNS server and immediately establish a connection with google.ru and google.com.

    Sometimes the hosts file is used to block unwanted resources (for example, senders and malicious software). To do this, after the line 127.0.0.1 localhost, enter a line

    127.0.0.1 Blocked_resource URL

    The essence of this manipulation is that the blocked resource is mapped to 127.0.0.1, which is the address of the local machine, so the unwanted resource will not be loaded.

    Rules for editing the hosts file

    1. Each entry must be on a separate line.

    2. The IP address must start at the first position of the line, followed (on the same line) by its corresponding host name.

    3. The IP address and host name must be separated by at least one space.

    4. Comments must be preceded by the # character.

    5. If comments are used on lines that map a domain name, they must follow the host name and be separated from it by the # character.

    Use of the hosts file by virus writers

    Attackers have long favored the hosts file: with its help, the real addresses of web resources are substituted on the infected computer. After that, the web browser redirects the user to sites with malware or, for example, blocks access to the sites of antivirus vendors.

    Malware disguises modification of the hosts file as follows:

    - to make the lines added by a virus hard to detect, they are written at the end of the file, after a large empty area formed by many line feeds;

    - after that, the original hosts file is given the Hidden attribute (by default, hidden files and folders are not visible);

    - a fake hosts file is created which, unlike the real hosts file (without an extension), has the .txt extension (by default, extensions are not displayed for registered file types).
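The three disguises listed above can each be checked mechanically. The following is an added example, not part of the original article: it flags entries that sit below a long run of blank lines, and inspects a listing of the etc folder for a hidden or read-only hosts file and a hosts.txt decoy. The 20-line threshold, the reason labels and both samples are assumptions constructed for illustration.

```python
import os
import stat

PADDING_THRESHOLD = 20  # assumed cut-off: this many blank lines in a row counts as padding

# Constructed samples: a default entry, 40 line feeds, then an entry pushed out of view;
# and a folder listing with a hidden real file next to a hosts.txt decoy.
SAMPLE_PADDED = "127.0.0.1 localhost\n" + "\n" * 40 + "90.80.70.60 vkontakte.ru\n"
SAMPLE_LISTING = [
    ("hosts", stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_READONLY),
    ("hosts.txt", 0),
    ("hosts.old", 0),
    ("networks", 0),
]


def entries_after_padding(text, threshold=PADDING_THRESHOLD):
    """Return [(line_no, entry)] for active lines that follow a long run of blank lines."""
    hits, blank_run, padded = [], 0, False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_run += 1
            padded = padded or blank_run >= threshold
            continue
        blank_run = 0
        if padded and not line.startswith("#"):
            hits.append((line_no, line))
    return hits


def suspicious_files(listing):
    """listing: iterable of (file name, Windows attribute bits) for the etc folder."""
    findings = []
    for name, attrs in listing:
        stem, _, ext = name.lower().partition(".")
        if stem != "hosts":
            continue
        if not ext:  # the file Windows actually reads
            if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
                findings.append((name, "hidden"))
            if attrs & stat.FILE_ATTRIBUTE_READONLY:
                findings.append((name, "read-only"))
        elif ext == "txt":  # shows as plain "hosts" when known extensions are hidden
            findings.append((name, "decoy-extension"))
    return findings


def list_etc(folder):
    """Build the listing from a live folder; st_file_attributes exists only on Windows."""
    return [(e.name, getattr(e.stat(), "st_file_attributes", 0)) for e in os.scandir(folder)]


if __name__ == "__main__":
    print(entries_after_padding(SAMPLE_PADDED))
    print(suspicious_files(SAMPLE_LISTING))
```

On a live Windows system, `suspicious_files(list_etc(r"C:\Windows\System32\drivers\etc"))` runs the same check against the real folder.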


    hosts file: how to eliminate the consequences of a virus attack

    - open the hosts file (if the virus set the Hidden attribute on the file, you will need to enable the Show hidden files and folders option in Folder Options);

    - a Windows dialog will appear with the message "The following file could not be opened...";


    - select the option Select a program from a list manually –> OK;

    - in the Program selection window, highlight Notepad in the scrollable Programs list –> OK;

    - the hosts file will open in Notepad;

    - remove all lines except 127.0.0.1 localhost;

    - save the hosts file.

    Valery Sidorov