
Check the hosts file for malware on Windows

When you want to visit a website with your web browser, you type the URL into the address box, such as www.google.com. Computers don't work with URLs like this and instead they identify the computer you want to access by its IP address. This looks something like 66.102.9.106 and every computer that is connected to the internet has an IP address. The website sends back the information you requested, such as a web page, because it knows your computer's IP address.

When you enter a URL, the web browser must convert it to an IP address in order to communicate with the right computer. It looks this up at a domain name server. Well, actually, it first looks at a file on the hard disk drive called hosts. If that file contains the URL and a corresponding IP address, then that address is used and the domain name server is not consulted.

The problem is that malware like viruses, Trojans, adware and spyware can hijack the hosts file and fill it with bogus entries. So a virus might add entries for the websites of virus removal tools that send the web browser somewhere else. This makes it impossible to download antivirus software.

You should regularly check the hosts file to make sure that it hasn't been hijacked by malware. It is easy to do, and since it is a text file, it can be loaded into Notepad. You will find it in the C:\Windows\System32\Drivers\etc folder. In the Open dialog, you do need to set the file type to All Files (*.*) though, because hosts doesn't have a .txt extension.

In the hosts file, any line that starts with a hash (#) is a comment that is ignored. The default contents of the hosts file contain brief help and examples from Microsoft, but you'll find that they are all comments. You can usually delete every line in hosts because there is rarely anything useful in it. People that run special software, such as their own web server, will find this line:

127.0.0.1        localhost

This simply means that if you enter http://localhost into a web browser then it will look to the same PC for a response. It's useful for testing your own hand-built website on a web server running on your PC before uploading it live to the web.

Any other lines in hosts should be treated with suspicion. If you find lots of entries or URLs of antivirus vendors, then hosts has been hijacked and you probably have, or have had, a virus. Delete everything in hosts and scan your computer for malware.
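The manual check described above can also be scripted. The following Python sketch is an added example, not part of the original article: it ignores comments, accepts the localhost entry, and reports everything else. The vendor keyword list, the `audit_hosts` name and the sample entries are assumptions made for illustration.

```python
import os

# Assumed keyword list for spotting security-vendor hostnames; extend as needed.
VENDOR_HINTS = ("antivirus", "avast", "avg", "kaspersky", "malwarebytes",
                "mcafee", "norton", "sophos", "symantec", "windowsupdate")
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for every entry worth a look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        if len(fields) < 2:
            findings.append((line_no, fields[0], "", "malformed entry"))
            continue
        ip, names = fields[0], fields[1:]      # one IP can map several hostnames
        for name in names:
            host = name.lower()
            if host == "localhost" and ip in LOOPBACK:
                continue                       # the one entry the article expects
            if any(hint in host for hint in VENDOR_HINTS):
                reason = "security vendor hostname redirected"
            else:
                reason = "unexpected entry"
            findings.append((line_no, ip, host, reason))
    return findings

# Constructed sample for illustration, not taken from a real infection.
SAMPLE = """\
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1        localhost
::1              localhost
127.0.0.1        www.avast.com update.example-vendor.test
203.0.113.7      www.example.com
"""

if __name__ == "__main__":
    try:
        with open(HOSTS_PATH, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE                          # fall back to the sample off Windows
    for finding in audit_hosts(text):
        print("line %d: %s -> %s (%s)" % finding)
```

An empty report means hosts contains only comments and the localhost entry; anything listed should be reviewed as described above.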


