After entering the required site in the browser, let's say Google.com , the browser sequentially (according to priority) searches for a mapping of this domain name to an IP-shnik (because it is with IP addresses that network devices work).
and) the specified site is checked in the hosts file, if it finds a match (suppose the hosts file contains 1.1.1.1 Google.com), then the contents of IP - 1.1.1.1 will be opened accordingly, if there is no specified domain name, proceed to the next step;
b) the cache dns is checked (if you have opened Google.com before, then most likely the IP of this site has been saved in the DNS cache of your computer / laptop), if the IP of the site is indicated there, then the page opens to you, if not, proceeds to the last stage;
in) the request goes to the DNS server (it is written manually in the network connection settings or is issued via DHCP), if the specified site is not in the DNS server, it will "ask" another DNS server until it finds it (if it exists at all) and the site is successful will open.
The hosts file is located at the path C: \\ Windows \\ System32 \\ Drivers \\ etc \\ hosts (if C is the system drive). You can open it with a regular notepad. If you did not make changes to the hosts file, then the following will be written there:
|
Windows XP hosts file: 127.0.0.1 localhost |
Hosts file inWindows Vista: 127.0.0.1 localhost |
|
Hosts file inWindows 7: # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. |
Hosts file in Windows 8 # Copyright (c) 1993-2009 Microsoft Corp. # localhost name resolution is handled within DNS itself. |
As you can see, regardless of the version, the host file is not very different, but if the virus "worked" on the hosts file, various sites and IP-schnicks can be added there. For instance:
127.0.0.1 ftp.kаspеrskylab.ru
127.0.0.1 ids.kаspеrsky-labs.com
127.0.0.1 vk.com
127.0.0.1 drweb.com
Such additions in the file prevent you from accessing the specified sites.
1.2.3.4 ftp.kаspеrskylab.ru
1.2.3.4 ids.kаspеrsky-labs.com
1.2.3.4 vk.com
1.2.3.4 drweb.com
Such additions in the file when opening the specified sites will redirect you to other sites, possibly infected with viruses (IP 1.2.3.4 are fictitious).
If you find out that the hosts file has changed, you need to fix it. In Windows XP, the file is simply opened with notepad, the necessary changes are made and saved (you must log in as an administrator). On other versions (Windows Vista, 7, 8) it is necessary to give the rights to modify the file. To do this, open the folder where hosts is located C: \\ Windows \\ System32 \\ Drivers \\ etc(if the C drive is system). Right click on hosts and choose "Properties".
Choose a tab "Safety", then select the user under which you work on the computer / laptop (in this example, this is the site) and press the button "Change"... A window will open "Permissions for the hosts group", again select the user and assign full rights to the file, click "OK",in the window "Properties: hosts",also "OK".
After that, open hosts with Notepad and return the file to its original state, when finished, save the changes.
Today, users of social networks like VKontakte or Odnoklassniki are often faced with the problem of entering the site. The system controls this through the HOSTS file, which is located in the C: \\ Windows \\ System32 \\ drivers \\ etc tree. Unfortunately, this is the service most commonly affected by viruses. Let's try to figure out how to fix the situation.
What files are in the C: \\ Windows \\ System32 \\ drivers \\ etc directory and what are they responsible for?
First, let's pay attention to the files in this folder. In addition to the file you are looking for, there should be only four more objects here. If there is something else, you can safely say that or something like that.
As far as file functions are concerned, for example, the C: \\ Windows \\ System32 \\ drivers \\ etc \\ services object and other files, including HOSTS, protocol, lmhosts, and networks, are responsible for some of the user's access to certain resources on the Net.
The considered one determines the correspondence of the database of domain names to IP addresses. In addition, its use involves accelerating the user's access to the most frequently visited pages on the Internet bypassing DNS servers, as well as blocking some unwanted resources or banner links. By default, in addition to the descriptive text part, it contains a single record of interest to us at the end of the text, namely: 127.0.0.1 localhost. Everything! There should be no more additional entries in it.
Checking the IP address of sites
If we talk about an example of matching a domain name to the real IP address of a resource, you can check it in a completely elementary way using the standard input of the ping command in the command line, followed by the URL of the checked resource, separated by a space.
To get the IP of any resource, you must use the following combination: ping www. (Site name). (Domain ownership). For example, for Facebook, this would look like ping www.facebook.com. After executing the command, the required address and statistics of the so-called ping will be displayed on the screen.
What to do if a file is infected with a virus?
Unfortunately, it is the C: \\ Windows \\ System32 \\ drivers \\ etc \\ HOSTS file that viruses infect most often. After that, when a user enters the same social network, he is either redirected to a clone site, or a message is generally issued demanding payment for the entrance. Let's make a reservation right away: not a single "social network" takes money for using the services of a resource. Hence the conclusion: this is a virus (sometimes artificial blocking, which is extremely rare).
If such a misfortune has already happened, you should first check the computer system.In some cases, you should not even use the antivirus installed in the system, since it has already missed the threat, and there is no guarantee that it will detect it and remove it as a result of an on-demand scan.
Better to run some portable utilities like Dr. Web (Cure IT is best!) Or KVRT, which doesn't even require installation. But even such powerful products do not always help, and blocking access to resources written in the file C: \\ Windows \\ System32 \\ drivers \\ etc \\ HOSTS remains and continues to work. Let's see how you can get rid of it.
Correcting file text manually
First, go to the directory C: \\ Windows \\ System32 \\ drivers \\ etc, then select our file and right-click to call the menu with the command "Open with ..." (initially the system file itself will not be opened by double-clicking, since it has no extension) ... Now from the list of available programs select the standard "Notepad" and look at the contents of the text.
As a rule, the infected file may contain entries like 127.0.0.1, followed by the addresses of the resources of the same social networks (for example, 127.0.0.1 odnoklassniki.ru). This is the first sign that they were produced due to the operation of malicious code. It turns out that the control elements of the system, referring to the HOSTS file, are constantly produced when trying to access it.
The simplest correction method is to delete all content when you paste the original text (you can take it from another computer or find it on the Internet). After that, you just need to save the changes (Ctrl + S) and restart the computer terminal. You can, of course, try to replace the desired file with the original one, but the system is unlikely to allow this, even if you have administrator rights. In addition, this option works in about 20-30% of cases.
Problems with HOSTS and the lmhosts.sam object
The problem can often be more serious. The fact is that sometimes when entering the directory C: \\ Windows \\ System32 \\ drivers \\ etc, the HOSTS file we need is visually missing.
First, in the "Explorer" you should use the service menu, then select the folder options, where the option of showing hidden objects (files and folders) is enabled. In addition, you need to remove the "birdies" from the lines of hiding protected system files and extensions for registered types. Now our file is visible.
However, this is where the real problems begin. The fact is that when you try to edit or save, the system displays a message that the C: \\ Windows \\ System32 \\ drivers \\ etc \\ HOSTS file is not writable. What to do in this case?
We apply drastic measures - delete the HOSTS file, preferably from the "Recycle Bin". You can quickly delete it, bypassing the "Recycle Bin", by pressing Shift + Del. Then we right-click on the free space of the window and select the command to create a new text file and call it hosts or HOSTS without the extension, whatever you want, it doesn't matter. We agree with the warning of the system regarding the change of the extension and proceed to editing. As it is already clear, the actions further are similar to the previous option - we just insert the original content and save the newly created document. After that, we delete the lmhosts.sam file (it is it that affects the performance of the desired host file), after which we again reboot the system.
This option will restore access to your favorite sites that were previously blocked. By the way, this method almost always works.
Instead of an afterword
As you can see from the above, it is quite simple to fix the problem with blocking Internet resources, even without having any special knowledge and skills for this. However, before you start editing the HOSTS system object, you should make sure that the standard scan by the antivirus software yielded nothing. Some users try to use utilities like Microsoft Fix It. Please note that if there is a virus in the system, the files will be reinfected, and the corrections will be made only for a while.
The hosts file is a rather vulnerable place in the Windows operating system. This file becomes the number one target for almost all viruses and Trojans that manage to infect a computer. In this article, we will tell you about what the hosts file is, where it is located, what it is used for and how to restore it after a computer has been infected with viruses.
The task of this file is to store a list of domains and their corresponding ip-addresses. The operating system uses this list to translate domains to ip addresses and vice versa.
Every time you enter the address you need for a site into the address bar of your browser, a request is made to convert the domain to an ip-address. This translation is now performed by a service called DNS. But, at the dawn of the development of the Internet, the hosts file was the only way to associate a symbolic name (domain) with a specific ip-address.
Even now, this file has a direct impact on the conversion of symbolic names. If you add an entry in the hosts file that will associate an ip-address with a domain, then such an entry will work fine. This is exactly what the developers of viruses, Trojans and other malicious programs use.
As far as the structure of the file is concerned, the hosts file is a regular text file with the extension. That is, this file is not called hosts.txt, but simply hosts. To edit it, you can use the usual Notepad text editor.
The standard hosts file consists of several lines that begin with a "#" character. Such lines are ignored by the operating system and are just comments.
Also in the standard hosts file there is an entry "127.0.0.1 localhost". This entry means that when you access the symbolic name localhost, you will be accessing your own computer.
Hosts file fraud
There are two classic ways to benefit from making changes to the hosts file. First, it can be used to block access to websites and servers of anti-virus programs.
For example, after infecting a computer, the virus adds in the hosts file the following entry: "127.0.0.1 kaspersky.com". When trying to open the kaspersky.com website, the operating system will connect to the ip-address 127.0.0.1. Naturally, this is the wrong ip address. This leads to access to this site is completely blocked. As a result, the user of the infected computer cannot download the anti-virus or anti-virus database updates.
In addition, developers can use another technique. By adding entries to the hosts file, they can redirect users to a fake site.
For example, after infecting a computer, the virus adds the following entry to the hosts file: “90.80.70.60 vkontakte.ru”. Where "90.80.70.60" is the IP address of the attacker's server. As a result, when trying to go to a well-known site, the user gets to a site that looks exactly the same, but is located on someone else's server. As a result of such actions, fraudsters can obtain usernames, passwords and other personal information of the user.
So in case of any suspicion of a virus infection or substitution of sites, the first thing to do is to check the HOSTS file.
Where is the hosts file
Depending on the version of the Windows operating system, the hosts file may be located in different folders. For example, if you use Windows XP, Windows Vista, Windows 7 or Windows 8, then the file is located in the WINDOWS \\ system32 \\ drivers \\ etc \\ folder.
In Windows NT and Windows 2000 operating systems, this file is located in the WINNT \\ system32 \\ drivers \\ etc \\ folder.
In very ancient versions of the operating system, for example in Windows 95, Windows 98 and Windows ME, this file can be found simply in the WINDOWS folder.
Restoring the hosts file
Many hacked users are interested in where you can download the hosts file. However, there is no need to search and download the original hosts file. You can fix it yourself, for this you need to open it with a text editor and delete everything except the line except "127.0.0.1 localhost". This will unblock access to all sites and update your antivirus.
Let's take a closer look at the process of restoring the hosts file:
- Open the folder where the file is located. In order not to wander through directories for a long time in search of the desired folder, you can use a little trick. Press the Windows key + R key combination to open the Run menu". In the window that opens, enter the command "% Systemroot% \\ system32 \\ drivers \\ etc" and click OK.
- After the folder in which the hosts file is located, make a backup copy of the current file. In case something goes wrong. If the hosts file exists, then simply rename it hosts.old. If the hosts file does not exist at all in this folder, then this item can be skipped.
- Create a new empty hosts file. To do this, right-click in the etc folder and select "Create text document".
- When the file is created, it must be renamed to hosts. When renaming, a window will appear in which there will be a warning that the file will be saved without the extension. Close the warning window by clicking the OK button.
- After the new hosts file is created, you can edit it. To do this, open the file with Notepad.
- Depending on the version of the operating system, the contents of the standard hosts file may differ.
- For Windows XP and Windows Server 2003 add "127.0.0.1 localhost".
- Windows Vista, Windows Server 2008, Windows 7 and Windows 8 need to add two lines: "127.0.0.1 localhost" and ":: 1 localhost".
In this article, we will consider a way to clean this file using the Windows operating system itself, without downloading special programs.
This article was written solely based on the personal experience of the author and co-authors. You follow all the advice given at your own peril and risk. For the consequences of your actions, the author and the Site Administration are not responsible.
Before starting to clean up the file, you need to do the following operations ( necessarily!):
- if no antivirus program is installed, find and install any antivirus program of your choice;
- it is necessary to update the anti-virus databases as of the current day;
- conduct a full system scan for malicious content (in some cases, you may need to scan in Safe Mode or from a Live CD / DVD);
- after checking the antivirus program, disable the antivirus protection while cleaning the hosts file (some antiviruses block changes).
Attention! This instruction for clearing the hosts file ineffective on an "infected" computer... First, you should cure the system from viruses and then start fixing the hosts file.
If you did not change the location of the folder with the hosts file yourself, then I recommend that you first return the value of the registry key to the default value. To do this, open an empty Notepad, paste the text below there and save the file with the name hostsdir.reg on the desktop.
Windows Registry Editor Version 5.00 "DataBasePath" \u003d hex (2): 25,00,53,00,79,00,73,00,74,00,65,00,6d, 00,52,00,6f, 00, 6f, \\ 00.74,00,25,00,5c, 00,53,00,79,00,73,00,74,00,65,00,6d, 00,33,00,32,00,5c , 00, \\ 64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c, 00,65,00,74,00,63,00,00, 00
The text should start without spaces and empty lines, after the line "Windows Registry Editor Version 5.00" there should be one empty line, after all the text you should also put an empty line. In the file, the string "% SystemRoot% \\ system32 \\ drivers \\ etc" is encoded in two-byte hexadecimal code (hex (2) :).
After saving the file, close notepad, find the file on the desktop hostsdir.reg and double click on it. The system will notify you that an attempt is being made to make changes to the registry and will ask for your consent. Answer "Yes", after which the change will be made to the registry.
If the system reports that access is denied or registry modification is blocked, then you do not have administrative rights in the system or your system requires more careful attention, the use of special programs for treatment.
We press (or the same thing: we press the keyboard shortcut Win + R)
A window will appear Running the program
In field Open enter the line:
Notepad% SystemRoot% \\ system32 \\ drivers \\ etc \\ hosts
(just copy the above command text into the box Openwindow Running programs). We press OK
We see a notebook on the screen with approximately similar content:
It also happens that some cunning pests write their malicious addresses outside the Notepad window. Always check if you have a scrollbar on the side and always scroll to the end of the file.
Clear the entire editor window (press Ctrl + A and Delete) and copy one of the following texts, depending on the version of your operating system.
# Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP / IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. 127.0.0.1 localhost
# Copyright (c) 1993-2006 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP / IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost :: 1 localhost
# Copyright (c) 1993-2006 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP / IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handle within DNS itself. # 127.0.0.1 localhost # :: 1 localhost
Note that most lines start with a # sign. This sign means the beginning of a comment and the entire text until the end of the line is not perceived by the system. Due to this circumstance, in texts for Windows XP and Windows Vista, only the last line is important, while for Windows 7, 8 and 10 the text can be completely empty.
Then we save the changes made, close the notebook and try to open the previously blocked sites.
Attention! The site administration, as an alternative, does not recommend deleting the etc folder, which contains the hosts file. This can lead to system crash.
After successfully saving the file, you have the following options:
- everything is back to normal and previously blocked sites open normally;
- sites continue to be blocked or open third-party resources. This means that an active Trojan is operating in the system, which at regular intervals checks the contents of the hosts file and changes it.
If after rebooting the system everything returned to the same state of blocking your favorite sites, then you need to return to the beginning of the article and select a different antivirus to scan the system.
Also, there are times when after making changes, you cannot save the file. Open the command line of the system (Start - Accessories - Command line or Win + R - cmd - OK) and in turn enter the commands below:
Cd% SystemRoot% \\ System32 \\ drivers \\ etc attrib -S -H -R hosts notepad hosts
If you cannot save the file on Windows systems (including Windows XP, if you logged in with a limited account), you need to log in with an Administrator account or run Notepad on behalf of the Administrator and edit the file. In more detail, this operation is indicated in the article on our website Can't save hosts file.
If all else fails !!!
Download the attached file below and run. The file was downloaded from the Microsoft website and does not contain any malicious content.
Attention! The attached file is not an antivirus program! It only automatically resets the contents of the hosts file to the default content as described for manual editing in the article.
