Helping people with computers... one answer at a time.

The hosts file can be used to send you to or prevent you from reaching malicious sites. Different anti-spyware tools can bump into each other checking on this.

I tried a different anti-spyware program which reported a stream of different trojans all related to my HOSTS file. These entries (1677 in all) are listed in my hosts file as inserted by Spybot. The program I was testing told me to delete them immediately. I am very confused; should I remove all these entries? I understood that they were placed there by Spybot so that these sites could not be accessed. Each entry follows the loopback address 127.0.0.1.

You're bumping into a classic problem that results from running more than one anti-spyware program. One program thinks that the other is itself spyware.

Who do you believe?

In this case, if we understand why the hosts file is so important and how it can be used and misused, we'll have our answer.

Machines on the internet are located by their IP address. The server that hosts Ask Leo!, for example, is (today) at 72.32.63.173. To avoid needing to remember that, and to enable hosting more than one site on a single IP address, the Domain Name System, or DNS, provides a way to associate names with IP addresses. So when you visit http://ask-leo.com your browser "looks up" ask-leo.com, and then establishes a connection to the machine on the internet at the associated IP address.

That "looking up" is typically itself an internet-based request. There are DNS servers whose job it is to respond to questions like "what's the IP address of ask-leo.com?".

The hosts file is a simple text file on your system that can also contain name/IP mappings. It's checked first - before asking a DNS server - so anything that's present in the hosts file actually overrides whatever the DNS server might have said had it been asked.

There are two major ways that the hosts file can be used with respect to malware:

  • By the bad guys: spyware can place fake entries into the hosts file. For example, the spyware might add an entry for "paypal.com". If you then attempt to visit Paypal, the fake IP address from the hosts file overrides the real address from DNS, and you're sent to whatever server the bad guys have set up, all the while thinking you're connecting to paypal.com.

  • By the good guys: anti-spyware programs can place entries into the hosts file that prevent you from even accidentally visiting bad sites. For example, if "somerandomservice.com" were a known malicious site, then by adding a special entry to the hosts file, any attempt to look up that domain will return an IP address that simply does not take you there.

Same technique - adding entries to the hosts file - with completely different objectives, good and evil.

So knowing this, we can deduce what's happening to you.

Spybot added information to your hosts file to block sites that it knows are malicious in order to prevent you from even accidentally visiting them. That's actually a pretty nifty approach, in my opinion, particularly if you've got a machine being used by someone who's not perhaps as careful as they should be about web surfing. My test copy of Spybot added over 11,000 different domains to my hosts file.

If you look at the hosts file (it's just a text file, typically in C:\WINDOWS\system32\drivers\etc\hosts), you'll even see Spybot's list:

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 (domain name)
127.0.0.1 (domain name)
...
127.0.0.1 (domain name)
127.0.0.1 (domain name)
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

The other software you're testing doesn't know this. It doesn't know that you're running Spybot, or that Spybot does this to the hosts file.

But it does check to see if the hosts file has been modified. And if it has, it simply assumes that the file was modified by spyware.

Hence the warning; the "false positive" warning. In fact, since you point out that the domains are all redirected to the "loop back" address of 127.0.0.1, that further confirms the likelihood of it being a false positive. Had the domains been redirected to a live IP address, then it might be worth further investigation (though Spybot's already watching this for you).
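To make that distinction concrete, here is a small added audit script (not from the article, and not Spybot's code) that applies the same rule of thumb the answer uses: names pointed at 127.0.0.1 or 0.0.0.0 are treated as sinkhole entries of the kind a blocklist installs, while names sent to a routable address are the ones worth a closer look. The hosts content, the .test domains and the 203.0.113.45 address are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout the article shows; the .test domains and the
# 203.0.113.0/24 address are documentation placeholders, not real indicators.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ads.example-tracker.test
127.0.0.1 malware.example-bad.test   # trailing comment
0.0.0.0   another-bad.test
# End of entries inserted by Spybot - Search & Destroy
203.0.113.45    paypal.com www.paypal.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; blank lines, comments and junk lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()

def classify_entry(ip, name):
    """local: the default localhost lines; blocked: sinkholed to loopback or
    0.0.0.0 (what Spybot's list does); redirect: sent to a routable address,
    the shape a hijack takes; invalid: first field is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if name in ("localhost", "localhost.localdomain"):
        return "local"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    return "redirect"

def audit_hosts(text):
    """Count entries per class and list the redirected names that merit a look."""
    counts = Counter()
    redirects = []
    for ip, name in parse_hosts(text):
        kind = classify_entry(ip, name)
        counts[kind] += 1
        if kind == "redirect":
            redirects.append((name, ip))
    return dict(counts), redirects
```

Run against your own file (C:\WINDOWS\system32\drivers\etc\hosts on Windows), a result of many "blocked" entries and zero "redirect" entries matches the false-positive situation described above; any "redirect" line for a domain you did not add yourself is the case that deserves investigation.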

My recommendation works out to be this:

  • Run only one anti-spyware tool regularly. Spybot's good, and there are others.

  • Leave the hosts file entries placed by Spybot.

  • Only run a second anti-spyware tool if you suspect or are specifically battling an infection that the first did not get. In this case, you'll need to carefully understand the reports, as false positives like this are quite possible.

Article C3897 - October 10, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

3 Comments
Alex
October 13, 2009 10:59 AM

Also Leo, you forgot to mention that there are many "bogus" anti-spyware programs out there that would not like Spybot's Hosts file at all. There are hundreds of antispy programs that are nothing but spyware in disguise. This may be what the person is using, unless you purposefully left out the name of the offending program, and it is in fact a real antispy program. I run several (Spybot, Adaware, Super Antispyware, Malwarebytes), and none have ever said anything about Spybot's Hosts file.

Anti Spyware
December 7, 2009 6:37 PM

How do I know if the anti virus was already detected by Spybot?

Neale Lehman
May 24, 2011 2:49 PM

Can one anti-spyware program delete the additions to the Host File made by another?

Can they? Sure. Do they? Don't know. Depends on the programs in question.
Leo
24-May-2011
