A Question from Bill
(I get) a small screen pop up saying "A change has been detected in your Internet "Hosts" file. Entries in this file can redirect your browser to alternate web sites. Would you like to examine? Yes? NO? Could you please tell me what this is all about, and how to correct it? Thank you Bill

Answer
When you type in a domain, such as www.thundercloud.net the browser contacts a central server on the web to look up the real address (the name "Thundercloud.net" is called a domain name but real address is a series of numbers, which in our case is 208.62.160.26. If you click http://208.62.160.26/ it is the same as clicking http://thundercloud.net/ . Think of the real address like a phone number and the domain name as an easy way to "call" without remember a series of numbers). The browser then uses the address to retrieve the page, and display it. Every site on the web has a real IP address that users can find. The central server(s) that look up the "real address" (i.e. the numbers) DNS (Domain Name Services) server(s), and they have one simple function: To look up a domain and return an IP address. There are also reverse DNS servers which can do "reverse" lookups for an IP (numbered) address as well.

In Windows there is a miniature DNS called the "HOSTS" file, and this file is checked first by your browser before it checks with the central DNS on the web. This is meant to save time connecting to a distant server to look up IP addresses and to provide advanced users with a means of blocking certain site (like Doubleclick.com and hence all the advertisements it serves). However it has become a burden rather than a benefit because it has become a favorite target for viruses, spyware and browser hijackers. If your "HOSTS" file contains a domain/IP address match then the browser never goes to the web to look up the number and can "redirect" you to a site other than the one you intended. For example, a browser hijacker can use the Hosts file to redirect all search requests for Yahoo, Google, AltaVista, etc. to their own search page by listing the domains, but pointing all to a single (the hijacker's) IP address. For example if your default search engine is Google, the spyware/hijacker program would write an entry in your "HOSTS" file to read 63.250.206.138 google.com. In this example, when you typed in www.google.com in your browser, you would be redirected to www.yahoo.com . The spyware/malware/hijacker developer of course would redirect all searches through their own "search engine" and bedevil you with advertisements, not to mention very skewed and possibly worthless search results.

Luckily the HOSTS file can be easily edited using Notepad or any other text editor. You can also delete it completely if you suspect you're browser is not going where you tell it to. The HOSTS file is located in C:\Windows\System32\Drivers\etc (on Windows XP). For other versions of Windows you can do a search for HOSTS. Be careful you don't delete the wrong file. Open the file with Notepad. It should look like this. The HOSTS file has NO extension. If you modify it, save it that way.

So, Bill, if you suspect your browser has been hijacked, say "NO". If you're not sure say "NO". The HOSTS file was included with Windows to speed up browsing but it never really did speed up anything noticeably (if you're on a broadband connection). The dangers of it being misused outweigh any benefits it has. I don't see any circumstances under which you would ever say "Yes" unless your anti-spyware program was trying to correct the entries. If this is the case then say "Yes". Or else delete the HOSTS file all together. (We have deleted our HOSTS files). For more information about the HOSTS file, what it does, how you can use it to your benefit, and other detailed information, please click here.