Sample Macro

Protect your HOSTS File

Written by Kevin Heaton, Insight Software Solutions, Inc.

What it does

Some recent viruses, trojans and other malware have been modifying the HOSTS file on infected computers. Among other things, one result of this tampering is access is blocked to anti-virus, anti-apam and spyware update sites. These programs either alter the original HOSTS file or make a change to your registry to cause your computer to use a HOSTS file in a different location.

This macro notifies the user when the HOSTS file has been altered.

To install

Download the macro file umprothosts.zip and save it to your hard drive. Unzip the files and save them in the folder where you store your macro file(s). Import the macros into your existing macro file by clicking File, Import, Import Macros.

To use

Run the macro by pressing Win+Alt+H. A message is spoken and a dialog displayed if the hosts file that Windows is currently using does not match the saved copy of the hosts file. You may want to change this to a scheduled macro. If you do, you would want to either mute the spoken messages or remove the ‘done’ message that is spoken when the macro ends.

How it works

This macro is designed to protect your HOSTS file in two ways. First, it checks your registry to make sure that the path to the HOSTS file has not been altered. Second, it keeps a copy of your HOSTS file and notifies you if the HOSTS file in use does not match the saved copy of the HOSTS file.
The HOSTS file is saved in the Windows folder for some versions of Windows while other versions of Windows save the HOSTS file in %Systemroot%\System32\drivers\etc. This macro calculates the expected location of the HOSTS file and compares that path with the one saved in the Windows Registry. If different, the user is warned.

The HOSTS file is then compared with a saved copy of the HOSTS file. If a difference is found, the HOSTS file and the saved copy of the HOSTS file are both displayed so you can compare them. Then you are asked if you want to restore the HOSTS file from the saved copy. If not, you are then asked if you want to copy the current HOSTS file for future comparisons.

The first time you run the macro you will be asked if you want to save the current HOSTS file for future comparisons.

Another feature of this macro is the ability to tell the user what is going on using several sound files. By modifying the macro you can choose one of three voices to use for the spoken messages.

Limitations

This macro will offer to restore the HOSTS file from the saved copy. It will not fix the registry entry pointing to the HOSTS file if it has been altered. It only warns you if a change has been made.

This macro is intended to supplement, not replace, other protection software such as anti-virus and spyware detection and removal programs. Use of this macro may provide an early warning of malware.

Requirements

– Macro Express 3.5 or later
– ErrorF1.wav, errorM1.wav or errorF3.wav
– DoneF1.wav, doneM1.wav or doneF3.wav