Protecting the HOSTS File with Spybot Search & Destroy

Fortunately, there are steps you can take to prevent unwanted modifications to the HOSTS file. Spybot Search & Destroy includes several free utilities that will not only block changes to the HOSTS file, but can also protect the Registry from unauthorized changes, enumerate startup items for quick analysis, and block known-bad ActiveX controls or alert on unknown ones.

What is the HOSTS file?

T. Wilcox

The HOSTS file is the virtual equivalent of the phone company's directory assistance. Where directory assistance matches a person's name to a phone number, the HOSTS file maps domain names to IP addresses. Entries in the HOSTS file override DNS entries maintained by the ISP. By default 'localhost' (i.e. the local computer) is mapped to, known as the loopback address. Any other entries pointing to this loopback address will result in a 'page not found' error. Conversely, entries can cause a domain address to be redirected to a completely different site, by pointing to an IP address that belongs to a different domain. For example, if an entry for pointed to an IP address belonging to, any attempt to access would result in a redirect to

Malware authors are increasingly using the HOSTS file to block access to antivirus and security websites. Adware may also impact the HOSTS file, redirecting access to gain affiliate page view credit or to point to a booby-trapped website that downloads further hostile code.

Spybot Search and Destroy: Advanced Mode

Spybot Advanced Mode

If you do not already have a copy of Spybot Search and Destroy, this free (for personal use) spyware scanner can be downloaded from After downloading and installing Spybot, continue with the steps below.

  1. Open Spybot Search & Destroy
  2. Click Mode
  3. Click Advanced Mode.
    1. Note: You will receive an alert warning that the advanced mode of Spybot contains more options, some of which can do harm if used improperly. If you do not feel comfortable, do not continue with this tutorial.
  4. Click Yes to continue on to Advanced Mode.

Spybot Search and Destroy: Tools

Spybot Tools menu

Now that Advanced Mode has been enabled, look on the bottom left side of the Spybot interface and you should see three new options: Settings, Tools, Info & License. If you do not see these three options listed, go back to the previous step and re-enable Advanced Mode.

  1. Click the Tools option
  2. A screen similar to the following should appear:

Spybot Search and Destroy: HOSTS file viewer

Spybot HOSTS file viewer

Spybot Search & Destroy makes it simple for even the most novice user to guard against unauthorized HOSTS file changes. However, if the HOSTS file has already been tampered with, this lockdown could prevent other protection from reversing the unwanted entries. Thus, before locking down the HOSTS file, first make sure there are no unintended entries currently present. To do so:

  1. Locate the HOSTS file icon in the Spybot Tools window.
  2. Select the HOSTS file icon by clicking it once.
  3. A screen similar to the one below should appear.
    1. Note: The localhost entry pointing to is legitimate. If there are any other entries shown that you do not recognize or did not authorize, you will need to correct the HOSTS file before continuing with this tutorial.
  4. Assuming no suspicious entries were found, proceed to the next step in this tutorial.

Spybot Search and Destroy: IE Tweaks

Spybot IE Tweaks

Now that you've determined the HOSTS file contains only authorized entries, it's time to let Spybot lock it down to prevent any unwanted changes.

  1. Select the IE Tweaks option
  2. In the resulting window (see sample screenshot below), select Lock Hosts file read-only as protection against hijackers.

That's it as far as locking the HOSTS file goes. However, Spybot can also provide some valuable prevention with just a few more tweaks. Be sure to check out the next two steps for using Spybot to lock down the system Registry and manage your startup items.
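The review and lock steps above can also be checked from a script. The following is an added example, not part of the original tutorial or of Spybot: it lists every HOSTS entry other than the localhost mapping and reports whether the file is read-only. The sample entries are constructed, and the default Windows path is an assumption.

```python
import ipaddress
import os
import stat

# Assumed default Windows location; adjust for other systems.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

# Constructed sample for illustration: documentation-range IP, .example names.
SAMPLE = """\
# constructed sample
127.0.0.1     localhost
::1           localhost
127.0.0.1     update.av-vendor.example   # security site pointed at loopback
203.0.113.10  shop.example www.shop.example
not-an-ip     broken.example
"""

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for every entry except localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, addr, " ".join(names), "malformed"))
            continue
        for name in names:
            if ip.is_loopback and name == "localhost":
                continue                         # the entry the tutorial calls legitimate
            # Loopback/unspecified targets make the site unreachable; others redirect it.
            verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, str(ip), name, verdict))
    return findings

def is_read_only(path):
    """True when the owner-write bit is clear (the read-only attribute on Windows)."""
    return not os.stat(path).st_mode & stat.S_IWRITE

if __name__ == "__main__":
    with open(HOSTS_PATH, encoding="utf-8-sig") as fh:
        for finding in audit_hosts(fh.read()):
            print(*finding)
    print("read-only:", is_read_only(HOSTS_PATH))
```

An empty list from `audit_hosts` means only the localhost mapping is present, which is the state the tutorial asks for before locking the file.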

Spybot Search and Destroy: TeaTimer and SDHelper

Spybot TeaTimer & SDHelper

Spybot's TeaTimer and SDHelper tools can be used alongside existing antivirus and antispyware solutions.

  1. From the left side of the Advanced Mode | Tools window, select Resident
  2. Under Resident Protection Status select both options:
    1. Resident "SDHelper" [Internet Explorer bad download blocker] active
    2. Resident "TeaTimer" [Protection of overall system settings] active
  3. Spybot will now guard against unauthorized modifications to pertinent Registry and startup vectors, as well as prevent unknown ActiveX controls from being installed. Spybot Search & Destroy will prompt for user input (i.e. Allow/Disallow) when unknown modifications are attempted.

Spybot Search and Destroy: System Startup

Spybot System Startup

Spybot Search and Destroy lets you easily see which items load when Windows starts.

  1. From the left side of the Advanced Mode | Tools window, select System Startup
  2. You should now see a screen similar to the sample shown below, listing the startup items specific to your PC.
  3. To prevent unwanted items from loading, remove the checkmark next to the corresponding entry in Spybot's list. Use caution and only remove those items you are certain are not necessary for the normal operation of the PC and desired programs.