
Win32/PossibleHostsFileHiJack - Help?


17 replies to this topic

#1 Katrex
  • Members

Posted 09 March 2009 - 12:40 PM

Hello... Well, that's the detection name in Windows Defender. Here is what I've done recently:


I went into Safe Mode to do some scanning, as a precaution, and scanned with the following (in this order):

Ad-Aware Anniversary Edition (Free)
Spybot S&D
Malwarebytes Anti-Malware
Windows Defender
SuperAntiSpyware (Quickscan only)

They all came up clean, but due to the bottommost one giving me a message saying I hadn't updated in a while, I decided to go back into normal mode to update. I updated everything, finally downloading a Windows Update:

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x64

After this, I went back to Safe Mode. I scanned:

Ad-Aware
Spybot S&D
Malwarebytes
Windows Defender

This is when Windows Defender picked up the following:

SettingsModifier:Win32/PossibleHostsFileHijack

I haven't taken any action with it yet... AVG didn't detect anything and I scanned the folder it locates it in (system32/drivers/etc) and Kaspersky's Online Scanner came up with nothing.

Is this a false positive due to the recent update? Or is this something I should be concerned about? Can someone help me? @.@

Edited by Katrex, 09 March 2009 - 12:40 PM.




#2 boopme
  • Global Moderator

Posted 09 March 2009 - 08:00 PM

Hello, this appears to be a Delf infection. Please run SDFix.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Katrex
  • Topic Starter

Posted 09 March 2009 - 08:24 PM

I knew I forgot something - I'm running Windows Vista Home Premium 64-bit.

Um.. May I ask what the common symptoms of a Delf infection are?

#4 DaChew
  • Members

Posted 09 March 2009 - 09:12 PM

Malwarebytes Anti-Malware is most effective in normal mode, not safe mode.
Chewy

No. Try not. Do... or do not. There is no try.

#5 boopme
  • Global Moderator

Posted 09 March 2009 - 09:28 PM

Hi ..Backdoor.Delf.Family
When a Backdoor.Delf.Family Trojan is executed, it will typically:
Open a network connection.
End processes, such as those belonging to antivirus products.
Copy itself to another file, sometimes deleting the original.
Modify the registry so that the Trojan is executed when you start Windows.

I feel I should also give you this advice now.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#6 Katrex
  • Topic Starter

Posted 09 March 2009 - 09:41 PM

Ugh... Is it really that bad? No chance that it's a false positive? >.<

I'm not experiencing anything abnormal. Windows Defender only started listing it after I updated it and downloaded the latest Net Framework (Start Menu > Windows Update.)

I'd like to try and clean it. I don't do anything that important on this computer.

#7 boopme
  • Global Moderator

Posted 09 March 2009 - 10:04 PM

Hi, OK, well it is possible that it's a false positive. I'll try to find more info. In the meantime, as the PC is running well and it will take a few days to get help, post a HJT log and have them certify you are clean. I would hate to leave you with this on your machine if it is hidden or protected. I think it's the best choice. Thanks.

Run HJT.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

Edited by boopme, 09 March 2009 - 10:05 PM.


#8 Katrex
  • Topic Starter

Posted 09 March 2009 - 10:07 PM

Okay, thank you. I apologize for being pushy (if I seemed that way, I seem that way to me! >.<) - Simply not the news I expected. I will try posting the log.

#9 boopme
  • Global Moderator

Posted 09 March 2009 - 10:11 PM

No, not pushy at all. You got bad news... If it isn't a false positive then we need to get it off. The tools needed now for that are in the HJT forum. I only want you to have a clean PC and peace of mind about it. You asked great questions. :thumbsup:

Edited by boopme, 09 March 2009 - 10:13 PM.
I'll learn to type yet,I promise


#10 Katrex
  • Topic Starter

Posted 10 March 2009 - 05:30 AM

Ehm...

I downloaded DDS to my desktop and attempted to run it; however, in the black box when it comes up it says:

"This tool does not support your Operating System
Press any key to continue... "

When I hit a button, it closes.

Advice?

(So nobody has to hunt for it: I'm using Windows Vista Home Premium 64-bit.)

Edited by Katrex, 10 March 2009 - 05:30 AM.


#11 DaChew
  • Members

Posted 10 March 2009 - 06:31 AM

http://community.norton.com/norton/board/m...essage.id=37967

This might be a false positive, defender drops the ball

Vista 64 bit has more false positives than serious infections

http://www.microsoft.com/security/portal/E...608427027806866

was this detection in your hosts file?

Edited by DaChew, 10 March 2009 - 06:35 AM.


#12 Katrex
  • Topic Starter

Posted 10 March 2009 - 07:20 AM

I think it was:

The location was C:/windows/system32/drivers/etc and I believe that is where it is kept?

From the note on Microsoft.com (my def. file is 1.53.288.0), I guess it was a false positive. The Event Viewer says it updated to that file at 1:45 AM (by then I'd fallen asleep), and there is nothing in the Windows Defender history to indicate a deletion so the automatic scan which started 15 minutes later must have come up clean. (Nothing dated 8th, 9th, or 10th.)

Is it possible to get DDS or something similar working? Although this seems to have turned out to be a FP, the suspicion of that backdoor trojan infection has left me wondering if I could have someone go over the log to ensure my system is clean just for the peace of mind it would grant.. >.>"

Unless all the scans already indicate that, but I'm not an expert on the matter...

#13 DaChew
  • Members

Posted 10 March 2009 - 07:55 AM

I have been studying the 64 bit issue for a few months now, many advanced scanners/tools require drivers to properly find nasty infections, Microsoft will not let those drivers load, whether they are good or bad.

Rootkits are extremely rare in a 64 bit OS and even then they don't function properly.

The location was C:/windows/system32/drivers/etc


That's your hosts file and the false positive with defender was triggered from your immunizing it with spybot?

If you still feel the need to post in the HJT forum this is the tool to use
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please don't post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Boopme, sorry for butting in :thumbsup:

Edited by DaChew, 10 March 2009 - 07:56 AM.


#14 Billy O'Neal
  • Malware Response Team
  • Location:Redmond, Washington

Posted 10 March 2009 - 04:14 PM

Hello :thumbsup:

PatchGuard effectively stops Rootkits on most 64 bit systems. If your problem was triggered after Spybot immunization -- Note that Spybot legitimately writes to the hosts file attempting to block a large number of malicious pages.

If that's the case then it's likely the culprit.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 pamperedsammy
  • Members

Posted 10 March 2009 - 08:58 PM

I am not well versed in this kind of thing, but I'm getting a sense that this message was a false positive triggered by a Microsoft update. Here is what I found on Microsoft's Malware Protection Center:

On March 9, 2009 a signature for SettingsModifier:Win32/PossibleHostsFileHijack started detecting certain modified HOSTS files in some environments. On March 9, 2009 Microsoft released a new signature that addresses the issue. Signature versions 1.53.283.0 and higher include this fix. Users affected by this incorrect detection may recover affected systems by adding the line: “127.0.0.1 localhost” to the HOSTS file.

Any thoughts from the experts? I'm not inclined to scrub my hard drive when Defender flags something the day after an update, but maybe I am being careless. <shrug>
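For anyone who wants to check their own HOSTS file rather than take the detection name on faith, here is a small triage script that ties together the two points made in this thread: Spybot's immunization legitimately writes a large number of 127.0.0.1 entries (blocklist-style, benign), while the Microsoft note says the incorrect detection hit modified HOSTS files and is resolved by restoring the "127.0.0.1 localhost" line. The script separates sink entries (127.0.0.1 / 0.0.0.0 / ::1) from entries that block or redirect an update or vendor host, and flags a file with no localhost line. This is an added example, not code from this thread, from Microsoft or from Spybot; the sample HOSTS contents, the Spybot comment marker and the short SENSITIVE_HOSTS list are all constructed for illustration and are not the real tool's format or the real signature's logic.

```python
"""Triage a Windows HOSTS file: tell blocklist-style entries (such as the
127.0.0.1 lines a tool like Spybot's immunization writes) apart from
entries that look like a hijack, and flag a missing localhost line.
Added example for this thread; not code from BleepingComputer, Microsoft
or Spybot."""
import ipaddress
from dataclasses import dataclass

# Constructed sample standing in for C:\Windows\System32\drivers\etc\hosts.
# The Spybot comment line is an assumed marker, not the tool's real format.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy (assumed marker)
127.0.0.1 www.example-adserver.test
127.0.0.1 tracker.example.test
# Lines below are constructed to look like a hijack
127.0.0.1 update.microsoft.com
10.0.0.5  www.example-bank.test
"""

# Hostnames a hijack commonly blocks or redirects (short, assumed list; a
# real tool would carry the update and vendor domains it cares about).
SENSITIVE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.microsoft.com",
}

# Addresses that make an entry a "sink": the name resolves nowhere useful.
SINK_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


@dataclass
class Finding:
    line_no: int      # 0 when the finding is about the file as a whole
    address: str
    hostname: str
    verdict: str      # "benign", "suspicious" or "malformed"
    reason: str


def parse_hosts(text):
    """Yield (line_no, address_field, [hostnames]) for each entry line,
    ignoring blank lines and anything after a '#'."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield n, fields[0], fields[1:]


def triage(text, sensitive=frozenset(SENSITIVE_HOSTS)):
    """Classify every HOSTS entry and add a file-level finding when no
    localhost line (127.0.0.1 / ::1 localhost) is present."""
    findings = []
    has_localhost = False
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(n, addr, " ".join(names), "malformed",
                                    "first field is not an IP address"))
            continue
        for name in names:
            lname = name.lower()
            if lname == "localhost" and ip in SINK_ADDRESSES:
                has_localhost = True
                findings.append(Finding(n, addr, name, "benign",
                                        "standard localhost mapping"))
            elif lname in sensitive:
                # Sunk to 127.0.0.1 (blocks updates) or pointed at another
                # host (redirect): either way it is the hijack pattern.
                findings.append(Finding(n, addr, name, "suspicious",
                                        "update/vendor host blocked or redirected"))
            elif ip in SINK_ADDRESSES:
                findings.append(Finding(n, addr, name, "benign",
                                        "blocklist-style entry (sunk to a local address)"))
            else:
                findings.append(Finding(n, addr, name, "suspicious",
                                        "name redirected to a non-local address"))
    if not has_localhost:
        findings.append(Finding(0, "", "localhost", "suspicious",
                                "no '127.0.0.1 localhost' line present"))
    return findings


def suspicious_lines(text):
    """Line numbers of suspicious entries (0 means a file-level finding)."""
    return [f.line_no for f in triage(text) if f.verdict == "suspicious"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f"line {f.line_no:>3} {f.verdict:<10} {f.address:<10} {f.hostname}: {f.reason}")
```

To run it against a real machine, read the file at C:\Windows\System32\drivers\etc\hosts (needs an elevated prompt to write, not to read) and pass its contents to triage(). Hundreds of 127.0.0.1 lines for ad and tracker domains are what an immunized file looks like; a handful of entries for update or vendor hosts, or any entry pointing a name at a non-local address, is what warrants a closer look.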



