Malwarebytes detected Hijack.Host and can't remove it


10 replies to this topic

#1 webrat

webrat

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:59 PM

Posted 22 January 2016 - 12:35 PM

Hey folks,

 

As the title suggests, I've just run a Malwarebytes scan and the above was detected. There are 2 seemingly identical detections in the same place, both within the System32 folder. If anyone could advise on removing these it would be greatly appreciated.

 

Cheers

 

Edit - It'd also be nice to have some idea what I'm dealing with. Not a lot of info on google.


Edited by webrat, 22 January 2016 - 12:37 PM.



 


#2 webrat

webrat
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:59 PM

Posted 22 January 2016 - 01:35 PM

I've done some reading and found that Malwarebytes can trigger for this if Spybot host file entries are in place. Sure enough after checking the host file I found a stack of them. Following deletion of those entries and a restart I'm getting no alerts from Malwarebytes. Could this really be the issue, given that those entries have been there for months and Malwarebytes has been run dozens of times, or am I missing something?

 

Cheers



#3 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:in a basement
  • Local time:11:29 PM

Posted 22 January 2016 - 05:52 PM

Quite possibly, just continue using your computer for now and post back here if anything else is detected.


they call me te java mayster


#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:59 PM

Posted 23 January 2016 - 03:05 AM

Depending on what the modification is... Can you post the scan or protection log of Malwarebytes that show the detection here? Logs are in History -> Application Logs.

#5 webrat

webrat
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:59 PM

Posted 23 January 2016 - 07:29 AM

Thanks for the response. Unfortunately after the malware report and fixing the host file I ran CCleaner. That deleted the log file with the Hijack.Host result... I ran a second scan immediately after the restart with Malwarebytes and AVG Cloudcare. The logs show 0 results across the board for these. I'm now wondering if uninstalling Malwarebytes and starting fresh is worth a go just to be 100% sure. The more I read about this Hijack.Hosts the less I like it.

 

Cheers



#6 Mr. Clean44

Mr. Clean44

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mentor On The Lake, Ohio
  • Local time:08:59 AM

Posted 23 January 2016 - 09:08 AM

I noticed the same thing this morning after a scan. Here's the scan log.

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/22/2016
Scan Time: 8:46 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.22.09
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Edward
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 566777
Time Elapsed: 25 min, 50 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 9
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (127.0.0.1 analytics.microsoft.com), Replaced,[b3fe50eccbcee45257e3fcf019eb4db3]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (vem.pl
127.0.0.1 affiliate), Replaced,[ded3e25aebaeb3830535dd0f947028d8]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (0.1 localhost
::1 localhost #[IPv6), Replaced,[961ba696108964d2d5654aa2de260cf4]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (127.0.0.1 om.symantec.com), Replaced,[f7ba8fad8e0bbc7a86b78c6064a06d93]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (127.0.0.1 wdcs.trendmicro.com), Replaced,[179aeb51dcbdb77fac92ea02e321fb05]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (127.0.0.1 ads.mcafee.com), Replaced,[0ba6c27a5f3ab6808ab930bc1be95ea2]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (7.0.0.1 localhost
::1 localhost #[IPv6]
127.0.0), Replaced,[e0d1e05c4f4a3df9271c2dbfd62e0ff1]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (t.122.2o7.net
127.0.0.1 aol), Replaced,[bbf6fa429207d3631c27b03cbd478c74]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: ( ns2.w3open.com
127.0.0.1 gtb5.acecounter.com
127.), Replaced,[2a87e25a6a2fcf677cc77973b054d030]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:59 AM

Posted 23 January 2016 - 04:56 PM

@ Mr. Clean44

If you need assistance, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the possible presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff


@ webrat

Just so you know, there are several legitimate security programs which can add numerous entries to the HOSTS file. Spybot S&D offers four levels of protection to include...Immunization and Hosts file protection (adding entries).

The fourth level of protection is through the addition of HOSTS file entries. This is a passive protection. The HOSTS file contains the mappings of IP addresses to host names and is loaded into memory at startup. The HOSTS file must contain one entry: "127.0.0.1 localhost". The IP address 127.0.0.1 is the local machine. Windows checks the HOSTS file before it queries any DNS (Domain Name System) servers, which enables entries in the HOSTS file to override addresses in the DNS. Adding an entry such as “127.0.0.1 malware.com” to the HOSTS file prevents the access of “malware.com” through IE because any connection attempts are redirected back to the local machine. HOSTS file entries can also be used to block other applications from connecting to the Internet.


If you used Spybot S&D's Immunization (or Spybot 2 Immunization) feature, the "Global (Hosts)" profile typically adds about 15493 entries to the HOSTS file starting with 127.0.0.1. Any inactive domains and those reported as false positives will be removed when doing immunization. However, the large size of the Hosts file created by immunization has sometimes been reported to cause problems such as a significant delay when opening Internet Explorer.

There was no need to manually remove them. If you perform an "Undo" via the Immunize button on the Spybot main screen, the entries Spybot added should be removed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
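
The distinction this thread turns on, loopback blocklist entries versus entries that point a name at some other address, shown as an added example (not part of the original posts, and not how Malwarebytes or Spybot work internally). The sample file, the verdict names and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample input; not taken from any poster's machine.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
# entries of the kind a blocklist tool adds (constructed)
127.0.0.1  analytics.microsoft.com
127.0.0.1  ads.mcafee.com   wdcs.trendmicro.com  # two names on one line
0.0.0.0    gtb5.acecounter.com
203.0.113.7  www.example-bank.test
not-an-ip  broken.example.test
"""

def classify(ip_text, host):
    """Return 'localhost', 'sinkhole', 'redirect' or 'malformed' for one mapping."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    local = ip.is_loopback or ip.is_unspecified   # 127.0.0.0/8, ::1, 0.0.0.0, ::
    if host.lower() == "localhost":
        return "localhost" if local else "redirect"
    return "sinkhole" if local else "redirect"

def audit_hosts(text):
    """Parse HOSTS-format text into (line_no, ip, host, verdict) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()       # drop full-line and trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:                       # an address with no host name
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for host in fields[1:]:                   # one address may carry several names
            findings.append((line_no, fields[0], host, classify(fields[0], host)))
    return findings

def summarize(findings):
    return Counter(verdict for *_, verdict in findings)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries reported as `sinkhole` only stop the machine from reaching the named host; `redirect` and `malformed` entries are the ones worth reading by hand before trusting or deleting anything.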

#8 MoxieMomma

MoxieMomma

  • Members
  • 471 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 23 January 2016 - 05:20 PM

Hi, @webrat, et al:

 

The behavior you report seems to relate to recent False-Positives that were corrected with database 2016.01.23.02, approximately 12 hours ago.

 

Hijack.Host-false positive and hijack.host - malware or not?

 

See here:

 

 

If you had MBAM remove the entries already, re-installing whatever HOSTS file you use should put them back.

If you have done nothing yet with these entries, please wait until new update goes out & re-scan.

 

Thanks,

 

MM

 



#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:59 PM

Posted 24 January 2016 - 03:43 AM

Some of the entries removed by MBAM are used to block MS analytics sites, so I thought it was a FP too.

Good to know that it is fixed.

#10 webrat

webrat
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:59 PM

Posted 24 January 2016 - 11:27 AM

Thanks a lot folks. Definitely worth knowing. Everything seems to check out now. 



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:59 AM

Posted 24 January 2016 - 02:29 PM

You're welcome on behalf of the Bleeping Computer community.



