
Another Trojan.agent.e.generic is stuck in Windows Hosts file even after multiple quarantines



Hello, 

Several of our PCs have been infected with malware. So far, all seem to have been removed successfully except on one PC. This is a Windows 7 PC. Each time I run Malwarebytes, it finds trojan.agent.e.generic in the Windows hosts file; we quarantine it, Malwarebytes says successful, restart to finish the deletion. Restart to finish deletion results in failure. I'm attaching one of the Malwarebytes scans and files from Farbar.

mbscan3.txt

Addition.txt

FRST.txt


Hi Aura,

A little background - Although Malwarebytes has been consistent in reporting the Trojan.agent.e.generic on a scan and in quarantine, I have not been able to see the trojan file in hosts, only in quarantine. (I have the Folder Options settings set to Show all hidden files and Hide operating system files is unchecked.) I have recreated the hosts file several times, so am attaching various versions. Spybot Search and Destroy was run on the PC, so the original hosts file had a lot of Spybot immunization entries. Spybot Search and Destroy was uninstalled later.

Thanks.

 

hosts.zip

hosts.20170620.zip

hosts.20170620-123726.zip

hosts.20170620-165239.zip


Quote

Spybot Search and Destroy was run on the PC, so the original hosts file had a lot of Spybot immunization entries. Spybot Search and Destroy was uninstalled later. 

This is what's causing the issue. For an unknown reason, Spybot decides to create a hosts file at a different location than the default one (which is C:\Windows\system32\drivers\etc\hosts), hence why Malwarebytes is flagging it as malicious. If you uninstall Spybot from the system, and delete the C:\Windows\Hosts file, the detection shouldn't come back.

This is from the hosts.20170620.zip you provided me:

# Start of entries inserted by Spybot - Search & Destroy

Your issue is similar to the one in this thread (this time, Spybot Anti-Beacon was the culprit):

https://forums.malwarebytes.com/topic/202828-trojanagentegeneric-is-stuck-in-cwindowshosts-even-after-multiple-quarantines/?do=findComment&comment=1140172

 


Thank you. That solved it.

So Malwarebytes was picking up the trojan file from the file that I had renamed hosts.20170620.old, with an entry for it from Spybot immunization? I had looked but didn't see it there.

In any case, it's all good now.


Malwarebytes was detecting the threat since there was a file called "Hosts" in a non-standard location (C:\Windows\Hosts), which was created by Spybot Search and Destroy. And the file kept coming back because Spybot kept creating it when Malwarebytes was quarantining it.

And no problem miranda, you're welcome :) 

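A read-only PowerShell check for the situation described above, added here as an example and not part of the original thread: it inspects the hosts file Windows actually uses and the stray C:\Windows\Hosts copy, and reports whether each carries Spybot entries. The function name `Get-HostsFileReport` is hypothetical, and the marker pattern is an assumption based on the Spybot line quoted in the thread.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Assumption: Spybot-written hosts files contain the marker line quoted in the thread.
$markerPattern = '*entries inserted by Spybot*'

# The Windows resolver reads "hosts" from the directory named in DataBasePath
# (by default %SystemRoot%\System32\drivers\etc).
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
$dbPath = [Environment]::ExpandEnvironmentVariables($dbPath)

$candidates = @(
    (Join-Path $dbPath 'hosts'),          # the file name resolution actually uses
    (Join-Path $env:SystemRoot 'Hosts')   # the non-standard copy discussed in the thread
)

function Get-HostsFileReport {
    param([string]$Path)

    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $report = New-Object PSObject -Property @{
        Path = $Path; Exists = $exists; LastWrite = $null
        SpybotMarker = $false; ActiveEntries = 0
    }
    if (-not $exists) { return $report }

    # -Force so a hidden or system attribute does not hide the file from us.
    $item  = Get-Item -LiteralPath $Path -Force
    $lines = @(Get-Content -LiteralPath $Path -Force)

    # A changing LastWrite after a quarantine means something is re-creating the file.
    $report.LastWrite     = $item.LastWriteTime
    $report.SpybotMarker  = [bool]($lines | Where-Object { $_ -like $markerPattern })
    # Active entries are lines whose first non-blank character is not '#'.
    $report.ActiveEntries = @($lines | Where-Object { $_ -match '^\s*[^#\s]' }).Count
    return $report
}

$candidates | ForEach-Object { Get-HostsFileReport -Path $_ } |
    Format-Table Path, Exists, SpybotMarker, ActiveEntries, LastWrite -AutoSize
```

Running it before and after a quarantine-and-reboot cycle shows whether the C:\Windows\Hosts copy has been re-created, which is the behaviour the reply above attributes to Spybot.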

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.