Infected - SettingsModifier:Win32/HostsFileHijack

[SDGuy73]

Windows Defender found this. I noticed it happen after MB updated. I installed Comodo after Defender found Highjacker. I ran the virus scan and found nothing.

Thanks

MBScan.txt Addition.txt FRST.txt

[Maurice Naggar]

Hi @SDGuy73     

My name is Maurice.  I will be guiding you.  Thanks for the reports.

The last time that Windows Defender flagged the Hosts file was Feb 1

Date: 2021-02-01 23:24:26.621
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/HostsFileHijack&threatid=265754&enterprise=0
Name: SettingsModifier:Win32/HostsFileHijack
ID: 265754
Severity: Severe
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts

 

Lets do what follows as the first steps.

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

.[   2   ]

Using a Elevated Command prompt.   

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up,   copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

tap Enter-key to proceed.   This should do a Update run for the latest update definitions for Microsoft Defender antivirus.

When done, do this next.

copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

tap Enter-key to have it proceed.   That is to do a Quick scan.  Just let it run, however long it takes.

Make a note of the final display results.

[SDGuy73]

"The last time that Windows Defender flagged the Hosts file was Feb 1" Once I installed Comodo Internet Security Premium, Windows Defender no longer flagged it. I did a scan with Comodo and it found nothing.

I did not see it update definitions for Microsoft Defender antivirus. What did I do wrong? Do I just move to the next step?

Microsoft Windows [Version 10.0.18363.1316]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>%ProgramFiles%\Windows Defender\MpCmdRun.exe
'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

C:\WINDOWS\system32>

[Maurice Naggar]

Hello.  Be aware that by installing Comodo Internet Security it became the resident antivirus program.  and therefore, Microsoft Defender becomes  disabled.

I am a bit curious as to the contents of the Hosts file.

[SDGuy73]

2 hours ago, Maurice Naggar said:

Hello.  Be aware that by installing Comodo Internet Security it became the resident antivirus program.  and therefore, Microsoft Defender becomes  disabled.

I am a bit curious as to the contents of the Hosts file.

I understand that. So what do I do now? what about this?

Microsoft Windows [Version 10.0.18363.1316]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>%ProgramFiles%\Windows Defender\MpCmdRun.exe
'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

C:\WINDOWS\system32>

[Maurice Naggar]

What I had provided before were commands to be used in a Command prompt.   and please be sure you are not taking them out of the order I had tem.

What is missing was the quote marks in this line   ( you gotta copy the entire line exactly as / the whole lot  )

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

[SDGuy73]

On 2/13/2021 at 7:58 AM, Maurice Naggar said:

What I had provided before were commands to be used in a Command prompt.   and please be sure you are not taking them out of the order I had tem.

What is missing was the quote marks in this line   ( you gotta copy the entire line exactly as / the whole lot  )

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

I did it right this time. What info do you need? Can I put it in text doc? Or put it here?

Command Prompt.txt Command Prompt.txt

[SDGuy73]

Tis is the file infected. C:\Windows\System32\drivers\etc\hosts

[Maurice Naggar]

Good morning.  I hope you are doing well.  The situation is as it was from the beginning. The Microsoft Defender does not like "some entry" in the Hosts file.

Lets do these steps to make a copy of the existing Hosts file and then have a new one made;  so that hopefully Microsoft Defender will not complain about the file.

This run will also run the Windows System File Checker tool and a check with the Windows DISM to check the Windows integrity.

This custom script is for SDGuy73  only / for this machine only.

The system will be rebooted after the script has run.

The  custom Fix script is going to be used by the FRST64  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  DESKTOP  folder

The tool named FRST64 .exe   tool    is already on the Desktop
Start the Windows Explorer and then, to the Desktop folder.   KEEP in mind that the FRST will be doing a Update  run so it is the latest  & so do not freak.

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed. 

 Reply YES when prompted to allow to run. Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

 

Fixlist.txt

[SDGuy73]

Before I do the above. My PC is running windows version 1909. I've been trying all week for windows update to offer me new updates. Finally, it is offering me version 20H2. Will updating to 20H2 fix my issue or do I need to fix the host file first?

[SDGuy73]

Does the attached FILELIST.txt go on my desktop or in a folder? I saved it to my desktop

[Maurice Naggar]

You have saved the FIXLIST.txt  to the right place.   The DESKTOP

now, proceed with the FIX run that I outlined before.   We need to do that first.

{   later on, you can accept the 20H2 Windows update }

[SDGuy73]

That was fast. Here you go.

Fixlog.txt

[Maurice Naggar]

The script finished.  You may proceed with the Windows Update run for the 20H2 update.

Note that it seems ( per this last run ) that this just did not have a Hosts file.   Though now after the run, it should have one.

[SDGuy73]

Thank you. I noticed Windows Defender didn't flag it when it restarted.

[Maurice Naggar]

Hoping that the original issue is now moot.  Hoping that the Windows system now has a proper Hosts file.

Keep me advised as to the status overall of the system, including the Windows Update run.

Let me know if you need other help.  I will guide you later on cleanup of the tools I had you use.

[SDGuy73]

I updated windows and now windows defender says the virus is back. GRRRRRRRRRRR.

[Maurice Naggar]

You can do a manual scan with Windows Defender and then see what it "flags".  Until such time as we can see the content of the Hosts file, or else, determine if perhaps the Hosts file is actually missing, OR perhaps, it may be that the Windows Defender has a false positive, or is way out of date....then we should refer to this as just " a allegation".

First, thing, I want to be very sure that you did do the steps to set Windows File  Explorerto show all hidden folders and hidden files.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

NEXT, with File Explorer, go to this folder location 

C:\Windows\System32\drivers\etc

then 1,  is there a file there by the name 

Hosts

2, if yes we need to put that in a ZIP file.   Do a RIGHT-click with your mouse pointer, and select Send to Compressed File

3, you will have a new file named Hpsts.zip.    Attach that ZIP  file with your next reply.

ALSO,

Do a manual run of Windows Update to make doubly sure that Windows Defender ( a.k.a. Microsoft Defender antivirus ) is fully up-to-date.

Windows Settings >>> Update and Security >>> Check for Updates

ALSO,

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.
• This tool is safe.   Smartscreen is overly sensitive.
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited February 20, 2021 by Maurice Naggar

[Maurice Naggar]

After you have completed the steps above, Here are some additional adjustment we need to make for the Microsoft Defender Antivirus.

Start a Elevated Powershell command prompt-window.               On the Windows taskbar, on the Search box, type in

powershell

Wait and look for the results list.  Click on the line that shows Powershell with "Run as Administrator".

Then you will see the Powershell window.              Into that, we want to Copy & Paste this entire line as is

Set-MpPreference -PUAProtection 0

then tap the Enter-key and wait and watch the result.   Relay that to me.   If there is a rejection or a glitch, see about getting a screen-grab of that and paste it into your next reply.  

When done, you may close the Powershell window by clicking the X close button at top right corner.

The Microsoft Defender antivirus does monitor the Hosts file.   And has been known to be super touchy ( overly so) about the Hosts file.

I would like to know whether (A) you ever edited or modified or changed or added into the Hosts file

( B )  whether you had had a special copy of the Hosts from a known security source ?

Edited February 21, 2021 by AdvancedSetup
corrected font issue

[SDGuy73]

I took screenshots C:\Windows\System32\drivers\etc. They are dated. Malwarebytes blocks the site for SecurityCheck.

Part one completed. Part two next.

hosts.zip SecurityCheck.txt

[SDGuy73]

I'm not sure I did this right. I've never touched the host file. Questions A and B. No. I noticed this virus popped up when Malwarebytes updated to a new version and NordVPN updated to a new version.

[Maurice Naggar]

Thank you for the info and the files.  I think you should be aware that this is not a case of a infection, nor a case of a "virus". It is more like a false positive from Microsoft Defender Antivirus.  It is very protective of the Hosts file.  Cases like this one have been known before.

But the Hosts file currently on this machine is all good.  It has the minimal entries, the proper content that is expected in a default standard Hosts file.

So that is all fine.  Plus the snapshot above of Windows Security show no threats.

The SecurityCheck report shows that this pc has Spybot Anti-Beacon v.1.5.   I had not spotted that before.  HOWEVER, it is known that the Spybot Anti-Beacon does make modifications into the Hosts file that the Microsoft Defender is known to flag and to ID as Hostsfilehijack

This is the whole source that triggered the false positive !   ->> There was NO infection here.

.

This pc has Webroot SecureAnywhere (enabled and up to date)

You ought to uninstall these 2 applicayions because they are disabled & because pc has Webroot SecureAnywhere

Uminstall COMODO Antivirus

Uninstall COMODO Firewall 

.

These are other applications that need your attention / need updating to the latest versions / patches

Microsoft .NET Framework 4.5.2 v.4.5.51209 Warning! Download Update

WinRAR 5.40 (64-bit) v.5.40.0 Warning! Download Update

GIMP 2.8.22 v.2.8.22 Warning! Download Update

Skype version 8.55 v.8.55 Warning! Download Update

There us a very very old version of Java.  Uninstall it.   Java 8 Update 31 v.8.0.310 

.

Adobe AIR v.24.0.0.180 Warning! Download Update
swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.

 

Opera Stable 73.0.3856.344 v.73.0.3856.344 Warning! Download Update

[ UnwantedApps ] ---
JDownloader 2 v.2.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

FLV Player v.1.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

NOTE:  I will guide you to cleaning up on the tools I had you download, as well as FRST tool.

[SDGuy73]

The snapshot above does show the threat. The highjack.

Spybot Anti-Beacon v.1.5 has been on my computer since 6/7/2016. lol. I will uninstall it.

Comodo was uninstalled last week.

Webroot SecureAnywhere was uninstalled over a month ago. I don't know why t shows those.

.NET Framework 4.8 or a later update is already installed on this computer.

WinRAR - Updated

Skype - Removed

Adobe AIR - Removed

swMSM - How do I find it so I can remove it? I don't see it in Programs and Features.

Opera - Updated

JDownloader 2 - Safe

FLV Player - Removed. I no longer use it

Java 8 - Removed

GIMP - Updated

Edited February 22, 2021 by AdvancedSetup
corrected font issue

[SDGuy73]

Is Vivaldi a good browser?

[Maurice Naggar]

Good morning.   Before we cover other issues, we need to revert 1 setting on Microsoft Defender so that it does check for potential unwanted modifications.

Start a Elevated Powershell command prompt-window.               On the Windows taskbar, on the Search box, type in

powershell

Wait and look for the results list.  Click on the line that shows Powershell with "Run as Administrator".

Then you will see the Powershell window.              Into that, we want to Copy & Paste this entire line as is

Set-MpPreference -PUAProtection 1

then tap the Enter-key and wait and watch the result.   Relay that to me.   If there is a rejection or a glitch, see about getting a screen-grab of that and paste it into your next reply.  

When done, you may close the Powershell window by clicking the X close button at top right corner.

.

As to the Vivaldi browser, I am unfamiliar with it.  I do highly recommend the BRAVE browser https://support.brave.com/hc/en-us

We should get a fresh diagnostic report readout from the Farbar FRST tool.   FRST64.exe is on the DESKTOP.

• Double-click to run it. When the tool opens click Yes to the disclaimer.   BE very sure to tick the check-box marked Addition,txt
• Press the Scan button.

• It will make a log (FRST.txt) in the same directory the tool is run.  and a 2nd report file named Addiytion.txt
•  
• Please attach both logs to your reply:   FRST.txt , Addition.txt.   If you wish, you may put both into a ZIP file & then attach that.   Thank you.