jpkogelman, November 6, 2022 (ID:1540844):

Greetings,

In the last three or four days, my daily scans pick up a risk: windows\system32\drivers\etc\hosts, which I have replaced and deleted. The issue is that this seems to keep coming back; however, there are a number of older replies pointing to this being a false positive by MWB. I have run an advanced full scan with no other detections, but it seems to return with each restart. Attached is the daily scan report including the detection of this hosts file. I've already deleted the file, so I don't have a copy atm. At this point I am hoping to find out if this may be a new false positive or if I need to try a scan with a different tool to see if something is running that MWB can't detect currently.

Attachment: Log.txt
1PW, November 6, 2022 (ID:1540845):

Hello @jpkogelman and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its procedural steps, please carefully follow the instructions within the following: I am infected - What do I do now?

Remember, please be certain to attach (not copy and paste) the three (3) resultant report files in your next reply to this topic. Also, please turn on the "Follow topic" toggle switch at the bottom left of your next reply. Thank you.
jpkogelman (Author), November 6, 2022 (ID:1540846):

Ran the recommended program and the log files are attached to this post. I did remove the user name as well as Windows shortcuts, as that information is not relevant to this inquiry. Thank you.

Attachments: FRST.txt, Addition.txt
jpkogelman (Author), November 6, 2022 (ID:1540847):

As a test, I removed the hosts file from windows\system32\drivers\etc and restarted, scanned just the \etc file, and am getting another item detected. So I am not sure what is re-creating the hosts file or if this is still a false positive. I've made a copy of the hosts file that is being flagged, added .txt, and attached it here.

Attachment: hosts.txt
AdvancedSetup (Root Admin), November 7, 2022 (ID:1540911):

Hello @jpkogelman

My screen name is AdvancedSetup and I will assist you with your system issues. Let's keep these principles as we proceed. Make sure to read the entire post below first.

- Please follow all steps in the provided order and post back all requested logs.
- Please attach all log files to your post, unless otherwise requested.
- Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
- Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
- Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
- Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
- Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
- Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
- Cracked, hacked, or pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
- Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
- If your system is running Discord, please be sure to exit it while this case is ongoing.

Let me have you run a different scanner to double-check.
I would suggest a free scan with the ESET Online Scanner.

1. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe. It will start a download of "esetonlinescanner.exe".
2. Save the file to your system, such as the Downloads folder, or else to the Desktop.
3. Go to the saved file, and double click it to get it started.
4. When presented with the initial ESET options, click on "Computer Scan".
5. Next, when prompted by Windows, allow it to start by clicking Yes.
6. When prompted for scan type, click on Full scan.
7. Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
8. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
9. You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
10. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
11. Click the blue "Save scan log" to save the log.
12. If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
13. Press Continue when all done. You should switch off the offer for "periodic scanning".

Note: If you do need to do a File Restore from ESET please follow the directions below:
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
jpkogelman (Author), November 7, 2022 (ID:1540958):

Thank you for the reply. I did as instructed; the rather short results are attached for review.

A note about the instructions on using the program that was suggested: it required "Run as Administrator" in order to properly run; otherwise the application would randomly quit when trying to get it to run. Maybe something worth reviewing going forward.

The ESET scanner that was suggested, as well as my own Malwarebytes and Avast full scans, have shown nothing on the PC in question. While I am tempted to run a scan in Windows Safe Mode, I am more inclined to believe Malwarebytes has been reporting a false positive at this point.

Attachment: ESET Results.txt
AdvancedSetup (Root Admin), November 7, 2022 (ID:1540962):

I'm going to be away for most of the day. Will reply back either much later tonight, or tomorrow. Please run the following.

@jpkogelman Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021.)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020: https://support.kaspersky.com/15674
How to run Kaspersky Virus Removal Tool 2020 in the advanced mode: https://support.kaspersky.com/15680
How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan: https://support.kaspersky.com/15681

1. Select the Windows key and R key together; the "Run" box should open.
2. Drag and drop KVRT.exe into the Run box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.
3. Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt. C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.
4. Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr. Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.
5. To start the scan, select OK in the "Run" box.
6. A EULA window will open; tick all confirmation boxes, then select "Accept".
7. In the new window select "Change Parameters".
8. In the new window ensure all selection boxes are ticked, then select "OK".
9. The scan should now start...
10. When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".
11. When complete, or if nothing was found, select "Close".
12. Attach the report information as previously instructed...

Thank you
jpkogelman (Author), November 7, 2022 (ID:1540969):

I will not have that program on my PC, due to concerns in the IT security circles. If you have an alternative to Kaspersky, I will be happy to move forward.
AdvancedSetup (Root Admin), November 7, 2022 (ID:1540970):

Please try the following. You will need to send them an email address to get the download link. You can send a throwaway email address if wanted.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....
Please close all other open applications and do not use your PC whilst the scan is in progress...
This scan is very thorough so it may take several hours to complete; please be patient...

1. Double click the icon and select Run.
2. Click Next.
3. Select "I accept the terms in this license agreement", then click Next twice.
4. Click Install.
5. Click Finish to launch the program.
6. Once the virus database has been updated, click Start Scanning.
7. If any threats are found, click Details, then View log file... (bottom left hand corner).
8. Attach the results in your next reply.
9. Close the Notepad document, close the Threat Details screen, then click Start cleanup.
10. Click Exit to close the program.

If no threats were found, please confirm that result...

The Virus Removal Tool scans the following areas of your computer:
- Memory, including system memory on 32-bit (x86) versions of Windows
- The Windows registry
- All local hard drives, fixed and removable
Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
Please attach that log on your next reply.

Thank you
jpkogelman (Author), November 7, 2022 (ID:1540977):

I ran the program above and the only thing identified was browser cookies; the log is attached below. Some of the information on the use of the Sophos program may be a bit dated: it does not install, it is a run-and-scan tool, and the log file location is a prompt instead of needing to be located.

Attachment: SophosScanAndClean_20221107_0914.log
AdvancedSetup (Root Admin), November 8, 2022 (ID:1541136):

Hello @jpkogelman

Great that the computer is not showing an infection. Malwarebytes is alerting because you have an entry for our site in the hosts file:

0.0.0.0 telemetry.malwarebytes.com

If you remove that, then we won't alert on it anymore. You can disable Telemetry within the program. However, if you're having the hosts file modified without your knowledge, we should look into your logs a bit deeper to see what's going on there.
AdvancedSetup (Root Admin), November 8, 2022 (ID:1541137, marked as Solution):

Looking at your logs I see that Windows Defender is also alerting, or detecting as well.

Windows Defender:
================
Date: 2022-11-06 04:35:27
Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files\LGHUB\lghub.exe
Security intelligence Version: AV: 1.377.1333.0, AS: 1.377.1333.0, NIS: 1.377.1333.0
Engine Version: AM: 1.1.19700.3, NIS: 1.1.19700.3

[ 1 ] I think this program is the main culprit. I would recommend that you go to Control Panel, Programs, Programs and Features and uninstall the following.

Spybot Anti-Beacon

[ 2 ] Your DNS Servers: 75.75.75.75 - 75.75.76.76

Please consider changing your default DNS Server settings. Please choose one provider only. DNS is what lets users connect to websites using domain names instead of IP addresses.

Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server: https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/
Here is a YouTube video on changing DNS settings if needed.

[ 3 ] Please run the following fix.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. Also, make sure you know the passwords for all websites, as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings, including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Discord cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine.

If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
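The two posts above show what both scanners were reacting to: a hosts entry that points a real hostname (telemetry.malwarebytes.com) at 0.0.0.0, which Defender generalises as SettingsModifier:Win32/PossibleHostsFileHijack. The script below is an added example written for this thread (it is not code from the forum, Malwarebytes or Microsoft) that audits a hosts file the way a responder would: it separates the stock loopback lines from sinkhole entries (hostnames mapped to 0.0.0.0 or loopback, the pattern a telemetry blocker such as Spybot Anti-Beacon produces) and from redirections to a live address, which is the pattern that would actually matter. The SAMPLE_HOSTS content, the DEFAULT_LOCAL_NAMES set and the 203.0.113.7 redirect line are constructed for the example; the vortex.data.microsoft.com line is likewise a constructed sample, not taken from the poster's file.

```python
"""Audit a Windows hosts file for entries that explain a
PossibleHostsFileHijack-style alert.

Added example, not code from the forum thread or any vendor.  The sample
hosts text at the bottom is constructed to mirror the thread: one
telemetry-blocker sinkhole line plus one constructed redirect line.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Names a stock Windows install legitimately maps to loopback (assumed set).
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def classify_entry(ip: str, name: str) -> str:
    """Return 'default', 'sinkhole', 'redirect' or 'malformed' for one pair."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    points_nowhere = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0, ::
    if name.lower() in DEFAULT_LOCAL_NAMES and points_nowhere:
        return "default"
    if points_nowhere:
        # A public hostname pointed at nothing: blocklist / anti-telemetry entry.
        # Benign in intent, but exactly what triggered the alerts in this thread.
        return "sinkhole"
    # A hostname pointed at some other live address: the classic hijack shape
    # (a vendor or update host silently resolved to a server the user did not pick).
    return "redirect"


def parse_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Parse hosts text into (line_no, ip, hostname, category) tuples."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        if not names:
            results.append((line_no, ip, "", "malformed"))
            continue
        for name in names:  # one line may carry several hostnames
            results.append((line_no, ip, name, classify_entry(ip, name)))
    return results


def summarize(text: str) -> Dict[str, List[str]]:
    """Group 'ip name' strings by category for a quick review."""
    summary: Dict[str, List[str]] = {}
    for _, ip, name, cat in parse_hosts(text):
        summary.setdefault(cat, []).append(f"{ip} {name}".strip())
    return summary


# Constructed sample, modelled on the thread (not the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
# --- lines a telemetry blocker would add (constructed) ---
0.0.0.0 telemetry.malwarebytes.com
0.0.0.0 vortex.data.microsoft.com
# --- constructed example of a genuine redirect-style line ---
203.0.113.7 update.example-av.test
"""

if __name__ == "__main__":
    # Pass a real hosts path as argv[1] (on Windows: C:\Windows\System32\drivers\etc\hosts)
    # or run with no argument to audit the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for cat, entries in summarize(text).items():
        print(f"{cat}:")
        for entry in entries:
            print("   ", entry)
```

Run against the sample, the two 0.0.0.0 lines land under "sinkhole" and the 203.0.113.7 line under "redirect"; on a real machine, a non-empty "redirect" list is what deserves follow-up, while a "sinkhole" list full of telemetry hostnames points at a privacy tool rather than malware, which is the conclusion the thread reached.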
jpkogelman (Author), November 8, 2022 (ID:1541158):

Thank you for the detailed information. I will check with Logitech to see if there is a different version of their driver software, as I use a few of their devices and the program was meant to keep them up to date.

As for the Spybot Anti-Beacon software, this is a program that prevents Microsoft from collecting information from Windows 10/11 and relaying it back to them, without user permission or knowledge of the events happening. It is something I trust overall, though I can check that it isn't affecting Malwarebytes.

I went ahead and updated the DNS; usually I do have Google and one other as my default. I suspect a Windows update made a change recently.

I will look at the last item as I have more time this evening. I do very much appreciate all the time and effort on reviewing this information and providing recommendations!
jpkogelman (Author), November 8, 2022 (ID:1541159):

2 hours ago, AdvancedSetup said:
    0.0.0.0 telemetry.malwarebytes.com
    If you remove that then we won't alert on it anymore. You can disable Telemetry within the program. However, if you're having the hosts file modified without your knowledge we should look into your logs a bit deeper to see what's going on there.

I did confirm that Spybot Anti-Beacon was blocking the telemetry data, which was modifying the hosts file. I will check the change log to see if that was implemented towards the end of last week, which would explain a great deal.
AdvancedSetup (Root Admin), November 8, 2022 (ID:1541167):

Well, up to you at this point. You're aware of what's going on, so there isn't much else I can offer to help you at this point. That's the beauty of using a Personal Computer. We all get to decide for ourselves what we run and how we run it, both good and bad.

If there is nothing else I'll go ahead and close your topic soon and wish you well.

Cheers
AdvancedSetup (Root Admin), November 8, 2022 (ID:1541173):

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you