Author Topic: host file got hijacked ? (solved)  (Read 40018 times)

0 Members and 1 Guest are viewing this topic.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
host file got hijacked ? (solved)
« on: May 10, 2015, 09:51:40 am »
I have a serious problem and I need help because of that something strange is change the host files on my system ! and i have already done a malware scanning with many Portable protection programs and Some of these programs have a feature to check and cleanup/restore the host file and i have also ran Tweaking.com - Windows Repair and unable to rest my host !


Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/10/2015 07:45:52 PM in x86 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\b\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe (PID: 2280) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us
  0.0.0.0 cdn.montiera.com

  20 out of 35 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 05/10/2015 07:47:40 PM
Execution time: 0 hours(s), 1 minute(s), and 47 seconds(s)
« Last Edit: May 13, 2015, 08:59:35 am by Gamezertruth »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #1 on: May 10, 2015, 10:45:05 am »
Gamez, do you use/ have "Unchecky" installed? Those host file entries look like they are from Unchecky, blocking connections to those sites.

"The latest version of Unchecky adds entries to the Windows hosts file which block access to select servers used by installers to deliver third party offers. This is done automatically and without option to block this from happening. The entries are removed again when you uninstall the program."

Samson.
« Last Edit: May 10, 2015, 10:50:30 am by Samson »

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #2 on: May 10, 2015, 11:09:07 am »
aha I don’t know that and i don’t have Unchecky  Installed on my pc/i don’t use Unchecky !

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #3 on: May 10, 2015, 11:33:29 am »
If not Unchecky then some other security program? Those entries in the Hosts file are not malicious, they are entries that have been added by a security program to block advertising software.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #4 on: May 10, 2015, 11:51:51 am »
If not Unchecky then some other security program? Those entries in the Hosts file are not malicious, they are entries that have been added by a security program to block advertising software.

I don’t think so , but If that is one of the security software does add host files (then, which security program is to do this?) And I honestly do not feel safe because of these entries  :sarcastic:
« Last Edit: May 10, 2015, 11:54:08 am by Gamezertruth »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #5 on: May 10, 2015, 12:02:04 pm »
http://www.tweaking.com/content/page/repair_hosts_file.html

Standalone here
http://www.majorgeeks.com/files/details/tweaking_com_repair_hosts_file.html

Or, the MS fixit
https://support.microsoft.com/en-us/kb/972034

Hosts file location is C:\WINDOWS\system32\drivers\etc open HOSTS with notepad may reveal what program edited it.
Here is a short section from mine. (attached) using MVPS Hosts file.
« Last Edit: May 10, 2015, 12:21:44 pm by Samson »

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #6 on: May 10, 2015, 12:18:23 pm »
for Tweaking.com - Repair Hosts File 1.9.10  no longer working properly (it got Stuck or hang )

for Microsoft host repair tool It is failed to fix my host
« Last Edit: May 10, 2015, 12:20:19 pm by Gamezertruth »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #7 on: May 10, 2015, 12:23:32 pm »
Sorry I don't read Arabic  :shy:

So use the version within Tweaking.com - Windows Repair
http://www.tweaking.com/content/page/repair_hosts_file.html

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #8 on: May 10, 2015, 12:24:10 pm »
here you go

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost

127.0.0.1       localhost


Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #9 on: May 10, 2015, 12:26:07 pm »
That shows no additional items, it is "vanilla".

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #10 on: May 10, 2015, 12:30:16 pm »
Sorry I don't read Arabic  :shy:

So use the version within Tweaking.com - Windows Repair
http://www.tweaking.com/content/page/repair_hosts_file.html

already ran all repairs more 3 time today and yesterday

lol i will get other screenshot for you !

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #11 on: May 10, 2015, 12:33:58 pm »
That shows no additional items, it is "vanilla".

when i restart the computer the additional host files coming back yet again ! lol

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #12 on: May 10, 2015, 12:47:16 pm »
List your security programs, it is likely that one of them installed the items in the hosts file and then locks it so they cannot be deleted/ edited......from memory Adaware by Lavasoft used to do this, so others probably do too. Grab a screenshot of the Hosts file when the items are showing up.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #13 on: May 10, 2015, 12:58:29 pm »
ok i will do if i get it and here you go a new logs show the same host file

MiniToolBox by Farbar  Version: 14-04-2015
Ran by b (administrator) on 10-05-2015 at 22:53:47
Running from "C:\Users\b\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Model: Aspire 4738 Manufacturer: Acer
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

0.0.0.0 0.0.0.0 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com
0.0.0.0 cdn.appround.biz
0.0.0.0 cdn.bigspeedpro.com
0.0.0.0 cdn.bispd.com
0.0.0.0 cdn.bisrv.com
0.0.0.0 cdn.cdndp.com
0.0.0.0 cdn.download.sweetpacks.com
0.0.0.0 cdn.dpdownload.com
0.0.0.0 cdn.visualbee.net



**** End of log ****





Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/10/2015 10:50:24 PM in x86 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\b\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe (PID: 3136) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us
  0.0.0.0 cdn.montiera.com
  0.0.0.0 cdn.msdwnld.com

  20 out of 34 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 05/10/2015 10:52:18 PM
Execution time: 0 hours(s), 1 minute(s), and 54 seconds(s)





RogueKiller V10.6.2.0 [May  4 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : b [Administrator]
Started from : C:\Users\b\Downloads\RogueKiller.exe
Mode : Scan -- Date : 05/10/2015  23:13:02

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] HKEY_USERS\S-1-5-21-514264213-2229734732-364638501-1000\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Installer : "C:\Users\b\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" /c [-]
  • -> Found


¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - NlsAnsiCodePage : Unknown @ 0xffffffffcb718159 (call 0x54000009)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3265GSX +++++
--- User ---
[MBR] 7030807e5d6303089fdba77edec97688
[BSP] bf4b40ef244bc7ef2f46fa3dd96446e8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 119900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245762048 | Size: 185243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_09082014_134759.log - RKreport_DEL_09082014_141307.log - RKreport_SCN_09142014_045915.log - RKreport_DEL_09142014_050125.log
RKreport_SCN_09202014_085423.log - RKreport_SCN_09202014_090119.log - RKreport_SCN_09252014_052050.log - RKreport_DEL_09252014_052202.log
RKreport_SCN_09282014_125600.log - RKreport_DEL_09282014_125744.log - RKreport_SCN_09292014_110602.log - RKreport_DEL_09292014_110652.log
RKreport_SCN_10012014_070817.log - RKreport_DEL_10012014_070932.log - RKreport_SCN_10042014_142209.log - RKreport_DEL_10042014_142257.log
RKreport_SCN_10062014_192927.log - RKreport_DEL_10062014_193014.log - RKreport_SCN_10102014_164710.log - RKreport_SCN_10112014_132953.log
RKreport_DEL_10112014_133430.log - RKreport_SCN_10132014_124344.log - RKreport_DEL_10132014_124401.log - RKreport_SCN_10142014_002827.log
RKreport_SCN_10142014_170018.log - RKreport_SCN_10152014_113619.log - RKreport_SCN_10182014_051907.log - RKreport_DEL_10182014_060018.log
RKreport_SCN_10182014_113052.log - RKreport_DEL_10182014_113117.log - RKreport_SCN_10222014_175555.log - RKreport_DEL_10222014_181836.log
RKreport_SCN_10232014_093252.log - RKreport_SCN_10292014_005639.log - RKreport_DEL_10292014_005746.log - RKreport_SCN_11012014_001900.log
RKreport_DEL_11012014_002142.log - RKreport_SCN_11032014_210837.log - RKreport_DEL_11032014_210940.log - RKreport_SCN_11092014_134242.log
RKreport_DEL_11092014_134329.log - RKreport_SCN_11102014_193648.log - RKreport_DEL_11102014_193751.log - RKreport_SCN_11122014_074203.log
RKreport_SCN_11142014_192803.log - RKreport_DEL_11142014_192947.log - RKreport_SCN_11202014_164638.log - RKreport_DEL_11202014_164753.log
RKreport_SCN_11222014_101746.log - RKreport_DEL_11222014_101813.log - RKreport_SCN_12022014_112818.log - RKreport_DEL_12022014_112945.log
RKreport_SCN_12102014_093334.log - RKreport_DEL_12102014_093422.log - RKreport_SCN_12162014_111913.log - RKreport_DEL_12162014_112008.log
RKreport_SCN_12162014_123912.log - RKreport_DEL_12162014_124241.log - RKreport_DEL_12162014_124305.log - RKreport_SCN_12162014_130710.log
RKreport_DEL_12162014_130746.log - RKreport_DEL_12162014_130814.log - RKreport_SCN_12162014_133745.log - RKreport_DEL_12162014_133848.log
RKreport_SCN_12242014_103924.log - RKreport_DEL_12242014_104004.log - RKreport_SCN_12262014_185524.log - RKreport_DEL_12262014_185618.log
RKreport_SCN_12292014_155510.log - RKreport_DEL_12292014_155551.log - RKreport_SCN_01052015_103632.log - RKreport_DEL_01052015_103731.log
RKreport_SCN_01052015_124359.log - RKreport_DEL_01052015_124428.log - RKreport_SCN_01092015_152536.log - RKreport_DEL_01092015_152631.log
RKreport_SCN_01172015_130653.log - RKreport_DEL_01172015_130854.log - RKreport_SCN_01202015_212136.log - RKreport_DEL_01202015_212224.log
RKreport_SCN_01272015_043636.log - RKreport_SCN_01292015_082750.log - RKreport_DEL_01292015_082847.log - RKreport_SCN_02022015_045048.log
RKreport_SCN_02082015_100507.log - RKreport_DEL_02082015_100549.log - RKreport_SCN_02102015_063122.log - RKreport_DEL_02102015_063202.log
RKreport_SCN_02112015_145138.log - RKreport_SCN_02122015_154735.log - RKreport_DEL_02122015_154920.log - RKreport_SCN_02152015_110343.log
RKreport_SCN_02202015_090030.log - RKreport_DEL_02202015_090117.log - RKreport_SCN_02242015_135722.log - RKreport_DEL_02242015_140046.log
RKreport_SCN_03012015_195745.log - RKreport_SCN_03122015_020406.log - RKreport_DEL_03122015_020506.log - RKreport_SCN_03152015_005025.log
RKreport_DEL_03152015_005105.log - RKreport_SCN_03232015_060732.log - RKreport_DEL_03232015_060807.log - RKreport_SCN_04012015_020539.log
RKreport_DEL_04012015_024505.log - RKreport_SCN_04072015_044626.log - RKreport_DEL_04072015_044744.log - RKreport_SCN_04182015_115134.log
RKreport_SCN_04222015_111446.log - RKreport_DEL_04222015_111902.log - RKreport_SCN_04262015_173727.log - RKreport_DEL_04262015_173817.log
RKreport_SCN_04302015_031829.log - RKreport_DEL_04302015_031903.log - RKreport_DEL_04302015_031926.log - RKreport_SCN_05062015_201516.log
RKreport_DEL_05062015_201946.log - RKreport_SCN_05082015_124920.log - RKreport_DEL_05082015_124942.log
« Last Edit: May 10, 2015, 01:15:54 pm by Gamezertruth »

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #14 on: May 10, 2015, 01:21:59 pm »
i have no antivirus Installed on my system

all i have is an anti-malware & anti-spyware software Installed on my system (superantispyware & malwarebytes & Panda Cloud Cleaner & http://9-lab.com/)

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #15 on: May 10, 2015, 01:51:28 pm »
i have no antivirus Installed on my system

Your choice, but risky.

all i have is an anti-malware & anti-spyware software Installed on my system (superantispyware & malwarebytes & Panda Cloud Cleaner & http://9-lab.com/)

May well be one of those that has added to/ locked the Hosts file.

It looks like you can delete the entries (or try) using Comodo Cleaning Essentials or Rogue Killer, but you can see that they are low risk and are probably doing you more good than harm, preventing connections to unwanted sites/ servers.


Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #16 on: May 11, 2015, 01:21:53 pm »
In fact, the additions of host files was probably added by this suspicious programs (Proxy Switcher https://www.proxyswitcher.com/) as I suspected it!

I had to uninstall this program a few days ago! However, the program does not function properly ! and i still need help to clean my host !

Edit : Correction link
« Last Edit: May 11, 2015, 01:24:55 pm by Gamezertruth »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #17 on: May 11, 2015, 01:30:45 pm »
I doubt that. The entries in your hosts file are actually blocking access to adware servers, so they are doing you a favour, more likely that they were added by a benign program like super anti spyware or similar.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #18 on: May 11, 2015, 01:38:30 pm »
So what are your recommendations  ?  :wink:

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #19 on: May 11, 2015, 01:49:25 pm »
So what are your recommendations  ?  :wink:

For what exactly? The hosts file entries? restore to default if you want/ can, but those entries are doing no harm. The scan results are just notifying you that additions have been made, not saying that they are malicious.

Don't just rely upon on-demand malware scanners, get a real time antivirus installed as you say you have none.

Be a little more cautious about what you are installing and from where.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #20 on: May 11, 2015, 02:22:19 pm »
So what are your recommendations  ?  :wink:

For what exactly? The hosts file entries? restore to default if you want/ can, but those entries are doing no harm. The scan results are just notifying you that additions have been made, not saying that they are malicious.

Don't just rely upon on-demand malware scanners, get a real time antivirus installed as you say you have none.

Be a little more cautious about what you are installing and from where.

thank you for your recommendations/advice  :smiley: yes i want to restore host file to default or removing all of them but the problem is These entries from the host files are coming back even when i ran a malware scanning with Dr-web ! by the way Dr-web have to detected These entries of host file but all Above tools is unable to care of it !

note: I have all of these security software installed on my computer, however I did not notice any of this software to add or change the host files! I'm sure about that!

The problem also is that can not be restored "Host Files" to the default because there is something that hinders the process of restoring the host file!

So I will try to remove all security software as a test!
« Last Edit: May 11, 2015, 02:24:37 pm by Gamezertruth »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
    • View Profile
Re: host file got hijacked ?
« Reply #21 on: May 11, 2015, 02:57:33 pm »

The problem also is that can not be restored "Host Files" to the default because there is something that hinders the process of restoring the host file!

So I will try to remove all security software as a test!

My hunch is that the program that added the entries is also locking the file. If you go ahead with your plan, then do them one at a time and then check the hosts file to find out which one added the entries. Of course it is also possible that you have already uninstalled the program that did this and the changes have remained. I prefer to keep my security as light as possible, it uses less resources and the chances of conflicts are reduced..... Sometimes less is more  :wink:
« Last Edit: May 11, 2015, 03:05:32 pm by Samson »

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: host file got hijacked ?
« Reply #22 on: May 11, 2015, 07:48:44 pm »
So I looked at most of those that are added to the host file, they are bad websites, and in the host file they point to 0.0.0.0, which will keep the system from being able to access those crap sites.

So it isnt a bad thing, so that means you must have some sort of program on the system that is setting it and trying to protect you (Maybe) so I would check to see what you have in startup.

You can also use process monitor to see what program is hitting the host file as well.

And if the host file is locked by another program then my repair would fail since it couldnt write to it.

Most bad programs that modify the host file have good sites redirect to a bad IP, but in this case it is the opposite. So that should give you an idea of which one of your programs you have installed might be doing it.

Shane

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #23 on: May 13, 2015, 08:45:39 am »

The problem also is that can not be restored "Host Files" to the default because there is something that hinders the process of restoring the host file!

So I will try to remove all security software as a test!

My hunch is that the program that added the entries is also locking the file. If you go ahead with your plan, then do them one at a time and then check the hosts file to find out which one added the entries. Of course it is also possible that you have already uninstalled the program that did this and the changes have remained. I prefer to keep my security as light as possible, it uses less resources and the chances of conflicts are reduced..... Sometimes less is more  :wink:

More information about the problem are good, anyway, you're certainly right there one of the security software does add and locked the host files ! and I never seen an security software doing this before ! Also what are your recommendations for the sake do I install anti-virus program  :wink: which one ?

my problem now got fixed by Remove all security software  :smiley: :cheesy: :tongue:

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
Re: host file got hijacked ?
« Reply #24 on: May 13, 2015, 08:55:32 am »
So I looked at most of those that are added to the host file, they are bad websites, and in the host file they point to 0.0.0.0, which will keep the system from being able to access those crap sites.

So it isnt a bad thing, so that means you must have some sort of program on the system that is setting it and trying to protect you (Maybe) so I would check to see what you have in startup.

You can also use process monitor to see what program is hitting the host file as well.

And if the host file is locked by another program then my repair would fail since it couldnt write to it.

Most bad programs that modify the host file have good sites redirect to a bad IP, but in this case it is the opposite. So that should give you an idea of which one of your programs you have installed might be doing it.

Shane

thank you for heads up and your info and you're certainly right as Samson ! there one of the security software does add and locked the host files and i just do removing all my security software and i have been Install some of crap anti-malware software And probably some of them are rogue programs/spyware program for spaying on people  !
and can you gave my a link for process monitor ?  :wink: :cheesy: also my problem now got fixed by Remove all junk/Legitimate security software !  :smiley:
« Last Edit: May 13, 2015, 09:01:38 am by Gamezertruth »