Hijack.Host-false positive

[SKIBA]

I wanted to report incorrect detection Hijack.Hosts. I use the program Hosts Block, where he added the entries dangerous websites, which represent a threat to your computer.

 

[blender]

Hello,

 

Can you post the log file please for this scan?

Instructions on this page if needed.

https://forums.malwarebytes.org/index.php?/topic/3228-please-read-before-reporting-a-false-positive/

 

Thanks!

[MysteryFCM]

Can you also confirm which HOSTS file provider you're using please?

 

Note: if hpHosts, please specify whether it's the "full fat" HOSTS or a merging of the custom options.

 

/edit

 

Please also provide the URL for "Hosts Block".

[pchater]

I get the same problem on 2 computers. They are used for different things so its highly unlikely to be Malware. I will try and upload the logfile.

[JustL013]

Same thing at this end?

 

From what I can see, there's nothing wrong with it, but can't be sure.

 

I'm using spybot - could that be the source?

 

I am not using a host blocker

See attached for report

Malware-012216.txt

[pchater]

I give up. It took me 4 goes to post the first time. I now try to attach the log file and I get

 

Your secure key, used to verify you are posting the topic, did not match the one submitted. Please go back, reload the form, and try again

 

this happened over and over again first time. it seems it logs me out each time. you have a faulty web site as well

 

by the way I ran n spybot, herd protect and 360 security and they were clean

[snakethesniper]

Same thing today for me.

It detects some hosts setted by Spybot Search & Destroy.

Entries like: 127.0.0.1 "malicious url".

So yes, it's a false positive.

[S!Ri]

Hello

 

FP will be fixed on next update.

Thank you for reporting it.

[scottvs]

I am also seeing what I suspect is a false positive on my C:\Windows\System32\drivers\etc\hosts file.

 

Please find the scan log attached, as well as a copy of the suspect file in zip format.

 

Thanks,

Scott

false-positive.txt

hosts.zip

[shadowwar]

Most of these should be fixed in 07 update and later. Which should be out now.

 

Only problem is Spybot has this listed.

 

http://whois.domaintools.com/aantivir.de

 

aantivir.de is owned by Avira antivirus and they should not be blocking that.

[TNKEG]

 I too found the six files with Malwarebytes this morning  in c/Windows/system/system32/etc/hosts. I quarantined them.Do I need to restore them?I was skeptical because my system is relatively fresh install.Found this forum before I deleted.

[TNKEG]

 I too found the six files with Malwarebytes this morning  in c/Windows/system/system32/etc/hosts. I quarantined them.Do I need to restore them?I was skeptical because my system is relatively fresh install.Found this forum before I deleted.

I mis- typed it is C/Windows/System32/drivers/etc/hosts

[shadowwar]

these are not files but entries in your hosts file. Spybot will just put them back.

[ElPiedra]

This should be fixed shortly when the following update goes live.
v2016.01.22.08


Tnks!
 
 

[scottvs]

I am continuing to receive the findings on the hosts file, even after the update.  Should I consider these are indeed a problem and need to be quarantined and/or removed?

 

Latest scan results attached.

 

Thanks,

Scott

continued-false-positives.txt

[FabioM]

I am on version 22.07 and I'm still receiving false positives from the changes I made on my hosts file.

 

My hosts file is from: http://someonewhocares.org/hosts/, with an small edit I made.

 

Attached both my hosts and the scan log.

Thanks!

falsepositive.txt

hosts.txt

[shadowwar]

@fabioM

 

Being these are custom changes i would recommend you add them to our ignore list. When the results come up simply select them to be ignored in the future.

 

The others i am looking at.

[shadowwar]

08 has a few more fixes.

 

If you are blocking ads on legit av sites i cant unblock these as malware usually blocks the whole domain. I recommend adding it to malwarebytes ignore list if want to keep these blocked.

[SKIBA]

Can you also confirm which HOSTS file provider you're using please?

 

Note: if hpHosts, please specify whether it's the "full fat" HOSTS or a merging of the custom options.

 

/edit

 

Please also provide the URL for "Hosts Block".

http://winhelp2002.mvps.org/hosts.htm

 

I see that not only I had such a problem. You see, last updated databases found that the HOSTS file has been modified by malware. Earlier scan did not detect anything. I hope it was fixed.

[mig0]

I've updated my MWB to 2016.1.22.09 and it's happening again.  My hosts files have entries created by spywarebot anti beacon, even deleting the host file doesn't stop the errors I'm getting.

[blender]

Mig0:

 

Can you post the new MBAM log please? Instructions here if needed:
https://forums.malwarebytes.org/index.php?/topic/3228-please-read-before-reporting-a-false-positive/

Just in case it is needed, please also post your hosts file (zipped) (fresh one from the Hosts product you use (be it Spybot or .. ?)

 

Thanks!

[mig0]

Ive added a zip file containing a copy of my hosts file and the log.

 

 

 

archive.zip

[tomoz]

Running V 2016.01.22.09 on Win 7 using Hostsman and MVPS Hosts and having the same issues ongoing. Log file and Hostfile attached. 

MwB.txt

HOSTS.zip

[blender]

Hello mig0,

 

That looks to be a rather custom hosts file for those concerned about privacy as far as Microsoft telemetry stuff..

These you can tell MBAM next time to "ignore always" next time they come up in a scan.

[blender]

Looking further into the issue.. there will be another small fix that will go out in the next database update that should resolve a bunch of the issues you folks are seeing.

 

Researching a few of the entries in the hosts files.. I can see why now they are there in the first place..

Most AV products, Microsoft, etc collect some data on how users use the product(s), as for AV - threats found and so on.

Most of this is all for telemetry purposes. An example being, if we visit Symantec to see what the top 10 threats are, this info is only available because of telemetry collected from real live user machines. Some will find this useful, some find it intrusive to privacy.

 

Some refer to it as "data mining" and are concerned about it, so HOSTS files were created so this telemetry collections cannot occur.

 

So really, these connections would normally happen as designed by the products we use.

Often malware will insert into the HOSTS file blocks on common AV products so you can't get updates or download the product.

Therefore a good many AV/AS products remove entries in hosts files pointing to AV/AS & Microsoft domains.

It is often difficult to tell whether this is a custom entry put there by the user or something malicious did it.

 

If you want to keep the entries in the hosts files, have MBAM ignore the detections.

If you ignore these (always), the next scan should not show them.