> KIS 2012 Now Detects mvps Hosts File as a Trojan, merged.
mfn
post 15.03.2013 07:19
Post #1


Starting a couple of hours ago, KIS 2012 has detected my HOSTS file as a "Trojan.Win32.Hosts2.gen". I've been using the mvps hosts file for years without any problems from Kaspersky. (I use the mvps file found here: http://winhelp2002.mvps.org/hosts.htm).

I compared my HOSTS file with a backup, and no changes have been made to this file since February 25, which is when I updated the file to the current latest mvps file.

Because I do regular full system image backups, I allowed KIS to "disinfect" and quarantine what it wanted to do. The result was that KIS overwrote the file to put it back to its Windows XP default version and did not make a quarantine file copy for restoration if needed.

For the moment, I have added the HOSTS file to KIS's exclusion list, but I would prefer KIS to monitor the file as it always has before without issues.

I also noticed a similar post made today in the Kaspersky PURE forum found here: Kaspersky PURE Forum Post.

My question is - is anybody else having this problem?

xvvvz
post 15.03.2013 07:58
Post #2

Yes, I am experiencing the exact same problem as of today. The MVP hosts file has been a great tool for years. Please fix this Kaspersky!

>>For the moment, I have added the HOSTS file to KIS's exclusion list, but I would prefer KIS to monitor the file as it always has before without issues.<<

How do you do this, please? I have been trying to figure this out on my own before I ventured into the forums looking for help. Also, how much risk are you taking to go this route?

Thanks!

edge10
post 15.03.2013 08:27
Post #3

Same here, I use mvps host. My host file was 4 months old, but Winpatrol notified me there was a change, so I thought this was a threat and allowed KIS to disinfect. MBAM found no infection.

richbuff
post 15.03.2013 08:39
Post #4
Group: Moderators

Please send full details to the Lab, instructions are located in point 1 of the third important topic located near the top of the Virus section of this forum. And here:
http://forum.kaspersky.com/index.php?showtopic=13881


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

sanctioned
post 15.03.2013 15:05
Post #5

Same issue here but I update the host via spywareblaster. Almost like Kaspersky sees the bad URLs in the file and blocks it.

Darkness Knight
post 15.03.2013 15:33
Post #6

Today I have had the same problem with my KIS 2013:

Trojan.Win32.Host2.gen detected
Objet: c:\Windows\System32\Drivers\etc\hosts

I think maybe the problem is related to Spybot S&D. I have this program installed on my computer, and I remind you that this program records in the HOSTS file many fraudulent webpages pointing to 127.0.0.1, in order to avoid the redirection of our PC to these webpages.

Maybe Kaspersky have modified something, and from now on these records made by Spybot are considered as "recorded" by malware. My computer is clean and updated, and this message has been very strange.

Regards

This post has been edited by Darkness Knight: 15.03.2013 15:53
 


--------------------
Laptop Intel® Core i7 (1st generation) CPU Q 720 1.60 GHz. 8 GB RAM DDR3, HDD 500 GB, Nvidia GeForce GT 230M with CUDA (1 GB of dedicated memory)
Windows 8.1 U1 Pro 64 bits with Media Center
KIS 2014 - Version 14.0.0.4651 (g)

ijen360
post 15.03.2013 16:54
Post #7

I am experiencing the same problem as others here, and now my PC is running a KIS 2013 full scan after a reboot by advanced detection. I think it has something to do with the latest detection database, and I'm just guessing :) Pls fix this. Thanks in advance.

jasonheyd
post 15.03.2013 17:11
Post #8

Same problem here. There must be a URL in the latest MVPS file that Kaspersky detects as a malware target/source, so it responds by blocking the connection on update. If you actually already have the updates in your HOSTS file, Kaspersky blocks access to the file until you add it as an exclusion or allow a complete overwrite of your HOSTS file.

This same thing happened a couple of years back. How it was resolved, I don't know, but the problem "went away" after a while.

Adding an exclusion for HOSTS isn't the greatest idea in the world... It's definitely a file that malware will tamper with.

Blowing the file away completely instead of surgically removing the offending line is also not a good approach.

... and the lack of detail about which line of a text file is causing the alert is annoying to say the least.

For now, you can "work around" the issue by pausing Kaspersky, adding an exclusion for your HOSTS file, downloading the MVPS update, and resuming Kaspersky.

But yeah.. Kaspersky, please fix ASAP. :)

This post has been edited by jasonheyd: 15.03.2013 17:12

Snakethesniper
post 15.03.2013 17:16
Post #9

I have the exact same problem on all the 3 PCs that use Kaspersky. Kaspersky "fixed" the issue, but now I'm worried that it has deleted/changed files that were working correctly.
Btw, what does MVPS stand for? As far as I know, the only program that edited the hosts file is Spybot S&D.

This post has been edited by Snakethesniper: 15.03.2013 17:19

Doop
post 15.03.2013 17:29
Post #10

Experiencing the same issue since this morning. I would say it's down to an update, that for some reason (known only to Kaspersky), they thought they could do with some more adverse publicity from all users who have, before this, been enjoying the benefits of having this (MVPS file) useful tool.

I'm now suffering the onslaught of banner ads and all the other crap that the host file dealt with. I've been using this Host File set up for years now without a problem so, "if it ain't broke, don't fix it!!" I really hope they get their act together and fix this issue REAL SOON!

Regards

Doop

Doop
post 15.03.2013 17:39
Post #11

QUOTE(Snakethesniper @ 15.03.2013 16:16) *
I have the exact same problem on all the 3 PCs that use Kaspersky. Kaspersky "fixed" the issue, but now I'm worried that it has deleted/changed files that were working correctly.
Btw, what does MVPS stand for? As far as I know, the only program that edited the hosts file is Spybot S&D.



I think you will find that Kaspersky "fixed" the issue by disinfecting "deleting" the altered host file and replacing it with the default copy.

To check just go onto the net and see if all the banner ads start appearing again and that will confirm what I suspect has happened.

When they get around to solving this issue you will need to download another copy of the Host File from http://winhelp2002.mvps.org/hosts.htm and follow the instructions. You won't be able to install it until they fix this as it will be disinfected each time it's detected, so we will all have to be waiting on this to be fixed soooon!!!

Regards

Doop

eljay376
post 15.03.2013 18:24
Post #12

QUOTE(ijen360 @ 15.03.2013 15:54) *
I am experiencing the same problem as others here, and now my PC is running a KIS 2013 full scan after a reboot by advanced detection. I think it has something to do with the latest detection database, and I'm just guessing :) Pls fix this. Thanks in advance.


Ditto this, have allowed KIS2013 to "disinfect", re-boot and re-scan with negative result. Have also run Trend Micro Housecall for a second opinion and that is negative too.
Like the others, I am of the (non-expert) opinion that this is a "bug" in the latest update.

nyderic
post 15.03.2013 18:28
Post #13

I just had the same problem a few minutes ago after a rootkit search. Kaspersky disinfected the file and is now running a full search, without results so far.

The hosts file was the one from Spybot Search & Destroy.

Aggressio
post 15.03.2013 18:50
Post #14

My old MVPS hosts also was detected by Kaspersky Internet Security 2012 today. And "disinfected" by deletion. Also blocks access to mvps site in browser.

Can't verify that my hosts file was modified since it was deleted, but I downloaded the new (and also blocked by Kaspersky) mvps hosts file from another computer and didn't find anything suspicious in it (all were 127.0.0.1 etc.).

Updated to 2013 and same thing happens. (Except that Kaspersky Internet 2013 seems to take ages to start up. (Protection starting...))
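
The manual check Aggressio describes above (every entry pointing at 127.0.0.1), together with the per-line detail jasonheyd asks for in post #8, can be scripted. This is an added example, not part of any post and not Kaspersky's detection logic; the sample hosts content and its example domains are constructed.

```python
import ipaddress
import sys

# Constructed sample (documentation-range address, example domains).
SAMPLE = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.com      # blocklist-style entry
0.0.0.0         tracker.example.net
203.0.113.10    www.bank.example
not-an-ip       updates.example.org
"""

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    ip = ipaddress.ip_address(addr)           # raises ValueError if malformed
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (line_no, address, hostnames, reason) for entries to review."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        addr, *names = entry.split()
        try:
            sink = is_sinkhole(addr)
        except ValueError:
            findings.append((line_no, addr, names, "unparseable address"))
            continue
        if not names:
            findings.append((line_no, addr, names, "address without hostname"))
        elif not sink:
            # Blocklist entries only sink names locally; anything else
            # sends the hostname to a real address and deserves a look.
            findings.append((line_no, addr, names, "maps to a non-loopback address"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line_no, addr, names, reason in audit_hosts(text):
        print(f"line {line_no}: {addr} {' '.join(names)} -> {reason}")
```

Pass the path of a hosts file (for example the c:\Windows\System32\Drivers\etc\hosts path quoted in post #6) as the first argument to audit a real file; an empty result means every entry is a local sink of the kind the MVPS and Spybot lists add.
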
Caniac
post 15.03.2013 19:08
Post #15


I just fought with KIS 13.0.1.4190 (f) over this for a while.
It fixes by deleting my hosts file. Doop, it left me without a hosts file at all.
I disabled System Watcher, already had it limited to 1MB after watching what the Pure3 RC did with that module (100MBs).

I keep the last few iterations of Hostsmvps on my storage drive and KIS didn't like any of the four I tried to unzip either.

Would prefer that the world renowned Kaspersky programmers didn't create this mistake in the first place.

Would accept that the same folks fix this without all of us doing their legwork, we pay them I believe.

Yep, I'm in a bad way and it's almost noon here, this issue rubbed me the wrong way today.

Just now it came up again, I'll ignore and turn the sys watcher back on, that obviously affects heuristics.


**Ignore didn't help much, my browser became unusable when I went to update specs in my control panel here. I've had to turn KIS off.

This post has been edited by Caniac: 15.03.2013 19:22


--------------------
Win7x64pro, Asus CH5Z, 8350 Vishera @ 4.6Ghz, 8Gb 2140Mhz DDR3, 7970 OC, 840Pro 200GB after OP

edge10
post 15.03.2013 19:18
Post #16

I installed a new host file from a different source, hpHOST, and KIS detected a Trojan also. So it looks like at least the MVPS and hpHOST Host files, if not all host files, could be a false positive, except the KIS replacement file. A temporary work-around I am using is to enable Exclusion on the MVPS Hosts file and use a system change monitor application such as Winpatrol. This app will indicate/prevent a Host file change and will provide some security while the Host file is on the Exclusion list and until a permanent fix is in place. I submitted my Host file to the KIS virus lab.

This post has been edited by edge10: 15.03.2013 19:20

Stuartm80127
post 15.03.2013 19:33
Post #17

In my specific case I had Windows XP that previously had Spybot Search and Destroy, but it had been removed prior to installing Kaspersky Internet Security 2013. Spybot S&D adds, and apparently after uninstall leaves, a bunch of well delineated entries in the ..System32/drivers/etc/hosts file. When removed, which I did, Kaspersky no longer complains. The Kaspersky product, for the first time, flagged this file and these entries as a trojan. So I used Kaspersky to restore the file as hosts.orig and then edited it to remove the Spybot-added entries, and then restored as hosts.xyz. Then deleted hosts and renamed hosts.xyz to hosts and rebooted the system. Now if you are still running Spybot S&D then I would check the hundreds of entries for consistency and then tell Kaspersky to restore hosts and then ignore this until Kaspersky resolves the issue.

Caniac
post 15.03.2013 20:12
Post #18

QUOTE(Caniac @ 15.03.2013 11:08) *
I disabled System Watcher, already had it limited to 1MB after watching what the Pure3 RC did with that module (100MBs).


Pure3 RC ate up 100 GB not MB.

Fired up the pc again, added the object only to exclusions, things are smooth again.
Props to you edge10 for the submission, and being of sound mind about this. <_<


Timeking
post 15.03.2013 20:23
Post #19

KIS2013 detected this, ran some special scan, supposedly fixed it, rebooted, and ran full scan again without detecting anything. Due to the severity of this potential identity-stealing infection, I'd like confirmation that I don't have to format this drive to make sure it is gone.

http://www.getsysteminfo.com/read.php?file...752468ca73e22d3

eljay376
post 15.03.2013 20:58
Post #20

QUOTE(eljay376 @ 15.03.2013 17:24) *
Ditto this, have allowed KIS2013 to "disinfect", re-boot and re-scan with negative result. Have also run Trend Micro Housecall for a second opinion and that is negative too.
Like the others, I am of the (non-expert) opinion that this is a "bug" in the latest update.


Whilst in no way advocating that others follow the same route, I have just used the Microsoft FixIt application to restore my host file with some success.
As I type, KIS2013 is no longer flagging the Trojan.
http://support.microsoft.com/kb/972034 (for Windows XP Home SP3).