
KIS 2012 Now Detects mvps Hosts File as a Trojan

42 posts in this topic

Starting a couple of hours ago, KIS 2012 has detected my HOSTS file as a "Trojan.Win32.Hosts2.gen". I've been using the mvps hosts file for years without any problems from Kaspersky. (I use the mvps file found here: http://winhelp2002.mvps.org/hosts.htm).

 

I compared my HOSTS file with a backup, and no changes have been made to this file since February 25, which is when I updated the file to the current latest mvps file.

 

Because I do regular full system image backups, I allowed KIS to "disinfect" and quarantine what it wanted to do. The result was that KIS overwrote the file to put it back to its Windows XP default version and did not make a quarantine file copy for restoration if needed.

 

For the moment, I have added the HOSTS file to KIS's exclusion list, but I would prefer KIS to monitor the file as it always has before without issues.

 

I also noticed a similar post made today in the Kaspersky PURE forum found here: Kaspersky PURE Forum Post.

 

My question is - is anybody else having this problem?

 

 


Yes, I am experiencing the exact same problem as of today. The MVP hosts file has been a great tool for years. Please fix this Kaspersky!

 

>>For the moment, I have added the HOSTS file to KIS's exclusion list, but I would prefer KIS to monitor the file as it always has before without issues.<<

 

How do you do this, please? I have been trying to figure this out on my own before I ventured into the forums looking for help. Also, how much risk are you taking to go this route?

 

Thanks!

 


Same here, I use mvps host. My host file was 4 months old, but Winpatrol notified me there was a change, so I thought this was a threat and allowed KIS to disinfect. MBAM found no infection.


Same issue here, but I update the host via SpywareBlaster. Almost like Kaspersky sees the bad URLs in the file and blocks it.


Today I have had the same problem with my KIS 2013:

 

Trojan.Win32.Host2.gen detected

Objet: c:\Windows\System32\Drivers\etc\hosts

 

I think maybe the problem is related to Spybot S&D. I have this program installed on my computer, and I remind you that this program records in the HOSTS file many fraudulent webpages pointing to 127.0.0.1 in order to avoid the redirection of our PC to these webpages.

Maybe Kaspersky has modified something, and from now on these registers recorded by Spybot are considered as "recorded" by malware. I have my computer clean and updated, and this message has been very strange.

 

Regards


Edited by Darkness Knight


I am experiencing the same problem as others here, and now my PC is running a KIS 2013 full scan after a reboot by advanced detection. I think it has something to do with the latest detection database, and I'm just guessing :) Please fix this. Thanks in advance.


Same problem here. There must be a URL in the latest MVPS file that Kaspersky detects as a malware target/source, so it responds by blocking the connection on update. If you actually already have the updates in your HOSTS file, Kaspersky blocks access to the file until you add it as an exclusion or allow a complete overwrite of your HOSTS file.

 

This same thing happened a couple of years back. How it was resolved, I don't know, but the problem "went away" after a while.

 

Adding an exclusion for HOSTS isn't the greatest idea in the world... It's definitely a file that malware will tamper with.

 

Blowing the file away completely instead of surgically removing the offending line is also not a good approach.

 

... and the lack of detail about which line of a text file is causing the alert is annoying to say the least.

 

For now, you can "work around" the issue by pausing Kaspersky, adding an exclusion for your HOSTS file, downloading the MVPS update, and resuming Kaspersky.

 

But yeah.. Kaspersky, please fix ASAP. :)

Edited by jasonheyd


I have the exact same problem on all the 3 PCs that use Kaspersky. Kaspersky "fixed" the issue, but now I'm worried that it has deleted/changed files that were working correctly.

Btw, what does MVPS stand for? As far as I know, the only program that edited the hosts file is Spybot S&D.

Edited by Snakethesniper


Experiencing the same issue since this morning. I would say it's down to an update, that for some reason (known only to Kaspersky), they thought they could do with some more adverse publicity from all users who have, before this, been enjoying the benefits of having this (MVPS file) useful tool.

I'm now suffering the onslaught of banner ads and all the other crap that the host file dealt with. I've been using this Host File set up for years now without a problem so, "if it ain't broke, don't fix it!!" I really hope they get their act together and fix this issue REAL SOON!

 

Regards

 

Doop

> I have the exact same problem on all the 3 PCs that use Kaspersky. Kaspersky "fixed" the issue, but now I'm worried that it has deleted/changed files that were working correctly.
>
> Btw, what does MVPS stand for? As far as I know, the only program that edited the hosts file is Spybot S&D.

 

 

I think you will find that Kaspersky "fixed" the issue by disinfecting "deleting" the altered host file and replacing it with the default copy.

 

To check just go onto the net and see if all the banner ads start appearing again and that will confirm what I suspect has happened.

 

When they get around to solving this issue you will need to download another copy of the Host File from http://winhelp2002.mvps.org/hosts.htm and follow the instructions. You won't be able to install it until they fix this as it will be disinfected each time it's detected, so we will all have to be waiting on this to be fixed soooon!!!

 

Regards

 

Doop

> I am experiencing the same problem as others here, and now my PC is running a KIS 2013 full scan after a reboot by advanced detection. I think it has something to do with the latest detection database, and I'm just guessing :) Please fix this. Thanks in advance.

 

Ditto this, have allowed KIS2013 to "disinfect", re-boot and re-scan with negative result. Have also run Trend Micro Housecall for a second opinion and that is negative too.

Like the others, I am of the (non-expert) opinion that this is a "bug" in the latest update.


I just had the same problem a few minutes ago after a rootkit search. Kaspersky disinfected the file and is now running a full search, without results so far.

 

The hosts file was the one from Spybot Search & Destroy.


My old MVPS hosts also was detected by Kaspersky Internet Security 2012 today. And "disinfected" by deletion. Also blocks access to mvps site in browser.

 

Can't verify that my hosts file was modified since it was deleted, but I downloaded the new (and also blocked by kaspersky) mvps hosts file from another computer and didn't find anything suspicious in it (all were 127.0.0.1 etc..)

 

Updated to 2013 and same thing happens. (Except that Kaspersky Internet 2013 seems to take ages to start up. (Protection starting...))


I just fought with KIS 13.0.1.4190 (f) over this for a while.

It fixes by deleting my hosts file. Doop, it left me without a hosts file at all.

I disabled System Watcher, already had it limited to 1MB after watching what the Pure3 RC did with that module (100MBs).

 

I keep the last few iterations of Hostsmvps on my storage drive and KIS didn't like any of the four I tried to unzip either.

 

Would prefer that the world renowned Kaspersky programmers didn't create this mistake in the first place.

 

Would accept that the same folks fix this without all of us doing their legwork, we pay them I believe.

 

Yep, I'm in a bad way and it's almost noon here, this issue rubbed me the wrong way today.

 

Just now it came up again, I'll ignore and turn the sys watcher back on, that obviously affects heuristics.

 

 

**Ignore didn't help much, my browser became unusable when I went to update specs in my control panel here. I've had to turn KIS off.

Edited by Caniac


I installed a new host file from a different source, hpHOST, and KIS detected a Trojan also. So it looks like at least MVPS and hpHOST Host files, if not all host files, could be a false positive, except the KIS replacement file. A temporary work-around I am using is to enable Exclusion on the MVPS Hosts file and use a system change monitor application such as Winpatrol. This app will indicate/prevent a Host file change and will provide some security while the Host file is on the Exclusion list and until a permanent fix is in place. I submitted my Host file to the KIS virus lab.

Edited by edge10


In my specific case I had Windows XP that previously had Spybot Search and Destroy, but it had been removed prior to installing Kaspersky Internet Security 2013. Spybot S&D adds and apparently, after uninstall, leaves a bunch of well delineated entries in the ..System32/drivers/etc/hosts file. When removed, which I did, Kaspersky no longer complains. The Kaspersky product, for the first time, flagged this file and these entries as a trojan. So I used Kaspersky to restore the file as hosts.orig and then edited it to remove the Spybot-added entries, and then restored as hosts.xyz. Then deleted hosts and renamed hosts.xyz to hosts and rebooted the system. Now if you are still running Spybot S&D then I would check the hundreds of entries for consistency and then tell Kaspersky to restore hosts and then ignore this until Kaspersky resolves the issue.

 

 

> I disabled System Watcher, already had it limited to 1MB after watching what the Pure3 RC did with that module (100MBs).

 

Pure3 RC ate up 100 GB not MB.

 

Fired up the pc again, added the object only to exclusions, things are smooth again.

Props to you edge 10 for the submission, and being of sound mind about this. <_<

> Ditto this, have allowed KIS2013 to "disinfect", re-boot and re-scan with negative result. Have also run Trend Micro Housecall for a second opinion and that is negative too.
>
> Like the others, I am of the (non-expert) opinion that this is a "bug" in the latest update.

 

Whilst in no way advocating that others follow the same route, I have just used the Microsoft FixIt application to restore my host file with some success.

As I type, KIS2013 is no longer flagging the Trojan.

http://support.microsoft.com/kb/972034 (for Windows XP Home SP3).


Update: The full scan finished and it didn't find anything.

 

After letting Spybot Search & Destroy modify the hosts file once again, there seemed to be nothing wrong with it. Everything redirected to 127.0.0.1 and no important update URLs or something similar were blocked by it. Kaspersky started to nag again though.

Edited by nyderic
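
The manual check described in the post above (every entry points at 127.0.0.1, no update hosts blocked) can be automated so that the report names the offending line. This is an added example, not part of the original thread and not Kaspersky's detection logic; the `PROTECTED` suffixes and the sample file are constructed placeholders.

```python
import ipaddress

# Placeholder suffixes (assumption): names that must stay reachable, e.g. AV and OS update hosts.
PROTECTED = ("av-vendor.example", "os-update.example")

def audit_hosts(text, protected=PROTECTED):
    """Return (line_no, reason, detail) for entries that are not plain blocklist lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            findings.append((no, "malformed", line))
            continue
        # Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) only block a name.
        sink = addr.is_loopback or addr.is_unspecified
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if not sink:
                findings.append((no, "redirect", f"{name} -> {addr}"))
            elif any(name == s or name.endswith("." + s) for s in protected):
                findings.append((no, "blocks-protected", name))
    return findings

# Constructed sample, not taken from the MVPS or Spybot lists.
SAMPLE = """\
# sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.net        # ordinary blocklist entry
0.0.0.0 tracker.example.org
203.0.113.7 login.shop.example   # name sent to a routable address
127.0.0.1 dl.av-vendor.example   # update host sunk to loopback
not-an-ip broken.example
"""

if __name__ == "__main__":
    for no, reason, detail in audit_hosts(SAMPLE):
        print(f"line {no}: {reason}: {detail}")
```
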


KAV 2013 Rootkit scan just flagged my HOSTS file as a trojan. I have restored the file from backup.

The HOSTS file contains entries from both Spybot and mvps.

I would have thought that by now Kaspersky should have been updated with a fix.

 

> Ditto this, have allowed KIS2013 to "disinfect", re-boot and re-scan with negative result. Have also run Trend Micro Housecall for a second opinion and that is negative too.
>
> Like the others, I am of the (non-expert) opinion that this is a "bug" in the latest update.

Agreed. I just downloaded the mvps host from http://winhelp2002.mvps.org/hosts.htm around 5 a.m. Malaysian time, but it is still detected as a trojan by KIS2013. Still waiting for a solution.

Edited by ijen360


Timeking:

 

#This file has been replaced with its default version by Kaspersky Lab because of possible infection
#
#
#
127.0.0.1 localhost
::1 localhost

 

That means it is gone. No further action is necessary.

 

//Edit: two topics were merged, and topic thread was de-cluttered, too.

Edited by richbuff

> That means it is gone. No further action is necessary.

 

Is Kaspersky 2013 giving false positives on this particular "trojan?"

 

Kaspersky proceeded to quarantine/disinfect it, and all was supposed to be well with "no further action needed." Since then one of my programs has stopped working, and Kaspersky has alerted three more times saying it has detected Trojan.Win32.hosts.Gen in my hosts file. It keeps repeating the process, but the "trojan" just keeps reappearing. Except for the one program that can no longer open, my computer seems to be running very well.

 

I've wasted a day and a half worrying about this.

 

Here's the link I was given via "Get System Info" per your requirements.

 

http://www.getsysteminfo.com/read.php?file...4a306aef186e7ec

 

Thanks.

This topic is now closed to further replies.