trojan.win32.hosts2.gen



--Wolf--
28-03-2012, 02:50 PM
Having to post this from my tablet as I can't even access webpages on the laptop now.

Kaspersky picked this up and I have run a disinfection on it 3 times now but it keeps popping up. How the hell do I get rid of it for good?

Is listed as being at system32\drivers\etc\hosts

Thanks

Speedy Gonzales
28-03-2012, 03:05 PM
You're not the only one (http://forum.kaspersky.com/index.php?showtopic=205052)

Sounds like a Kaspersky screwup to me

--Wolf--
28-03-2012, 03:12 PM
Doesn't explain why I can't load webpages though.

In saying that my hosts file seems to have been deleted now.... that can't be good?

Speedy Gonzales
28-03-2012, 03:21 PM
Get the fixit (http://support.microsoft.com/kb/972034). There's probably code or something in the hosts file, why Kaspersky is deleting it.

What version of Windows is installed?

--Wolf--
28-03-2012, 03:22 PM
Win 7

--Wolf--
28-03-2012, 03:30 PM
Ran that fixit but hosts file is still missing and still can't access webpages

Edit: ran it again and hosts file is there now and Kaspersky is warning me again but still can't access webpages

Speedy Gonzales
28-03-2012, 03:38 PM
Open the hosts file. And see what's in it. Disable system restore. Copy this and save it as hosts. Make sure it doesn't save it as a txt file. And put it in C:\windows\system32\drivers\etc folder. This is from Win7 x64.


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
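
Added example (not part of the original posts): a Python check for the "open the hosts file and see what's in it" step, listing every active entry that is not the stock localhost mapping so it can be compared against the default file above. The sample content, the `.example.test` names and the verdict labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: a few stock comment lines plus made-up active entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1   localhost
0.0.0.0     ads.example.test        # sinkholed by a filter
203.0.113.7 www.example.test login.example.test
not-an-ip   broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for every active (uncommented) entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        # Everything after '#' is a comment; an entry needs an address and a name.
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, verdict, ip_text, hostnames) for entries worth reviewing."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, "malformed", ip_text, names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # The plain localhost mapping is harmless; any other name pinned
            # to loopback or 0.0.0.0 is a block, e.g. written by a filter.
            if all(n.lower() == "localhost" for n in names):
                continue
            verdict = "sinkhole"
        else:
            # A name forced to a routable address overrides DNS for that name.
            verdict = "redirect"
        findings.append((line_no, verdict, ip_text, names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A file made up only of comment lines, like the default one posted above, produces no findings.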

--Wolf--
28-03-2012, 03:45 PM
It says all that except at the top it says this file has been restored by Kaspersky because of possible infection. It won't let me edit that out and save... says access denied

EDIT:

Back on the laptop now. Made another file, edited out the Kaspersky part, saved it then put it in and replaced the old one.

Webpages seem to work now, but I had to bypass K9 Web Protection (into supervisory mode). Wonder if that is what was causing the problem?

As far as the "trojan" - just ignore it? If it's definitely nothing to worry about then?

Speedy Gonzales
28-03-2012, 03:51 PM
Depends if Kaspersky will still pick it up as a trojan. If it deletes it, then you may not get online again

--Wolf--
28-03-2012, 03:53 PM
Depends if Kaspersky will still pick it up as a trojan. If it deletes it, then you may not get online again

OK will monitor it.

Thanks for your help Speedy, saved my ass. (as usual)

Speedy Gonzales
28-03-2012, 03:59 PM
Put TeamViewer on this, and I can have a look if you want. If you install it send the ID and pw it gives you to me in a PM

Speedy Gonzales
29-03-2012, 08:17 AM
K9 Web Protection may have been the cause of this alert. It must write to the hosts file or something?? And Kaspersky probably thought the hosts file was getting altered / modified. That's what this trojan does (by the looks of it). So, I uninstalled K9, Wolf rebooted and so far so good. The alert hasn't popped up again

--Wolf--
29-03-2012, 12:03 PM
Yip problem seems to have been solved now. No virus alerts and webpages working fine now.

Huge thanks to Speedy for taking the time to look at it and finally solve it.

Speedy Gonzales
29-03-2012, 12:04 PM
No probs at all. Anytime :)