Solved

mvps Hosts file detected as Trojan.Win32.Host2.gen


Userlevel 2
Badge

Seems like this was an issue before, and claims to be resolved but I do not see “how” it was resolved. Kaspersky keeps flagging my HOSTS file, then disinfecting it by deleting it and replacing it with an empty HOSTS file. I’ve run the updates, run the full scans, yet every time I try to add even 1 line to the HOSTS file, immediately flagged and the red box appears to “disinfect and reboot”. Help. Anyone?


Best answer by Wesly.Zhang 12 May 2020, 14:11


30 replies

Userlevel 7
Badge +9

@Zac Welcome. Can you reset the default HOSTS file of Windows?
Also, please contact K-Lab Technical Support https://center.kaspersky.com 

Userlevel 2
Badge

Yes, once Kaspersky disinfects the HOSTS file and replaces it with a blank one, I’ve tried to add new entries to the blank one AND tried to use the MS default one. As long as it is blank or default there is no problem. As soon as I try to add ANY entries to it, it is flagged as the trojan again. I have backups of my HOSTS files saved as *.txt files and they are also not flagged until I rename them to just HOSTS (with no extension). As I’ve said, the full scan has been run with no virus or trojan detected.

Thank you for the link - I have submitted the problem ticket there also.

I am hoping that whatever resolution was discovered back a few years ago can be applied to this issue. The title of my post is the exact same as the one on your older forums, for reference.

Userlevel 7
Badge +5

Hello,

Please delete the rules for Google in the hosts file.

Regards.

Userlevel 7
Badge +11

Hello @Wesly.Zhang,

All of the following:
  • :question: &, how are the Google entries causing the “Trojan.Win32.Host2.gen” error when a new domain is added? 

Please let us know?

Thank you:pray_tone3:

Flood:whale:


Hello @Zac 

  • What domain has been added when the “Trojan.Win32.Host2.gen” error occurs? 

Please let us know?

Thank you:pray_tone3: 

Flood:whale:

Userlevel 7
Badge +5

Hello, @FLOOD 

As I see, there are lots of rules for Google or related websites. So the only solution to this issue is adding this file to an exclusion rule in the KL product.

Regards.

Userlevel 7
Badge +11

Hello @Wesly.Zhang,

  • So don’t remove exclude the google entries? Is that what you mean now? 

Please let us know?

Thank you:pray_tone3: 

Flood:whale:


 @Zac,

  • Have you actually added a File Antivirus exclusion for the modified Hosts file? If “no”, you’ll need to Pause KIS protection before modifying the file, add the FAV exclusion, resume protection, recheck the issue:thinking:
  • And, please provide an example domain that’s been added, that’s causing KIS to generate “Trojan.Win32.Host2.gen” alert, as I’ve modified the MVPS source file & not had any detections:thinking:

Please let us know?

Thank you:pray_tone3: 

Flood:whale:

Userlevel 7
Badge +5

Hello, @FLOOD 

Yes, it is.

Userlevel 2
Badge

@Wesly.Zhang

I’ve paused protection, removed the entries listed, and resumed protection. So far no pop-ups or warnings. (fingers crossed).

Side note - when I added the HOSTS file to my exclusions, Kas still deleted and replaced it (before I got your notes) without any prompt. This is only day 3 of my first time trying their software… is there an option to silently fix issues? Can I turn off the “silent part” so I know what is happening?

============

@FLOOD

The entries I was trying to add were google and doubleclick related (all but one in the list Wesly provided). Again, fingers crossed this is the fix. 

Too good to be true?

=========

If this is the fix - Kas’ tech team needs an update. The instructions they sent to “diagnose” the issue are quite lengthy. Overkill actually.


I’ll update after a full day’s run and a reboot or two.

Thanks !!

Userlevel 7
Badge +11

Hello @Zac,

  1. I provided the list - it’s directly from most recent MVPS source file - unmodified
  2. I also used the same unmodified MVPS source file, with all the Google entries intact - in the system, instead of the original Hosts file, Kaspersky did not detect at all.
  3. We’re not sure what’s meant by “If this is the fix - Kas’ tech team needs an update. The instructions they sent to “diagnose” the issue is quite lengthy. Overkill actually”, did you actually contact Kaspersky Technical Support? 

Thank you:pray_tone3: 

Flood:whale:

Userlevel 7
Badge +5

Hello, @

Could you please provide this hosts file via PM? Let me check which rules are related to this detection.

Regards.

Userlevel 2
Badge

Hi @FLOOD ,

Since I’m new to Kaspersky, yes, I did contact tech support and posted on the forums here.

Sorry, I didn’t mean to indicate I doubted you or to insult you. I really appreciate the feedback and so far the hosts file is not being flagged as a Trojan.

I was just mentioning that when I explained the issue to tech support in pretty much the same way I posted here, they had me run through all kinds of steps and still seem quite perplexed on what to do with this particular issue. I’ll be sure to close out that ticket with them.

Believe me, I am thankful if the hosts file issue is done now. :)

Again, apologies for any misunderstanding.

Thanks,

Zac

Userlevel 2
Badge

Hi @Wesly.Zhang ,

My MVPS HOSTS file is the one dated 03-03-20. As I mentioned I have deleted all the google entries that were given and re-enabled protections. So far the AV is not detecting the Trojan on that file any more.

Thanks !

Userlevel 7
Badge +11

Hello @Zac,

No apology necessary:slight_smile: , I wasn’t insulted or offended, just confused by the information provided, it always helps us help you (& other Community members) if we are provided with all available information.

Thank you:pray_tone3:

Flood:whale:

Userlevel 7
Badge +11

Hello @Wesly.Zhang,

I’ve sent you the original 03-03-2020 MVPS Hosts file via a share link. 

Thank you:pray_tone3:

Flood:whale:

Userlevel 7
Badge +11

Hello @Zac

Additional:

  1. When you update Kaspersky Technical Support, please tell them the solution that’s worked. 
  2. Also, please explain/provide more detail for “silent part” so we can assist? 

Thank you:pray_tone3:

Flood:whale:

Userlevel 2
Badge

@FLOOD ,

Oh, what I meant about the “silent part”…

Kaspersky changed the hosts file by deleting the “infected” one and replacing it with a blank one. It did this without any type of notification. Is there a way to turn these notifications back on so that I know when the program is doing this type of change again in the future? Hope that makes more sense. Once I get past the trial period and am more familiar with how Kaspersky works, I probably won’t need as many notifications. Just want to know what’s being changed for now. :)

Thanks!

Userlevel 7
Badge +11

Hello @Zac,

Thank you:ok_hand_tone3: !

  • Check Notifications settings; if there are any hidden notifications, it will show x (x = number) hidden notifications, select Reset all hidden notifications
  • If you wish to receive Notifications, make sure On-screen notifications is checked.
  • & check Quarantine, to see if there’s any files:thinking:

Thank you:pray_tone3:

Flood:whale:

Userlevel 7
Badge +11

Additional @Zac,

  • May we have the KIS Report - select ALL events, 7 days, report; export the report, save as a .txt file & attach:paperclip: to your reply - see Report video as a guide

Note: the video shows 24hr Report collection, please select 7 days from the dropdown list.

Please post back?

Thank you:pray_tone3:

Flood:whale:

Userlevel 7
Badge +9

Kaspersky changed the hosts file by deleting the “infected” one and replacing it with a blank one. It did this without any type of notification. 

Please share this Issue with K-Lab Technical Support before closing your Ticket.

Userlevel 2
Badge

@FLOOD 

Here is the report.

Seems like an awful lot of entries referencing that hosts file. :O

Userlevel 2
Badge

@FLOOD, @Wesly.Zhang  Just following up… 2 reboots later and hosts file is still intact. Removing the google references did the trick. 

Thank you!

PS: Let me know if anything in that KTS file needs attention.

:)

Userlevel 7
Badge +5

Hello @Zac

You could add an exclusion for the hosts file so that KL does not scan it, by one of two methods; choose one of them to configure:

When you choose the second one (using “*” for all the files in the “etc” folder), you should add a threat name to the object; this is the best way to keep other malware that may exist in that folder from escaping scanning. I think you could add the Google rule as well.

Regards.

Userlevel 2
Badge

@Wesly.Zhang Thanks for the info on adding an exclusion. My apologies for any misunderstanding, but I was updating you to let you know that deleting the google entries DID solve the problem. Thank you. :relaxed: :thumbsup:

Userlevel 7
Badge +5

Hi @Zac

Nice! You are welcome. I'm glad you could solve the problem. Cheers :beers:

Userlevel 2
Badge

Hi - wondering if I could have you look over the following entries for me, please. Something in these is triggering the trojan alert again, but I can’t seem to pinpoint which one. I add them one at a time, but it seems to be a delayed reaction (sometimes hours) before the file is detected again.

0.0.0.0 avast.com
0.0.0.0 ipm-provider.ff.avast.com
0.0.0.0 dotomi.com
0.0.0.0 www.logmein.com
0.0.0.0 www.teamviewer.us
0.0.0.0 www.realvnc.com
0.0.0.0 cdn.blatungo.com
0.0.0.0 blatungo.com
0.0.0.0 facebook.com
0.0.0.0 www.facebook.com
0.0.0.0 fb.com
0.0.0.0 thesimsresource.com
0.0.0.0 www.thesimsresource.com
0.0.0.0 simsdom.com
0.0.0.0 www.simsdom.com
0.0.0.0 facebook.net
0.0.0.0 doubleclick.net
0.0.0.0 vacaneedasap.com
0.0.0.0 aol.com
0.0.0.0 oath.com
0.0.0.0 yahoo.com
0.0.0.0 netcheckcdn.xyz

Any thoughts or feedback would be appreciated !

Thanks :thinking::nerd::pray_tone1:
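As an added example (not code from the thread or from Kaspersky): a small Python audit that parses hosts-file lines written like the ones above and reports mappings for the domain categories this thread discusses, Google/DoubleClick entries, whose removal stopped the detection, and security-vendor domains, which hosts-hijack heuristics are commonly assumed to watch. The watchlist, the sample hosts text and the hypothesis that these categories drive the alert are assumptions of the example, not Kaspersky's actual signature logic.

```python
import sys

# Constructed sample hosts text for this example; the DoubleClick/Google lines mirror
# the kind of entries whose removal stopped the detection in the thread above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 doubleclick.net
0.0.0.0 ipm-provider.ff.avast.com   # blocks an AV vendor's telemetry host
0.0.0.0    www.facebook.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com
"""

# Assumed watchlist (an assumption of this example, not Kaspersky's signature):
# domain suffixes grouped by the categories the thread discusses.
WATCHLIST = {
    "security-vendor": ("avast.com", "kaspersky.com", "symantec.com", "mcafee.com"),
    "google-ads": ("google.com", "google-analytics.com", "doubleclick.net", "googleadservices.com"),
}

def parse_hosts(text):
    """Return (lineno, ip, hostname) for every active mapping; comments and blank lines skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts  # one address may be followed by several hostnames
        entries.extend((lineno, ip, name.lower()) for name in names)
    return entries

def category_of(hostname):
    """Watchlist category whose suffix matches hostname exactly or as a parent domain, else None."""
    for cat, suffixes in WATCHLIST.items():
        if any(hostname == s or hostname.endswith("." + s) for s in suffixes):
            return cat
    return None

def audit(text):
    """Flagged mappings as (lineno, ip, hostname, category), in file order."""
    return [(ln, ip, h, category_of(h)) for ln, ip, h in parse_hosts(text)
            if h != "localhost" and category_of(h)]

if __name__ == "__main__":
    # Pass a hosts path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ln, ip, host, cat in audit(text):
        print(f"line {ln}: {ip} {host}  [{cat}]")
```

Suffix matching is what makes `ipm-provider.ff.avast.com` report under its parent domain, so a long list can be checked in one pass instead of adding entries one at a time and waiting for a delayed alert.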
