Ask Me Help Desk


  • Mar 24, 2011, 05:45 AM
    jawbone
    C:\windows\system32\drivers\etc\hosts virus
    I went to a site and I think it was a java drive-by
    Now NOD32 is constantly giving a warning that there is a Qhost virus in the hosts file
    Only thing is, I don't know how to delete the virus

    I opened the hosts in notepad and found this:

    127.0.0.1 www.virustotal.com
    127.0.0.1 virustotal.com
    127.0.0.1 novirusthanks.org
    127.0.0.1 vscan.novirusthanks.org
    127.0.0.1 virusscan.jotti.org
    127.0.0.1 www.virusscan.jotti.org
    127.0.0.1 virscan.org
    127.0.0.1 www.virscan.org
    127.0.0.1 virus-trap.org
    127.0.0.1 www.virus-trap.org
    127.0.0.1 filterbit.com
    127.0.0.1 www.filterbit.com
    127.0.0.1 viruschief.com
    127.0.0.1 www.viruschief.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.kaspersky.com


    That's everything that's in hosts

    Someone knows the real hosts?

    Thanks
  • Mar 24, 2011, 06:01 AM
    NeedKarma
    Those entries are preventing any browser on that machine from accessing those sites. You can delete them all if you can. Try using the free version of this product to scan and disinfect your machine: Malwarebytes
    Try it in Safe Mode for best results.
  • Mar 24, 2011, 07:10 AM
    ITstudent2006

    You must spread some Reputation around before giving it to NeedKarma again.
  • Mar 24, 2011, 08:02 AM
    ITstudent2006

    What does your host file look like? Please include the whole text not just the blocked sites.

    The following is what mine looks like:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    127.0.0.1 www.facebook.com
    127.0.0.1 facebook.com
    127.0.0.1 login.facebook.com

    As you can see, I am blocking Facebook. Before your PC accesses any DNS cache or DNS server it inspects this file, blocking what is listed.

    Can you delete all entries so the only thing listed is 127.0.0.1 localhost?
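
Added example (not part of the original thread or any poster's code): a small Python audit of hosts-file text that flags the kind of entries discussed above, where antivirus and scanner sites are mapped to a loopback address. The watchlist, the sample input and the function names are assumptions made for illustration.

```python
import ipaddress

# Watchlist built from domains posted in this thread (assumption: extend it
# with the AV vendors and scanning services you rely on).
SECURITY_DOMAINS = {"virustotal.com", "novirusthanks.org", "jotti.org",
                    "virscan.org", "kaspersky.com"}
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input, not a capture from a real machine.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.virustotal.com   # trailing comment
127.0.0.1 virusscan.jotti.org kaspersky.com
127.0.0.1 www.facebook.com
::1 localhost
not-an-ip example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split columns
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, severity, hostname, effect) for each non-default entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES and ip.is_loopback:
            continue  # the stock localhost mapping
        effect = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        watched = any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)
        findings.append((line_no, "high" if watched else "review", name, effect))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding)
```

Entries marked "review" (such as a deliberate Facebook block) may be intentional; entries marked "high" override name resolution for a security site and are worth treating as a sign of tampering.
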
  • Mar 24, 2011, 08:16 AM
    jawbone
    The list of blocked sites is all that's in hosts
    Nothing else there
  • Mar 24, 2011, 08:17 AM
    NeedKarma
    Well to me it's a symptom of an infection. I would do a good deep scanning.
  • Mar 24, 2011, 08:19 AM
    jawbone
    All right, I'm doing a deep scan on my PC now
    Also have changed the hosts file from the list of blocked sites to: 127.0.0.1 localhost

    So all that's in hosts now is 127.0.0.1 localhost
  • Mar 24, 2011, 10:12 AM
    ITstudent2006

    1. Are you scanning in safe-mode?
    2. Is your AV up-to-date?

    After deleting all but localhost, are you still receiving the message?
  • Mar 24, 2011, 10:37 AM
    jawbone
    I have deleted all but localhost
    And haven't got the message yet
    I think it's gone now

    Thanks for the help guys!
  • Mar 24, 2011, 01:15 PM
    ITstudent2006

    What still concerns me is that you didn't put those entries in that host file, which means someone or something did. Am I correct?
  • Mar 24, 2011, 01:17 PM
    jawbone
    Yes I think you're right and I think I also know how I got this virus in my PC
    I went to a site, not going to tell the site here for safety of you
    Guess it was a java drive-by
  • Mar 24, 2011, 07:02 PM
    ITstudent2006

    Safety of me huh?

    Either way, did the scan in safe mode with the most up-to-date AV retrieve anything?
  • Mar 25, 2011, 03:02 AM
    jawbone
    No I meant the safety of everyone here

    And yes I did a new virus scan, nothing found
    So I think the virus is gone now
    Got another problem now though
    When I start my PC it doesn't start explorer.exe
    After logging into my account all I see is a black screen
    But if I open explorer.exe in task manager it works
  • Mar 25, 2011, 08:21 AM
    ITstudent2006
    System Restore?
    Reinstall?
  • Mar 6, 2012, 09:32 AM
    premdas
    127.0.0.1 www.internetdownloadmanager.com
