Tha Sneak
MRT-X Owner/Teacher

[MRT-X] Hosts File Infections

Posted Mar 21, 2025 09:38 AM

Hosts File Infections and Their Resolutions

Hosts file infections occur when rogue software or malware modifies the Hosts file, corrupting it and altering its behavior.

What is the Hosts File?
The Hosts file acts as an address book for your computer. When you type a website address like www.yahoo.com into your browser, your computer first checks the Hosts file to see if the IP address (the "telephone number" for that site) is stored locally.

- If the IP address is found in the Hosts file, your computer connects directly to it.
- If not, your computer queries your ISP's (Internet Service Provider) DNS server to retrieve the correct address.

Most users do not have entries in their Hosts file, as IP resolution is typically handled by DNS. However, when the Hosts file is compromised, it can cause serious issues, including:
  • Redirecting users to malicious websites.
  • Adding sites to the Trusted Zone, increasing security risks.
  • Phishing attacks, stealing personal data by redirecting users to fake login pages.

How Hosts File Infections Appear in HijackThis Logs
Infected Hosts file entries will appear as O1 entries in a HijackThis log. Below is an example of a compromised Hosts file:

Code
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba

In the example above, a cluster of fake security-software payment domains (securitysoftwarepayments.com, getantivirusplusnow.com, and so on) is mapped to 74.125.45.100, and Google's country-code domains (google.ae, google.at, google.ba, ...) are mapped to 89.248.168.188. Because the Hosts file is consulted before DNS, anyone visiting those domains is silently sent to the rogue server instead of the real site, which is exactly the setup used for phishing pages and malware downloads. The tell-tale pattern is many unrelated hostnames sharing one non-local IP address.

How to Fix a Hosts File Infection
To repair the Hosts file and restore it to its default state, a specialized tool should be used. A commonly recommended tool for this purpose is FRST (Farbar Recovery Scan Tool).

Steps to Restore the Hosts File:
  1. Download FRST (Farbar Recovery Scan Tool).
  2. Run FRST as Administrator.
  3. Create a plain text file named fixlist.txt in the same directory as FRST.
  4. Copy and paste the following into fixlist.txt and save it:
    Start::
    Hosts:
    End::
  5. Use the "Fix" function to reset the Hosts file.
  6. Reboot your system to apply the changes.
  7. Confirm that the Hosts file has been restored by checking:
    Code
    C:\Windows\System32\Drivers\etc\hosts
  8. If necessary, manually inspect and remove any remaining suspicious entries.

Important Notes:
- Some O1 entries may be legitimate (e.g., custom entries used for local development).
- Always research Hosts file entries before removing them.
- Avoid third-party "hosts file managers" that promise optimizations but may introduce new risks.
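As an added example (not part of the original post, and not code from FRST or HijackThis), the manual inspection in step 8 and the caution in the notes can be turned into a repeatable check. The Python below parses hosts-file text and HijackThis O1 lines into (IP, hostname) pairs, treats loopback and private addresses as the legitimate local-development case, and flags entries that point a hostname at a non-local address, adding weight when many hostnames share one IP, as in the log above. The sample hosts content, the O1 lines and the watched-domain list are constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample hosts file: Microsoft's default comment lines, two
# legitimate local-development entries, and entries mirroring the O1 lines
# shown in the post. Not a real captured file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
127.0.0.1       dev.myapp.local     # local development (constructed)
::1             api.myapp.local
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   secure.privatesecuredpayments.com
89.248.168.188  google.ae
89.248.168.188  google.at
89.248.168.188  google.ba
"""

# Constructed HijackThis-style O1 lines, same shape as the log in the post.
SAMPLE_O1 = [
    "O1 - Hosts: 74.125.45.100 getantivirusplusnow.com",
    "O1 - Hosts: 89.248.168.188 google.az",
    "O1 - Hosts: 127.0.0.1 localhost",
]

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Assumed watch-list: domains a defender would not expect pinned in a hosts
# file at all. An example list, not an authoritative one.
WATCHED_RE = re.compile(
    r"(^|\.)(google\.[a-z]{2,3}(\.[a-z]{2})?|microsoft\.com|windowsupdate\.com)$"
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]  # one IP may carry several names
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def parse_o1_lines(lines):
    """Extract (ip, hostname) pairs from HijackThis O1 log lines."""
    return [
        (m.group(1), m.group(2).lower())
        for m in (O1_RE.match(line) for line in lines)
        if m
    ]


def is_local(ip):
    """True for loopback, private (RFC 1918 / ULA) and link-local addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not a valid IP at all; treat as non-local so it is flagged
    return addr.is_loopback or addr.is_private or addr.is_link_local


def assess(pairs, fanout_threshold=3):
    """Classify each entry as ok / review / suspicious, with the reasons."""
    by_ip = defaultdict(set)
    for ip, name in pairs:
        by_ip[ip].add(name)
    findings = []
    for ip, name in pairs:
        reasons = []
        watched = bool(WATCHED_RE.search(name))
        if not is_local(ip):
            reasons.append("non-local IP")
            if len(by_ip[ip]) >= fanout_threshold:
                reasons.append(f"{len(by_ip[ip])} hostnames share this IP")
            if watched:
                reasons.append("watched domain redirected")
            verdict = "suspicious"
        elif watched:
            # Pinning a real domain to loopback blocks it rather than redirecting it;
            # legitimate in some setups, so ask for a human decision.
            reasons.append("watched domain pinned to a local address (blocks it)")
            verdict = "review"
        else:
            verdict = "ok"  # localhost and local-development style entries
        findings.append({"ip": ip, "host": name, "verdict": verdict, "reasons": reasons})
    return findings


def flagged_ips(findings):
    """Sorted list of IPs that appear in at least one suspicious entry."""
    return sorted({f["ip"] for f in findings if f["verdict"] == "suspicious"})


if __name__ == "__main__":
    for f in assess(parse_hosts(SAMPLE_HOSTS)):
        print(f"{f['verdict']:<10} {f['ip']:<16} {f['host']:<40} {'; '.join(f['reasons'])}")
    print("flagged IPs from O1 lines:", flagged_ips(assess(parse_o1_lines(SAMPLE_O1))))
```

To run it against a live machine, read C:\Windows\System32\Drivers\etc\hosts and pass the text to parse_hosts; anything reported as "suspicious" is what the FRST Hosts: directive in the steps above would wipe, while "review" entries deserve the research the notes recommend before removal.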