Strange looking Host found?

dwdraw2

I ran a small check with the "MiniToolBox," and this is what I found in the Hosts content:

54.204.28.26 imfpmncmbojnbdhnogcegojocabhpbnh. What is this, is it Ad-ware? I would appreciate it if someone could let me know. I can find it and delete it if necessary, I have no problem with that. But it just seems that it doesn't belong? I ran: Hitman Pro, Malwarebytes Pro, and Avast, but they never caught it.



MiniToolBox by Farbar Version: 18-12-2013
Ran by Dan (administrator) on 26-01-2014 at 23:34:06
Running from "C:\Users\Dan\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

54.204.28.26 imfpmncmbojnbdhnogcegojocabhpbnh
127.0.0.1 localhost


Thanks for your time.

dwdraw2 :confused:
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 Home, 64 bit
CPU
i7 quad core, 64 Bit
Memory
6 GB
Antivirus
Avast
Browser
IE
It seems like Adware to me. You can use SuperAntiSpyware to remove it.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build/Self made
OS
Windows 11 x64
CPU
i5 2500K @ 3.3 GHz
Motherboard
ASUS P8 Z77 V pro
Memory
16 GB DDR 3 @ 1600Mhz
Graphics Card(s)
MSI 1050TI 4GB OC version
Sound Card
On Board (Realtek HD audio)
Monitor(s) Displays
Samsung 22" LCD
Screen Resolution
1920*1080
Hard Drives
Seagate 1 TB, WD 1TB, Seagate 2 TB ( I use a lot of space)
PSU
coolermaster 750 W
Case
Coolermaster HAF912
Cooling
Coolermaster hyper 212 EVO
Keyboard
Samsung
Mouse
Dell Wireless
Internet Speed
Wireless 50 Mbps
Antivirus
AVG 2016 Internet Security
Browser
Google Chrome
The easiest solution might be to simply reset the hosts file and flush the DNS cache.

Run this .bat file as administrator to do that - it will automatically reboot your computer when it's completed.

View attachment flush.bat
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
The IP address resolves to:
Code:
ec2-54-204-28-26.compute-1.amazonaws.com
The letters...
imfpmncmbojnbdhnogcegojocabhpbnh
...look very much like a Chrome extension ID.

I've never seen a Chrome extension ID in the HOSTS file.

Google returns a few hits on those letters...
...but you should be careful if you research this.
Dr.Web Anti-virus - How To Remove Virus (Adware.Downware.2032) - [DRWEBHK.COM]

Look in Programs and Features for StartSavin or Start Savin

Remove any Chrome extensions with the same name and/or any extension that you don't want. But they might come right back. If you do have an extension written by the grey hats at 215apps, you might be in for a long thread like this one http://www.sevenforums.com/system-security/316404-instant-savings-app.html
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit
Thanks everybody for your suggestions. I will embark on them to see what works or, what happens? I appreciate your help.

Thanks for your time.

dwdraw2
 

Were you using any Amazon Web / Cloud services?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home built (GeneO industries)/Model 4
OS
Windows 10 Pro. EFI boot partition, full EFI boot
CPU
i7 4770k 4.4GHz (44-44-43-43 turbo) @ 1.248V
Motherboard
ASUS Maximus VI Hero
Memory
16GB (8GBx2) @2200 MHz G.skill Sniper 10-11-10-30-1, 1.6V
Graphics Card(s)
MSI GTX 970 Gaming 4G
Sound Card
Onboard SupremeFX Audio
Monitor(s) Displays
NEC Spectraview 2490WUXi-SV
Screen Resolution
1920 x 1200
Hard Drives
Samsung 850 Pro 256GB (OS), Samsung 2x 128GB 840 Pro SSD in RAID0, 3x WD Blue 6Gb/s 1TB RAID0, WD 2TB Black external USB 3.0, 2TB WD20EARS Green external USB 3.0, 2x 500GB Seagate and 1 750 GB external USB, 1x 350GB external USB3
PSU
Seasonic X-850 (2012 KM3 model)
Case
Fractal Design Define R4
Cooling
NH-D14, NF-F12, NF-A15; NF-P14, NF-P12,NF-A14, S12A PWM
Keyboard
Cooler Master Storm Quickfire Rapid - Brown
Mouse
Logitech G602
Internet Speed
126.4 Mb/s down, 24.3 Mb/s up
Other Info
USB 3.0 x8 , SATA III x8, eSATA, USB 2.0 x6. Samsung DVD R/W drive.

WEI: CPU 7.8, Memory 7.9, Graphics 7.9, Disk 7.9
Thanks for the reply.

I don't actively use any web/cloud services, other than Hitman Pro, which uploads to the cloud to check on a potential virus. Sometimes I watch a movie from Netflix, but there, I get hit with "PUPs" from time to time. I have no problem getting them out. The other day, I just removed a virus called "pcreg." That's been on my computer for a few months. I thought that was a legit function. It wouldn't let me open it, so I just let it be until I decided to check it out on the web the other day. Turned out to be a virus. I used SuperSpyHunter to browse to it then pried it out, I then took SuperSpyHunter off because it is a memory hog. I used the trial version.

Lately, I have been reading that the Host files can be updated? I have been looking around to figure out how to do that. I haven't got a solid grip on that yet. So, I haven't done anything with the files. From what I understand thus far, the files may or may not be needed, depending on the programs one has in their computer. The files can be used to re-direct ads, from what I read. So, they can be used in your favor. But, a hacker can use them against you too.

Some of these sites say it's easy to work with Host files. For me, easy is when you understand it-I don't yet. So I haven't made a move on them. So, for now, I just stare (glare) at them from time to time.

If you can find out, if I need only one file, the 127.0.0.1 Localhost, for my computer to keep running the associated programs, then I can delete the other host (54.204.28.26 imfpmncmbojnbdhnogcegojocabhpbnh). I would appreciate your help here.

Thanks for your time.

dwdraw2
 

The HOSTS file that comes with Windows 7 is shown in the code box below.

Every line that starts with a # character is a remark line (comment line).

As you can see, all lines are comments. You do not need a HOSTS file at all.

The zipped (compressed) file attached to this post contains all of the (unmodified) files that are normally found in this folder: C:\Windows\System32\drivers\etc

Code:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
 

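Added example (not part of any post in this thread, and not code from MiniToolBox or Rkill): a Python audit of HOSTS text that follows the format described in the stock file above and also flags host names shaped like a Chrome extension ID (32 letters in the range a-p), the pattern pointed out earlier in the thread. The function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every active (non-remark) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # '#' starts a remark anywhere on the line
        fields = entry.split()
        if len(fields) >= 2:                  # an address with no host name maps nothing
            yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return (line_no, ip, name, reason) for entries a stock HOSTS file would not have."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "invalid address"))
            continue
        for name in names:
            lowered = name.lower()
            if addr.is_loopback and lowered == "localhost":
                continue                      # 127.0.0.1 / ::1 localhost is harmless
            if EXTENSION_ID.match(lowered):
                reason = "host name has the shape of a Chrome extension ID"
            elif addr.is_loopback or addr.is_unspecified:
                reason = "name sinkholed to the local machine (ad-block style entry)"
            else:
                reason = "name redirected to a remote address"
            findings.append((line_no, ip, name, reason))
    return findings


# Constructed sample: the two active lines from the MiniToolBox report in this
# thread, plus two remark lines in the style of the stock file.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
54.204.28.26 imfpmncmbojnbdhnogcegojocabhpbnh
127.0.0.1 localhost   # loopback
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

A file made up only of remark lines, like the stock Windows 7 one, yields no findings.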
Thanks for the reply.

I will check this out. I will either delete both or just the one.

I appreciate your help.

Thanks for your time.

dwdraw2
 

The HOSTS file (and the other files in the folder) are protected. You can copy the HOSTS file to the desktop, change it and then copy it back. Or, just copy the one that I attached.

Do you have the Chrome browser installed?
 

Make sure proxy settings are disabled ....


Disable the proxy settings in Internet Explorer:
1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.
Reboot
Make sure "Proxy server" is still disabled under your LAN Settings.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
No, I do not have the Chrome browser installed. I did have it on but several days ago I uninstalled it. I was having some problems with it. I installed Firefox in its place.

Here's what I did so far: I found the folder by your posting (thanks.) I went to the folder, opened the window, erased (deleted) the file, closed just the window, and reopened it, only to find that it came back?

So, which files do I copy from your post to copy into the Host file?

Thanks for your time.

dwdraw2
 

Thanks Jacee for the reply.

I'll make a copy of the instructions and follow them to the "T."

Thanks again

dwdraw2
 

Jacee, do I go back and reset the Proxy after changing the Host?

Thanks for your time.

dwdraw2
 

Thanks USERNAMEISSUES for the downloads. I have them downloaded in explorer.

I'll check back later to see if there are more instructions.

Thanks again.

dwdraw2
 

Just make sure proxy settings are disabled! ... it doesn't really matter what order.
 

Thanks Jacee and Usernameissues.

You both have been a lot of help. Jacee, the Proxy is unchecked. I pasted the text provided by Usernameissues, and below is a copy of a system check by "rkill":


Rkill 2.6.4 by Lawrence Abrams (Grinler)
Bleeping Computer - Technical Support and Computer Help
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program - Anti-Virus and Anti-Malware Software

Program started at: 01/28/2014 06:09:41 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 01/28/2014 06:09:52 PM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)


The text provided by Usernameissues cleared the rogue host. Awesome!

Thanks again for your help.

Thanks for your time.

dwdraw2
 

No, I do not have the Chrome browser installed. I did have it on but several days ago I uninstalled it. I was having some problems with it. I installed Firefox in its place.

Here's what I did so far: I found the folder by your posting (thanks.) I went to the folder, opened the window, erased (deleted) the file, closed just the window, and reopened it, only to find that it came back?

So, which files do I copy from your post to copy into the Host file?

Thanks for your time.

dwdraw2
This might not be a problem - but it is not the norm for a stock install of W7. It might be AVAST that is putting the file back or it might be something bad putting it back (or changing it). Jacee will walk you thru checking for bad things.



You might not need this info now, but you can copy/paste any or all of the standard (unmodified) files from that zip into that folder. In the detail view, they should look close to this:

hosts.PNG
 

You could just Remark the suspicious entry (see post #8) and then see if it reappears when you:

  • Reboot
  • Try to browse the Internet
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
n/a
OS
W7 Ultimate SP1, LM19.2 MATE, W10 Home 1703, W10 Pro 1703 VM, #All 64 bit
CPU
AMD Phenom II x6 1100T, 3.3 GHz
Motherboard
ASUS M4A88T-M/USB3 (AM3)
Memory
12GB DDR3 1333 G-Skill (4GB x 2), G-Skill (2GB x 2)
Graphics Card(s)
NVIDIA GeForce GTX 660
Sound Card
Realtek?
Monitor(s) Displays
Samsung S23B350
Screen Resolution
1920x1080
Hard Drives
WD Green 2TB (SATA), WD Green 3TB (SATA), WD Blue 4TB (SATA), WD Blue 6TB (SATA)
PSU
Cooler Master
Case
Antec GX300 Tower
Cooling
3x Antec TRICOOL 120mm Fans
Mouse
Wired Optical
Internet Speed
DSL
Antivirus
Avast
Browser
Pale Moon (64 bit)
Other Info
2018-12-27 Upgraded HDDs
2015-12-10 Upgraded case, graphics card, storage
2015-08-15 Upgraded motherboard & RAM
2015-07-15 Upgraded LM17.1 to LM17.2
Thanks for the reply Usernameissue.

It took a few tries, but it finally took the pasted files. I have checked it and your files have not changed. It worked. The Rkill list above shows the host with "no issues found." I'm thinking that Chrome might have put that strange host there when I installed it-if not maybe someone else did? But anyway, it's finally gone thanks to the files you sent to me.

I saved those files in case that I might need them later-never know.

Thanks for your time-I appreciate it.

dwdraw2
 
