Question HOSTS file hijack. False alarm? "PossibleHostsFileHijack"

Status
Not open for further replies.

c050

Reputable
Dec 14, 2018
45
2
4,535
Windows 10 Home
Version 21H2
OS build 19044.2006

No antivirus software installed, just Microsoft Defender.

Below my Protection History after I chose "Remove".
Threat blocked Moderate
15/09/2022 09:47

Detected: SettingsModifier:Win32/PossibleHostsFileHijack
Status: Removed
A threat or app was removed from this device.

Affected items:
containerfile: C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PPPPPPPP.default\extensions\{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi

file: C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PPPPPPPP.default\extensions\{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi->assets/thirdparties/someonewhocares.org/hosts/hosts

Why did this happen? Googling "PossibleHostsFileHijack", Microsoft informs me:
If you have changed the Hosts file yourself, you need to exclude it from detection by your antivirus software.
I've been using the https://winhelp2002.mvps.org/hosts.htm file. For 15 years. Never seen a warning message before. Looking at my hosts file, it has a modified date of 2018. Nothing has edited it recently. Unless my choosing "Remove" restored it?

Googling "someonewhocares.org/hosts/hosts", that seems benign. It's from a GitHub repository.

One piece of advice is to restore the empty Microsoft hosts file. But I discovered the joy of using a hosts file to filter out <Mod Edit> about 15-20 years ago and I want to keep using a hosts file. Another is to do a "full scan". Did that, nothing found.

I wonder what happened when I chose to "Remove" it? Is my hosts file now bypassed and nonfunctional? It looks like the offending file was in the Firefox profile folder, so probably my core
C:\Windows\System32\drivers\etc\hosts
file was never touched.
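The detection above names a containerfile (the .xpi) and a file inside it, i.e. Defender unpacked the extension archive and flagged a bundled hosts list. The check a practitioner wants at this point is the one the detection name alone does not give: does the file blackhole names (blocklist style, 0.0.0.0 or 127.0.0.1) or redirect them to a routable address (hijack style)? The following is an added example written for this post, not code from the thread, from Firefox or from Microsoft. It treats a .xpi as the plain zip archive it is, pulls out any bundled hosts files and classifies each entry; the sample blocklist, the two "hijack" lines and the 203.0.113.10 address are constructed for the demo (RFC 5737 documentation range), and the `assets/thirdparties/someonewhocares.org/hosts/hosts` path is taken from the detection above.

```python
from __future__ import annotations

import io
import ipaddress
import zipfile
from dataclasses import dataclass, field

# Addresses a blocklist-style hosts file (MVPS, someonewhocares.org) maps names to.
# Anything routable is a redirect, which is what a real hijack looks like.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}


@dataclass
class HostsReport:
    blackholed: int = 0                              # names -> unspecified/loopback
    redirects: list = field(default_factory=list)    # (name, ip) -> routable address
    malformed: list = field(default_factory=list)    # (lineno, raw line) we could not parse


def parse_hosts(text: str) -> HostsReport:
    """Classify every active line of a hosts file as blackhole or redirect."""
    report = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            report.malformed.append((lineno, raw))
            continue
        ip_text, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            report.malformed.append((lineno, raw))
            continue
        if ip_text in BLACKHOLE or ip.is_loopback or ip.is_unspecified:
            report.blackholed += len(names)
        else:
            report.redirects.extend((name, ip_text) for name in names)
    return report


def hosts_files_in_xpi(xpi_bytes: bytes) -> dict[str, HostsReport]:
    """Find and classify hosts files bundled inside a .xpi (a zip archive).

    Mirrors what Defender reported: containerfile=<xpi>, file=<xpi>-><member>.
    """
    found: dict[str, HostsReport] = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name == "hosts" or name.endswith("/hosts"):
                text = zf.read(info).decode("utf-8", errors="replace")
                found[name] = parse_hosts(text)
    return found


# Constructed sample: blocklist in the MVPS / someonewhocares style (example domains only).
SAMPLE_BLOCKLIST = """\
# This is a constructed blocklist for the demo
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net  # [tracker]
0.0.0.0 www.example-tracker.invalid
"""

# Constructed sample: the same list with two lines of the kind a hijack contains.
SAMPLE_HIJACK = SAMPLE_BLOCKLIST + """\
203.0.113.10 www.mybank.example   # routable address: redirect, not a blackhole
203.0.113.10 login.example.com
"""


def build_xpi(files: dict[str, str]) -> bytes:
    """Build an in-memory .xpi from {member path: text} so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def demo() -> dict[str, HostsReport]:
    """Scan a constructed extension whose layout matches the detection's path."""
    xpi = build_xpi({
        "manifest.json": '{"name": "demo"}',
        "assets/thirdparties/someonewhocares.org/hosts/hosts": SAMPLE_BLOCKLIST,
    })
    results = hosts_files_in_xpi(xpi)
    for path, rep in results.items():
        verdict = "blocklist only" if not rep.redirects else f"{len(rep.redirects)} redirect(s)"
        print(f"{path}: {rep.blackholed} blackholed, {verdict}")
    return results


if __name__ == "__main__":
    demo()
    print("hijack sample redirects:", parse_hosts(SAMPLE_HIJACK).redirects)
```

To run this against the real files, pass the bytes of the .xpi under the profile's `extensions` folder to `hosts_files_in_xpi`, and the text of `C:\Windows\System32\drivers\etc\hosts` to `parse_hosts`. A system hosts file that reports only blackholed entries and an unchanged modification date is behaving as a blocklist; any entry in `redirects` pointing a real site at a routable address is the thing the detection name is warning about.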

c050
Sounds like you have an extension that tries to change the hosts file and got stopped by Windows Defender.

That's effin' brazen. By editing the hosts file it could hijack to anywhere. Obviously it needs admin access to alter that file. How did it imagine it wouldn't be detected, I wonder?

~

Yes ... I do have a new extension, "Playback speed". Shame. I quite like it.

I installed three different ones before deciding on the one with the best control interface. It might be one of the first two. Possibly:
"Video Speed Controller" or
"Video Speed Up"

But the first two were deleted on uninstall so they couldn't have triggered it?

On second thought, I can look in the profile folder to see which one it was. Being paranoid, I edited my username and the profile name. It wasn't really "PPPPPP".

c050
Hmmm ... I now have three Firefox profiles.

One from 2018. That makes sense because I restored a hard drive image from about then.
One from 19 July, which is when I restored the image
One from today 15 Sep.

The last one, is that the work of Windows Defender, neutralizing a corrupt one?

The 19 July profile is the active one (as gathered from the troubleshooting information page "about:support").