HOSTS gone...

[XPSP3x32]

Yesterday AV (5.2.9.1) block some malware to change my hosts file, from C:\WINDOWS\system32\drivers\etc\, and add fosts file to quarantine.

End now, on every start up/reboot my host are missing, even if I move him again to ETC folder. Every single reboot his gone?

Any suggestions pls?

P.S. I delete everything from quarantine.

[SmackyTheFrog]

Are you seeing additional threat alerts saying the hosts file has been moved to the quarantine? What you are describing would most likely be the result of undetected malware running on your system which is attempting to modify the file with malicious redirects on a regular basis, which causes it to be removed. Contacting Eset support with a SysInspector log would be a good first course of action.

[XPSP3x32]

I don't see any alert, and NOD quarantine is empty.
If I reboot in safe mode, host is here, not deleted. But if reboot normally, it's gone.
I clear all temp, cache, etc... no suspicious .vbs scripts...

[SmackyTheFrog]

If you reboot normally and run the command 'attrib \Windows\System32\drivers\etc\hosts' from the command line, what output do you get? I'm thinking something may have just flagged the file with a hidden or system attribute.

[XPSP3x32]

@SmackyTheFrog it's not hidden. All my hidden/protected system files, are unchecked. So I can see them all.
I think it's added some reg key for deleting hosts, but can't find him.

Tnx anyway.

[XPSP3x32]

After uninstalling the NOD32 AV, problem gone. It was a NOD32 bug. He store somewhere previous action (quarantined hosts file), and on every reboot he delete him constantly

Now it's time to change AV

[Marcos]

Hosts file is only removed if it contains redirects set by malware and is detected by ESET.

[siljaline]

ESET has a tool that helps reset the HOSTS file to default following a DNS poisoning.

[XPSP3x32]

You don't get it?

NOD32 AV delete hosts file on every startup.
Every time win start, I add NEW fresh/clean hosts to etc folder, and on next win start his gone. After I uninstall NOD (5.2.9.1), this issue disappeared.

[siljaline]

Submit and issue ticket to ESET.

[Marcos]

Quote:

Originally Posted by XPSP3x32

You don't get it?

NOD32 AV delete hosts file on every startup.
Every time win start, I add NEW fresh/clean hosts to etc folder, and on next win start his gone. After I uninstall NOD (5.2.9.1), this issue disappeared.

I've tried that and it was only deleted if it contained malicious records. I assume some malware modifies it which triggers detection and the file is removed. I was unable to reproduce it with a clean hosts file. I'd suggest supplying the content of your ESET's quarantine as well as your Threat log to ESET for analysis.

[XPSP3x32]

Quote:

Originally Posted by Marcos

I've tried that and it was only deleted if it contained malicious records. I assume some malware modifies it which triggers detection and the file is removed. I was unable to reproduce it with a clean hosts file. I'd suggest supplying the content of your ESET's quarantine as well as your Threat log to ESET for analysis.

Tnx for the tips Marcos, but it's to late. I already uninstall NOD
Btw, I try this infected soft through Sandboxie, and he try to replace hosts, when he deleted by NOD. This probably cause that bug, and he constantly delete hosts files during reboot..

[zfactor]

probably a malware program running that tried to mod hosts each boot up imo not from nod..

[Marcos]

Deleting hosts file is not a bug as long as it contains malicious records.

[XPSP3x32]

* it's NOD bug.

DONE here & with NOD!

Arrivederci!

[Cudni]

Removing malware is what AV does and if it happens to be in hosts file then it has to go. Thanks all.

[Marcos]

Quote:

Originally Posted by XPSP3x32

* it's NOD bug.
DONE here & with NOD!

Complaining that ESET has removed malware (not a clean file) from your computer cannot be considered a bug in any way, that's what security software is actually supposed to do.