Eset keeps removing my hosts file

Eset 4 Smart Security 4.2.64.2 keeps removing my hosts file and placing it in quarantine...I use my hosts file as a protection means..this removing mt host file opens up the way for intrusions. Its possible that some malware keeps trying to access the host file and ESET stops it. Doing its job .but on checking host I see not malware nor does my system find it.. I have ran rkill.com and ESET DNS flush..

How can I stop this

Can I set ESET to miss out the check on my host file?

 

why not add it to the exceptions list??

 

does Eset specify (naming the threat) why it is removing? It could be some malware

 

Thank you for your prompt attention.

I am not sure how I can place the hosts into the exclusions ..could you guide me please

EDIT: I have done this..just waiting for a final scan now

In the log files I found several of these logs below..is notepad infected.


03/11/2012 9:39:16 PM Real-time file system protection file C:\Windows\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined Art-PC\Art Event occurred on a file modified by the application: C:\Windows\System32\notepad.exe.


The trojan it seems to see is names Trojan Qhost I think....I have search for this with many scanners and not found any virus, trojan, or malware etc on my machine..but as soon as I place the quarantined host file back into driver/etc via ESET it removes it..

Does anyone know of this trojanghost and how can i remove it.. TIA

 

go to step 6
http://kb.eset.com/esetkb/index?page=content&id=SOLN2505

 

In addition to what Cudni already recommended:

The possibility exists, comments or content are being detected as malicious. Restore your Hosts file to default. Reboot your PC, flush your DNS, replace your restored Hosts file with your custom Hosts file, please report back your findings.

 

Definitely send the file to ESET as per the instructions here. Hosts should not be detected unless it contains a redirection of a legit website that is known to be performed by malware.

 

Hello artinusa,

You should open HOSTS with notepad. You should only find site entries with 127.0.0.1 followed by a website address. All other entries should be removed or changed to 127.0.0.1 , so that you can't access these malicious websites. Otherwise ESET or any other security product will detect the HOSTS file as QHOST. Because each time you visit a webpage that is entered in the HOSTS file you will redirected to another webpage.

Regards,
Niels

 

Dear Niels,

Please forgive me, but generally speaking that doesn't have to be true.
People can put entries in their hosts file for other reasons than blocking websites; for example an entry where they "link" a website with its IP-adress, just to be able to go to that website in case there are DNS issues.
To give an example: I have done that for the Wilders site. To be more precisely I have these two entries in my hosts file:

66.227.46.190 wilderssecurity.com
66.227.46.190 www.wilderssecurity.com

(see for example post by LowWaterMark in this thread)

 

Thank you for all your help posters..

I have removed all but essential entries.

I found none that was not a correct entry basis..but many with '#comments' .. I took all them out also. I am now waiting for ESET to indicate a problem..so far so good..after a reboot ..time will tell

 

Hello fanj,

Sorry, that I wasn't very clear but the reason why I mentioned it, is because of the detection of the QHost detection.

By default there is only 1 entry in a HOSTS file and that is 127.0.0.1 local host. In a security point you can add malicious domains by typing 127.0.0.1 and enter the site address.

The topic that you linked was with a connectivity issue for reaching the forum, when there was a DNS issue. But under a normal condition there shouldn't be any other ip-addresses entered in a HOST file except 127.0.0.1. If it's the case that there are other ip-addresses present it's suspicious.

Regards,
Niels

 

A Hosts file hijack is indicative of an additional infection. Follow instructions as requested here.

• I would probably ignore all the comments regarding what and how to modify your Hosts file as they are speculative, at best and do not belong in this thread
A thread where the OP has an infection is not the place for speculation and a fun somewhere to waste your day postulating, is it ? NO.

 

Hi Niels,

Yes, I know that.

Yes, I know that.

Yes, I know that.

Niels, I have for many, many years those entries put in my hosts file. (when in the past the website changed hosting company and the IP-adress changed, I made the change in my hosts accordingly); btw, it was just an example. And yes, I use also the MVPS Hosts file.
Depending on what you mean with "under a normal condition", your phrase "But under a normal condition there shouldn't be any other ip-addresses entered in a HOST file except 127.0.0.1" is not true. Generally speaking you cannot put it that way. Many users use the hosts file not only for blocking purposes (if they use it that way at all), but for other DNS purposes.
Anyway, that discussion is probably going too far here in this thread. I hope that issue of artinusa gets solved.

 

Please submit the detected hosts file to ESET or upload somewhere and PM me the download link. I'm really interested in finding out what entry is triggering the detection.

 

Hello siljaline,

The OP posted that other security software didn't find anything.
I quote :

You also suggested to restore the HOSTS file. Which is in fact the same thing as removing other entries that don't refer to the localhost by opening it in notepad. If you for example take a look at manual removal instructions for QHOST, other security vendors also advice to manually remove other entries than the 127.0.0.1. To give an example of a FP that Mcafee had when legitimate changes by spybot search & destroyed were marked as a modification.

Regards,
Niels

 

Restoring Hosts, is to restore Hosts to default as shipped with the O/S. Your query is beyond the scope of this topic.
The OP has instructions from ESET and she | he should do so as earliest convenience.

Thanks.

 

Hello siljaline,

What you suggested is good. But you will lose all malicious websites that you manually added or when you use a modified hosts file from Spybot Search & Destroy or any other security product to prevent to get access to these websites. That was the reason why I asked to manually edit the HOSTS file. So my solution is similar to restoring HOSTS to default that you suggested.

If the OP was really infected with QHOST tools such as MBAM, online scanners would have detected other components of the infection.

So I don't get your point, that what I suggested was irrelevant.


I just want to be clear, I am not questioning your knowledge.


Regards,
Niels