Eset keeps removing my hosts file

Discussion in 'ESET Smart Security' started by artinusa, Nov 17, 2012.

Thread Status:
Not open for further replies.
  1. artinusa

    artinusa Registered Member

    Joined:
    Dec 20, 2010
    Posts:
    12
    Eset 4 Smart Security 4.2.64.2 keeps removing my hosts file and placing it in quarantine... I use my hosts file as a protection means.. this removing of my hosts file opens up the way for intrusions. It's possible that some malware keeps trying to access the hosts file and ESET stops it, doing its job.. but on checking the hosts file I see no malware, nor does my system find it.. I have run rkill.com and ESET DNS flush..

    How can I stop this?

    Can I set ESET to miss out the check on my host file?
     
  2. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    Why not add it to the exceptions list?
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Does Eset specify (naming the threat) why it is removing it? It could be some malware.
     
  4. artinusa

    artinusa Registered Member

    Joined:
    Dec 20, 2010
    Posts:
    12
    Thank you for your prompt attention.

    I am not sure how I can place the hosts file into the exclusions.. could you guide me, please?

    EDIT: I have done this.. just waiting for a final scan now.

    In the log files I found several of these logs below.. is notepad infected?


    03/11/2012 9:39:16 PM Real-time file system protection file C:\Windows\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined Art-PC\Art Event occurred on a file modified by the application: C:\Windows\System32\notepad.exe.


    The trojan it seems to see is named Trojan Qhost, I think.... I have searched for this with many scanners and not found any virus, trojan, or malware etc. on my machine.. but as soon as I place the quarantined hosts file back into drivers/etc via ESET it removes it..

    Does anyone know of this trojan Qhost and how can I remove it.. TIA
     
    Last edited: Nov 17, 2012
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    In addition to what Cudni already recommended:

    The possibility exists that comments or content are being detected as malicious. Restore your Hosts file to default. Reboot your PC, flush your DNS, replace your restored Hosts file with your custom Hosts file, and please report back your findings.
     
    Last edited: Nov 17, 2012
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Definitely send the file to ESET as per the instructions here. Hosts should not be detected unless it contains a redirection of a legit website that is known to be performed by malware.
     
  8. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello artinusa,

    You should open HOSTS with Notepad. You should only find site entries with 127.0.0.1 followed by a website address. All other entries should be removed or changed to 127.0.0.1, so that you can't access these malicious websites. Otherwise ESET or any other security product will detect the HOSTS file as QHOST, because each time you visit a webpage that is entered in the HOSTS file you will be redirected to another webpage.

    Regards,
    Niels
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Dear Niels,

    Please forgive me, but generally speaking that doesn't have to be true.
    People can put entries in their hosts file for other reasons than blocking websites; for example an entry where they "link" a website with its IP address, just to be able to go to that website in case there are DNS issues.
    To give an example: I have done that for the Wilders site. To be more precise, I have these two entries in my hosts file:

    66.227.46.190 wilderssecurity.com
    66.227.46.190 www.wilderssecurity.com

    (see for example post by LowWaterMark in this thread)
     
  10. artinusa

    artinusa Registered Member

    Joined:
    Dec 20, 2010
    Posts:
    12
    Thank you for all your help posters..

    I have removed all but essential entries.

    I found none that was not a correct entry basis.. but many with '#comments'.. I took all of them out also. I am now waiting for ESET to indicate a problem.. so far so good.. after a reboot.. time will tell.
     
  11. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello fanj,

    Sorry that I wasn't very clear, but the reason why I mentioned it is because of the QHost detection.

    By default there is only 1 entry in a HOSTS file and that is 127.0.0.1 localhost. From a security point of view you can add malicious domains by typing 127.0.0.1 and entering the site address.

    The topic that you linked was about a connectivity issue for reaching the forum, when there was a DNS issue. But under a normal condition there shouldn't be any other IP addresses entered in a HOSTS file except 127.0.0.1. If it's the case that there are other IP addresses present, it's suspicious.

    Regards,
    Niels
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    A Hosts file hijack is indicative of an additional infection. Follow the instructions as requested here.

    • I would probably ignore all the comments regarding what and how to modify your Hosts file as they are speculative at best and do not belong in this thread :ouch:
    A thread where the OP has an infection is not the place for speculation and a fun somewhere to waste your day postulating, is it? NO.
     
    Last edited: Nov 18, 2012
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Niels,

    Yes, I know that.

    Yes, I know that.

    Yes, I know that.

    Niels, I have for many, many years had those entries in my hosts file (when in the past the website changed hosting company and the IP address changed, I made the change in my hosts file accordingly); btw, it was just an example. And yes, I also use the MVPS Hosts file.
    Depending on what you mean with "under a normal condition", your phrase "But under a normal condition there shouldn't be any other ip-addresses entered in a HOST file except 127.0.0.1" is not true. Generally speaking you cannot put it that way. Many users use the hosts file not only for blocking purposes (if they use it that way at all), but for other DNS purposes.
    Anyway, that discussion is probably going too far here in this thread. I hope that the issue of artinusa gets solved.
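    The two positions in this thread (Niels: anything that is not a 127.0.0.1 entry is suspicious; FanJ: non-loopback entries can be legitimate pinning for DNS outages) can both be served by the same small audit, which is added here as an example and is not code from the thread or from ESET. It parses a hosts file, skips comments, and sorts every mapping into the stock localhost lines, loopback/null-route sinkhole entries (blocking lists such as MVPS), and "pinned" entries that map a name to a real address. The pinned ones are exactly what a reviewer has to look at by hand, so they are grouped by target IP to make several names funnelled to one address visible at a glance. The sample hosts content is constructed for this example (the two wilderssecurity.com lines are the ones FanJ quotes above; 203.0.113.5 and the example.* names are placeholders from the documentation ranges):

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file for this example (not the OP's real file).
# The two wilderssecurity.com lines are the ones FanJ quotes in this thread;
# everything else is made up here. 203.0.113.5 is from the documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocking entries: sinkholed to the null route
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  cdn.tracker.example.org
# pinned for DNS-outage resilience (FanJ's example)
66.227.46.190 wilderssecurity.com
66.227.46.190 www.wilderssecurity.com
# constructed example of a well-known name redirected to a foreign address
203.0.113.5 update.example.com
"""

# Names that ship in a stock hosts file and are not user additions.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each active mapping line.

    Blank lines and '#' comments are skipped and an inline comment is
    stripped, so comment text never influences the classification."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()          # handles both spaces and tabs
        if len(parts) < 2:
            continue                  # malformed: address with no hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                  # not an address at all: skip, don't guess
        yield lineno, ip, [h.lower() for h in parts[1:]]


def classify_entry(ip, hostname):
    """'default' for the stock localhost lines, 'block' for loopback or
    null-route sinkholes (the only kind Niels expects to see), and 'pinned'
    for anything that maps a name to a real address (FanJ's case, but also
    the redirect pattern the Qhost detection is looking for)."""
    if ip.is_loopback or ip.is_unspecified:
        return "default" if hostname in DEFAULT_NAMES else "block"
    return "pinned"


def audit_hosts(text):
    """Return per-class counts and the pinned entries grouped by target IP,
    as {ip: [(lineno, hostname), ...]}, for manual review."""
    counts = {"default": 0, "block": 0, "pinned": 0}
    pinned_by_ip = defaultdict(list)
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            kind = classify_entry(ip, name)
            counts[kind] += 1
            if kind == "pinned":
                pinned_by_ip[str(ip)].append((lineno, name))
    return counts, dict(pinned_by_ip)


if __name__ == "__main__":
    counts, pinned = audit_hosts(SAMPLE_HOSTS)
    print("entries by class:", counts)
    for ip, entries in pinned.items():
        names = [name for _, name in entries]
        print(f"review: {ip} <- {names}")
```

    The script deliberately does not decide what is malicious: a pinned entry the user added on purpose (FanJ's case) and one added by something else look identical in the file. What it gives you is the short list to compare against the ESET detection, and it is that list, not the blocking entries or the comments, that is worth sending along when Marcos asks for the file.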
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please submit the detected hosts file to ESET or upload somewhere and PM me the download link. I'm really interested in finding out what entry is triggering the detection.
     
  15. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello siljaline,

    The OP posted that other security software didn't find anything.
    I quote:
    You also suggested restoring the HOSTS file, which is in fact the same thing as removing other entries that don't refer to the localhost by opening it in Notepad. If you for example take a look at manual removal instructions for QHOST, other security vendors also advise manually removing entries other than the 127.0.0.1 ones. To give an example of an FP that McAfee had, legitimate changes by Spybot Search & Destroy were marked as a modification.

    Regards,
    Niels
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Restoring Hosts is to restore Hosts to default as shipped with the O/S. Your query is beyond the scope of this topic.
    The OP has instructions from ESET and she | he should do so at the earliest convenience.

    Thanks.
     
  17. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello siljaline,

    What you suggested is good. But you will lose all malicious websites that you manually added, or when you use a modified hosts file from Spybot Search & Destroy or any other security product to prevent access to these websites. That was the reason why I asked to manually edit the HOSTS file. So my solution is similar to restoring HOSTS to default as you suggested.

    If the OP was really infected with QHOST, tools such as MBAM or online scanners would have detected other components of the infection.

    So I don't get your point that what I suggested was irrelevant.


    I just want to be clear, I am not questioning your knowledge.


    Regards,
    Niels
     
    Last edited: Nov 21, 2012