HOSTS gone...

Discussion in 'ESET NOD32 Antivirus' started by XPSP3x32, May 24, 2012.

Thread Status:
Not open for further replies.
  1. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    Yesterday AV (5.2.9.1) blocked some malware from changing my hosts file, in C:\WINDOWS\system32\drivers\etc\, and added the hosts file to quarantine.

    And now, on every startup/reboot my hosts file is missing, even if I move it back to the ETC folder. Every single reboot it's gone?

    Any suggestions pls?

    P.S. I deleted everything from quarantine.
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Are you seeing additional threat alerts saying the hosts file has been moved to the quarantine? What you are describing would most likely be the result of undetected malware running on your system which is attempting to modify the file with malicious redirects on a regular basis, which causes it to be removed. Contacting Eset support with a SysInspector log would be a good first course of action.
     
  3. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    I don't see any alert, and NOD quarantine is empty.
    If I reboot in safe mode, hosts is here, not deleted. But if I reboot normally, it's gone.
    I cleared all temp, cache, etc... no suspicious .vbs scripts...
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    If you reboot normally and run the command 'attrib \Windows\System32\drivers\etc\hosts' from the command line, what output do you get? I'm thinking something may have just flagged the file with a hidden or system attribute.
     
  5. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    @SmackyTheFrog it's not hidden. All my hidden/protected system files are unchecked. So I can see them all.
    I think it's added some reg key for deleting hosts, but I can't find it.

    Tnx anyway.
     
  6. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    After uninstalling the NOD32 AV, the problem is gone. It was a NOD32 bug. It stores the previous action (quarantined hosts file) somewhere, and on every reboot it deletes it constantly :thumbd:

    Now it's time to change AV :)
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Hosts file is only removed if it contains redirects set by malware and is detected by ESET.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    You don't get it?

    NOD32 AV deletes the hosts file on every startup.
    Every time win starts, I add a NEW fresh/clean hosts to the etc folder, and on the next win start it's gone. After I uninstalled NOD (5.2.9.1), this issue disappeared.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Submit an issue ticket to ESET.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I've tried that and it was only deleted if it contained malicious records. I assume some malware modifies it which triggers detection and the file is removed. I was unable to reproduce it with a clean hosts file. I'd suggest supplying the content of your ESET's quarantine as well as your Threat log to ESET for analysis.
     
  12. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    Tnx for the tips Marcos, but it's too late. I already uninstalled NOD :)
    Btw, I tried this infected soft through Sandboxie, and it tried to replace hosts, when it was deleted by NOD. This probably caused that bug, and it constantly deletes hosts files during reboot..
     
  13. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    probably a malware program running that tried to mod hosts each boot up imo not from nod..
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Deleting hosts file is not a bug as long as it contains malicious records.
     
  15. XPSP3x32

    XPSP3x32 Registered Member

    Joined:
    Jun 15, 2011
    Posts:
    12
    * it's NOD bug.

    DONE here & with NOD!

    Arrivederci!
     
    Last edited by a moderator: May 27, 2012
  16. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Removing malware is what AV does and if it happens to be in hosts file then it has to go. Thanks all.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Complaining that ESET has removed malware (not a clean file) from your computer cannot be considered a bug in any way, that's what security software is actually supposed to do.
     