Re: It is Windows Defender!

Thank you! I did try several things, but then gave up...

On the subject: WD parses lines correctly, I guess, because I tried 127.0.0.1 and 0.0.0.0 and some others - regardless of the IP, lines containing these exact addresses are erased. Position in the file does not matter either - they can be next to each other, or far - does not matter. Of ~100 lines in my hosts file only those two are erased, others are not affected, even doubleclick.net and google-analytics.com and such.

Latest findings. Settles the matter at least for me: It (Windows Defender) actually has modifications of the hosts file documented in its 'history'. You have to go through some motions to see it, but it is there. It is considered a 'Medium' level threat: SettingsModifier:Win32/PossibleHostsFileHijack. When WD modified my hosts file, it was actually 'Disinfecting' it. You can also 'Remove' it, which is replacing your hosts file with an empty one. Good intentions then... These particular addresses were probably picked because they are most commonly found on an average page.