HOSTS 0 Posted October 28, 2013 Posted October 28, 2013 This is an annoyance. I've encountered issues with NOD32 flagging the hosts file as the following: Win32/Qhost trojan Please update your application. There is nothing malicious included in the hosts file. I have several systems, including other relatives systems, setup to download and update hosts file via Spybot Search & Destroy and the MVPS Hosts file on each schedule system restart, as well change all address', excluding the loopback address, to 0.0.0.0 to minimize the hosts file size and eliminate the cpu (100%) usage. The main reason for setting address' within the hosts file to 0.0.0.0, and not going into explicit detail, is to minimize the file space from nearly over 5-10mb to 1mb. If thousands of address' were pointing to the loopback address of 127.0.0.1 the system will check the address on the local machine and will eventually give up, whereas 0.0.0.0 it will explicitly block the site with no checks.
Administrators Marcos 5,446 Posted October 28, 2013 Administrators Posted October 28, 2013 Please submit the hosts file to ESET for further analysis as per the instructions here.
Arakasi 549 Posted October 28, 2013 Posted October 28, 2013 (edited) A legitimate host file will not be flagged by ESET. A modified host file by malware will, however. Your host file may have been tampered with. It has nothing to do with your loopback IP or 0.0.0.0. Manually go through your host file and make sure you don't have any real antivirus companies address inside being blocked, as well as sending a copy to ESET for evaluation. Edited October 28, 2013 by Arakasi
HOSTS 0 Posted October 28, 2013 Author Posted October 28, 2013 (edited) You can download the hosts file from both SBS&D and MVPS. I have gone through the entire hosts file. Each address points to 0.0.0.0, exlcuding the loopback address 127.0.0.1 My systems are not infected period. End of story. Edited October 28, 2013 by HOSTS
Arakasi 549 Posted October 28, 2013 Posted October 28, 2013 I just downloaded said host file from MVPSThen i scanned it.Here are my results.
Arakasi 549 Posted October 28, 2013 Posted October 28, 2013 I would send yours per Marcos instructions. Good luck sir.
HOSTS 0 Posted October 28, 2013 Author Posted October 28, 2013 (edited) I don't see the file size, all you could have done is scanned the default Microsoft file. Had you bothered appending BOTH SBS&D and MVPS?! Not to mention the address' they point to? Neither SBS&D or MVPS change the address' to 0.0.0.0, they leave them to point to 127.0.0.1, already stated I have a script to change the address' upon system cycles after each file update. Edit: Had not mentioned SpywareBlaster appending their data to the hosts file. So it's SBS&D, MVPS, and SpywareBlaster appending to the hosts file. Edited October 28, 2013 by HOSTS
Administrators Marcos 5,446 Posted October 28, 2013 Administrators Posted October 28, 2013 We've found malware that redirects one of the addresses listed in the hosts file to 0.0.0.0 which is the reason why it's detected. We'll make this hosts file undetected.
Recommended Posts