Question

Disappearing HOSTS File in XP Pro SP2

Asked by: Mercury351

Hello,
I recently started using XP Pro SP2, installing it not long ago.  The system hasn't had any time to be infected by any malware.  Aside from FireFox 3.5.1, WordPerfect Suite 12, WinAmp 5, and my drivers, I haven't installed much in it.  I have a program called Adfree 3.2. It is an ad blocker which relies on the system HOSTS text file to block ads, substituting any small GIF image of your choice in its place.  I correctly reconfigured it to place its HOSTS file in the
C:\WINDOWS\system32\drivers\etc
folder.  This is the beginning of the Adfree 3.2 HOSTS file which I have updated with newer advertisement server locations.  I estimate there are about 1,890 server locations.  The HOSTS file is 56K bytes:
===================
#
# Hosts file created by AdFree
#

# localhost: Needs to stay like this to work
127.0.0.1   localhost

# Other servers: These servers are directed towards
# AdFree to be filtered. You must alter these from
# within the AdFree program.

127.0.0.1   123banners.com
127.0.0.1   247media.com
127.0.0.1   24pm-affiliation.com
127.0.0.1   7adpower.com
127.0.0.1   911promotion.com
127.0.0.1   a.as-us.falkag.net
127.0.0.1   a.consumer.net
127.0.0.1   a.r.tv.com
...
===================

However, I am having a problem with XP Pro SP2.  Every time I start any operation, no matter what it is, XP automatically deletes the HOSTS file.  No matter if I start any browser, IE or FireFox, Windows Explorer, Notepad, even if I open any applet in "Control Panel" > "Administrative Tools", XP will delete the HOSTS file.  The system and Adfree need the HOSTS file to properly block ads.  I have spent over 12 hours trying to find the solution online, but with no success.  I shut off the "DNS Client" service, I even tried shutting off the XP firewall, but nothing has worked.

I can get Adfree to work correctly, substituting a GIF of my choice in place of ads.  I must set the HOSTS file to "read only."  However, Adfree isn't really meant to function that way and I will run into problems if I try to "pause" it.  Plus, every time I start or exit Adfree, or shut off the system, I must change the "read only" setting.  Reading posts on the 'Net, I know others have had this problem, but they never posted their solution.    I know there is either a service applet I can disable or Registry setting I can use to stop XP from deleting the HOSTS file.  Does anyone know what it is?

Asked On: 2009-08-05 at 03:10:13, ID: 24627455
Tags: Microsoft XP Pro SP2, HOSTS file, internet, security, registry, service (local)
Topics: Windows XP Operating System, Domain Name Service (DNS), TCP/IP
Participating Experts: 3
Points: 500
Comments: 14

Answers

 

by: Timoros, Posted on 2009-08-05 at 03:55:16, ID: 25021941

I haven't seen that problem again .... but
You can download Spybot S&D (http://www.safer-networking.org/en/download/)
Choose Immunize and press the immunize button.
If you go to "mode" menu - choose advanced mode, you will see several settings, from there it has an option "Tools" - "IE Tweaks" there is an option which says "Lock hosts file..."

 

by: synque, Posted on 2009-08-05 at 04:42:47, ID: 25022225

Have you tried using Process Monitor to pinpoint which process is deleting the hosts file? http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Just start Process Monitor and add the following filter: path, contains, hosts, include
That should give you a better idea what exactly is happening to that file.

 

by: Mercury351, Posted on 2009-08-05 at 05:59:01, ID: 25022849

synque,
I thought about using Process Monitor but wasn't sure exactly how it works.  I'll install it tonight and report back.

Meanwhile, if anyone has the actual Service to shut off or Registry entry to modify, please post it here.

Thanks.

 

by: Krompton, Posted on 2009-08-05 at 09:28:19, ID: 25025210

Never seen this problem myself but out of curiosity I did some searching and found this post. It's a bit old but may still be useful.
http://www.computing.net/answers/windows-xp/hosts-file-hacked/87449.html

Cheers

 

by: Mercury351, Posted on 2009-08-06 at 21:11:12, ID: 25039944

Hello,
I ran Process Monitor v2.5 and added the HOSTS filter as suggested.  I also opened Windows Explorer  at folder C:\WINDOWS\system32\drivers\etc.  I then ran Adfree 3.2 and it correctly placed the HOSTS file into the etc folder.  The HOSTS file was sitting there as it's supposed to be.  Then I ran NOTEPAD and the HOSTS file was deleted as usual.

I really wish I knew what is going on.  I'm getting tired of dealing with this.  If necessary, I will call Microsoft Support and perhaps someone there can help me if no one here can.  That is, if they still provide free support for XP Pro SP2.  Here are the results from Process Monitor.  There are 5 lines, 4 from "Explorer.EXE" and 1 from "notepad.exe."  I will post the Event and Process information from the first Explorer.EXE line.  Does ANYONE know the solution to this problem?  I know it's some kind of service or Registry setting.  PLEASE!

===================================================
EVENT
Date & Time:      8/6/2009 8:43:50 PM
Event Class:      File System
Operation:      CreateFile
Result:      SUCCESS
Path:      C:\WINDOWS\system32\drivers\etc\hosts
TID:      1312
Duration:      0.0000274
Desired Access:      Read Attributes, Delete
Disposition:      Open
Options:      Non-Directory File, Open Reparse Point
Attributes:      n/a
ShareMode:      Read, Write, Delete
AllocationSize:      n/a
OpenResult:      Opened
===================================================
PROCESS
Description:      Windows Explorer
Company:      Microsoft Corporation
Name:      Explorer.EXE
Version:      6.0.2900.2180
Path:      C:\WINDOWS\Explorer.EXE
Command Line:      C:\WINDOWS\Explorer.EXE
PID:      1200
Parent PID:      1184
Session ID:      0
User:      DANIEL\danielm
Auth ID:      00000000:0000ddef
Architecture:      32-bit
Virtualized:      n/a
Integrity:      n/a
Started:      8/6/2009 8:31:46 PM
Ended:      (Running)
Modules:
Explorer.EXE      0x1000000      0xff000      C:\WINDOWS\Explorer.EXE
GUStrLib.dll      0x1590000      0x1c000      C:\WINDOWS\system32\GUStrLib.dll
hercplgs.cpl      0x1810000      0x73000      C:\WINDOWS\system32\hercplgs.cpl
rsaenh.dll      0xffd0000      0x28000      C:\WINDOWS\system32\rsaenh.dll
lpad32.dll      0x10000000      0x26000      C:\WINDOWS\system32\lpad32.dll
PortableDeviceApi.dll      0x10930000      0x49000      C:\WINDOWS\system32\PortableDeviceApi.dll
PortableDeviceTypes.dll      0x109c0000      0x2c000      C:\WINDOWS\system32\PortableDeviceTypes.dll
WPDShServiceObj.dll      0x164a0000      0x23000      C:\WINDOWS\system32\WPDShServiceObj.dll
xpsp2res.dll      0x20000000      0x2c5000      C:\WINDOWS\system32\xpsp2res.dll
PFIM120EN.DLL      0x383d0000      0xa000      H:\WordPerfect Office 12\Programs\PFIM120EN.DLL
PFSE120.DLL      0x38480000      0x16000      H:\WordPerfect Office 12\Programs\PFSE120.DLL
WINHTTP.dll      0x4d4f0000      0x58000      C:\WINDOWS\system32\WINHTTP.dll
UxTheme.dll      0x5ad70000      0x38000      C:\WINDOWS\system32\UxTheme.dll
NETAPI32.dll      0x5b860000      0x54000      C:\WINDOWS\system32\NETAPI32.dll
themeui.dll      0x5ba60000      0x71000      C:\WINDOWS\system32\themeui.dll
ShimEng.dll      0x5cb70000      0x26000      C:\WINDOWS\system32\ShimEng.dll
comctl32.dll      0x5d090000      0x97000      C:\WINDOWS\system32\comctl32.dll
msisip.dll      0x60980000      0x7000      C:\WINDOWS\system32\msisip.dll
AcGenral.DLL      0x6f880000      0x1ca000      C:\WINDOWS\AppPatch\AcGenral.DLL
WS2HELP.dll      0x71aa0000      0x8000      C:\WINDOWS\system32\WS2HELP.dll
WS2_32.dll      0x71ab0000      0x17000      C:\WINDOWS\system32\WS2_32.dll
WSOCK32.dll      0x71ad0000      0x9000      C:\WINDOWS\system32\WSOCK32.dll
SAMLIB.dll      0x71bf0000      0x13000      C:\WINDOWS\system32\SAMLIB.dll
actxprxy.dll      0x71d40000      0x1c000      C:\WINDOWS\system32\actxprxy.dll
mydocs.dll      0x72410000      0x1a000      C:\WINDOWS\system32\mydocs.dll
msacm32.drv      0x72d10000      0x8000      C:\WINDOWS\system32\msacm32.drv
wdmaud.drv      0x72d20000      0x9000      C:\WINDOWS\system32\wdmaud.drv
WZCSAPI.DLL      0x73030000      0x10000      C:\WINDOWS\system32\WZCSAPI.DLL
mfc42.dll      0x73dd0000      0xfe000      C:\WINDOWS\system32\mfc42.dll
DSOUND.dll      0x73f10000      0x5c000      C:\WINDOWS\system32\DSOUND.dll
msi.dll      0x745e0000      0x2c6000      C:\WINDOWS\system32\msi.dll
POWRPROF.dll      0x74ad0000      0x8000      C:\WINDOWS\system32\POWRPROF.dll
BatMeter.dll      0x74af0000      0xa000      C:\WINDOWS\system32\BatMeter.dll
webcheck.dll      0x74b30000      0x46000      C:\WINDOWS\system32\webcheck.dll
oleacc.dll      0x74c80000      0x2c000      C:\WINDOWS\system32\oleacc.dll
wshext.dll      0x74ea0000      0x10000      C:\WINDOWS\system32\wshext.dll
CRYPTUI.dll      0x754d0000      0x80000      C:\WINDOWS\system32\CRYPTUI.dll
SXS.DLL      0x75e90000      0xb0000      C:\WINDOWS\system32\SXS.DLL
BROWSEUI.dll      0x75f80000      0xfc000      C:\WINDOWS\system32\BROWSEUI.dll
msvcp60.dll      0x76080000      0x65000      C:\WINDOWS\system32\msvcp60.dll
stobject.dll      0x76280000      0x21000      C:\WINDOWS\system32\stobject.dll
WINSTA.dll      0x76360000      0x10000      C:\WINDOWS\system32\WINSTA.dll
MSIMG32.dll      0x76380000      0x5000      C:\WINDOWS\system32\MSIMG32.dll
comdlg32.dll      0x763b0000      0x49000      C:\WINDOWS\system32\comdlg32.dll
NETSHELL.dll      0x76400000      0x1a6000      C:\WINDOWS\system32\NETSHELL.dll
CSCDLL.dll      0x76600000      0x1d000      C:\WINDOWS\System32\CSCDLL.dll
RASDLG.dll      0x768d0000      0xa4000      C:\WINDOWS\system32\RASDLG.dll
LINKINFO.dll      0x76980000      0x8000      C:\WINDOWS\system32\LINKINFO.dll
ntshrui.dll      0x76990000      0x25000      C:\WINDOWS\system32\ntshrui.dll
USERENV.dll      0x769c0000      0xb3000      C:\WINDOWS\system32\USERENV.dll
ATL.DLL      0x76b20000      0x11000      C:\WINDOWS\system32\ATL.DLL
WINMM.dll      0x76b40000      0x2d000      C:\WINDOWS\system32\WINMM.dll
credui.dll      0x76c00000      0x2e000      C:\WINDOWS\system32\credui.dll
WINTRUST.dll      0x76c30000      0x2e000      C:\WINDOWS\system32\WINTRUST.dll
IMAGEHLP.dll      0x76c90000      0x28000      C:\WINDOWS\system32\IMAGEHLP.dll
MPRAPI.dll      0x76d40000      0x18000      C:\WINDOWS\system32\MPRAPI.dll
iphlpapi.dll      0x76d60000      0x19000      C:\WINDOWS\system32\iphlpapi.dll
adsldpc.dll      0x76e10000      0x25000      C:\WINDOWS\system32\adsldpc.dll
rtutils.dll      0x76e80000      0xe000      C:\WINDOWS\system32\rtutils.dll
rasman.dll      0x76e90000      0x12000      C:\WINDOWS\system32\rasman.dll
TAPI32.dll      0x76eb0000      0x2f000      C:\WINDOWS\system32\TAPI32.dll
RASAPI32.dll      0x76ee0000      0x3c000      C:\WINDOWS\system32\RASAPI32.dll
WTSAPI32.dll      0x76f50000      0x8000      C:\WINDOWS\system32\WTSAPI32.dll
WLDAP32.dll      0x76f60000      0x2c000      C:\WINDOWS\system32\WLDAP32.dll
CLBCATQ.DLL      0x76fd0000      0x7f000      C:\WINDOWS\system32\CLBCATQ.DLL
COMRes.dll      0x77050000      0xc5000      C:\WINDOWS\system32\COMRes.dll
OLEAUT32.dll      0x77120000      0x8c000      C:\WINDOWS\system32\OLEAUT32.dll
WININET.dll      0x771b0000      0xa6000      C:\WINDOWS\system32\WININET.dll
urlmon.dll      0x77260000      0x9c000      C:\WINDOWS\system32\urlmon.dll
comctl32.dll      0x773d0000      0x102000      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ole32.dll      0x774e0000      0x13c000      C:\WINDOWS\system32\ole32.dll
SHDOCVW.dll      0x77760000      0x16c000      C:\WINDOWS\system32\SHDOCVW.dll
SETUPAPI.dll      0x77920000      0xf3000      C:\WINDOWS\system32\SETUPAPI.dll
cscui.dll      0x77a20000      0x54000      C:\WINDOWS\System32\cscui.dll
CRYPT32.dll      0x77a80000      0x94000      C:\WINDOWS\system32\CRYPT32.dll
MSASN1.dll      0x77b20000      0x12000      C:\WINDOWS\system32\MSASN1.dll
appHelp.dll      0x77b40000      0x22000      C:\WINDOWS\system32\appHelp.dll
midimap.dll      0x77bd0000      0x7000      C:\WINDOWS\system32\midimap.dll
MSACM32.dll      0x77be0000      0x15000      C:\WINDOWS\system32\MSACM32.dll
VERSION.dll      0x77c00000      0x8000      C:\WINDOWS\system32\VERSION.dll
msvcrt.dll      0x77c10000      0x58000      C:\WINDOWS\system32\msvcrt.dll
msv1_0.dll      0x77c70000      0x23000      C:\WINDOWS\system32\msv1_0.dll
ACTIVEDS.dll      0x77cc0000      0x32000      C:\WINDOWS\system32\ACTIVEDS.dll
ADVAPI32.dll      0x77dd0000      0x9b000      C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll      0x77e70000      0x91000      C:\WINDOWS\system32\RPCRT4.dll
GDI32.dll      0x77f10000      0x46000      C:\WINDOWS\system32\GDI32.dll
SHLWAPI.dll      0x77f60000      0x76000      C:\WINDOWS\system32\SHLWAPI.dll
Secur32.dll      0x77fe0000      0x11000      C:\WINDOWS\system32\Secur32.dll
msvcr70.dll      0x7c000000      0x54000      C:\WINDOWS\system32\msvcr70.dll
mfc70.dll      0x7c140000      0xee000      C:\WINDOWS\system32\mfc70.dll
kernel32.dll      0x7c800000      0xf4000      C:\WINDOWS\system32\kernel32.dll
ntdll.dll      0x7c900000      0xb0000      C:\WINDOWS\system32\ntdll.dll
SHELL32.dll      0x7c9c0000      0x814000      C:\WINDOWS\system32\SHELL32.dll

 

by: Krompton, Posted on 2009-08-07 at 06:28:47, ID: 25042419

Are you saying that each time you open NotePad.exe your hosts file is being deleted?!?

That sounds suspiciously like a virus. I would verify that the file has not been replaced somehow. Try opening Notepad and leave it open then run Adfree 3.2. Just watch the folder for a while see what happens. Then while still watching the folder close and reopen notepad. If your hosts file gets deleted again I would say notepad.exe has been infected.

 

by: Mercury351, Posted on 2009-08-07 at 06:41:14, ID: 25042541

No, I am saying NO MATTER WHAT I DO the HOSTS file gets deleted.  NOTEPAD is just an example.  It seems to be some kind of systemwide setting.  If I don't have the answer by Monday morning, I'll see if I can get free support from Microsoft.  Perhaps they're still giving free support for XP Pro SP2.

 

by: Krompton, Posted on 2009-08-07 at 07:30:19, ID: 25043066

I see. Sorry about that. I did read your original question but did not review it again after reading your last post and it simply slipped my mind that you said "...any operation..." Still sounds like viral activity.

I am not personally familiar with Adfree. However, here are a couple of things you can try.
Boot into Safe Mode and see if it still happens?
If it doesn't, take a look at those items that are loaded at startup by starting msconfig.

I would also look at all the "Run" keys in the registry.

Enabling auditing on the etc folder through Advanced security properties may turn up in the event logs.

 

by: synque, Posted on 2009-08-07 at 09:47:10, ID: 25044684

Mercury, the event you posted is just the Explorer opening the file for reading. This is not the event that does the deleting. Can you post the other events too?
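
A Process Monitor export can be sorted mechanically into opens that only request Delete access and operations that actually mark the file for deletion. The following is an added example, not part of the thread: it assumes the default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample rows are constructed, with only the first row's Detail copied from the event posted above, and `detail_field`, `classify`, `triage` and `deleters` are hypothetical helper names.

```python
import csv
import io
import re

HOSTS_SUFFIX = r"\drivers\etc\hosts"

# Constructed sample rows in Process Monitor's CSV export layout (assumed
# default columns). Times, PIDs and example.exe are illustrative only.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:43:50.1000000 PM","Explorer.EXE","1200","CreateFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"8:43:50.1000200 PM","Explorer.EXE","1200","QueryAttributeTagFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Attributes: A, ReparseTag: 0x0"
"8:43:50.1000300 PM","Explorer.EXE","1200","SetDispositionInformationFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS","Delete: True"
"8:43:50.1000500 PM","Explorer.EXE","1200","CloseFile","C:\WINDOWS\system32\drivers\etc\hosts","SUCCESS",""
"8:44:02.5000000 PM","notepad.exe","1644","CreateFile","C:\WINDOWS\system32\drivers\etc\hosts","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
"8:45:10.0000000 PM","example.exe","2000","SetDispositionInformationFile","C:\WINDOWS\system32\drivers\etc\hosts.bak","SUCCESS","Delete: True"
'''


def detail_field(detail, key):
    """Return the values of one 'Key: a, b' field of the Detail column.

    Values and fields are both comma-separated, so a plain substring test
    for 'Delete' would also hit 'ShareMode: Read, Write, Delete'.
    """
    m = re.search(re.escape(key) + r": (.*?)(?=, \w[\w ]*: |$)", detail)
    return [v.strip() for v in m.group(1).split(",")] if m else []


def classify(operation, detail):
    """Label one event by what it can do to the file."""
    if operation == "SetDispositionInformationFile":
        # The delete disposition is what removes the file when the handle closes.
        return "DELETE" if detail_field(detail, "Delete") == ["True"] else "OTHER"
    if operation == "SetRenameInformationFile":
        return "RENAME"  # a rename also makes the original path vanish
    if operation == "CreateFile":
        if "Delete On Close" in detail_field(detail, "Options"):
            return "DELETE"
        if "Delete" in detail_field(detail, "Desired Access"):
            return "OPEN_WITH_DELETE_ACCESS"  # preparation, not yet a deletion
    return "OTHER"


def triage(csv_text):
    """List (process, pid, operation, verdict, result) for the hosts file only.

    The 'path contains hosts' filter also captures names such as hosts.bak,
    so the path is matched on its full suffix here.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Path"].lower().endswith(HOSTS_SUFFIX):
            continue
        verdict = classify(row["Operation"], row["Detail"])
        if verdict != "OTHER":
            hits.append((row["Process Name"], int(row["PID"]),
                         row["Operation"], verdict, row["Result"]))
    return hits


def deleters(csv_text):
    """Processes that successfully marked the hosts file for deletion."""
    return sorted({(proc, pid) for proc, pid, _, verdict, result
                   in triage(csv_text)
                   if verdict == "DELETE" and result == "SUCCESS"})


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(hit)
    print("deleting processes:", deleters(SAMPLE_CSV))
```

The process named by `deleters` is only the host of the code that issued the call; the event's Stack tab in Process Monitor or the process's module list is the next place to look.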

 

by: synque, Posted on 2009-08-07 at 10:19:02, ID: 25044976

Actually I wouldn't assume that XP does the deleting. I think that's unlikely. More likely is that AdFree itself is the culprit. You can easily test that by creating an empty hosts file yourself while AdFree isn't running and see if it still randomly disappears. Or you can reconfigure AdFree to place its hosts file at a different location and see if it still disappears.

AdFree 3.2 seems to be over 7 years old. If the problem stops as soon as you stop using AdFree, I'd strongly suggest changing your ad blocker to one of the newer (and most likely way better) offerings.

 

by: Mercury351, Posted on 2009-08-07 at 19:09:11, ID: 25048011

>>>>>>>>>>>>>>>>>>
However, here are a couple of things you can try.
Boot into Safe Mode and see if it still happens?
If it doesn't, take a look at those items that are loaded at startup by starting msconfig.

I would also look at all the "Run" keys in the registry.

Enabling auditing on the etc folder through Advanced security properties may turn up in the event logs.

<<<<<<<<<<<<<<<<<<
Krompton,
I already looked at the Registry Run keys in MSConfig, nothing suspicious.  I'll try auditing the folder, then Safe Mode if testing Adfree, as stated below, doesn't work.  BTW, I looked for the Security tab\Auditing option for the etc folder but it wasn't there.  Apparently I must enable auditing first through a system service or some such.


>>>>>>>>>>>>>>>>>>
Actually I wouldn't assume that XP does the deleting. I think that's unlikely. More likely is that AdFree itself is the culprit. You can easily test that by creating an empty hosts file yourself while AdFree isn't running and see if it still randomly disappears. Or you can reconfigure AdFree to place its hosts file at a different location and see if it still disappears.
<<<<<<<<<<<<<<<<<<
synque,
that's a good idea.  I didn't think of that.  I'll test your theory later tonight.  If true, there might be a setting I can use in an Adfree config file.

I've been pretty busy installing other software.  I've been  gradually building up this system.  I'm half finished.  I am ready to install M$ Office 2003, Adobe Acrobat, Symantec Norton SystemWorks with Anti-Virus, and Encarta DVD, (all legal CD's if you're wondering) in that order.

While I don't believe I am infected with a virus, I might do a Symantec Internet-based pre-scan anyway.  I will certainly do a Norton AV CD pre-scan before installing.  

Mercury.

 

by: Mercury351, Posted on 2009-08-08 at 01:22:44, ID: 25048782

>>>>>>>>>>>>>>>>>>
Actually I wouldn't assume that XP does the deleting. I think that's unlikely. More likely is that AdFree itself is the culprit. You can easily test that by creating an empty hosts file yourself while AdFree isn't running and see if it still randomly disappears. Or you can reconfigure AdFree to place its hosts file at a different location and see if it still disappears.
<<<<<<<<<<<<<<<<<<
synque,
I tested XP Pro SP2 by placing a full HOSTS file in C:\WINDOWS\system32\drivers\etc without Adfree running and it was deleted.

 

by: Mercury351, Posted on 2009-09-06 at 00:08:35, ID: 25268982

Hello,
this is my final report on this problem.  I am writing this final post for others should they need to find a solution.  The deletions of the c:\windows\system32\drivers\etc\Host file were caused by a trojan named lpad32.dll.  If you read my third post here where I posted my Process Monitor v2.5 results for the first Windows Explorer call where the HOSTS file is deleted, you'll see it there.

The only reason I found the solution to this problem was because I installed Norton Anti-Virus.  Apparently, I picked up the lpad32.dll trojan much quicker than I thought I could.  I have been using my Adfree program with no problems ever since NAV removed the lpad32.dll trojan.  Adfree blocks an average of 270 ads each day.

Here is the NAV report:

=======================
Norton Quarantine and Restore Report
Created:  Monday, August 10, 2009 6:53:31 PM
------------------------------------------------------------------------------

File Name
Location
Status                     Size                         Risk Name
User Name                  Machine Name                 Domain
Date Quarantined
Submitted to Symantec

------------------------------------------------------------------------------

lpad32.dll
c:\windows\system32
Quarantined                40.0 KB                      Trojan Horse
SYSTEM                     Mercury351                       WORKGROUP
Monday, August 10, 2009 9:52:33 AM
Not submitted

------------------------------------------------------------------------------
=======================
Here are 2 websites which describe the lpad32.dll trojan.  The first is more relevant than the second:
http://www.prevx.com/filenames/X2255031954477396390-X1/LPAD32.DLL.html
http://www.threatexpert.com/files/lpad32.dll.html


Because Timoros was the first person to post an anti-trojan solution, I am awarding the points to him.


Mercury351


 

by: Mercury351, Posted on 2009-09-06 at 00:12:49, ID: 31611832

I used Norton Anti-Virus to scan for the trojan instead of Spybot S&D.  The name of the trojan was lpad32.dll.  After lpad32.dll was removed by NAV, the HOSTS file was no longer deleted.
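
Process Monitor's event list names the process that issued a file operation, not the DLL running inside it, which is why the deletions in this thread appeared under Explorer.EXE. One way to surface candidates such as lpad32.dll from a posted module list is to diff it against the module list of the same process on a known-clean machine. This is an added example, not part of the thread: the module lines are an excerpt of the list posted above, the baseline is a constructed stand-in for a real clean-machine export, and `parse_modules` and `review` are hypothetical helper names.

```python
import ntpath
import re

# Excerpt of the Explorer.EXE module list posted in the thread
# (name, base, size, path). One entry is wrapped over several lines,
# as can happen when such a list is pasted into a forum.
POSTED_MODULES = r'''
Explorer.EXE      0x1000000      0xff000      C:\WINDOWS\Explorer.EXE
GUStrLib.dll      0x1590000      0x1c000      C:\WINDOWS\system32\GUStrLib.dll
hercplgs.cpl      0x1810000      0x73000      C:\WINDOWS\system32\hercplgs.cpl
rsaenh.dll      0xffd0000      0x28000      C:\WINDOWS\system32\rsaenh.dll
lpad32.dll      0x10000000      0x26000      C:\WINDOWS\system32\lpad32.dll
PFIM120EN.DLL      0x383d0000      0xa000      H:\WordPerfect Office 12\Programs\PFIM120EN.DLL
comctl32.dll      0x773d0000      0x102000

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1

ff9\comctl32.dll
kernel32.dll      0x7c800000      0xf4000      C:\WINDOWS\system32\kernel32.dll
ntdll.dll      0x7c900000      0xb0000      C:\WINDOWS\system32\ntdll.dll
SHELL32.dll      0x7c9c0000      0x814000      C:\WINDOWS\system32\SHELL32.dll
'''

# Constructed baseline for illustration. In practice this is the same export
# taken from Explorer.EXE on a known-clean machine of the same Windows build.
BASELINE = [
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\rsaenh.dll",
    r"C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\SHELL32.dll",
]

# An entry starts with: name, base address, size. The path is whatever
# follows, up to the next entry, so paths with spaces or line wraps survive.
ENTRY = re.compile(r"^(\S+)[ \t]+(0x[0-9a-fA-F]+)[ \t]+(0x[0-9a-fA-F]+)[ \t]*",
                   re.M)


def parse_modules(text):
    """Return [(name, base, size, path)], re-joining wrapped paths."""
    starts = list(ENTRY.finditer(text))
    modules = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        path = "".join(part.strip() for part in text[m.end():end].splitlines())
        modules.append((m.group(1), int(m.group(2), 16),
                        int(m.group(3), 16), path))
    return modules


def review(text, baseline_paths):
    """Return [(name, verdict, path)] for modules that need a closer look.

    NOT_IN_BASELINE     - module never seen on the clean machine
    KNOWN_NAME_NEW_PATH - a baseline file name loaded from a different folder
    Neither verdict means the module is malicious; it means it is unexplained.
    """
    known_paths = {p.lower() for p in baseline_paths}
    known_names = {ntpath.basename(p) for p in known_paths}
    findings = []
    for name, _base, _size, path in parse_modules(text):
        if path.lower() in known_paths:
            continue
        verdict = ("KNOWN_NAME_NEW_PATH" if name.lower() in known_names
                   else "NOT_IN_BASELINE")
        findings.append((name, verdict, path))
    return findings


if __name__ == "__main__":
    for finding in review(POSTED_MODULES, BASELINE):
        print(finding)
```

Each module the diff reports still has to be explained individually, for example by checking its vendor, version information and signature, or by scanning it as was done in this thread.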
