open hosts.bat trying to execute notepad.exe

Tried the new CIS on an older machine and am getting the same prompt like in the Italian forum:
https://forums.comodo.com/italiano-italian/hips-popup-open-hostsbat-is-trying-to-execute-notepadexe-t97394.0.html

My Italian really sucks :wink: so I’m putting it here again.

  • an “open host.bat” doesn’t exist, never has existed, even not temp…
  • message just pops up for 1 or 2 seconds, before another follows
  • XP SP3

Thanks and Greetings

Hello r1d1,

I think it could be a virus.

The good news is that Comodo Defense+ blocks it.

Try to execute a complete scan.

Greetings

fuco

Thanks fuco,

virus was my first thought too, but neither Comodo nor Avast nor Kaspersky found anything.
I checked half of Windows-Registry manually, all Autoruns, every Service…nothing unusual can be found…

There is no entry in the Comodo Logs or reports, it’s just the pop-up. As I said, I can’t locate a file named
“open host.bat”, no subroutine call…
Maybe it’s a CIS-internal thing, which only occurs under some weird circumstances?

Very strange thing…
Thanks + Greetings

Here’s a different way to look at it - rather than looking for a file called “open hosts.bat”, is it possible that something else is trying to “open” a file called “hosts.bat” and in doing so is invoking notepad to “open” the file?

I’m just trying to think outside the box and kept coming back to this. To me, “open hosts.bat” looks like a parameter, not a filename.

How you track down what the “something else” is, I don’t know, but hopefully a thought from left field will get you thinking differently.

Hope this helps,
Ewen :slight_smile:

Thinking further, I suspect that “something else” isn’t trying to invoke notepad.exe, I think that notepad.exe is being automatically executed with the parameter “open hosts.bat”.

Search all autorun locations (services, registry, etc.) for notepad.exe.

To start with I’d do a search of the registry.

  1. Open regedit.exe
  2. Click the top entry (Computer)
  3. With Computer highlighted, press CTRL-F
  4. Enter notepad.exe and press ENTER
  5. To continue past the first found occurrence of “notepad.exe”, press F3.
  6. Keep looking for “notepad.exe” to be present in an autorun (or similar) entry.

Hope this helps,
Ewen :slight_smile:
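
The registry and autorun search suggested in the post above can also be scripted. The PowerShell below is an added example, not part of the original thread; the list of autostart locations and the search pattern are assumptions (a common subset, not exhaustive).

```powershell
# Added example: look for notepad.exe / hosts.bat in common autostart locations.
# The location list is a common subset chosen for illustration, not exhaustive.
$pattern = 'notepad\.exe|hosts\.bat'
$hits = @()

function New-Hit($location, $name, $command) {
    New-Object PSObject -Property @{ Location = $location; Name = $name; Command = $command }
}

# 1. Run / RunOnce / Winlogon values (machine, user, and 32-bit view on 64-bit Windows)
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $pattern) { $hits += New-Hit $key $name $value }
    }
}

# 2. Service ImagePath values
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $image = [string]$svc.GetValue('ImagePath')
    if ($image -match $pattern) { $hits += New-Hit $svc.Name 'ImagePath' $image }
}

# 3. Startup folders: resolve .lnk targets and arguments, match other files by path
$shell = New-Object -ComObject WScript.Shell
foreach ($id in 'Startup', 'AllUsersStartup') {
    $folder = $shell.SpecialFolders.Item($id)
    if (-not $folder -or -not (Test-Path $folder)) { continue }
    foreach ($file in Get-ChildItem $folder -ErrorAction SilentlyContinue) {
        $command = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $command = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        if ($command -match $pattern) { $hits += New-Hit $folder $file.Name $command }
    }
}

if ($hits) { $hits | Format-List Location, Name, Command }
else { Write-Output 'No autostart entry references notepad.exe or hosts.bat' }
```

Run it from an elevated prompt so the service and machine-wide keys are readable; an empty result only rules out the locations listed here.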

Hi panic! Everything is helpful and every idea is highly appreciated. Thanks for your time.
Thus far no luck, no Parameter or any call at all (notepad or anything else) which leads in any way to
host *hosts.bat or even any other *.bat

Right now I’m scanning the whole system and all files+content via text search for any hosts terms inside files, but this will take 1 or 2 days. :wink:

Thanks to all, have a nice week!

I installed CIS on another computer and was able to reproduce the pop-up:
HIPS must be at least in “Safe mode” and popup alerts must be set to “verbose mode”.
Next thing is a bit tricky: CPU has to be really busy (at least here with my device) and in this case the same pop-up came up for a very short time right before another

So I’m pretty sure it must be a Comodo thing which you just can’t see in usual circumstances, because the pop-up is really fast. That would explain why there’s no log entry…
Question is, what exactly does CIS do and why?

Greetings!

Found the term a few times in /themes/default.set…so it is a CIS thing…
See attachment.
I’m no html guy, but it seems the “display:none” in the css messes up, somehow…

open hosts.bat is trying to execute notepad.exe open hosts.bat is trying to execute notepad.exe open hosts.bat is trying to execute notepad.exe

I’ll check the whole thing if time permits.
Greetings

[attachment deleted by admin]

Just built a new computer, installed windows 7, 64 bit. And installed the new CIS. I’m also getting the same box popping up. Plus, I have to reboot the machine because it won’t let me choose any of the options like deny.

hi guys,

i’m having the same problem here. right after logging into the system i sometimes get this message, but can’t click it. also the popup is only half visible (top half). after about 1 second it is overlapped by another popup informing me that CCC.exe (AMD / ATI driver → catalyst control center) is trying to do something, although it is specifically set up as “allowed application”.

ever since i’ve upgraded from v5.x to 6.3.x i’ve had problems with comodo. from time to time it simply decides to forget every single rule i’ve set, resulting in random bull sh** behaviour like blocking my graphics driver (even with the whole folder set to “allowed application” in HIPS). sometimes it decides to block my antivirus program instead (avira). after telling it explicitly to allow every single exe / dll of the affected program, it will work for 3-4 sessions. of course it then tells me that the rules already exist (you don’t say!). then the whole cr*p starts all over again. a reinstall of both avira and comodo only helped for about 5 days. anyone with similar problems here?

I can confirm the appearance of open hosts.bat in the question window.
It’s somehow a hdd symbol, but changes in between one second to the file that should appear in the question.

Could you run Rating Scan and when Catalyst files show up have them moved to Trusted Files list? That’s how I deal with them. It may not be pertinent to your case though.

Are the Comodo installation folders excluded in Avira? Can you try uninstalling Avira to see if there may be a compatibility issue at hand?

If you want to start using the Comodo AV go to Add/Remove components of the Comodo Firewall installer in the start menu.

Hi, guys,
It’s not a virus, not a system problem, it’s a Comodo bug.

This is by (bad) design. The “open_hosts.bat” and “notepad.exe” are placeholders for the real programs in an alert message. If your system is fast enough, you will see the correct program names in the alert all the time. But if the cpu load is very high, the alert is displayed and the alert details will be changed afterwards.
It would be smarter to have “empty” placeholders…

In this case, it would be better to optimize the alert output to the minimum resource consumption. Less graphics more efficiency.

will try to do that. although i’ve already added the AMD / ATI executables to the trusted files list. also amd / ati is a trusted vendor and comodo still does not recognize these files… is it possible that it’s a UAC issue here because i’ve just tried to add the whole folder (c:\program files x86\ati technologies) and it said it can’t add empty files…

i’ve already tried several uninstalls on both avira and comodo. now it seems to be running somehow, but i think the avira install got corrupted because comodo blocked every single installation step and avira keeps whining about missing or disabled web features. during the installation of avira i got this openhosts.bat “bug” again several times. the system load can’t be high at all. i’m running a phenom 2 x6 1090t cpu which never reaches 25% total load under desktop conditions.

regarding comodo AV: some years ago i’ve already tried c-AV and it did not really convince me. i’ve deliberately downloaded a few infected files and c-AV was only able to detect about 50%, while avira flagged all as malicious. also, as far as i know, c-AV lacks some crucial functions like autorun blocking (on removable media), which is very important for me. i have to take care of about 20 systems in my circle of friends / family and quite often there’s some infected usb stick among the problems. so switching to linux to circumvent an infection sometimes is not an option. also, i’ve installed comodo on all of these systems in combination with avira, because i’ve had no issues until recently and this protection level seemed to be adequate especially for my family members who are not as tech-savvy as me and just want to check their email and whatnot.

i’m still wondering, is there a way to effectively reset the whole comodo (HIPS) configuration? since i’ve learned that the settings are stored in the registry (why???) it’s very important to me that a possible reset should be clean and thorough without the need to manually clean up the mess.

rating scan completed. yet again core features of the catalyst software ended up as unrecognized files. after my uninstall / reinstall berserk run just before xmas it was ok until now.
the files we’re talking about here are mainly CCC files among a few other ones; avira remains somewhat functioning.
typing the list

mom.foundation.dll
log.foundation.dll
(mediaespresso.exe - came with the LG bluray suite)
adiamenu.dll
atidxx64.dll
(is-rhq91.exe - has a cdburnerXP icon… maybe a part of that)
atiuxp64.dll
(mscorlib.ni.dll - .net framework?? gave me some hard time with the install, comodo bombarding me with messages)
log.foundation.private.dll
mom.implementation.dll
(is-n3470.exe - apparently cdburnerXP again)
(system.ni.dll - .net framework??)
(miranda32.exe - i use it every day. no idea why comodo decided not to trust it anymore)
(cinergydvr.exe - my tv software, also used on a daily basis)

i’ve added only the CCC files to the trusted files list this time. the others remained “ignored”.

until today i’ve added these CCC dlls several times to the trusted files list and time after time it got ■■■■■■■ up…

since it still does not let me open the CCC panel i’m trying to reboot.

well, guess what, it’s still blocking the CCC suite.
both FW and HIPS were running in safe mode. running CCC did not even show up in the HIPS logs. i’ve tried switching HIPS to game mode, nothing. tried clean pc mode, still nothing. now i went back to safe mode, but now at least it produced several HIPS log entries.

2x: c:\program files x86\ati technologies\ati.ace\core-static\mom.exe - flags: create process - target: …\ccc.exe

1x: asus updater, unimportant

1x: c:\windows\syswow64\drivers\asupio.sys - flags: scanned and found safe

1x: system - flags: modify file - target: c:\windows\system32\logfiles\wmi\rtbackup\ETwRTSteam Event Tracing.etl

also i’ve noticed that the HIPS and FW rules shrunk down from several hundred entries to about 40 each. is the temporary HIPS clean pc mode responsible for this? if so, why did it “reset”/ mess up the FW rules?

edit: well i guess that’s the “forget event” described in my other post (https://forums.comodo.com/defense-sandbox-help-cis/hips-forgets-rules-t100199.0.html)

update: i’ve checked the rulesets again, the blocked CCC component mom.exe was still in the rules, yes, it was working until today as “allowed app”, but i’ve switched the rule to windows system process. now, after starting CCC via desktop context menu, at least it asked me if i want to allow “mmloaddrv.exe”. the CCC shows up now. why did it not ask me before? it simply blocked it, no questions asked… yay…

still i don’t get why this happens at all over and over again.

I also get this sometimes, on a pretty new Win 7 machine. No matter how many times I click Allow and remember, it eventually reappears.

Hello All,

I know this is a bit old topic, but I’m still facing the same issue :frowning: … The issue occurs with me when I keep the Comodo Dragon or Google Chrome running for a while and I’m not using my laptop. I could leave some downloads running or so, when I try to use the laptop again, I get this error and I lose control over the laptop. So, I was wondering, has anyone been able to resolve this?

Thanks.