Facebook malware editing host file, removing facebook.com


Post Merged

We look for posts with 0 replies, so when you reply to your own topic, we assume you're being helped.

Please be patient, someone will assist you as soon as possible.

I have been trying to block Facebook on my wife's computer (per her request) for a little over a week now. Every time I update the host file and add

127.0.0.1 www.facebook.com

to the host file, it blocks Facebook for a period of time. Then eventually the line is removed automatically by something and she is able to access Facebook again. This is sketchy as stuff and I am not the only one experiencing this.

http://www.bleepingc...opic435876.html

http://forum.avira.c...threadID=126207

http://www.techsuppo...sts-620204.html

Whatever is causing this needs to be investigated further. I have tried everything: setting the host file to read-only permissions, adding facebook.com multiple times. Whatever is deleting it is looking specifically for facebook.com and removing the line. Take a look.

Friday I edit the host file to look like this,

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Block Facebook
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com

And Monday it will look like this

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Block Facebook
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com

I see no processes running related to Facebook. Nothing suspicious in the task scheduler. My wife claims that she is able to get in by clicking links in emails from Facebook but all links appear to be from facebook.com so they should have failed from the beginning.

I appreciate any support. Hope to hear some ideas from your community soon. Thx!

---------- Begin Log--------- I have tried to clean unique identifiers from this related to work and usernames.


Sorry for the small font, I copied from a previous thread that was in the wrong topic.


  • Staff

Hi,

This is an odd issue. It's possible that McAfee is responsible, but I've never seen this, personally. The reason I lean towards McAfee is that it might have a Hosts file watching mechanism, but that wouldn't explain why all the sites aren't removed. To figure this out, you'll need to find out what triggers the removal.

Alternatively, try a different browser and try it in Safe Mode with Networking.

Link to post
Share on other sites
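One way to pin down exactly what is being removed before hunting for the trigger, as an added example that is not part of the original thread: a Python sketch that diffs two hosts-file snapshots as multisets of mappings, using the Friday and Monday entries from the first post as sample data. The function names are this example's own.

```python
from collections import Counter

# Active entries copied from the post's Friday and Monday listings
# (the commented Microsoft header is shortened to one line here).
FRIDAY = """\
# Block Facebook
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
"""

MONDAY = """\
# Block Facebook
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
"""


def parse_hosts(text):
    """Count every (address, hostname) mapping, ignoring comments and case."""
    mappings = Counter()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # strip inline comment, tokenize
        if len(fields) < 2:
            continue                             # blank, comment-only or malformed
        address, names = fields[0], fields[1:]   # one line may list several names
        for name in names:
            mappings[(address, name.lower().rstrip("."))] += 1
    return mappings


def diff_hosts(before, after):
    """Return (removed, added) Counters; duplicates are counted, not collapsed."""
    old, new = parse_hosts(before), parse_hosts(after)
    return old - new, new - old


def survivors_under(text, domain):
    """Hostnames still mapped in `text` that equal or sit under `domain`."""
    domain = domain.lower()
    return sorted({name for _, name in parse_hosts(text)
                   if name == domain or name.endswith("." + domain)})


if __name__ == "__main__":
    removed, added = diff_hosts(FRIDAY, MONDAY)
    for (address, name), count in sorted(removed.items()):
        print(f"removed x{count}: {address} {name}")
    for (address, name), count in sorted(added.items()):
        print(f"added   x{count}: {address} {name}")
    print("facebook.com names still blocked:",
          survivors_under(MONDAY, "facebook.com"))
```

On the post's data this reports six removed `www.facebook.com` mappings and nothing else, while the other names under facebook.com are still present, so the removal is confined to that one hostname.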

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
