"Possible Windows hosts file tampering detected." Please help!

iamtehmadhat · ‎04-03-2011

Hi. Sorry that this message is long/thorough. I'm a newbie, don't know that much about computers... so anytime something happens I don't understand, I go all OCD. Any help is MUCHO appreciated!!!

Here is a bit of back story:

Last night I clicked on a website where suddenly I got 4 pop-ups in the browser (bad link, nooo!). I immediately pressed the power to force a shut down. Rebooted in normal mode, ran Norton 360 full system scan, it detected and removed 68 tracking cookies - the cookies are from typical advertising companies (advertising.com, doubleclick.net, atdmt.com, etc). Rebooted again normally, ran MalwareBytes, it detected nothing. Rebooted in Safe Mode (no networking), ran Norton 360 just to make sure, it detected nothing.

This morning, ran Norton 360 again. It detected and removed 58 cookies. Same kind.

Tonight I wanted to run it again. When LiveUpdate started, I received the error message: "Possible Windows hosts file tampering detected. Please run a full system scan and try again. Error: 8921, 300." I clicked the "try again" button, received: "We are unable to communicate with one of our servers and detected entries within your host file that are blocking us from connecting." Norton itself was unable to correct the issue, so I started to talk to someone in chat, but with no help...

And then LiveUpdate was able to update. Ha. So... it looks to be good... I ran another scan. Now all these full system scans took the usual amount of time for my computer, about 30-40 minutes. This one only took 2 minutes (and it still detected now 56 of the tracking cookies).

So I checked my firewall and discovered a bunch of "Default Block SSDP/Inbound TCP connection" and "Unauthorized access blocked (Duplicate object)" with SERVICES.EXE being the actor and ccSvcHst.exe being the target... I've troubleshooted all that and I know I need to secure my router... which got me thinking... could what happened on my computer spread to my other computer I use in the house?

Sure enough, I just ran Norton 360 on the other computer and it detected 81 tracking cookies (Same kind.)

My questions are...

1) What was that tampering hosts file error about?

2) Why do the tracking cookies keep coming back, and why so MANY of them? At the most I'd have 3 or 4 detected previously!

3) What do I do about this other computer?! Is it as simple as "securing" my wireless router?!

P.S. - Both computers are Dell Inspirons running Windows XP SP3, and I am using Norton 360 version 5.

SendOfJive · ‎02-07-2009

Hi iamtehmadhat,

I am not sure what caused the Hosts file error. Malware does occasionally modify the Hosts file to prevent the computer from being able to connect to Security sites. From what you say though, it doesn't sound like you were infected. You can use a Fix-it tool from Microsoft to reset the Hosts file to its default settings:

http://support.microsoft.com/kb/972034

Tracking cookies are picked up in the course of everyday web surfing and do not represent a security threat, although there are some privacy concerns with them. The best way to deal with tracking cookies is to use options in your browser and a free program like SpywareBlaster to keep sites from setting them in the first place, and to automatically delete any that do get through every time you close the browser. See this post for some suggestions on how to do this:

http://community.norton.com/t5/Norton-360/Cannot-delete-cookie-quot-hp-administrator-content-yieldma...

The firewall default block rule and the "access blocked" Tamper Protection entries in Norton history are normal and expected, and the abbreviated scan time would occur due to Norton skipping known good files that were checked previously in an earlier scan. So in themselves none of these should be a cause for alarm.

Shutting down the computer by pressing the power button isn't really recommended unless the computer is otherwise unresponsive. A better approach in the future if you get unwanted pop-ups or redirections would be to hit Ctrl+Alt+Delete to bring up Windows Task Manager and use the Task Manager controls to end the browser process. This shuts down the browser without the risk of possibly initiating a download by clicking within a malicious web page.

It does not sound like your PC is infected, but keep an eye on things and if you notice any unusual behaviors be sure to post back and let us know.

iamtehmadhat · ‎04-03-2011

Thanks SendOfJive, I really appreciate your response! :)

Running scans on both computers, coming up with 0 tracking cookies on the first one (the one where I clicked the bad link), and the usual 2 on the second one (that had 81 cookies last night). Had a scare for the first one because when I powered up, I received the dreaded "No bootable device"... restarted and it worked fine. My internal hard drive's been on the fritz lately, coughing like an old man, I need to replace soon, so I'm not too concerned about that then... What's disappointing is, if I do find anything odd - usually my computer runs slower (for example, I was trying to download Spybot last night before I posted on this forum, and it was taking an usually long time to download)... I just chock it up to my internal HD problems...

Concerning the Hosts file, would you recommend a program like WinPatrol or the like to monitor for future reference, incase I can't rid of the malware (if it exists) and it still makes changes to the Hosts file?

One last question... the second computer that had 81 tracking cookies (when usually it only has 2)... I looked into the firewall history for it. I noticed that a little bit before I ran the scan last night, it said: "IP address has disappeared from adapter and is no longer being protected", then two minutes later it said "Protecting your connection to a newly detected network". This computer usually only has 2 or 3 tracking cookies on it. Is it possible that I would've gotten those tracking cookies on my computer in between that time since my router wasn't protected? I hope that's not a dumb question. :x

iamtehmadhat · ‎04-03-2011

And one last thing to mention the more I think about it....

I do notice sometimes when I'm using Internet Explorer - on a rare instance, because I usually run Mozilla with NoScript - it sometimes (not all the time) redirects me to a "doubleclick" ad. But since I have an ad blocker, it doesn't show me the ad itself, but a "This website could not be found" type page. It's been like that for a while, before this "tampering" error was ever received... I never really gave it much thought as I don't use IE that much and it never happens in Mozilla... is this something to look further into?

SendOfJive · ‎02-07-2009

Hi iamtehmadhat,

Spybot Search and Destroy's Immunization feature actully uses the Hosts file to block access to known malicious sites, so you don't want to guard the Hosts file too zealously with other software if you use this capability. Spybot also allows you to lock the Hosts file to prevent malware from tampering with it - if you do this be aware that some security scanners will flag this as suspicious.

Tracking cookies are usually placed by ads on web pages that you visit. The firewall log information you report is normal firewall activity and does not indicate any windows of opportunity for malware. You can control tracking cookies in Firefox much as you do in IE. Go to Tools > Options > Privacy. Put a checkmark in the "Accept cookies from sites" box. Leave "Accept third party cookies" unchecked. Set the "Keep until" box to read "Until I close Firefox." Sites that require persistent cookies for logging in (such as Norton.com or your banking site) can be added to the the Exceptions list and allowed. Use SpywareBlaster to populate the Exceptions list with sites to block. After doing this sites will be able to use session cookies so they can remember you as you navigate through the site, bad sites will not be allowed to set cookies, all cookies will be removed when you close the browser except for the ones you need for sites that you have specifically allowed.

If your harddrive is getting flakey you may see a lot of odd behaviors that can mimic malware. You should definitely backup all of your important data so that you have a copy safely stored off of the drive. When the drive fails it is game over.