Facebook malware editing host file, removing facebook.com

    Question

  • I have been trying to block Facebook on my wife's computer (per her request) for a little over a week now. Every time I update the host file and add

    127.0.0.1 www.facebook.com

    to the host file. Every time I do this it blocks Facebook for a period of time. Then eventually the line is removed automatically by something and she is able to access Facebook again. This is sketchy as shit and I am not the only one experiencing this.

    http://www.bleepingcomputer.com/forums/topic435876.html

    http://forum.avira.com/wbb/index.php?page=Thread&threadID=126207

    http://www.techsupportforum.com/forums/f112/facebook-entries-removed-from-hosts-620204.html

    Whatever is causing this needs to be investigated further. I have tried everything: setting the host file to read-only permissions, adding facebook.com multiple times. Whatever is deleting it is looking specifically for facebook.com and removing the line. Take a look.

    Friday I edit the host file to look like this,

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1       localhost
    # ::1             localhost

    # Block Facebook


    127.0.0.1 static.ak.fbcdn.net
    127.0.0.1 www.facebook.com
    127.0.0.1 www.facebook.com
    127.0.0.1 www.static.ak.fbcdn.net
    127.0.0.1 login.facebook.com
    127.0.0.1 www.facebook.com
    127.0.0.1 www.facebook.com
    127.0.0.1 www.login.facebook.com
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.com
    127.0.0.1 www.facebook.com
    127.0.0.1 www.facebook.com
    127.0.0.1 www.fbcdn.com
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 www.static.ak.connect.facebook.com

    And Monday it will look like this

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1       localhost
    # ::1             localhost

    # Block Facebook


    127.0.0.1 static.ak.fbcdn.net


    127.0.0.1 www.static.ak.fbcdn.net
    127.0.0.1 login.facebook.com


    127.0.0.1 www.login.facebook.com
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.com


    127.0.0.1 www.fbcdn.com
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 www.static.ak.connect.facebook.com

    I see no processes running related to Facebook.  Nothing suspicious in the task scheduler.  My wife claims that she is able to get in by clicking links in emails from Facebook but all links appear to be from facebook.com so they should have failed from the beginning.

    I appreciate any support.  I submitted this to Malwarebytes hoping to get some info or action against what I would consider Malwarebytes but they offered little support.  Hope to hear some ideas from your community soon.  Thx!

    Tuesday, August 28, 2012 3:05 AM
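
A way to confirm from the two listings above exactly which mappings disappear, as an added example that is not part of the original post: it parses both snapshots (entry lines copied from the post, the Microsoft sample header omitted) and diffs them. The function names are illustrative.

```python
from collections import Counter

# Entry sections of the two listings in the post above. The Microsoft sample
# header is comment-only and identical in both, so it is left out here.
FRIDAY = """\
# Block Facebook
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
"""

MONDAY = """\
# Block Facebook
127.0.0.1 static.ak.fbcdn.net

127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com

127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com

127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
"""


def parse_hosts(text):
    """Count (address, hostname) mappings, ignoring comments and blank lines."""
    entries = Counter()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        for name in fields[1:]:  # one line may map several names
            entries[(fields[0], name.lower())] += 1
    return entries


def diff_hosts(before, after):
    """Return (removed, added) Counters between two hosts-file snapshots."""
    old, new = parse_hosts(before), parse_hosts(after)
    return old - new, new - old  # Counter subtraction keeps positive counts only


def surviving_under(domain, text):
    """Hostnames still mapped in text that are domain or a subdomain of it."""
    names = {name for (_, name) in parse_hosts(text)}
    return sorted(n for n in names if n == domain or n.endswith("." + domain))


if __name__ == "__main__":
    removed, added = diff_hosts(FRIDAY, MONDAY)
    for (addr, name), count in sorted(removed.items()):
        print(f"removed x{count}: {addr} {name}")
    print("added:", dict(added))
    print("still mapped under facebook.com:", surviving_under("facebook.com", MONDAY))
```

On these listings the only removed mapping is `www.facebook.com` (all six copies), while the other `facebook.com` subdomains and the `fbcdn` entries remain.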

Answers

All replies

  • Potentially useful information

    Tuesday, August 28, 2012 3:22 AM
  • Hi,

    I suggest you try to scan the system in Safe Mode to check the result.

    Meanwhile, you can try to block the Facebook IP address via the firewall to test the issue.

    Regards,

    Vincent Wang

    TechNet Community Support

    Wednesday, August 29, 2012 9:19 AM
    Moderator