
  • "Todd Schaeffer" started this thread

Friday, June 8th 2012, 6:18pm

Hosts file

Opinion is requested regarding the hosts file and Avira Internet Security blocking of changes to the file. The option is selected as user preference. However, user's browser may have been modified, hijacked, or subject to a greater vulnerability.

Web browser (Internet Explorer 9 on Windows 7 Home Premium Service Pack 1 Operating System) has been producing a security alert (“You are about to leave a secure Internet connection. It will be possible for others to view information you send.”), each time bing.com is accessed, for approximately 2 weeks despite no problems in many years of use.

Internet Properties were modified as new message (Some settings are managed by your system administrator.) is added to the Advanced tab only today.

Link offers the following “If your computer is part of a network at an organization such as a school, government agency, or business, your organization's system administrator might have disabled or even removed certain Windows Internet Explorer settings by using Group Policy. Group Policy is a Windows feature that system administrators can use to manage access to other Windows features. If you suspect that Group Policy is preventing you from changing a setting that you need to access, contact your system administrator.”.

Microsoft Technical Support suggested the uninstall/reinstall and/or Fix your hijacked web browser post might be the solution. Reset and reinstall corrected the Internet Properties message (Some settings are managed by your system administrator.). Nonetheless, bing.com is still producing the security alert.

The computer is not part of a specific network (other than internet service provider furbished router). No changes are evident for the browser’s Security tab. No unverified add-ons are installed for the browser. No network connections are displayed or detected by the computer’s operating system.

Permissions on the hard drive were also altered. In correcting the modification, Avira Internet Security produced a message “In accordance with security guidelines, the Administrator has blocked access to the Hosts file.”. Technical support identified the browser problem as an internet issue. Would a change of the Hosts file be necessary? What other measures could prevent the recurrence?
Todd Schaeffer

redwolfe_98

Wednesday, June 13th 2012, 1:04am

todd, it doesn't hurt to have the "HOSTS" file locked, or "protected".. however, if you want to check to see if the HOSTS file has been modified by malware, you can do that.. you can open the HOSTS file with "notepad" to view its contents.. you can replace it with a windows default HOSTS file if you want to.. i don't really understand what the issue is unless you are asking if the HOSTS file should be locked, or protected.. as i said, it doesn't hurt to have it "locked", and you can unlock it if you need to..

regarding the "you are about to leave a secure Internet connection" warning-message, that is normal.. "internet explorer" has a setting for "warn if changing between secure and not secure mode".. apparently the person is going from a webpage where a secure connection is being used to the "bing.com" webpage where a secure connection is not being used, causing the "you are about to leave a secure Internet connection" warning-message to be generated.. you can disable the warning-message if you want to, in IE's settings, on the "advanced" tab.. i always have disabled that warning-message..
win xpsp3, "windows firewall", avira antivirus suite, SSM, RegDefend

This post has been edited 1 times, last edit by "redwolfe_98" (Jun 13th 2012, 1:08am)


redwolfe_98

Wednesday, June 13th 2012, 1:33am

p.s. you asked about how to avoid problems.. one thing that i would advise would be to not use oracle's "java".. however, if you need "java", you could keep it disabled except for when it is being used..

another thing that you could do in order to try to avoid having malware-infections would be to use a browser with high security-settings.. with "internet explorer", that would involve using high security-settings in IE's "internet zone" and "intranet zone".. with "firefox", it would involve using the "noscript" addon.. i think that using "firefox" with the "noscript" addon is easier than using "internet explorer" with high security-settings, if you have a choice between the two..
win xpsp3, "windows firewall", avira antivirus suite, SSM, RegDefend

This post has been edited 1 times, last edit by "redwolfe_98" (Jun 13th 2012, 1:38am)


  • "Todd Schaeffer" started this thread

Tuesday, July 3rd 2012, 1:04am

Apologies for the prolonged response. The computer hard drive failed. The workstation had to be shipped to manufacturer for replacement and reinstallation.

Where is the HOSTS file located? Two files were identified. One was found in C:\Windows\System32\drivers\etc and another in C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210. The file produced the following example with and without the “Protect Windows hosts file from changes” selected

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

What could be done about IE9? Internet Properties of the Advanced tab displays the message “Some settings are managed by your system administrator.”. The computer is not part of a network and the message has never appeared before. Reinstallation of the browser works temporarily, however the message reappears. Lower quality is most noticeable. Other concern is security. In addition to browser concerns, Windows command for rename does work as posted in the Windows Client TechNet; ren file1 file2, which has always worked in the past, instead; ren “file1” file2”, note quotation requirement.

Was the Avira Internet Security 2012 installed correctly? The suite is displaying one modification different from the regular product. When user enters “Expert mode” configuration settings in “General>Acoustic alerts>Acoustic alert” and selects “Use the following WAVE file (only in interactive mode)” with “WAVE file: c:\program files (x86)\avira\antivir desktop\default.wav” then chooses “Test”, the following message appears

Avira Internet Security 2012 – Configuration : avconfig.exe – Application Error

The instruction at 0x72121891 referenced memory at 0xda96a126. The memory could not be read.

Click on OK to terminate the program
Click on CANCEL to debug the program
Todd Schaeffer
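
The check suggested earlier in the thread (look at the HOSTS file to see whether it has been modified), as an added PowerShell example that is not part of any post: it lists only the lines of a hosts file that take effect, so the all-comment default quoted above produces no rows. The function name, the sample contents and the example.test names are constructed for illustration; the default path is the System32\drivers\etc location named in the post.

```powershell
# Added example, not from the thread. Lists hosts-file lines that are active,
# i.e. anything left after blank lines and '#' comments are removed.
function Get-ActiveHostsEntry {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Keep only the text before the first '#', then trim whitespace.
        $active = ($line -split '#', 2)[0].Trim()
        if (-not $active) { continue }

        # First column is the address, remaining columns are host names.
        $fields = $active -split '\s+'
        $ip = $null
        $valid = [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)

        if (-not $valid -or $fields.Count -lt 2) {
            $kind = 'malformed'
        } elseif ([System.Net.IPAddress]::IsLoopback($ip) -or
                  $ip.Equals([System.Net.IPAddress]::Any)) {
            $kind = 'local/sinkhole'   # name resolves to this machine or nowhere
        } else {
            $kind = 'redirect'         # name resolves to some other address
        }

        [pscustomobject]@{
            Line    = $lineNo
            Address = $fields[0]
            Names   = ($fields | Select-Object -Skip 1) -join ' '
            Kind    = $kind
        }
    }
}

# Constructed sample: two default-style comment lines plus two active entries.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1 localhost
127.0.0.1    update.example.test    # constructed entry
203.0.113.7  search.example.test    # constructed entry
'@
$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -LiteralPath $tmp -Value $sample
Get-ActiveHostsEntry -Path $tmp | Format-Table -AutoSize   # two rows: lines 3 and 4
Remove-Item -LiteralPath $tmp
```

Called with no arguments, the function reads the live file; any row it returns on a home machine is an entry someone or something added and is worth reviewing.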

redwolfe_98

Wednesday, July 4th 2012, 9:37pm

todd, i was just trying to tell you that i don't think that the "issues" that you are asking about are due to any problem with malware..

if there is an "administrator" who has locked some settings, you will have to contact the administrator who locked the settings in order to have them changed..

you said that you sent the computer to a shop.. i suppose it is possible that someone at the shop locked some settings...

you could "reformat" the hard drive.. that would restore everything to the way it is supposed to be.. or, maybe doing a "dirty install" is an alternative, but i don't know if that would work, or not, as far as being able to get around having some settings locked by an "administrator".. you could ask microsoft about that..
win xpsp3, "windows firewall", avira antivirus suite, SSM, RegDefend

  • "Todd Schaeffer" started this thread

Friday, July 6th 2012, 5:33pm

Someone is altering your definition files. User has paid for the product and expects the same consistent quality protection they have experienced since 2008. Apologies for any hassle or aggravation inquiry may cause, however responsibility is the priority as detection system has enabled repair of many prior problems.

User is the Administrator. All administrative tasks are executed successfully, however the only problem is the internet explorer. Internet browsers are the primary starting point of all computer problems. Tracking protection feature has even been enabled to prevent irrelevant marketing.

Greatest concern of the user is the product modification observed at home. Yesterday, user worked from the library. Product license is about to expire. The following message displayed http://imageshack.us/photo/my-images/19/aviramessage.png/. This is consistent with the format of every message user has received since 2008. The last couple weeks have been unbearable due to some type of modification. At home, the following renewal message appears http://imageshack.us/photo/my-images/713/aviramessage2.png/.

Avira Message 2 is believed to be modifying component. The small, grey “x” in top right corner of the white portion of the message is usually blocked in internet explorer. Overall, struggle related to the modifications are nudge like code that leaves the pointer very inaccurate, combined with a malicious erratic code (possible infected system), and unusual sluggishness. Sluggishness is characterized noxious type of spam leaving system very slow while adding complications of sensed gamer type trying to make talking animations (GAME/Downloader or GAME/Casino.Gen2???).

Belief is wrongdoing is the result of crypting suite (TR/Crypt???).

Error messages displayed while trying to scan have included

Unable to load plugin ‘General’
Error LibraryLoad () failed.
No pages are available. XML is corrupt!
Feature ID is not registered.
While loading the module (aecore.dll) the following error occurred: Definition file (.VDF) is destroyed!

Scan log has provided further information

C:\Users\Todd Schaeffer\Downloads\avira_premium_security_suite_en.exe [0] Archive type: RAR SFX (self extracting) --> basic\aeoffice.dll [WARNING] The file could not be written!

C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20100209-052433-FE16C1F0\AVSCAN-0000002B.edb [0] Archive type: CAB (Microsoft) --> readme.htm [WARNING] No further files can be extracted from this archive. The archive will be closed.

[WARNING] Catched Exception FSSLIB_ReadFile in file ACCESS_VIOLATION
[WARNING] Insufficient memory. The file was not scanned.
[WARNING] The file could not be opened!
[WARNING] The temporary file could not be opened!
[NOTE] The registry entry is invisible.
[NOTE] This file cannot be opened for scanning.
[NOTE] An attempt is being made to scan the file with the aid of the snapshot driver. (Various database, configuration, parameter, and raw files)
[NOTE] Unsupported archive version
[WARNING] System error [0]: The operation completed successfully.
[WARNING] System error [21]: The device is not ready.
[WARNING] System error [267]: The directory name is invalid.
Error in ARK library
[NOTE] The registry entry is invisible.

Perpetual problem is believed to be

TR/Crypt
W32/Virut.Ge
HTML/Infected
HTML/Malicious
GAME/Downloader
GAME/Casino.Gen2

Past detections have been

WORM/Recycler
ADSPY/BetterInternet.YC
PCK/Armadillo
DR/Zlob
SPR/Dldr
HEUR/HTML.Malware
TR/Dropper.Gen
TR/StartPage
TR/Agent
TR/Orsam
ADSPY/SearchIt
HTML/FlashFrame
TR/Meredrop
Todd Schaeffer

  • "Todd Schaeffer" started this thread

Friday, July 13th 2012, 1:49pm

IE9 has been fixed. The last week was met with no hijacks or attempts to administrate the system. Mobile device is suspect in deficiencies. Time to afford new device may be solution. Internet Security product has been active in updating through obstacles. Host information is still sought. Tangentially, user manual on antibot feature of security product would be supportive in combating spam.
Todd Schaeffer