29

First: I can't find any information on this phenomenon, not anywhere on the net.

I don't know which application does it, but something in my Windows 7 Home Premium system (fully updated & legal) updates my hosts file. I have UAC enabled. To edit my hosts file, I have to run Notepad with admin privileges or else I can't save my file.

The line 127.0.0.1 ad.doubleclick.net has disappeared several times now. It looks like that is the only line to which this happens. I have other lines in the same file, and they are left untouched.

I suspect Google Chrome to be responsible for this, since the Google Updater probably has the permissions to modify system files - and it's in their interest to load their crap, but I am not sure. While I understand that I use their services and that ads pay for those services, I don't like the idea of software violating my system like that. And I am surprised that it's even possible; I thought Chrome installed within the user profile and didn't need system write access to install.

Can anyone else confirm this issue? Any experience with similar things happening to the hosts file?

Edit: I have Process Monitor running with a filter on the hosts file. Let's see what I can find... thanks for the suggestion, I hadn't thought of it initially.

Update: This morning, Process Monitor showed a bunch of file activity. And 127.0.0.1 ad.doubleclick.net is gone! It looks like Windows Defender did it. Read the Process Monitor log here: http://pastebin.com/eJTf5qWs

AviD
Jacob Bruinsma
  • 2
    I dunno, I would suspect adware that is trying to serve ads from doubleclick. I don't know if this is a common technique, but I'd start with a virus/spyware scan (fully updated, of course) and/or the Microsoft malicious software removal tool. – Steve Dispensa Sep 06 '11 at 17:50
  • I know. MalwareBytes comes up clean, so do Avast! scans. There are about 15 entries in that file, and all of them point to localhost so it's not like there's malware trying to re-route any domain names. I'm monitoring the file with Process Monitor and it doesn't show anything out of the ordinary: after a /flushdns and a browser restart, the DnsClient service reloads the file once. That's it. – Jacob Bruinsma Sep 06 '11 at 19:16
  • 1
    What happens if you point the IP to something other than 127.0.0.1? – Steve Sep 07 '11 at 22:13
  • It wouldn't have made a difference, I think. Windows Defender has a thing for ad.doubleclick.net; whoever knows why can tell me! – Jacob Bruinsma Sep 08 '11 at 04:12
  • @Jacob possibly because it's trying to prevent the tracking that doubleclick does - so it's really a good change. – Jonathan Dickinson Oct 15 '11 at 12:49

2 Answers

31

Use Process Monitor with a filter to watch the hosts file. Run it long enough and you will see everything that changes the file.

http://technet.microsoft.com/en-us/sysinternals/bb896645

securityishard
  • 1
    Yes, that's one of my favorite tools. I wanted to make sure others were aware of the possible existence of this weird issue, just solving the problem isn't the only thing I'm after. – Jacob Bruinsma Sep 06 '11 at 17:21
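
One way to triage a capture like the one this answer suggests, as an added example that is not part of the original thread: export the Process Monitor trace as CSV and list every process that successfully modified the hosts file, including replace-by-rename, where the event is logged against a temporary file. The function name and sample rows are constructed, and the column names and Detail wording are assumed to match Process Monitor's default CSV export.

```python
import csv
import io

# Procmon operations that change a file's content or size, or delete it.
MODIFYING_OPS = {"WriteFile", "SetEndOfFileInformationFile",
                 "SetDispositionInformationFile"}
HOSTS_SUFFIX = r"\drivers\etc\hosts"


def hosts_writers(csv_text):
    """Map (process name, PID) -> [(time, operation), ...] for each successful
    modification of the hosts file in a Process Monitor CSV export."""
    found = {}
    # The exported CSV can begin with a UTF-8 byte-order mark.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        op, detail = row["Operation"], row["Detail"]
        targets = [row["Path"]]
        if op == "SetRenameInformationFile":
            # Replace-by-rename is logged against the temporary file; the
            # file being replaced is named in the Detail column.
            if "FileName: " in detail:
                targets.append(detail.split("FileName: ", 1)[1].strip())
        elif op == "CreateFile":
            # Count only opens that truncate: Overwrite, OverwriteIf, Supersede.
            if not any(d in detail for d in ("Disposition: Overwrite",
                                             "Disposition: Supersede")):
                continue
        elif op not in MODIFYING_OPS:
            continue
        hit = any(t.lower().endswith(HOSTS_SUFFIX) for t in targets)
        if hit and row["Result"] == "SUCCESS":
            key = (row["Process Name"], int(row["PID"]))
            found.setdefault(key, []).append((row["Time of Day"], op))
    return found


# Constructed sample export; process names, PIDs and times are made up.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"08:01:12.1000000","svchost.exe","1104","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 824"
"08:14:03.2000000","example-svc.exe","2216","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"08:14:03.2100000","example-svc.exe","2216","WriteFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 790"
"09:30:45.5000000","notepad.exe","3380","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf"
"09:41:10.0000000","example-edit.exe","4012","SetRenameInformationFile","C:\Windows\Temp\hosts.tmp","SUCCESS","ReplaceIfExists: True, FileName: C:\Windows\System32\drivers\etc\hosts"
'''

if __name__ == "__main__":
    for (name, pid), events in hosts_writers(SAMPLE).items():
        print(f"{name} (PID {pid}):", ", ".join(f"{t} {o}" for t, o in events))
```

Reads of the file (such as the DnsClient reload mentioned in the comments) and failed opens are ignored, so only processes that actually changed the file are reported.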
12

I faced similar problems. I solved it by following these steps:

  1. Right-click on the hosts file and go to Properties.
  2. Go to the Security tab.
  3. Under Groups and users go to the System and edit permissions.
  4. Deny write permissions for the System.
  5. Press OK and Done.
LvB
Seo Gregory