Running into a problem this morning. It was picked up last night that the hosts file was modified on many computers, as far back as August 19th. SEP is installed on all these systems and is up to date. It hasn't picked up anything. Based on a little Google research, this issue is usually accompanied by a FakeAV infection. However, I can neither detect it nor find any record of it being blocked on these machines. I can fix the machines fairly easily, but I'm mainly concerned with the mechanism of infection. Any clues?
Sample of the hosts file:
89.149.230.156 www.google.de
89.149.230.156 www.google.fr
89.149.230.156 www.google.co.uk
89.149.230.156 www.google.com.br
89.149.230.156 www.google.it
89.149.230.156 www.google.es
89.149.230.156 www.google.co.jp
89.149.230.156 www.google.com.mx
89.149.230.156 www.google.ca
89.149.230.156 www.google.com.au
89.149.230.156 www.google.nl
89.149.230.156 www.google.co.za
89.149.230.156 www.google.be
89.149.230.156 www.google.gr
89.149.230.156 www.google.at
89.149.230.156 www.google.se
89.149.230.156 www.google.ch
89.149.230.156 www.google.pt
89.149.230.156 www.google.dk
89.149.230.156 www.google.fi
89.149.230.156 www.google.ie
89.149.230.156 www.google.no
89.149.230.156 search.yahoo.com
89.149.230.156 us.search.yahoo.com
89.149.230.156 uk.search.yahoo.com
89.149.230.156 www.bing.com
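The entries above show the two signatures a defender can check for without relying on an AV signature: well-known search-engine hostnames mapped to a routable (non-loopback) address, and one address fanning out to many hostnames. The following script is an added example, not code from the original post; it parses hosts-file text and flags both patterns. The watchlist of search-engine names, the fan-out threshold and the default Windows hosts path are assumptions chosen for the example, and the sample text is constructed from a subset of the lines in the post plus the normal loopback entries.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the default loopback lines plus a subset of the
# entries from the post, so the parser sees both benign and suspect lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.230.156 www.google.de
89.149.230.156 www.google.co.uk
89.149.230.156 search.yahoo.com
89.149.230.156 www.bing.com
"""

# Assumed default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def is_watched(host):
    """Assumed watchlist: search-engine names that hijacks commonly redirect."""
    return (host.startswith("www.google.")
            or host.endswith("search.yahoo.com")
            or host in ("bing.com", "www.bing.com"))


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: ignore malformed line
        for host in fields[1:]:                # one address may list several names
            pairs.append((ip, host.lower()))
    return pairs


def find_hijacks(text, fanout_threshold=3):
    """Flag watched names pointed at routable IPs, and IPs with high fan-out.

    Loopback (127.x / ::1) and unspecified (0.0.0.0) targets are treated as
    benign, since legitimate ad-blocking hosts lists use them.
    """
    redirects = []
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)
        if ip.is_loopback or ip.is_unspecified:
            continue
        if is_watched(host):
            redirects.append((host, str(ip)))
    fanout = [(str(ip), len(hosts)) for ip, hosts in by_ip.items()
              if len(hosts) >= fanout_threshold
              and not (ip.is_loopback or ip.is_unspecified)]
    return {"redirects": redirects, "fanout": fanout}


def scan_file(path=WINDOWS_HOSTS_PATH):
    """Read a hosts file from disk and run the checks on it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    result = find_hijacks(SAMPLE_HOSTS)
    for host, ip in result["redirects"]:
        print(f"REDIRECT  {host} -> {ip}")
    for ip, count in result["fanout"]:
        print(f"FAN-OUT   {ip} maps {count} hostnames")
```

Run against `scan_file()` on each endpoint (for example from a scheduled task that ships the result to a log collector) and the timestamp of the first non-empty finding, combined with the file's modification time, gives a bound on when the change landed, which is what you need to correlate with the installer or download that caused it.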