what else can I do for this?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DKSuddeth, Dec 18, 2004.

  1. DKSuddeth

    DKSuddeth Private E-2

I've run several online scans, cwshredder, hsremove, aboutbuster, adsspy, lspfix, stinger, and hijackthis along with spybot s&d, giant antispyware and webroot spysweeper and I still can't keep my hosts file from being modified to this crap:
    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 search.netscape.com
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
    69.20.16.183 auto.search.msn.com
    69.20.16.183 ieautosearch


Anyone got any suggestions?
     
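The hosts file quoted above mixes two kinds of entries: lines that point ad and search-hijack domains at 127.0.0.1 (blocking entries, the kind Spybot inserts) and lines that point real hostnames such as search.netscape.com at 69.20.16.183 (redirect entries, which send browser traffic to that address instead). A quick way to tell them apart is to treat any non-loopback address as a redirect and flag it. The script below is an added example, not something from the thread or from any of the tools named in it; the sample hosts text is constructed from the entries in the first post, and the SAMPLE_HOSTS name and the audit_hosts/parse_hosts functions are this example's own.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example (not from the thread). Given the text of a hosts file it
reports: lines that map a hostname to a non-loopback address (a redirect,
the pattern seen with 69.20.16.183 above), entries that appear more than
once, and lines that do not parse.  Loopback (127.x) and unspecified
(0.0.0.0) addresses are treated as legitimate blocking entries.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample, assembled from the entries quoted in the first post.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 search.netscape.com
69.20.16.183 auto.search.msn.com
"""


def parse_hosts(text):
    """Return a list of (line_no, address, [hostnames]) for each data line.

    Comments (everything after '#') and blank lines are skipped; the
    address is the first whitespace-separated token, hostnames the rest.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def is_blocking_address(addr):
    """True for 127.0.0.0/8, ::1 and 0.0.0.0, i.e. addresses that block
    rather than redirect a name. Non-IP strings are never blocking."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Classify every entry and return a dict of findings."""
    findings = {"redirects": [], "duplicates": [], "malformed": []}
    seen = Counter()
    for line_no, addr, names in parse_hosts(text):
        # A line with no hostname, or a non-IP first token, is malformed.
        if not names or is_blocking_address(addr) is False and not _is_ip(addr):
            findings["malformed"].append(line_no)
            continue
        for name in names:
            seen[(addr, name)] += 1
            if not is_blocking_address(addr):
                findings["redirects"].append((line_no, addr, name))
    findings["duplicates"] = [pair for pair, n in seen.items() if n > 1]
    return findings


def _is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_HOSTS
    result = audit_hosts(text)
    for line_no, addr, name in result["redirects"]:
        print(f"line {line_no}: {name} is redirected to {addr}")
    for addr, name in result["duplicates"]:
        print(f"duplicate entry: {addr} {name}")
    for line_no in result["malformed"]:
        print(f"line {line_no}: could not parse")
```

On a real machine you would point it at C:\WINNT\SYSTEM32\drivers\etc\hosts (or the equivalent path for the Windows version in use); anything it lists under "redirected" deserves the same scrutiny the 69.20.16.183 lines got in this thread, whereas a long list of 127.0.0.1 entries is usually just an immunization list.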
  2. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    I have an option that you can try, but it is strictly a "Do at your own risk proposition."

    If you want to give it a go, please download the following:

    Generic Detection Tool

    Pocket KillBox

    NOW:
    Please run a scan with HijackThis v1.99 and attach that log.

    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that along with the HJT log.

    I have tried this before and it didn't give me all of the info needed to proceed, and the same may happen here - but, it's worth a try.

    I will try to check back when time permits.

    PP :)
     
  3. DKSuddeth

    DKSuddeth Private E-2

Thanks Phillie, I did as you asked and here are my logs. I appreciate you taking a look. This thing has kept me tied up for 3 days now.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    Have you rebooted since attaching the logs???

    If so, please attach a new findit log and then do not reboot until you hear from me. In my first post, I forgot to mention not to reboot since this baddie mutates.

    If you have not since rebooted, let me know and we can get started on the removal process. I can see the badguy and there isn't too much of it compared to other logs I've seen.

    PP :)
     
  5. DKSuddeth

    DKSuddeth Private E-2

Phillie, I did reboot after trying to delete one of the dll files. Here is a new findit log.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    Ready to Rock n Roll?

    Before you start, please download the following tools and have them handy:

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    ALSO:
    Please be sure your version of Pocket KillBox is v2.0.0.76 – If not, please download a new copy from the link below and extract it to the folder of your choice.
    http://www.downloads.subratam.org/KillBox.zip

    Off we go! Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this. Probably a good idea to Print Out these instructions.


    Before you start, look in C:\WINNT\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINNT\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

    This fix will take a couple of steps. I will keep it very simple, so please excuse the repetition. Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Now, run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINNT\SYSTEM32\etnclass.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\SYSTEM32\lvl009~1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\SYSTEM32\oomanage.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\SYSTEM32\EtnClass.Dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\System32\IEM32.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.


    After your machine reboots, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

    Also, look again for C:\WINNT\SYSTEM32\guard.tmp and, if it remains, fire up KillBox and Delete it using Standard File Kill option.

    If we’re lucky, we can now move on to Step 2!
    Let me know of any difficulties you may have had with the above instructions. I’ll check back when time permits.

    Best Luck :)
    PP
     
  7. DKSuddeth

    DKSuddeth Private E-2

Phillie, here is the compare log as you asked for. So far, the malware is still there.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    That is not entirely unexpected. Please repeat the process above with Killbox.

    First, open KillBox, Select Tools and Delete Temp Files.

    THEN: Copy and paste the following into the box. Remember to check Replace on Reboot and Use Dummy for each:

    C:\WINNT\SYSTEM32\e2200c~1.dll

    C:\WINNT\SYSTEM32\hhink.dll

    C:\WINNT\SYSTEM32\lvl009~1.dll

    C:\WINNT\SYSTEM32\guard.tmp


Allow your machine to reboot after the final entry and scan again with DLL Compare. Hopefully, it'll be clean and we can move on to step 2. If not, repeat the process on All new entries created ON or AFTER Dec.19, 2004. Always end with C:\WINNT\SYSTEM32\guard.tmp.

    Once the DLL Compare log is clean, please attach it along with a fresh HijackThis log.

    I'll try to check back when time permits. Best luck :)

    PP
     
  9. DKSuddeth

    DKSuddeth Private E-2

    This will be the first thing I do when I'm home.

    Thanks again for the help Phillie.
     
  10. DKSuddeth

    DKSuddeth Private E-2

Things look clean. Here are the two logs.
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    Things look clean, but you are still infected. A few more steps remain. ;)

    Please Navigate to C:\WINNT\SYSTEM32\guard.tmp and make sure it's gone. If it remains, feed it to KillBox and Delete using Standard File Kill.

    On to Step 2:

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click the Restore Policy Button.

    Then, use the UserAgent$ Button to remove the UserAgent from the registry.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log and we'll move on to step #3.

    I'll check back when time permits.

    PP :)
     
  12. DKSuddeth

    DKSuddeth Private E-2

Cool. Thanks again.

I'll get this done when I get back home from work tonight.
     
  13. DKSuddeth

    DKSuddeth Private E-2

Ok Phillie, here's the two logs as requested.

One note: after running VX2 Finder's policy restore, it wanted to reboot. I let it, and ran it again, having to use the VX2 Finder button to get access to the UserAgent button. Once I did that, I continued following the directions you posted. Thanks again.
     

    Attached Files:

  14. PhilliePhan

    PhilliePhan Guest

    Hi DK,

    Almost done!

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

Backup this key before doing the following:
Right-click on the subkey AdminDebug and select DELETE.

    Then, do the same for the subkey Controls Folder.


    NEXT:
    Scan with HijackThis and Check the boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch


    Make sure ALL browser Windows are Closed when you Click FIX.

    Reboot, attach a fresh HijackThis Log and let me know how things are working. Hopefully, all should be well! I will try to check back when I get some free time.

    PP :)
     
  15. DKSuddeth

    DKSuddeth Private E-2

    Here it is, looks clean.

    Thank you so very much Phillie. Your help is extremely appreciated.
     

    Attached Files:

  16. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) I'm always happy to help eradicate some Malware - Especially this particular baddie!!

    You're right, the HJT Log looks good - How are things working?

    Don't forget to check out Chaslang's suggestions: How to Protect yourself from malware!

    PP :)
     
  17. DKSuddeth

    DKSuddeth Private E-2

Things are looking pretty good. No issues so far.
It's embarrassing really. I used to be an anti-virus admin for a major defense contractor but dang if I couldn't figure this one out. Thanks again for all your help.
     
  18. PhilliePhan

    PhilliePhan Guest

    Well, now that M$ has acquired Giant Anti-Spyware, Malware will soon be a thing of the past . . . . . OR NOT!! LOL ;)

    Happy to work through this with you! Glad you had the patience to stick with it. I've got 3-4 more of these ready to go - Guess I better streamline those steps!

    Happy Holiday Computing :)
    PP
     