hosts file appended

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wscBoston, Dec 7, 2004.

  1. wscBoston

    wscBoston Private E-2

    I have run all of thread 35407's recommendations.

    The most obvious issue is the hosts file is appended with:
    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    69.20.16.183 auto.search.msn.com
    69.20.16.183 search.netscape.com
    69.20.16.183 ieautosearch

    After removing these entries and saving, they appear again within seconds, if I am connected to the internet. If I run all the steps in the thread 35407, and remain disconnected from the internet, the entries do NOT reappear until I connect physically to the internet.

    Also while connected, my browser opens periodically to sites with erroneous messages regarding Spyware detection and fixes. I close the windows without selecting anything.

    After having run everything in thread 35407 my home page, which is actually an asp I run locally, does not function. I believe it may be due to the localhost entry redirection.

    I am also no longer able to access my corporate email over the WAN, although if I enable the NetScreen Remote VPN, I am able to ping the Exchange server's IP address, but Outlook cannot connect.

    I appreciate your advice. Thank you.
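The appended block quoted in the post above, run through a small audit script. This is an added example, not code from the thread or from any MajorGeeks tool: it classifies every mapping in a hosts file as a sinkhole (a name pointed at loopback, so the machine can no longer reach it) or a redirect (a name pointed at some other address, which is how the search-provider names above end up at 69.20.16.183), and produces a cleaned copy that keeps only the stock localhost lines. The two header comment lines and the BASELINE_NAMES set are assumptions about a stock XP hosts file; the sample text is constructed from the entries in the post.

```python
"""Audit a Windows hosts file for appended sinkhole and redirect entries."""
import ipaddress

# Constructed sample: a stock header plus the appended block from the post above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

# Assumption: the only names a stock hosts file maps to loopback.
BASELINE_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            yield line_no, ip, name.lower()


def classify(ip, name):
    """Label one mapping: baseline, sinkhole (loopback/unspecified), redirect (real address), invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "baseline" if name in BASELINE_NAMES else "sinkhole"
    # Any routable address is a redirect: traffic for `name` goes wherever `ip` is.
    return "redirect"


def audit(text):
    """Group every non-baseline mapping by its label, keeping the source line number."""
    findings = {"sinkhole": [], "redirect": [], "invalid": []}
    for line_no, ip, name in parse_hosts(text):
        label = classify(ip, name)
        if label != "baseline":
            findings[label].append((line_no, ip, name))
    return findings


def clean(text):
    """Return the file with every non-baseline mapping dropped; comments and blank lines are kept."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)
            continue
        ip, *names = body.split()
        if all(classify(ip, n.lower()) == "baseline" for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    # With no argument the constructed sample is audited; otherwise the given hosts file.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for label, rows in audit(text).items():
        for line_no, ip, name in rows:
            print(f"{label:8} line {line_no:3}: {ip:15} {name}")
```

On the poster's machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts, so `python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts` audits the live copy. The redirect class is the one to act on first: the sinkhole lines only make a handful of sites unreachable, while a redirect sends every lookup of a search-provider name to the address in the file. Re-running the audit a minute after reconnecting, as the poster did by hand, distinguishes a one-off edit from something on the box that keeps rewriting the file.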
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi wscBoston,

    This is a new baddie that is going around and people are still trying to figure out how to kill it. It might be a "wait and see" type of thing.

    Just out of curiosity though, how many Hosts files do you have? Is it more than 1? Are there a bunch of backups?

    PP
     
  3. wscBoston

    wscBoston Private E-2

    I had only one hosts file in the C:\WINDOWS\system32\drivers\etc directory, but when it is modified, I wind up with new ones with names like "hosts.20041207-193827.backup".

    I thought I had the damn thing licked last night. Running in safe mode, disconnected from the internet, I was able to get through the various tools listed in thread 35407 repeatedly with no new critical issues reported. I also uninstalled P2P Networking, Skype, Microsoft SQL Desktop, and turned off FTP services in IIS (which I had NOT turned on willingly.)

    Then this AM, upon booting normally, and connecting to the network, things started to come back. The hosts file is once again getting appended, and pages are autolaunching from IE going to sites promising spyware fixes (I close them immediately.) Many of the sites have a message box appearing with yes and no questions. I use the process scheduler to kill inetinfo rather than click either yes or no.
     
  4. wscBoston

    wscBoston Private E-2

    I meant to say I kill iExplorer rather than inetinfo.
     
  5. PhilliePhan

    PhilliePhan Guest

  6. wscBoston

    wscBoston Private E-2

    I did what was recommended in that thread, running Spybot S&D etc. as Administrator with the run on startup option. I encountered nearly the same pattern of behavior described in the thread, but when running Spybot S&D after a normal boot, now, I get a blue screen of death about 2/3 of the way through the scan. All symptoms still occurring. A few interesting things I have observed:

    1) In the Administrator profile, there are 3 items in the recycle bin. They are not visible when I explore the recycle bin. I do allow the "Show hidden files" and "Show system files" options. There are 39 files in my regular profile's recycle bin. Emptying the recycle bin does NOT remove these files, nor does CCShredder.

    2) The hosts file continues to get the appended items any time I run in Normal mode, or in Safe Mode with NetWork support and a network attached.

    3) The CoolWWWSearch entries in Spybot S&D are not all able to be removed, in any mode.

    4) I cannot print. Even reinstalling the printer is not able to solve it. The printer registers that it is receiving data, but fails to print. Clearing the printer queue, rebooting, etc. sometimes produced part of the first page.

    I have documented the processes running in safe, safe w/ network, and normal modes and in researching them, the following are bad or suspicious:

    bundle.exe
    OLLaunch.exe - possible OK as part of Quicken online backup
    OLRegCap.exe - possible OK as part of Quicken online backup
    sahagent-dectest1003.exe
    SAHUninstall_.exe

    I would be happy to post a hijack file if requested. Have been running cleaners all week to no effect and am likely to lose my damn job soon if I don't find a way to get back to work. Your help is much appreciated.
     
  7. wscBoston

    wscBoston Private E-2

    SUCCESS!!!!

    All week I have been running the steps in the cleanup, over and over. All week the various trojans, spyware, adware, etc have been cleaned and returned despite all the immunization etc.

    What finally worked was booting from a CD, getting to a C:\ prompt, and deleting every dll and other file in the c:\windows\system32\ directory with a created or modified date within the past two weeks. I was also able to get to the c:\recycler and perform del *.* and rdir commands to clear out the recycle bin. Then running all the Anti-virus cleaners. One dll did come back again, but Ad-Aware SE was able to tag it and clear it on a reboot, and I added it to the unwanted process list in the latest version of Network Associates VirusScan. The dll is called iuanre.dll by the way. The other dll's I deleted manually were:
    k044lahg1d4e
    lzpqac
    lzpquc
    nytplwiz
    r6p8lg7u16
    sporder

    then finally kpnigh.exe had to go the hard way.

    My hosts file now stays as I leave it, I can print, and IIS is working. Ahhh, peace. Now at 5:05 PM on a Friday, I feel I can start my work week! Thanks to all who work so hard on this forum to help others. I hope this post is of some help too.
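The fix in the post above came down to two things: finding what in system32 had changed recently, and noticing that one dll came back after a reboot. The script below is an added example in a less destructive form; it is not the poster's procedure or any tool from the thread. It snapshots a directory tree (size, mtime, SHA-256 per file), lists the files changed within a day window, and diffs two snapshots taken before and after a reboot so that a file that reappears shows up as added or changed instead of having to be spotted by eye. The directory path, the window in days and the JSON snapshot file names are arguments; the file names used in the test are constructed.

```python
"""Snapshot a directory, list recently changed files, and diff snapshots across a reboot."""
import hashlib
import json
import sys
import time
from pathlib import Path


def snapshot(root):
    """Map relative path -> {size, mtime, sha256} for every readable regular file under root."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        try:
            if not path.is_file():
                continue
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except OSError:
            # Locked or unreadable files (common under system32) are skipped, not fatal.
            continue
        snap[path.relative_to(root).as_posix()] = {
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return snap


def recent(snap, days, now=None):
    """Paths whose modification time falls within the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = [(p, info["mtime"]) for p, info in snap.items() if info["mtime"] >= cutoff]
    return [p for p, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def diff(before, after):
    """Files added, removed, or whose content hash changed between two snapshots."""
    b, a = set(before), set(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "changed": sorted(p for p in a & b if before[p]["sha256"] != after[p]["sha256"]),
    }


def save(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1))


def load(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # usage: triage.py snapshot DIR OUT.json
    #        triage.py recent SNAP.json DAYS
    #        triage.py diff BEFORE.json AFTER.json
    cmd, args = (sys.argv[1], sys.argv[2:]) if len(sys.argv) > 1 else ("", [])
    if cmd == "snapshot" and len(args) == 2:
        save(snapshot(args[0]), args[1])
    elif cmd == "recent" and len(args) == 2:
        print("\n".join(recent(load(args[0]), float(args[1]))))
    elif cmd == "diff" and len(args) == 2:
        print(json.dumps(diff(load(args[0]), load(args[1])), indent=1))
    else:
        print(__doc__, file=sys.stderr)
```

Take the first snapshot from an offline boot (the poster's boot CD), the second after a normal boot with the network attached, and read the diff before deleting anything: a two-week window over system32 also catches legitimately updated files, and a content hash says only that a file changed, not whether it is signed or what dropped it.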
     
  8. PhilliePhan

    PhilliePhan Guest

    I'm happy to see you were able to eradicate this baddie! Hopefully, an easier fix will surface soon, though. A lot of people are not comfortable tackling this head on like you did.

    Thanks for the feedback. Perhaps, as you say, this thread will help others!

    Best :)
    PP
     
