Hosts file keeps changing every second

Alejos

Hi There.

Since a while ago, I am having an issue with the hosts file located in
c:\windows\system32\drivers\etc, it keeps changing every second with weird
information. Here is the information:

201.114.35.200 bancomer.com
201.114.35.200 bancomer.com.mx
201.114.35.200 www.bancomer.com
201.114.35.200 www.bancomer.com.mx
192.193.230.100 www.banamex.com
192.193.230.100 banamex.com
192.193.230.100 www.banamex.com.mx
192.193.230.100 banamex.com.mx
200.76.36.117 www.bb.com.mx
200.76.36.117 bb.com.mx

I tried to use several antivirus and anti-spyware software, tried to stop
the DNS service but still the issue.
It would be great if you can provide me any help in this regard.

Thanks

Alejandro.
 
Your computer is infected with malware.

Ordinarily, I do not counsel users to attempt to recover from malware
infections unless they feel comfortable with advanced repair procedures.
Better to show the computer to a professional.
 
You might try a free program called Spybot Search and Destroy. It has an
option to lock the hosts file:
http://www.safer-networking.org/en/download/

You might be able to manually lock the hosts file by opening it in an
editor.

However, you will first need to clean out the hosts file, and stop whatever
is writing to it. There are many spyware and antivirus programs that can
do this. If the one(s) you are using do not catch this, then try some
others. Many of the major brand antivirus and antispyware sites offer free
on-line scanning and/or free downloadable programs to do scans. Just
remember, you might need to download to a different computer, burn to CD,
then run, depending on the level of problems on your PC.

For more information on how to use the hosts file to block ads, see:
http://www.mvps.org/winhelp2002/hosts.htm

Note that a default hosts file looks something like:

# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
127.0.0.1 localhost

A hosts file used to block a website looks something like this:

# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
127.0.0.1 localhost
127.0.0.1 ads.active.com

The new line causes the web address www.ads.active.com to be redirected back
to your PC, thus effectively preventing the browser from reaching the
address.

However, in your current hosts file, a line like "201.114.35.200
bancomer.com" causes a request for www.bancomer.com to go directly to IP
address "201.114.35.200". This bypasses any filtering your ISP might
provide. It also goes to the IP address, whether or not that is the right
address for that name. Thus, spyware sometimes equates a safe web site
(e.g., "www.microsoft.com") to an unsafe IP address.
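
The difference between a blocking entry and a redirecting entry described in the post above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it parses hosts-file text and reports every name mapped to a non-loopback address. The function names and the sample text (built from lines quoted in this thread plus one constructed malformed line) are assumptions made for the example.

```python
import ipaddress

# Sample input: the default and ad-blocking lines plus three of the entries
# quoted in this thread, assembled here for the example.
SAMPLE_HOSTS = """\
# This *must* be the first line: 127.0.0.1 localhost #
127.0.0.1 localhost
127.0.0.1 ads.active.com
201.114.35.200 bancomer.com www.bancomer.com   # two names on one line
192.193.230.100 www.banamex.com
not-an-ip example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip_or_None, [hostnames]) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # first field is not a valid IP address
        yield line_no, ip, [h.lower() for h in fields[1:]]


def audit_hosts(text):
    """Return (redirects, malformed).

    redirects: {ip_string: sorted hostnames} for entries that send a name to
               a non-loopback address (a block entry points at loopback or
               0.0.0.0 and is not reported).
    malformed: line numbers with no valid IP or no hostname.
    """
    redirects, malformed = {}, []
    for line_no, ip, names in parse_hosts(text):
        if ip is None or not names:
            malformed.append(line_no)
        elif not (ip.is_loopback or ip.is_unspecified):
            redirects.setdefault(str(ip), set()).update(names)
    return {ip: sorted(n) for ip, n in redirects.items()}, malformed


if __name__ == "__main__":
    found, bad = audit_hosts(SAMPLE_HOSTS)
    for ip, names in found.items():
        print(f"REDIRECT {ip}: {', '.join(names)}")
    print("malformed lines:", bad)
```

A reported entry is not automatically malicious (some networks pin internal names this way), so each one needs to be compared against what the machine's owner actually put in the file.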
 
Alejos said:
Hi There.

Since a while ago, I am having an issue with the hosts file located in
c:\windows\system32\drivers\etc, it keeps changing every second with weird
information. Here is the information:

201.114.35.200 bancomer.com
201.114.35.200 bancomer.com.mx
201.114.35.200 www.bancomer.com
201.114.35.200 www.bancomer.com.mx
192.193.230.100 www.banamex.com
192.193.230.100 banamex.com
192.193.230.100 www.banamex.com.mx
192.193.230.100 banamex.com.mx
200.76.36.117 www.bb.com.mx
200.76.36.117 bb.com.mx

I tried to use several antivirus and anti-spyware software, tried to stop
the DNS service but still the issue.
It would be great if you can provide me any help in this regard.

Use SysInternals' FileMon to see what malware process is accessing the
hosts file.

Obviously, whatever the unidentified antivirus and anti-malware
software was, it doesn't include HIPS (host intrusion protection system)
features to alert when a process is modifying the hosts file and prompt
you to allow or block that action.
 