Jim Byrd said:HI Kathleen - You've apparently gotten infected with the QHosts trojan. Read
here for information:
http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191
Try the following:
1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp
2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates (McAfee), be sure to get the EXTRADAT.exe
update from the above page as well as your regular update).
3a. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
3b. An alternative that by report may work better than the Symantec tool is
the Brown University Removal Tool, here:
http://software.brown.edu/dist/w-cleanqhosts.html THIS WOULD BE MY PRIMARY
RECOMMENDATION
If that still doesn't clean it up (and a number of people are reporting that
it did not with the Symantec tool), then follow the Manual Removal
instructions at the link in 3a. The following is courtesy of Mike Burgess:
"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis
(http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"
Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings some of which cannot not be removed
by the Removal Tools, and you'll need to do a search to find and just delete
them all, or clean them per the manual directions at the Symantec site.
4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe
To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Note that this is NOT a recreation of your original HOSTS
file, but a brand new "initialized" one. Now go to normal HOSTS file
location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or
Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it
created to "HOSTS" (no quotes, all caps, no extension). If you've been using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts
File), then you'll need to reset the new default you've created up for that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
InKathleen said:I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!
Sandi - Microsoft MVP said:Is cpanel associated with Qhosts? I thought it wasn't.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.htmlJim Byrd said:3b. An alternative that by report may work better than the Symantec tool is
the Brown University Removal Tool, here:
http://software.brown.edu/dist/w-cleanqhosts.html THIS WOULD BE MY PRIMARY
RECOMMENDATION
If that still doesn't clean it up (and a number of people are reporting that
it did not with the Symantec tool), then follow the Manual Removal
instructions at the link in 3a. The following is courtesy of Mike Burgess:
"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis
(http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"
Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings some of which cannot not be removed
by the Removal Tools, and you'll need to do a search to find and just delete
them all, or clean them per the manual directions at the Symantec site.
4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe
To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Note that this is NOT a recreation of your original HOSTS
file, but a brand new "initialized" one. Now go to normal HOSTS file
location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or
Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it
created to "HOSTS" (no quotes, all caps, no extension). If you've been using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts
File), then you'll need to reset the new default you've created up for that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
InKathleen said:I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!
Jim Byrd said:Hi Sandi - I honestly don't know in this case. The rest of the symptoms are
pure QHosts, and the variants seem to be growing daily, so my first thought
was to have her check that and then proceed from there.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
Inhttp://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.htmlSandi - Microsoft MVP said:tool
isto
useit for DNS speedup and/or ad blocking. Download the Hosts File Reader:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe
To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Note that this is NOT a recreation of your original HOSTS
file, but a brand new "initialized" one. Now go to normal HOSTS file
location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or
Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it
created to "HOSTS" (no quotes, all caps, no extension). If you've been using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts
File), then you'll need to reset the new default you've created up for that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In Kathleen <[email protected]> typed:
I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!
Sandi - Microsoft MVP said:I'm on a hijacking mailing list, and I'm sure we were sent the files that
cause the cpanel infection... I'll check and let you know.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.htmlJim Byrd said:3b. An alternative that by report may work better than the Symantec tool is
the Brown University Removal Tool, here:
http://software.brown.edu/dist/w-cleanqhosts.html THIS WOULD BE MY
PRIMARY
RECOMMENDATION
If that still doesn't clean it up (and a number of people are reporting
that
it did not with the Symantec tool), then follow the Manual Removal
instructions at the link in 3a. The following is courtesy of Mike Burgess:
"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis
(http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"
Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings some of which cannot not be
removed
by the Removal Tools, and you'll need to do a search to find and just
delete
them all, or clean them per the manual directions at the Symantec site.
4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe
To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Note that this is NOT a recreation of your original HOSTS
file, but a brand new "initialized" one. Now go to normal HOSTS file
location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or
Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it
created to "HOSTS" (no quotes, all caps, no extension). If you've been
using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a
Hosts
File), then you'll need to reset the new default you've created up for
that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In Kathleen <[email protected]> typed:
I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!
Jim Byrd said:Thanks Sandi.
--
Regards, Jim
Inhttp://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.htmlSandi - Microsoft MVP said:that
itcreated to "HOSTS" (no quotes, all caps, no extension). If you've been
using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a
Hosts
File), then you'll need to reset the new default you've created up for
that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well
as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In Kathleen <[email protected]> typed:
I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!
Sandi - Microsoft MVP said:Hi Jim,
Now I see the source for the confusion; Qhosts doesn't hijack you and send
you to the cpanel site, it sends you to a third party site that has been
shut down and *then* cpanel comes into play, which is a relief, because
cpanel is a 'legitimate' business, unlike the search engines/porn sites that
are normally the domain of hijackers/viruses.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.htmlJim Byrd said:3b. An alternative that by report may work better than the Symantec tool is
the Brown University Removal Tool, here:
http://software.brown.edu/dist/w-cleanqhosts.html THIS WOULD BE MY
PRIMARY
RECOMMENDATION
If that still doesn't clean it up (and a number of people are reporting that
it did not with the Symantec tool), then follow the Manual Removal
instructions at the link in 3a. The following is courtesy of Mike
Burgess:
"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal
redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis
(http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS
file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"
Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings some of which cannot not be
removed
by the Removal Tools, and you'll need to do a search to find and just
delete
them all, or clean them per the manual directions at the Symantec site.
4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe
To create a new Default version of HOSTS, run the program, click the
"Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Note that this is NOT a recreation of your original
HOSTS
file, but a brand new "initialized" one. Now go to normal HOSTS file
location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC
or
Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it
created to "HOSTS" (no quotes, all caps, no extension). If you've been using
your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts
File), then you'll need to reset the new default you've created up for that
purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as
offensive advertising.)
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In Kathleen <[email protected]> typed:
I also suddenly can't use any search engines (as of last
week). I get the "page can not be found" error when
trying a MSN or Yahoo search and when I try to do a Google
search I end up at cPanel. ???
I've tried re-installing IE6 and the latest updates, etc
and that doesn't work (although it also seems that the
attempt to re-install doesn't actually finish either.)
I've also scanned for and cleaned off viruses and
installed all the latest critical Windows updates (I'm
using Windows 2000)
Can anyone help me?
Thanks in advance!