IE 6 and Google

Mike Burgess

Carolyn,
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect *all* major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)

Microsoft has released a cumulative patch for this vulnerability:
Simply go to Windows Update [hotfix 828750]
[more info]
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If your AV did not detect or you simply don't have an AV (bad idea)
Free Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

AVG AntiVirus 6.0 [freeware] http://www.grisoft.com/

_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid
 
Mike Burgess

Cal,
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect *all* major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)

Microsoft has released a cumulative patch for this vulnerability:
Simply go to Windows Update [hotfix 828750]
[more info]
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If your AV did not detect or you simply don't have an AV (bad idea)
Free Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

AVG AntiVirus 6.0 [freeware] http://www.grisoft.com/

_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid
 
Mike Burgess

HG,
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect *all* major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)

Microsoft has released a cumulative patch for this vulnerability:
Simply go to Windows Update [hotfix 828750]
[more info]
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If your AV did not detect or you simply don't have an AV (bad idea)
Free Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

AVG AntiVirus 6.0 [freeware] http://www.grisoft.com/

_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid
 
Jim Byrd

Yeah, Mike, I understand that. What it will let him do, however, is to
create a new default if he's deleted any malware HOSTS files in Help or
wherever (some people are reporting multiple locations in addition to Help)
into which he can then copy your HOSTS file. I'll modify my writeup to make
this clearer, since it didn't come through to you that way. :)

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Mike Burgess said:
Jim,
FYI: the HOST File Reader is useless in this case ......
As previously pointed out it *only* looks in the default location,
in other words it won't find the QHosts created file in Windows\Help
(if exists)

As a work-around the new beta version of HijackThis can detect ...
http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS
file http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid

Jim Byrd said:
Hi Jeff - You've apparently gotten infected with the QHosts virus. Read here
for information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191

Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there.

4. You probably will then need to restore your HOSTS file. Download the
Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

Run the program, click the "Read Hosts File" button, click the button
labeled "Reset Defaults" and click "Save Changes." If you've been using your
HOSTS file for ad blocking (see http://www.mvps.org/winhelp2002/hosts.htm
Blocking Unwanted Ads with a Hosts File), then you'll need to reset it up
for that purpose.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Mike Burgess

Jim,
I understand the problem, many users still have not fixed the Registry:
[example -Qhost]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath" = %SystemRoot%\Help

[default -XP]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath" = %SystemRoot%\System32\drivers\etc

DataBasePath = Use HOSTS file (if exists)
Note: the manual method seems to be the only real cure?
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
The beta HijackThis can help reset *some* settings but not all ........
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid
 
Jim Byrd

Hi Mike - I'm just not sure about their tool. I don't know if it cleans up
some of it, but just doesn't handle the HOSTS file issue(s) or just doesn't
do anything. It does appear to do a scan, and I don't think it can hurt, but I
agree - the Manual Method seems to be the appropriate approach at this
point. I'm continuing to advise people to use it in the event that they "fix"
the fix, but to default to Manual thereafter.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
Mike Burgess

Jim,
Another example of a poorly written trojan ... I guess?
Seems to have had different effects on 98\ME users than XP\2K?
Some are finding duplicate HOSTS file, some not?

[opinion]
There are just too many users affected (Google) to be just from
that one page at FortuneCity. I think we are seeing a mixture of
"Delude", "Delude.A", "Delude-B", "Delude.E", and the "cpanel hijacker"

I think the HostsFileReader although does what the author intended, gives the
user the wrong impression = "reset to Defaults", this in effect wipes all
entries except for: "127.0.0.1 localhost", I think the average user thinks that
this app is intended to remove the bogus search entries and remove those only?

_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid
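
A check along the lines discussed in the DataBasePath post and in the post above about "Reset Defaults": compare the registry value with the XP default, then remove only the redirect entries from a HOSTS file while keeping "127.0.0.1 localhost" and any blocking entries. This is an added example, not code from anyone in the thread; the watch list, the sink-address rule, the sample file and all function names are assumptions made here.

```python
"""Audit for the HOSTS-file hijack discussed in this thread (added example)."""
import ntpath
import re

# Default value quoted in the thread for XP.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Assumption: addresses that only sink traffic, as ad-blocking HOSTS files use.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: watch list standing in for "all major search engines".
WATCHED_DOMAINS = ("google.com", "yahoo.com", "msn.com")

# Constructed sample; 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# ad-blocking entries the user wants to keep
127.0.0.1 ads.example.net
0.0.0.0 banner.yahoo.com
192.0.2.10 www.google.com google.com
192.0.2.10 search.msn.com  # injected
"""


def normalize_db_path(value, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot% and normalise case and slashes for comparison."""
    expanded = re.sub("%systemroot%", lambda _m: system_root, value, flags=re.I)
    return ntpath.normcase(ntpath.normpath(expanded))


def database_path_is_default(value, system_root=r"C:\WINDOWS"):
    default = normalize_db_path(DEFAULT_DB_PATH, system_root)
    return normalize_db_path(value, system_root) == default


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_redirects(hosts_text):
    """Map line number -> (address, watched hostnames) for redirect entries.

    A watched name bound to a sink address is treated as a blocking entry
    and left alone; only a non-sink address makes it a redirect.
    """
    hits = {}
    for line_no, address, hosts in parse_hosts(hosts_text):
        watched = [h for h in hosts if is_watched(h)]
        if watched and address not in SINK_ADDRESSES:
            hits[line_no] = (address, watched)
    return hits


def audit(db_path_value, hosts_text, system_root=r"C:\WINDOWS"):
    """Return human-readable findings for the registry value and the file."""
    findings = []
    if not database_path_is_default(db_path_value, system_root):
        findings.append(f"DataBasePath is {db_path_value!r}, expected {DEFAULT_DB_PATH!r}")
    for line_no, (address, hosts) in sorted(find_redirects(hosts_text).items()):
        findings.append(f"line {line_no}: {', '.join(hosts)} -> {address}")
    return findings


def remove_redirects(hosts_text):
    """Drop only the redirect lines; return (cleaned_text, removed_lines)."""
    bad = find_redirects(hosts_text)
    kept, removed = [], []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        (removed if line_no in bad else kept).append(raw)
    return "\n".join(kept) + "\n", removed


def read_database_path():
    """Windows only: return the raw, unexpanded DataBasePath value."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
        return winreg.QueryValueEx(key, "DataBasePath")[0]


if __name__ == "__main__":
    # Demo on the constructed sample with the hijacked value from the thread.
    for finding in audit(r"%SystemRoot%\Help", SAMPLE_HOSTS):
        print(finding)
    cleaned, removed = remove_redirects(SAMPLE_HOSTS)
    print(f"removed {len(removed)} line(s); kept:\n{cleaned}", end="")
```

On a live Windows system, pass read_database_path() and the text of the HOSTS file found in that folder to audit(), so the file that the resolver actually uses is the one inspected.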
 
Jim Byrd

Hi Mike - I hadn't thought about the reader getting that interpretation, but
you could be right. As a precaution, I'm going to add a warning to that
part of my post. You may very well be right about the mix - this is
starting to get widespread enough that I expect the AV vendors to start
taking more notice, so maybe we'll get some clarification and/or some better
tools.

--
Regards, Jim


 
aravind

Jim & Mike....

I have the same issue but what appears more complex is that

I do not have any single reference to any of the registry entries
Or I do not have any other host file, just the single one at
system32\drivers\etc
I do not have the bldmp temp directory.

I have applied adware, spybot, hijackthis, the beta hijack this, the
Brown University qhost finder tool, Symantec's qhost finder, updated AV
signatures.

I have applied the ms-patches too.

I have gone through all the recommended registry strings advised by
many in different groups...not a single one exists. I deleted the host
...recreated a new one...re installed tcpip....

but no go at all. I can't access google, yahoo, yahoo mail and quite
a number of other web sites too... I can only this google groups by
using other browsers.

There is something being overlooked...some kind of camouflage cleverly
done here by QHOST and mixture of variants. My OS is XP Professional SP1.

Kindly keep up your great work guys and see if you can find a fix ...

Cheers Thanks.


Jeff typed:
Same problem for me. Please let me know if you receive a fix.
-----Original Message-----
Yes, I am having the same problem. I cannot get to the
google site at all. I also can not use the search feature
at MSN or Yahoo.

Not sure what has happened.
 
Jim Byrd

Hi Aravind - Re- Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (latest release)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click
the Config button, then Misc Tools and click on Generate StartupList.log
which will create Startuplist.txt

Go to Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files into a message asking for assistance,
Someone will answer with detailed instructions for the removal of your
parasite(s).

See if the "experts" there can diagnose the problem.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
aravind said:
Jim & Mike....

I have the same issue but what appears more complex is that

I do not have any single reference to the any of the regsirty entries
Or I do not have any other host file just the single one at
system32\drivers\etc
I do not have the bldmp temp directory.

I have applied adware, spybot, hijackthis, the beta hijack this, the
brown university qhost finder tool, symantecs qhost finder, updated AV
signatures.

I have applied the ms-patches too.

I have gone through all the recommended registry strings adviced by
many in different groups...not a single one exist. I deleted the host
..recreated a new one...re installed tcpip....

but no go at all. i can't access google, yahoo, yahoo mail and quite
a number of other web sites tooo... I can only this google groups by
using other browsers.

There is something being overlooked...some kind of camouflage cleverly
done here
by QHOST and mixture of variants. MY os is Xp Professional SP1.

Kindly keep up u r great work guys and see if you can find a fix ...

Cheers Thanks.


Jim Byrd said:
HI Mike - I hadn't thought about the reader getting that interpretation, but
you could be right. As a precaution, I'm going to add a warning to that
part of my post. You may very well be right about the mix - this is
starting to get widespread enough that I expect the AV vendors to start
taking more notice, so maybe we'll get some clarification and/or some better
tools.

--
Regards, Jim


In
Mike Burgess said:
Jim,
Another example of a poorly written trojan ... I guess?
Seems to have had different effects on 98\ME users than XP\2K?
Some are finding duplicate HOSTS file, some not?

[opinion]
There are just too many users affected (Google) to be just from
that one page at FortuneCity. I think we are seeing a mixture of
"Delude", "Delude.A", "Delude-B", "Delude.E", and the "cpanel
hijacker"

I think the HostsFileReader although does what the author intended,
gives
the
user the wrong impression = "reset to Defaults", this in effect wipes
all
entries
except for: "127.0.0.1 localhost", I think the average user thinks
that
this app
is intended to remove the bogus search entries and remove those only?

_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS
file http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid

Hi Mike - I'm just not sure about their tool. I don't know if it cleans up some of it, but just doesn't handle the HOSTS file issue(s) or just doesn't do anything. It does appear to do a scan, and I don't think it can hurt, but I agree - the Manual Method seems to be the appropriate approach at this point. I'm continuing to advise people to use it in the event that they "fix" the fix, but to default to Manual thereafter.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In Mike Burgess <[email protected]> typed:
Jim,
I understand the problem, many users still have not fixed the Registry:
[example -Qhost]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath" = %SystemRoot%\Help

[default -XP]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath" = %SystemRoot%\System32\drivers\etc

DataBasePath = Use HOSTS file (if exists)
Note: the manual method seems to be the only real cure?
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
The beta HijackThis can help reset *some* settings but not all ........
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid

Yeah, Mike, I understand that. What it will let him do, however, is to create a new default if he's deleted any malware HOSTS files in Help or wherever (some people are reporting multiple locations in addition to Help) into which he can then copy your HOSTS file. I'll modify my writeup to make this clearer, since it didn't come through to you that way. :)

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In Mike Burgess <[email protected]> typed:
Jim,
FYI: the HOST File Reader is useless in this case ......
As previously pointed out it *only* looks in the default location, in other words it won't find the QHosts created file in Windows\Help (if exists)

As a work-around the new beta version of HijackThis can detect ...
http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid

Hi Jeff - You've apparently gotten infected with the QHosts virus. Read here for information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191

Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this virus uses:
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most of the major AV companies have updated their latest signatures to detect this virus (for Network Associates, be sure to get the EXTRADAT.exe update from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the directions CAREFULLY (particularly about the Restore option) and download and run the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
If that still doesn't clean it up (and a number of people are reporting that it did not), then follow the Manual Removal instructions there.

4. You probably will then need to restore your HOSTS file. Download the Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

Run the program, click the "Read Hosts File" button, click the button labeled "Reset Defaults" and click "Save Changes." If you've been using your HOSTS file for ad blocking (see http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts File), then you'll need to reset it up for that purpose.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In Jeff <[email protected]> typed:
Same problem for me. Please let me know if you receive a fix.
-----Original Message-----
Yes, I am having the same problem. I cannot get to the
google site at all. I also can not use the search feature
at MSN or Yahoo.

Not sure what has happened.
.
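
The two checks discussed in the thread above, as an added example (not code from any poster or from the tools they mention): it compares a DataBasePath value with the XP default Mike Burgess quotes, works out which HOSTS file Windows will actually read, and lists only the entries that send search-engine names to a non-loopback address, so ad-blocking entries are left alone. The watch list, the C:\WINDOWS system root and the sample HOSTS text are assumptions constructed for illustration.

```python
import ntpath
import re

# [default -XP] value quoted in the thread
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
# Assumption: illustrative watch list of search-engine name fragments
WATCHED = ("google.", "yahoo.", "msn.")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample; 192.0.2.10 is a documentation-only address
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.net   # ad-blocking entry, should be kept
192.0.2.10  www.google.com google.com
192.0.2.10  search.yahoo.com
"""

def expand(path, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot% (any case) and tidy the path; system_root is assumed."""
    expanded = re.sub("%SystemRoot%", lambda m: system_root, path, flags=re.I)
    return ntpath.normpath(expanded)

def check_database_path(value):
    """Return None when DataBasePath is the default, else a finding string."""
    if ntpath.normcase(expand(value)) == ntpath.normcase(expand(DEFAULT_DB_PATH)):
        return None
    return f"DataBasePath is not the default: {value}"

def active_hosts_file(value):
    """HOSTS file Windows actually reads, which may not be the default one."""
    return ntpath.join(expand(value), "hosts")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_entries(text):
    """Entries mapping a watched name to a non-loopback address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip not in LOOPBACK and any(w in name for w in WATCHED)]

if __name__ == "__main__":
    print(check_database_path(r"%SystemRoot%\Help"))
    print(active_hosts_file(r"%SystemRoot%\Help"))
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print("remove:", ip, name)
```

On a live machine the DataBasePath value would come from the Tcpip\Parameters key named in the thread, and the text from the file that active_hosts_file() returns.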
 
