Search Engines

  • Thread starter Thread starter Debbie
  • Start date Start date
D

Debbie

HELP, I can't use any search engines, yet I can type
in an address and go there. I had just downloaded
a pop-up stopper from download.com...and it didn't
work that well so I removed it...don't know if this could
be the problem....anyone that is having this problem
put a pop-up stopper on their computer?
Any Ideas???
 
Hi Debbie - You've apparently gotten infected with the QHosts virus. Read
here for information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191


Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"


Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings, and you'll need to find and delete
them all, per the manual directions at the Symantec site.

4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Now go to normal HOSTS file location (Windows XP\2000
Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: -
C:\WINDOWS) and rename the "hosts" that it created to "HOSTS" (no quotes,
all caps, no extension). If you've been using your HOSTS file for ad
blocking (see http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted
Ads with a Hosts File), then you'll need to reset the new default you've
created up for that purpose.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
We have the same problem as well. Cannot access any
search engine.... Ran the Qhost removal program from
Symantec without success.

Thank you for any help!!!
 
Looks like it's the QHost virus. I'm having this problem
too. Here's what I was able to find about it:

http://us.mcafee.com/virusInfo/default.asp?
id=description&virus_k=100719

Microsoft patch:
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bulletin/MS03-040.asp

The purpose of this trojan is to "hijack" browser use.
When page requests are made, they are rerouted to
specified Domain Name Servers. This allows a
remote "administrator" to direct users to the pages of
their choosing. For example, if an infected user
attempted to navigate to http://www.google.com, they
would be routed to a different site.


This trojan is responsible for recent reports of strange
DNS changes on systems as recently reported on
NTBUGTRAQ. The operations of the trojan are as follows:

A user is directed to a web site that contains Exploit-
ObjectData code. NOTE: The MS03-032 patch does not
protect against this attack vector. MS03-040 is required.
This allows for the automatic execution of VBScript
contained in an HTML file (x.hta)
This VBScript drops the file AOLFIX.EXE in the %TEMP%
directory
This dropped AOLFIX.EXE is run, which may perform
different tasks (several variants are known to exist)
The VBScript creates the file O.BAT, which cleans up
after the trojan by deleting the dropped AOLFIX.EXE file
and the O.BAT file
 
HI M, Heather and Mark - Please see my response to Debbie in this thread.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
I am having the same problem. No search engines work -
Yahoo, Google, even the one loaded on the IE browser. I
am convinced it has something to do with the latest IE
patch because I just downloaded it and everything stopped
working. Can anyone confirm this?
 
wr,
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects *all* major search engines to a website.
Note: this website has now been removed, thus the DNS errors.

Microsoft has released a cumulative patch for this vulnerability:
Simply go to Windows Update [hotfix 828750]
[more info]
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

[manual removal method]
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
Note: not all machines are affected by the same Registry changes
but the user needs to verify in any case.

You can detect "Qhosts" via a new beta version of HijackThis
http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip
[more info]
http://forums.spywareinfo.com/index.php?showtopic=12127

For instruction on using HijackThis!
http://www.mvps.org/winhelp2002/unwanted.htm
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 10-07-03]
Please post replies to this Newsgroup, email address is invalid
--
 
Corrupt or compromised HOSTS file.

Search for the file named HOSTS (just that, no extension).

Open it with any text editor (Wordpad, Notepad, etc.),
delete everything, save the blank document. If you're
skittish about what might happen, save a copy on your
desktop before you clear it out.

Restart your machine.

All should be well.

Matt
 
Back
Top