search


pegfox

After having just posted my previous message, I find that
many people are having the same problem. Since 3 days ago,
while using Explorer5, searching wasn't a problem, so have
to assume that Exp.6 is the culprit. Why doesn't Microsoft
give us an answer? Or at least make it more convenient to
receive help.
 
Hi Pegfox - IE6 isn't the problem. You've apparently gotten infected with
the QHosts virus. Read here for information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191


Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"


Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings, and you'll need to find and delete
them all, per the manual directions at the Symantec site.

4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Now go to the normal HOSTS file location (Windows XP\2000
Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: -
C:\WINDOWS) and rename the "hosts" that it created to "HOSTS" (no quotes,
all caps, no extension). If you've been using your HOSTS file for ad
blocking (see http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted
Ads with a Hosts File), then you'll need to reset the new default you've
created up for that purpose.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
From Kim Komando radio computer talk show. www.komando.com
Has Google disappeared?

Q. The strangest thing is happening to my computer. When I try to search
with Google, I'm sent to an error page. It says I've downloaded a malicious
program. I don't understand this. What must I do to correct this?

A. I wrote about this in the last big weekend edition of our newsletter.
But I want to cover it again, because I've gotten several calls on the show
and e-mails about it. There is a fix, along with a new patch from
Microsoft, so all hope is not lost!

This problem is caused by a Trojan horse, which most people call Qhosts-1.
It may also be called Delude. People apparently were lured into this
situation by a spam e-mail. The spam sent them to a particular Web site,
where a pop-up ad downloaded the Trojan horse. The download was
accomplished through a flaw in Internet Explorer.

The Trojan horse then downloaded a file called Partyboy.exe. It prevents
access to search engines, including Google. Instead, victims initially
were sent to a page that displayed pop-up ads. The people behind this
probably were paid to run the ads. But that page was taken down by the
Internet service provider hosting it, and replaced with the error message
you saw.

Last weekend, Microsoft issued a patch that fixes the flaw in Internet
Explorer. Everyone should download it. Open Internet Explorer, and click
Tools>Windows Update. Let the site scan your computer. You can also learn
more about it here:
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If you have this problem on your computer, you have to change your hosts
file. In Windows XP, it is located at:
C:\Windows\System32\drivers\etc\Hosts.
In Windows 2000, it's at:
C:\Winnt\System32\drivers\etc\Hosts
If you are using Windows 98 or ME, try C:\Windows\Hosts. I could not find
a Hosts file on my installations of 98 and ME, but you may have it.

Open the Hosts file with Notepad. Remove any references to Google or any
other search engine, along with the IP address 64.191.95.139. Save the
file. If Notepad gives the Hosts file an extension of .txt, go into
Windows Explorer and change it. There should be no dot or extension after
the word Hosts.

You may still have the Trojan horse or other files on your system. Run an
updated anti-virus program. Also, run Ad-Aware and Spybot Search and
Destroy to find and delete them. Those two programs are free and can be
found at, respectively:
http://www.lavasoftusa.com
http://www.safer-networking.org/
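
The manual check described in the two replies above (Jim Byrd's note that several HOSTS files may carry the trojan's entries, and the Kim Komando answer's advice to remove search-engine references) can also be done programmatically. This is an added example, not part of any post in the thread; the watched-name list, the file name under Windows\Help and the sample text are assumptions made for illustration.

```python
import ipaddress
from pathlib import Path

# Brand labels to watch: an assumed list, extend it for your environment.
WATCHED = {"google", "yahoo", "altavista", "msn"}

# Locations named in the thread; the file name under Windows\Help is assumed.
CANDIDATES = [r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS",
              r"C:\Winnt\System32\drivers\etc\Hosts",
              r"C:\Windows\Hosts", r"C:\Windows\Help\hosts"]

def parse_hosts(text):
    """Yield (line_number, ip, names) for each well-formed entry."""
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks/tabs
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the line
        yield no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def find_redirects(text, watched=WATCHED):
    """Return (line_number, ip, name) for watched names mapped off-host."""
    hits = []
    for no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 ad-blocking entries are not redirects
        hits += [(no, str(ip), n) for n in names if watched & set(n.split("."))]
    return hits

def scan(paths=CANDIDATES):
    """Audit every listed file that exists; returns {path: hits}."""
    return {str(p): find_redirects(p.read_text(errors="replace"))
            for p in map(Path, paths) if p.is_file()}

# Constructed sample in the shape the thread describes (not from a real machine).
SAMPLE = """\
127.0.0.1      localhost
127.0.0.1      ads.example.com    # ad-blocking entry, left alone
64.191.95.139  www.google.com google.com
64.191.95.139\tWWW.Google.co.uk   # tab separated, mixed case
# 64.191.95.139 search.yahoo.com  (commented out, ignored)
"""

if __name__ == "__main__":
    print(find_redirects(SAMPLE), scan())
```

Loopback and 0.0.0.0 entries are skipped on purpose, so a HOSTS file used for ad blocking does not produce false hits.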
 
Thank-you for your quick response. First nasty infection
in 12 yrs., so didn't recognize it.