google.com no longer works

Rich

I don't know what's wrong but google.com no longer works
in my browser. Instead of the web page I get a website
called cpanel and it says there is no address configured
to that address. Any help here would be great, thanks.
 
Jim Byrd

Hi Rich - You've apparently gotten infected with the QHosts trojan. Read
here for information:
http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191


Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"


Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings, and you'll need to find and delete
them all, per the manual directions at the Symantec site.

4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Now go to normal HOSTS file location (Windows XP\2000
Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: -
C:\WINDOWS) and rename the "hosts" that it created to "HOSTS" (no quotes,
all caps, no extension). If you've been using your HOSTS file for ad
blocking (see http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted
Ads with a Hosts File), then you'll need to reset the new default you've
created up for that purpose.




--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Patrick

Sorry Jim - No Go

I just updated my Norton virus sigs and ran a scan.

It did find the trojan qhosts.

I still have the same problem . . . . redirected to
cpanel . . .

 
Jim Byrd

Hi Patrick - Well, if you ran the Norton Removal Tool and still have the
problem, then you need to search for and delete any HOSTS files on your computer
that the trojan has modified as shown on the Manual Removal instructions
page. There may be several and they may be located in places other than
that normal for HOSTS for your machine (such as \Windows\Help, for example)
as well as in the normal place. Normal location is:

Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 98\ME Location: - C:\WINDOWS


If you ever want to use a HOSTS file for ad blocking or the like, you can
always create a new default as I outlined or just copy a good ad blocking
HOSTS file to that location in \drivers\etc such as the one here:
http://www.mvps.org/winhelp2002/hosts.zip from Mike Burgess' site. You can
read more about this here: http://www.mvps.org/winhelp2002/hosts.htm I
would recommend it, as it also stops much "malware" from getting on your
system as well as ads.


If you want to take some additional steps to defend your machine, I would
suggest the following:

The best way to start is to get Ad-Aware 6.0, Build 162 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly
to get rid of most "spyware/hijackware" on your machine.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan.



Next, courtesy of Mike Burgess:

--Recommended Minimum Security Settings--

Close all instances of IE and OE
Control Panel | Internet Options

Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"

1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts" = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in an IFRAME" = Prompt

Click on the "Content" tab
Click the "Publishers" button

Highlight and click "Remove" any unknowns, click Ok

Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok

Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/



Then, from me:

You might want to consider installing the SpywareBlaster and SpywareGuard
here to help prevent this kind of thing from happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware ActiveX
installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running (837 parasites
as of this date) if it is already installed, and it provides information and
fixit-links for a variety of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts
to install malware) Both Very Highly Recommended.

Good luck!


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
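
The manual check described in this thread (HOSTS files sitting outside the normal location, carrying entries that point search engines at another address) can be scripted. This is an added example, not part of the original posts; the watched hostnames other than google.com and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import os

# Assumption: hostnames to watch. google.com is from the thread; the rest are illustrative.
WATCHED = ("google.com", "yahoo.com", "msn.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, ignoring comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def redirected(text, watched=WATCHED):
    """Return watched hostnames mapped to a real (non-sinkhole) address."""
    hits = []
    for ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.0.0.1 / 0.0.0.0, ad-blocking style
        if not sinkhole and any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, str(ip)))
    return hits

def find_hosts_files(windows_dir, normal_dir):
    """Return (path, in_normal_location) for every file named 'hosts' under windows_dir."""
    normal = os.path.normcase(os.path.abspath(normal_dir))
    found = []
    for folder, _dirs, files in os.walk(windows_dir):
        for f in files:
            if f.lower() == "hosts":
                here = os.path.normcase(os.path.abspath(folder))
                found.append((os.path.join(folder, f), here == normal))
    return found

# Constructed sample: 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE = """\
127.0.0.1   localhost
127.0.0.1   ads.example.com      # ad-blocking entry, harmless
203.0.113.10 www.google.com google.com
203.0.113.10 search.yahoo.com
"""

if __name__ == "__main__":
    print(redirected(SAMPLE))
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for path, ok in find_hosts_files(root, os.path.join(root, "System32", "drivers", "etc")):
        print(path, "normal location" if ok else "UNEXPECTED location")
```

Entries mapped to 127.0.0.1 or 0.0.0.0 are treated as ad-blocking sinkholes and not reported, so a blocking HOSTS file of the kind recommended above does not raise false alarms.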



 
