Refuse Connection to google.com

Leigh

Hi,

Since yesterday, I can no longer access www.google.com.
The "ping" command used the following ip address

207.44.194.56

However, my DNS server says the address is

216.239.39.99

"ipconfig /displaydns" returned 207.44.194.56 as
the ip address for many search engines.

"ipconfig /flushdns" executed successfully but
did not clear the wrong records.

The situation is the same even if I stop the DNS client
service.

How could I resolve this problem?

Leigh
 
Lord_Kaos

I'm seeing the same problem; apparently it was an attack
from a specially formatted webpage that uses a flaw in one
of MS's recent patches and there is no new patch to fix
the patch yet. I'm just short of reinstalling the OS
right now if I can't find out which file(s) to replace to
clear out the bad cache...

email above just needs - removed.
 
Randall

You have been hijacked by a web site. Most likely for a DOS attack.
You need to clean your winnt\help\hosts file. Then reboot.

Randall Cole
 
Randall

Has anyone tracked down what caused this? I don't think it is the
Trojan.QHOST. None of the files from QHOST are on this system.

Randall
 
Kent W. England [MVP]

If this is the Qhosts infection, you need to clean it out and apply the
Windows Update referenced by KB828750 to fix the vulnerability.

The new Qhosts bug exploits the unpatched residual vulnerability in
MS03-032. See http://vil.nai.com/vil/content/v_100719.htm and
http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html for more
details.

You can fix the Qhosts bug manually if your AV tools don't do it.

Delete the following files:
%WinDir%\Help\hosts
%WinDir%\winlog

Delete the following directory:
c:\bdtmp\tmp

Reset the following registry key value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath" = %SystemRoot%\System32\drivers\etc

Delete the following registry key value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows
"r0x" = your s0x

Delete the following IP addresses from your DNS servers list, if
present:
69.57.146.14
69.57.147.175
and reconfigure your DNS server IP addresses, as required by your
service provider.

Qhosts sets all search values to Google. Reconfigure your Internet
Explorer search settings as desired, if you don't want Google.

To prevent this exploit, install the critical update described by
bulletin MS03-040 and KB828750. To test your browser vulnerability to
this exploit, see http://www.secunia.com/MS03-032/.
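
The manual checks listed in the post above can be run as a read-only audit before anything is deleted. This PowerShell script is an added example, not part of the original thread; the paths, registry values and DNS addresses are the ones given in the post, and it assumes the configured DNS servers are stored in the standard `NameServer` and `DhcpNameServer` values under the Tcpip keys.

```powershell
# Read-only audit for the Qhosts indicators listed in the post above.
# Nothing is changed; findings are collected and printed for review.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. DataBasePath tells the resolver which directory holds the hosts file.
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
$raw = (Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue).DataBasePath
if (-not $raw) {
    Add-Finding 'DataBasePath' 'value is missing or empty'
} else {
    $actual = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
    if ($actual -ne $expected) { Add-Finding 'DataBasePath' "points to $actual" }
}

# 2. Files and directory named in the post.
$paths = @(
    (Join-Path $env:WinDir 'Help\hosts'),
    (Join-Path $env:WinDir 'winlog'),
    'C:\bdtmp\tmp'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'Path exists' $p }
}

# 3. The "r0x" value under the Interfaces\windows key.
$rogueKey = "$tcpip\Interfaces\windows"
$r0x = (Get-ItemProperty -Path $rogueKey -ErrorAction SilentlyContinue).r0x
if ($null -ne $r0x) { Add-Finding 'Registry value' "$rogueKey\r0x = $r0x" }

# 4. The two DNS server addresses, globally and per interface.
#    NameServer / DhcpNameServer hold space- or comma-separated lists.
$rogueDns = '69.57.146.14', '69.57.147.175'
$subKeys  = @(Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue |
              ForEach-Object { $_.PSPath })
foreach ($k in @($tcpip) + $subKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        foreach ($s in ("$($props.$name)" -split '[,\s]+')) {
            if ($rogueDns -contains $s) { Add-Finding 'DNS server' "$s in $name ($k)" }
        }
    }
}

if ($findings.Count) { $findings | Format-List } else { 'No listed Qhosts indicators found.' }
```

An empty result only means these specific indicators are absent; the MS03-040 / KB828750 update is still needed to close the vulnerability.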
 
