Failure to access to Google website

[Bruce]

I can no longer access the Google website or have searches
work on MSN Search, Alta Vista, Yahoo or Lycos. I keep
getting "This page cannot be displayed". Excite and
Webcrawler search engines work just fine. I have done
everything my IP and Microsoft asked me to do including a
virus scan. I have the feeling from a couple of posts that
I'm not alone with this problem. Any advice?

 

[Ecurb]

From Kim Komando computer radio talk show. www.komando.com
-------------------------------------------------------
Has Google disappeared?

Q. The strangest thing is happening to my computer. When
I try
to search with Google, I'm sent to an error page. It says
I've
downloaded a malicious program. I don't understand this.
What must
I do to correct this?

A. I wrote about this in the last big weekend edition of
our
newsletter. But I want to cover it again, because I've
gotten several
calls on the show and e-mails about it. There is a fix,
along with a
new patch from Microsoft, so all hope is not lost!

This problem is caused by a Trojan horse, which most
people call
Qhosts-1. It may also be called Delude. People apparently
were lured
into this situation by a spam e-mail. The spam sent them
to a
particular Web site, where a pop-up ad downloaded the
Trojan horse.
The download was accomplished through a flaw in Internet
Explorer.

The Trojan horse then downloaded a file called
Partyboy.exe. It
prevents access to search engines, including Google.
Instead, victims
initially were sent to a page that displayed pop-up ads.
The people
behind this probably were paid to run the ads. But that
page was taken
down by the Internet service provider hosting it, and
replaced with the
error message you saw.

Last weekend, Microsoft issued a patch that fixes the
flaw in Internet
Explorer. Everyone should download it. Open Internet
Explorer, and
click Tools>Windows Update. Let the site scan your
computer. You can
also learn more about it here:
http://www.microsoft.com/security/security_bulletins/ms03-
040.asp

If you have this problem on your computer, you have to
change your
hosts file. In Windows XP, it is located at:
C:\Windows\System32\drivers\etc\Hosts.
In Windows 2000, it's at:
C:Winnt\System32\drivers\etc\Hosts
If you are using Windows 98 or ME, try C:\Windows\Hosts.
I could
not find a Hosts file on my installations of 98 and ME,
but you may
have it.

Open the Hosts file with Notepad. Remove any references
to Google
or any other search engine, along with the IP address
64.191.95.139.
Save the file. If Notepad gives the Hosts file an
extension of .txt,
go into Windows Explorer and change it. There should be
no dot or
extension after the word Hosts.

You may still have the Trojan horse or other files on
your system.
Run an updated anti-virus program. Also, run Ad-Aware and
Spybot Search
and Destroy to find and delete them. Those two programs
are free and
can be found at, respectively:
http://www.lavasoftusa.com
http://www.safer-networking.org/

 

[teach486]

The only search engine I have found in the last two days
that will work is http://www.dogpile.com. Seems many
others are having the same difficulties (see my other post
for details).

 

[Chris]

I am having the exact same problem! Came here for
answers. Any luck?

 

[H Leboeuf]

http://www.f-secure.com/v-descs/delude.shtml

NAME: Delude
ALIAS: Trojan.BAT.Startpage.a
Delude is a trojan that is available on a web page. The web page contains a
code that uses a vulnerability in the Internet Explorer (MS03-032) to
execute.
More information about the vulnerability, including a fix, is available from
Microsoft at:
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
VARIANT: Delude.A
The HTA code available on a web page downloads a file "partyboy.exe" from an
ftp site and runs it. This file is is packed with UPX. It is a batch file
which was compiled to executable binary (".exe") using a BatToExe tool.
When executed, it changes the Internet Explorer start page to find-now.info.
It prevents access to the most major search engines such as Google, Yahoo,
Lycos, MSN and AltaVista. To do this it replaces the following file:

More:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
http://vil.nai.com/vil/content/v_100719.htm
http://www.sophos.com/virusinfo/analyses/trojqhosts1.html

 

[H Leboeuf]

http://www.f-secure.com/v-descs/delude.shtml

NAME: Delude
ALIAS: Trojan.BAT.Startpage.a
Delude is a trojan that is available on a web page. The web page contains a
code that uses a vulnerability in the Internet Explorer (MS03-032) to
execute.
More information about the vulnerability, including a fix, is available from
Microsoft at:
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
VARIANT: Delude.A
The HTA code available on a web page downloads a file "partyboy.exe" from an
ftp site and runs it. This file is is packed with UPX. It is a batch file
which was compiled to executable binary (".exe") using a BatToExe tool.
When executed, it changes the Internet Explorer start page to find-now.info.
It prevents access to the most major search engines such as Google, Yahoo,
Lycos, MSN and AltaVista. To do this it replaces the following file:

More:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
http://vil.nai.com/vil/content/v_100719.htm
http://www.sophos.com/virusinfo/analyses/trojqhosts1.html