I ran the manual elimination process in addition to running Symantec's antivirus. (I've actually got to call them tomorrow morning.)
Following this process from the following link:
http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A
MANUAL REMOVAL INSTRUCTIONS
Removing Malware Entries from the Registry
Removing entries from the registry prevents the malware from performing its DNS redirection.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Use Search Asst="no"
Select and delete the above registry entry.
Repeat the same deletion process for the following registry entries:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Search Bar="http://www.google.com/ie"
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
@=http://www.google.com/keyword/%s
HKEY_CURRENT_USER>Software>Microsoft>Windows
CurrentVersion>Internet Settings
MigrateProxy=0
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Search Page=http://www.google.com
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
Provider="gogl"
HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
SearchAssistant=http://www.google.com/ie
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services>VxD>MSTCP
HostName="host"
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services>VxD>MSTCP
Domain="mydomain.com"
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services>VxD>MSTCP
NameServer="69.57.146.14,69.57.147.175"
HKEY_LOCAL_MACHINE>System>ControlSet001>Services
Tcpip>Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,
6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
HKEY_LOCAL_MACHINE>System>ControlSet002>Services
Tcpip>Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,
6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
HKEY_LOCAL_MACHINE>System>ControlSet001>
Services>Tcpip>Parameters>interfaces>windows
r0x="your s0x"
HKEY_LOCAL_MACHINE>System>ControlSet002
Services>Tcpip>Parameters>interfaces>windows
r0x="your s0x"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,
00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00
(equivalent to %SystemRoot%\Help)
Modify the DataBasePath to the following value
(equivalent to %SystemRoot%\System32\drivers\etc):
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,
00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,
00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,
00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00
(equivalent to %SystemRoot%\Help)
Modify the DataBasePath to the following value
(equivalent to %SystemRoot%\System32\drivers\etc):
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,
00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,
00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
Close Registry Editor
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Locating a Malware File
On Windows 9x/NT:
Click Start>Find>Files and Folders.
In the Named input box, type:
WINLOG
C:\bdtmp
In the Look In drop-down list, select the drive which contains Windows then press Enter.
On Windows 2000/ME/XP:
Click Start>Search>For Files and Folders.
In the Search for files and folders named input box, type:
WINLOG
C:\bdtmp
In the Look In drop-down list, select the drive which contains Windows then press Enter.
Deleting Other Malware Modifications
Right-click Start then click Search… or Find… depending on your version of Windows.
In the Named input box, type:
HOSTS
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
Open the file “HOSTS” with a text editor. You can do this by right-clicking the file and choosing “Open with”. In the “Open with” window, choose Notepad or any other text editor installed on your system.
Delete the lines containing the strings listed below. This erases the links written by the malware on the system.
Save the file “HOSTS” and close the text editor you used.
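
A way to check the two things this procedure repairs, as an added example (not part of the original post or of Trend Micro's instructions): it decodes a DataBasePath value from the hex form Registry Editor shows and lists every hosts entry that does not point at loopback. The function names, the sample hosts content and the address 203.0.113.10 are constructed for illustration.

```python
import re

# Default hosts directory, the path the page says DataBasePath should hold.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

# Value the page lists as the malware's DataBasePath setting.
MALWARE_VALUE = ("25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,"
                 "00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00")

# Constructed hosts file; 203.0.113.10 is a documentation-range address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
203.0.113.10 www.google.com   # constructed redirect entry
203.0.113.10 google.com
"""

def decode_expand_sz(hex_text):
    """Decode regedit-style comma-separated hex bytes (UTF-16LE string)."""
    tokens = [t for t in re.split(r"[,\s\\]+", hex_text.strip()) if t]
    raw = bytes(int(t, 16) for t in tokens)
    raw = raw[: len(raw) - len(raw) % 2]      # ignore a stray odd trailing byte
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def encode_expand_sz(path):
    """Encode a path as NUL-terminated UTF-16LE in regedit's hex notation."""
    return ",".join(f"{b:02x}" for b in (path + "\x00").encode("utf-16-le"))

def database_path_ok(hex_text):
    """True only if the value points at the default hosts directory."""
    return decode_expand_sz(hex_text).lower() == DEFAULT_DB_PATH.lower()

def non_loopback_entries(hosts_text):
    """Return (address, name) pairs for every mapping not aimed at loopback."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if addr.startswith("127.") or addr == "::1":
            continue
        found.extend((addr, n.lower()) for n in names)
    return found

if __name__ == "__main__":
    print(decode_expand_sz(MALWARE_VALUE), database_path_ok(MALWARE_VALUE))
    print(encode_expand_sz(DEFAULT_DB_PATH))
    print(non_loopback_entries(SAMPLE_HOSTS))
```

Decoding the replacement digits exactly as printed in the steps above gives `%SystemRoot%\drivers\etc` with one odd trailing byte, so generate the digits from the intended path with `encode_expand_sz` and decode them again before saving.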