Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 10-04-2003, 11:58 PM   #1 (permalink)
Apocalypse Nerd
 
Astrocloud's Avatar
 
Just spent a few Hours diagnosing fixing Qhost

Okay Qhost is a big pain in the ass. I was using Norton Anti-virus which qhost seems to mess with bigtime.

Note that you can catch this virus (technically a trojan) by simply visiting certain websites. The first symptom is that they blow away your homepage. They reset it to another page where they start loading system-fucks.


The second thing you will notice is that your search engine pages will be rerouted and/or your service provider will be innaccessible.

The safest thing to do is to download the latest versions of your virus-protection software and run it after visiting any unsavory websites. Run frequently.


I ran Norton's "fix" but it didn't actually solve all of my problems.

The best fix was located on Trend Micro's web page:

http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A


Best of luck
Astrocloud is offline  
Old 10-05-2003, 01:12 PM   #2 (permalink)
Stop. Think. Question.
 
rubicon's Avatar
 
Location: Redondo Beach, CA
Couldn't find references to "qhost" anywhere on Trend, Symantec, or Grisoft.

I did find this short article about Qhost: http://www.indefense.com/about/virus.asp?v=QHost-1.

(edit)

Here's more information: http://searchsecurity.techtarget.com...30281,00.html.
__________________
How you do anything is how you do everything.
rubicon is offline  
Old 10-05-2003, 07:23 PM   #3 (permalink)
Not so great lurker
 
Location: NY
Here is the reference to qhosts from Symantec's site.
http://www.sarc.com/avcenter/venc/da...an.qhosts.html

I have personally haven't seen this trojan BUT I am sure that the average user (who doesn't update their a/v and probably wouldn't know what a hosts file is), would not know what is wrong with their system or how to fix it.
heyal256 is offline  
Old 10-05-2003, 07:30 PM   #4 (permalink)
Knight of the Old Republic
 
Lasereth's Avatar
 
Location: Winston-Salem, NC
I *had* QHost, and I can safely say that it's a force that should be reckoned with. I couldn't open ANY search pages (it rerouted me to fucked up pages). So, I hit up Symantec's site and downloaded the fix for it. What do you know..."QHost is not detected on your computer." What the hell? I KNOW I had it, but nothing I did fixed it. I even uninstalled and re-installed Internet Explorer before I knew what it was and that didn't help. I ran Norton Anti-Virus, Symantec Anti-Virus, Ad-Aware, SpyBlaster, installed every single Microsoft Update for Windows XP ever made, and even tried System Restore. Guess what?

None of it worked. I ended up formatting yesterday morning. I now have all of the aformentioned installed again with Symantec Anti-Virus running in the system tray. I pray that I don't get it again, because right now there's literally no way to fix it.

-Lasereth
__________________
"A Darwinian attacks his theory, seeking to find flaws. An ID believer defends his theory, seeking to conceal flaws." -Roger Ebert
Lasereth is offline  
Old 10-05-2003, 07:55 PM   #5 (permalink)
Loser
 
WTF Happened to my Google? I'm so screwed!!!

Ladies (2%) and Gentlemen (98%),

A week ago, some mystery force changed my LAN settings from "Obtain IP Automatically" to something else. My ISP (Comcast Cable) tacitly admitted that something had infiltrated the trenches and messed up more than a few people. My buddy was likewise affected. I resored my settings. He did a system restore. I don't use system restore (WinXP Pro - legit).

OK, I can go to most every fun web page, including this one. The one remaining symptom, however, is that I cannot access Google. Also, I can get no search results from Altavista or Yahoo.

This troubles me no end.

WinXP Pro, fully updated, no SysRestore. If it helps, it's a Shuttle SB51G.

Can ANYone help a brother out? I'm the community PC doctor (three builds/rebuilds/reconfigs per month - free of charge), so I'm really at my wits end!!!

Please?
clamburglar is offline  
Old 10-05-2003, 08:49 PM   #6 (permalink)
Apocalypse Nerd
 
Astrocloud's Avatar
 
I ran the manual elimination process in addition to running Symantec's anti virus. (I've actually got to call them tomorrow morning.)

Following this process off of the following link

http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A


MANUAL REMOVAL INSTRUCTIONS

Removing Malware Entries from the Registry

Removing entries from the registry prevents the malware from performing its DNS redirection.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Use Search Asst="no"
Select and delete the above registry entry.
Repeat the same deletion process for the following registry entries:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Search Bar="http://www.google.com/ie"
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
@=http://www.google.com/keyword/%s
HKEY_CURRENT_USER>Software>Microsoft>Windows
CurrentVersion>Internet Settings
MigrateProxy=0
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
Search Page=http://www.google.com
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
Provider=”gogl"
HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer
Search = SearchAssistant=http://www.google.com/ie
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services\VxD\MSTCP
HostName="host"
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services>VxD>MSTCP
Domain="mydomain.com"
HKEY_LOCAL_MACHINE>System>CurrentControlSet
Services>VxD>MSTCP
NameServer="69.57.146.14,69.57.147.175"
HKEY_LOCAL_MACHINE>System>ControlSet001>Services
Tcpip>Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,
6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
HKEY_LOCAL_MACHINE>System>ControlSet002>Services
Tcpip>Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,
6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
HKEY_LOCAL_MACHINE>System>ControlSet001>
Services>Tcpip>Parameters>interfaces>windows
r0x="your s0x"
HKEY_LOCAL_MACHINE>System>ControlSet002
Services>Tcpip>Parameters>interfaces>windows
r0x="your s0x"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,
00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00
(equivalent to %SystemRoot%\Help)
Modify the DataBasePath to the following value
equivalent to %SystemRoot%\System32\drivers\etc):
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,
00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,
00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,
00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00
(equivalent to %SystemRoot%\Help)
Modify the DataBasePath to the following value
(equivalent to %SystemRoot%\System32\drivers\etc):
DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,
00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,
00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
Close Registry Editor
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Locating a Malware File

On Windows 9x/NT:

Click Start>Find>Files and Folders.
In the Named input box, type:
WINLOG
C:\bdtmp
In the Look In drop-down list, select the drive which contains Windows then press Enter.
On Windows 2000/ME/XP:

Click Start>Search>For Files and Folders.
In the Search for files and folders named input box, type:
WINLOG
C:\bdtmp
In the Look In drop-down list, select the drive which contains Windows then press Enter.
Deleting Other Malware Modifications

Right-click Start then click Search… or Find… depending on your version of Windows.
In the Named input box, type:
HOSTS
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
Open the file “HOSTS” with a text editor. You can do this by right-clicking the file and choose “Open with”. On the “Open with” window choose Notepad or any other text editor installed on your system.
Delete the lines containing the strings listed below. This erases the links written by the malware on the system.
www.google.akadns.net
www.google.com
google.com
www.altavista.com
altavista.com
search.yahoo.com
uk.search.yahoo.com
ca.search.yahoo.com
jp.search.yahoo.com
au.search.yahoo.com
de.search.yahoo.com
search.yahoo.co.jp
www.lycos.de
www.lycos.ca
www.lycos.jp
www.lycos.co.jp
alltheweb.com
web.ask.com
ask.com
www.ask.com
www.teoma.com
search.aol.com
www.looksmart.com
auto.search.msn.com
search.msn.com
ca.search.msn.com
fr.ca.search.msn.com
search.fr.msn.be
search.fr.msn.ch
search.latam.yupimsn.com
search.msn.at
search.msn.be
search.msn.ch
search.msn.co.in
search.msn.co.jp
search.msn.co.kr
search.msn.com.br
search.msn.com.hk
search.msn.com.my
search.msn.com.sg
search.msn.com.tw
search.msn.co.za
search.msn.de
search.msn.dk
search.msn.es
search.msn.fi
search.msn.fr
search.msn.it
search.msn.nl
search.msn.no
search.msn.se
search.ninemsn.com.au
search.t1msn.com.mx
search.xtramsn.co.nz
search.yupimsn.com
uk.search.msn.com
search.lycos.com
www.lycos.com
www.google.ca
google.ca
www.google.uk
www.google.co.uk
www.google.com.au
www.google.co.jp
www.google.jp
www.google.at
www.google.be
www.google.ch
www.google.de
www.google.se
www.google.dk
www.google.fi
www.google.fr
www.google.com.gr
www.google.com.hk
www.google.ie
www.google.co.il
www.google.it
www.google.co.kr
www.google.com.mx
www.google.nl
www.google.co.nz
www.google.pl
www.google.pt
www.google.com.ru
www.google.com.sg
www.google.co.th
www.google.com.tr
www.google.com.tw
go.google.com
google.at
google.be
google.de
google.dk
google.fi
google.fr
google.com.hk
google.ie
google.co.il
google.it
google.co.kr
google.com.mx
google.nl
google.co.nz
google.pl
google.com.ru
google.com.sg
www.hotbot.com
hotbot.com
Save the file “HOSTS” and close the text editor you used.
Astrocloud is offline  
Old 10-06-2003, 11:18 AM   #7 (permalink)
Stop. Think. Question.
 
rubicon's Avatar
 
Location: Redondo Beach, CA
Side note: interesting that I typed "qhost" into SARC and Trend web sites and didn't get any hits. Oh well.
__________________
How you do anything is how you do everything.
rubicon is offline  
Old 10-06-2003, 10:53 PM   #8 (permalink)
Tilted
 
The Symantec fix didn't work but the Trend Micro did... Don't forget to get the pattern file or else it won't work.

The scan took 4+ hours to complete, but all the search engines work fine now.
SuperFLYboy12 is offline  
 

Tags
diagnosing, fixing, hours, qhost, spent

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 12:28 PM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360