10-04-2003, 11:58 PM | #1
Apocalypse Nerd
Just spent a few Hours diagnosing fixing Qhost
Okay Qhost is a big pain in the ass. I was using Norton Anti-virus which qhost seems to mess with bigtime.
Note that you can catch this virus (technically a trojan) by simply visiting certain websites. The first symptom is that they blow away your homepage. They reset it to another page where they start loading system-fucks. The second thing you will notice is that your search engine pages will be rerouted and/or your service provider will be inaccessible. The safest thing to do is to download the latest versions of your virus-protection software and run it after visiting any unsavory websites. Run frequently. I ran Norton's "fix" but it didn't actually solve all of my problems. The best fix was located on Trend Micro's web page: http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A Best of luck
10-05-2003, 01:12 PM | #2
Stop. Think. Question.
Location: Redondo Beach, CA
Couldn't find references to "qhost" anywhere on Trend, Symantec, or Grisoft.
I did find this short article about Qhost: http://www.indefense.com/about/virus.asp?v=QHost-1. (edit) Here's more information: http://searchsecurity.techtarget.com...30281,00.html.
__________________
How you do anything is how you do everything.
10-05-2003, 07:23 PM | #3
Not so great lurker
Location: NY
Here is the reference to qhosts from Symantec's site.
http://www.sarc.com/avcenter/venc/da...an.qhosts.html I personally haven't seen this trojan BUT I am sure that the average user (who doesn't update their a/v and probably wouldn't know what a hosts file is) would not know what is wrong with their system or how to fix it.
10-05-2003, 07:30 PM | #4
Knight of the Old Republic
Location: Winston-Salem, NC
I *had* QHost, and I can safely say that it's a force that should be reckoned with. I couldn't open ANY search pages (it rerouted me to fucked up pages). So, I hit up Symantec's site and downloaded the fix for it. What do you know..."QHost is not detected on your computer." What the hell? I KNOW I had it, but nothing I did fixed it. I even uninstalled and re-installed Internet Explorer before I knew what it was and that didn't help. I ran Norton Anti-Virus, Symantec Anti-Virus, Ad-Aware, SpyBlaster, installed every single Microsoft Update for Windows XP ever made, and even tried System Restore. Guess what?
None of it worked. I ended up formatting yesterday morning. I now have all of the aforementioned installed again with Symantec Anti-Virus running in the system tray. I pray that I don't get it again, because right now there's literally no way to fix it. -Lasereth
__________________
"A Darwinian attacks his theory, seeking to find flaws. An ID believer defends his theory, seeking to conceal flaws." -Roger Ebert
10-05-2003, 07:55 PM | #5
Loser
WTF Happened to my Google? I'm so screwed!!!
Ladies (2%) and Gentlemen (98%),
A week ago, some mystery force changed my LAN settings from "Obtain IP Automatically" to something else. My ISP (Comcast Cable) tacitly admitted that something had infiltrated the trenches and messed up more than a few people. My buddy was likewise affected. I restored my settings. He did a system restore. I don't use system restore (WinXP Pro - legit). OK, I can go to most every fun web page, including this one. The one remaining symptom, however, is that I cannot access Google. Also, I can get no search results from Altavista or Yahoo. This troubles me no end. WinXP Pro, fully updated, no SysRestore. If it helps, it's a Shuttle SB51G. Can ANYone help a brother out? I'm the community PC doctor (three builds/rebuilds/reconfigs per month - free of charge), so I'm really at my wit's end!!! Please?
10-05-2003, 08:49 PM | #6
Apocalypse Nerd
I ran the manual elimination process in addition to running Symantec's anti virus. (I've actually got to call them tomorrow morning.)
Following this process off of the following link http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A

MANUAL REMOVAL INSTRUCTIONS

Removing Malware Entries from the Registry

Removing entries from the registry prevents the malware from performing its DNS redirection.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
   Use Search Asst="no"
3. Select and delete the above registry entry.
4. Repeat the same deletion process for the following registry entries:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
   Search Bar="http://www.google.com/ie"
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
   @=http://www.google.com/keyword/%s
   HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
   MigrateProxy=0
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
   Search Page=http://www.google.com
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
   Provider="gogl"
   HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
   SearchAssistant=http://www.google.com/ie
   HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
   HostName="host"
   HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
   Domain="mydomain.com"
   HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
   NameServer="69.57.146.14,69.57.147.175"
   HKEY_LOCAL_MACHINE>System>ControlSet001>Services>Tcpip>Parameters
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
   HKEY_LOCAL_MACHINE>System>ControlSet002>Services>Tcpip>Parameters
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
   HKEY_LOCAL_MACHINE>System>ControlSet001>Services>Tcpip>Parameters>interfaces>windows
   r0x="your s0x"
   HKEY_LOCAL_MACHINE>System>ControlSet002>Services>Tcpip>Parameters>interfaces>windows
   r0x="your s0x"
5. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (equivalent to %SystemRoot%\Help)
   Modify the DataBasePath to the following value (equivalent to %SystemRoot%\System32\drivers\etc):
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
6. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (equivalent to %SystemRoot%\Help)
   Modify the DataBasePath to the following value (equivalent to %SystemRoot%\System32\drivers\etc):
   DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00,00
7. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Locating a Malware File

On Windows 9x/NT:
1. Click Start>Find>Files and Folders.
2. In the Named input box, type: WINLOG C:\bdtmp
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

On Windows 2000/ME/XP:
1. Click Start>Search>For Files and Folders.
2. In the Search for files and folders named input box, type: WINLOG C:\bdtmp
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

Deleting Other Malware Modifications

1. Right-click Start then click Search... or Find... depending on your version of Windows.
2. In the Named input box, type: HOSTS
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
4. Open the file "HOSTS" with a text editor. You can do this by right-clicking the file and choosing "Open with". On the "Open with" window choose Notepad or any other text editor installed on your system.
5. Delete the lines containing the strings listed below. This erases the links written by the malware on the system.
   www.google.akadns.net www.google.com google.com
   www.altavista.com altavista.com
   search.yahoo.com uk.search.yahoo.com ca.search.yahoo.com jp.search.yahoo.com au.search.yahoo.com de.search.yahoo.com search.yahoo.co.jp
   www.lycos.de www.lycos.ca www.lycos.jp www.lycos.co.jp
   alltheweb.com web.ask.com ask.com www.ask.com www.teoma.com search.aol.com www.looksmart.com
   auto.search.msn.com search.msn.com ca.search.msn.com fr.ca.search.msn.com search.fr.msn.be search.fr.msn.ch search.latam.yupimsn.com
   search.msn.at search.msn.be search.msn.ch search.msn.co.in search.msn.co.jp search.msn.co.kr search.msn.com.br search.msn.com.hk
   search.msn.com.my search.msn.com.sg search.msn.com.tw search.msn.co.za search.msn.de search.msn.dk search.msn.es search.msn.fi
   search.msn.fr search.msn.it search.msn.nl search.msn.no search.msn.se search.ninemsn.com.au search.t1msn.com.mx search.xtramsn.co.nz
   search.yupimsn.com uk.search.msn.com
   search.lycos.com www.lycos.com
   www.google.ca google.ca www.google.uk www.google.co.uk www.google.com.au www.google.co.jp www.google.jp
   www.google.at www.google.be www.google.ch www.google.de www.google.se www.google.dk www.google.fi www.google.fr
   www.google.com.gr www.google.com.hk www.google.ie www.google.co.il www.google.it www.google.co.kr www.google.com.mx
   www.google.nl www.google.co.nz www.google.pl www.google.pt www.google.com.ru www.google.com.sg www.google.co.th
   www.google.com.tr www.google.com.tw go.google.com
   google.at google.be google.de google.dk google.fi google.fr google.com.hk google.ie google.co.il google.it google.co.kr
   google.com.mx google.nl google.co.nz google.pl google.com.ru google.com.sg
   www.hotbot.com hotbot.com
6. Save the file "HOSTS" and close the text editor you used.
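As an added, defender-side example that is not part of this thread or of Trend Micro's write-up, the Python below automates two of the checks the removal notes above do by hand: it parses a HOSTS file and flags any of the hijacked search-engine names that are mapped to something other than loopback, and it decodes the comma-separated hex form of the DataBasePath registry value (UTF-16LE bytes) into its text so a value can be read or verified before it is edited. The sample HOSTS content and the 203.0.113.5 address are constructed; WATCHED_HOSTS is a subset of the hostname list above; %SystemRoot%\System32\drivers\etc is the standard Windows location for the HOSTS directory.

```python
import ipaddress
import re
import sys

# Subset of the search-engine names the removal notes list as hijacked
# through the HOSTS file; extend it with the rest of that list as needed.
WATCHED_HOSTS = {
    "www.google.com", "google.com", "www.altavista.com", "altavista.com",
    "search.yahoo.com", "search.msn.com", "www.lycos.com", "alltheweb.com",
    "www.ask.com", "www.teoma.com", "search.aol.com", "www.hotbot.com",
}

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Standard location of the HOSTS directory on Windows NT-family systems.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample HOSTS content (not a capture from an infected machine);
# 203.0.113.5 is a documentation-range address standing in for a redirect target.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.5     www.google.com google.com   # planted redirect
203.0.113.5     search.yahoo.com
127.0.0.1       ads.example.net             # benign block entry
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in HOSTS-format text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def suspicious_hosts_entries(text):
    """Mappings that send a watched search-engine name anywhere but loopback."""
    return [
        (line_no, name, str(ip))
        for ip, name, line_no in parse_hosts(text)
        if name in WATCHED_HOSTS and ip not in LOOPBACK
    ]


def decode_databasepath(hex_csv):
    """Decode a registry export such as '25,00,53,00,...' (UTF-16LE bytes) to text."""
    tokens = [tok for tok in re.split(r"[,\s]+", hex_csv.strip()) if tok]
    raw = bytes(int(tok, 16) for tok in tokens)
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def encode_databasepath(path):
    """Inverse of decode_databasepath: text to comma-separated UTF-16LE hex plus NUL terminator."""
    return ",".join(f"{b:02x}" for b in path.encode("utf-16-le") + b"\x00\x00")


def databasepath_is_default(hex_csv):
    """True when the exported value points at the standard drivers\\etc directory."""
    return decode_databasepath(hex_csv).lower() == DEFAULT_DATABASEPATH.lower()


if __name__ == "__main__":
    # Pass a HOSTS file path to audit it; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, name, ip in suspicious_hosts_entries(text):
        print(f"line {line_no}: {name} -> {ip}")
```

Decoding the hex before touching the registry matters here because REG_EXPAND_SZ data exported as bytes is easy to mistype; comparing the decoded string against the expected directory is a cheap sanity check, and the same HOSTS audit can be re-run after cleanup to confirm the redirects are gone.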