Stupid Newbie has a problem.

  • Lesley18
  • Novice
  • Joined: Oct 08, 2003
  • Posts: 19
  • Loc: Eastern Canada

Post October 8th, 2003, 8:51 pm

Hi my name is Lesley. Since last weekend I haven't been able to use any search engines. Yahoo is my home page and whenever I search for something I get that annoying page that says "Page Cannot be Displayed" and it happens when I try to get to Google and Jeeves. I use search engines a lot, and I've asked for help on another board but no one answers me. They told me to do a command prompt and I did but they didn't tell me what the results meant. Can someone please give me some more info, it's so frustrating. Thanks!
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8925
  • Loc: Seattle, WA & Phoenix, AZ

Post October 8th, 2003, 11:50 pm

Does Google Search Engine work for you? Click the link below to go to it:

http://www.google.com/
Ozzu Hosting - Want your website on a fast server like Ozzu?
  • musik
  • Legend
  • Super Moderator
  • Joined: Aug 06, 2003
  • Posts: 6892
  • Loc: up a tree

Post October 9th, 2003, 12:08 am

She did say google does not work for her lol

Sounds like you have something corrupt in your browser or a virus...

Can you reinstall?
Opportunity To Do - Changing the lives of children around the world.
Rose.id.au - Doing Life.
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8925
  • Loc: Seattle, WA & Phoenix, AZ

Post October 9th, 2003, 12:11 am

Doh, I reread that like 2 times and kept overlooking that one part where it mentioned google haha. I see it now.

What was the last thing you did about the time it stopped working for you last weekend? Were you installing any programs? Updating anything? There was a recent trojan that was spreading that actually changed what IPs many of the popular search engines and websites resolve to. I'll post that info when I can find it. I am willing to bet you have that though.
  • RichB
  • Guru
  • Joined: May 17, 2003
  • Posts: 1121
  • Loc: Boston

Post October 9th, 2003, 12:33 am

Sounds like the Qhosts trojan. This made some changes on people's computers that redirected them to the hacker's website when they tried to go to google, altavista, etc. The hacker's websites have since been removed.

You can read more about it in these articles that describe how it creates a new "hosts" file in the Windows help directory and then makes some changes to the registry, so the bogus hosts file will be used instead of the real one. The articles also contain information about fixing the problem.

http://us.mcafee.com/virusInfo/default. ... s_k=100719
http://securecomputing.stanford.edu/ale ... t2003.html
Free Programming Resources
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8925
  • Loc: Seattle, WA & Phoenix, AZ

Post October 9th, 2003, 12:37 am

Okay check this link out:

http://us.mcafee.com/virusInfo/default. ... s_k=100719

It says:

Date Discovered: 9/29/2003
Date Added: 10/1/2003

Virus Characteristics

The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.

This trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ. The operations of the trojan are as follows:

  • A user is directed to a web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. MS03-040 is required. This allows for the automatic execution of VBScript contained in an HTML file (x.hta)
  • This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
  • This dropped AOLFIX.EXE is run, which may perform different tasks (several variants are known to exist)
  • The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and the O.BAT file

Indications of Infection

System changes include:

  • A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
  • Configuring DNS servers to use different IP addresses, such as:
    • 69.57.146.14
    • 69.57.147.175
  • The creation of the following registry key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
  • A marker file is created in the Windows directory named winlog
  • A temp directory is created and left behind by the trojan:
    • c:\bdtmp\tmp

Several Internet Explorer registry entries are changed/created:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie

Method of Infection:

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

A popup ad at http://www. fortunecity.com/ /fc728x90smartad. is known to load a remote site containing this trojan. This trojan relies on an Internet Explorer vulnerability to get installed on the local system. Once installed, the trojan redirects Domain Name requests to a specified address.

Removal Instructions

  1. Apply the MS03-040 patch
  2. Delete the following files:
    • %WinDir%\Help\hosts
    • %WinDir%\winlog
  3. Set the following registry key value (Information on editing registry keys):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
  4. Delete the following registry key value (Information on deleting registry keys):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
  5. Reconfigure your DNS server settings as desired
  6. Reconfigure your Internet Explorer settings as desired

Microsoft has released a patch for the vulnerability exploited by QHost-1.

See: http://www.microsoft.com/technet/treevi ... 03-040.asp
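
The indicators listed in the advisory above can be checked mechanically. The following is an added example, not part of the original posts or the McAfee write-up; the function names and sample input are constructed, and the caller is assumed to supply the DataBasePath registry value, the text of the HOSTS file found there, and the configured DNS servers.

```python
import ipaddress

# Indicator values quoted in the advisory above
ADVISORY_DNS = {"69.57.146.14", "69.57.147.175"}
WATCHED = ("google.com", "altavista.com")  # the advisory's example domains
DEFAULT_SUFFIX = r"\system32\drivers\etc"  # tail of the default HOSTS directory

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip malformed line
        for name in fields[1:]:  # one line may map several names
            yield ip, name.lower().rstrip(".")

def check_system(database_path, hosts_text, dns_servers):
    """Return human-readable findings for the three redirect indicators."""
    findings = []
    # Accept both the unexpanded (%SystemRoot%\...) and expanded (C:\WINDOWS\...) form
    norm = database_path.strip().rstrip("\\").lower()
    if not norm.endswith(DEFAULT_SUFFIX):
        findings.append(f"DataBasePath is non-default: {database_path}")
    for ip, name in parse_hosts(hosts_text):
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        if watched and not ip.is_loopback:
            findings.append(f"HOSTS redirects {name} to {ip}")
    for server in dns_servers:
        if server in ADVISORY_DNS:
            findings.append(f"DNS server listed in advisory: {server}")
    return findings

# Constructed sample input modelled on the advisory's description
SAMPLE_HOSTS = """\
# constructed example
127.0.0.1 localhost
207.44.220.30 www.google.com google.com  # redirected
207.44.220.30 www.altavista.com
"""

if __name__ == "__main__":
    dns = ["69.57.146.14", "192.0.2.53"]  # second address is a constructed placeholder
    for finding in check_system(r"%SystemRoot%\help", SAMPLE_HOSTS, dns):
        print(finding)
```

An empty result only means these three indicators are absent; the advisory notes that several variants of the dropped file exist.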
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8925
  • Loc: Seattle, WA & Phoenix, AZ

Post October 9th, 2003, 12:38 am

Looks like RichB posted before me, oh well :)

Lots of help here.
  • RichB
  • Guru
  • Joined: May 17, 2003
  • Posts: 1121
  • Loc: Boston

Post October 9th, 2003, 12:56 am

I was just reading about this the other day when reviewing pages for a new security section for my website. Apparently there was a site set up by a hacker that contained a popup with the malicious code in it.

On a somewhat unrelated topic, the new google toolbar has a pretty cool popup blocker and some other new features.
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8925
  • Loc: Seattle, WA & Phoenix, AZ

Post October 9th, 2003, 12:59 am

Yup I use the Google Toolbar's popup blocker. I love it, plus you can see PageRanks of sites which I am always interested in.

I heard about this trojan the other day too from the guy formerly known as Gadget Guru who used to post here a lot :)

I didn't put 2 and 2 together after I initially read the post though.
  • Lesley18
  • Novice
  • Joined: Oct 08, 2003
  • Posts: 19
  • Loc: Eastern Canada

Post October 9th, 2003, 1:03 pm

Wow, you guys are so helpful, thank you so much! I'll check out all these links and the info and get back to you. I might need some more help cause I might get confused with all of this but I'll try my best! I used to be able to use Google and Yahoo all the time. I don't remember downloading anything new except for a few fonts and I had to get rid of nCase (heard of it?) for like the 5th time since May. I have adaware on my computer and I run it everyday. I do a disk cleanup regularly also. It was working fine for me all day Sunday then that night I went in to search for something and it wouldn't work, I get redirected to "Page Cannot Be Displayed". But anyway, I'll go check out all this stuff, and thanks so much!! :D
  • Lesley18
  • Novice
  • Joined: Oct 08, 2003
  • Posts: 19
  • Loc: Eastern Canada

Post October 9th, 2003, 2:03 pm

Yay!! I installed the Google toolbar and everything is working great now!!! But when I went to the Microsoft site from that link, it said to scan for critical updates and I did and there was one there but in the middle of the download it stopped and said the product key was invalid and I should contact Microsoft about it! Is this a big problem or do I even need it? Thanks for all your help by the way you guys are great! :D
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2003, 3:57 pm

Since Product Key is involved, I assume you are running XP. Did you activate your product key with MS? Have you made significant changes to your hardware?
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Lesley18
  • Novice
  • Joined: Oct 08, 2003
  • Posts: 19
  • Loc: Eastern Canada

Post October 9th, 2003, 5:25 pm

um, no I haven't made any changes to the hardware, and I don't know what this product key stuff is about. I am running XP and I get those windows updates every now and then and I install them and there's no problem, but this time it just stopped and I got that message. It said something about piracy of microsoft products, and if I suspect I have something like that then I should contact microsoft. I don't think I have anything like that, how do I know?
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2003, 9:01 pm

The only things I can think of are did you pay around $300 bucks U.S. for it, (XP) or did someone install "their own" copy of it for you? If it's the latter you're probably using hacked/cracked software and that's why MS put that little extra in there for XP. It could also be this (and correct me if I'm wrong XP users, but I think you only have 30 days to activate your XP activation key before it expires -- I know it's only 14 days with Win 2003 server, but I think I remember it's 30 days with XP - I have only used XP once on another computer, so I'm not sure but I think I'm correct -- correct me if I'm wrong)
  • Lesley18
  • Novice
  • Joined: Oct 08, 2003
  • Posts: 19
  • Loc: Eastern Canada

Post October 10th, 2003, 4:22 am

My computer was a gift from my dad last Christmas and he and my uncle picked it out because my uncle works with computers and I know he paid for it so I'm pretty sure it's not ripped. Is the update really that important?? Will my computer like die without it?? lol.