Stupid Newbie has a problem.

  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Hi, my name is Lesley. Since last weekend I haven't been able to use any search engines. Yahoo is my home page and whenever I search for something I get that annoying page that says "Page Cannot be Displayed" and it happens when I try to get to google and jeeves. I use search engines a lot, and I've asked for help on another board but no one answers me. They told me to do a command prompt and I did but they didn't tell me what the results meant. Can someone please give me some more info, it's so frustrating. Thanks!

  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Does Google Search Engine work for you? Click the link below to go to it:

http://www.google.com/
  • musik
  • Legend
  • Super Moderator
  • User avatar
  • Posts: 6893
  • Loc: up a tree

Post 3+ Months Ago

She did say google does not work for her lol

Sounds like you have something corrupt in your browser or a virus...

Can you reinstall?
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Doh, I reread that like 2 times and kept overlooking that one part where it mentioned google haha. I see it now.

What was the last thing you did about the time it stopped working for you last weekend? Were you installing any programs? Updating anything? There was a recent trojan that was spreading that actually changed what IPs many of the popular search engines and websites resolve to. I'll post that info when I can find it. I am willing to bet you have that though.
  • RichB
  • Guru
  • Guru
  • User avatar
  • Posts: 1121
  • Loc: Boston

Post 3+ Months Ago

Sounds like the Qhosts trojan. This made some changes on people's computers that redirected them to the hacker's website when they tried to go to google, altavista, etc. The hacker's websites have since been removed.

You can read more about it in these articles that describe how it creates a new "hosts" file in the windows help directory and then makes some changes to the registry, so the bogus hosts file will be used instead of the real one. The articles also contain information about fixing the problem.

http://us.mcafee.com/virusInfo/default. ... s_k=100719
http://securecomputing.stanford.edu/ale ... t2003.html
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Okay check this link out:

http://us.mcafee.com/virusInfo/default. ... s_k=100719

It says:

Date Discovered: 9/29/2003
Date Added: 10/1/2003

Virus Characteristics

The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.

This trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ. The operations of the trojan are as follows:

  • A user is directed to a web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. MS03-040 is required. This allows for the automatic execution of VBScript contained in an HTML file (x.hta)
  • This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
  • This dropped AOLFIX.EXE is run, which may perform different tasks (several variants are known to exist)
  • The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and the O.BAT file

Indications of Infection

System changes include:

  • A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
  • Configuring DNS servers to use different IP addresses, such as:
    • 69.57.146.14
    • 69.57.147.175
  • The creation of the following registry key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
  • A marker file is created in the Windows directory named winlog
  • A temp directory is created and left behind by the trojan:
    • c:\bdtmp\tmp
Several Internet Explorer registry entries are changed/created:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie

Method of Infection:

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

A popup ad at http://www. fortunecity.com/ /fc728x90smartad. is known to load a remote site containing this trojan. This trojan relies on an Internet Explorer vulnerability to get installed on the local system. Once installed, the trojan redirects Domain Name requests to a specified address.

Removal Instructions

  1. Apply the MS03-040 patch
  2. Delete the following files:
    • %WinDir%\Help\hosts
    • %WinDir%\winlog
  3. Set the following registry key value (Information on editing registry keys):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
  4. Delete the following registry key value (Information on deleting registry keys):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
  5. Reconfigure your DNS server settings as desired
  6. Reconfigure your Internet Explorer settings as desired

Microsoft has released a patch for the vulnerability exploited by QHost-1.

See: http://www.microsoft.com/technet/treevi ... 03-040.asp
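
The indicators listed in the quoted advisory, turned into an offline triage check (an added example, not part of the original post or of the advisory). It assumes you have saved the output of `reg query` for the Tcpip\Parameters keys and the text of the hosts file in use; the function names and the sample input are constructed for illustration.

```python
import re

# Indicators as listed in the advisory quoted above.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
REDIRECT_IP = "207.44.220.30"
ROGUE_DNS = {"69.57.146.14", "69.57.147.175"}
SEARCH_DOMAINS = ("google.com", "altavista.com")  # the two the advisory names

def parse_reg_query(text):
    """Turn `reg query` output into {value name (lower-cased): data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_[A-Z_]+\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")

def audit(reg_text, hosts_text):
    """Return a list of findings; empty means none of these indicators matched."""
    findings = []
    reg = parse_reg_query(reg_text)
    db_path = reg.get("databasepath")
    if db_path and db_path.rstrip("\\").lower() != DEFAULT_DB_PATH.lower():
        findings.append("DataBasePath is not the default: " + db_path)
    servers = set(re.split(r"[,\s]+", reg.get("nameserver", "")))
    for ip in sorted(servers & ROGUE_DNS):
        findings.append("DNS server from the advisory configured: " + ip)
    if "r0x" in reg:
        findings.append("Marker registry value r0x present")
    for ip, name in parse_hosts(hosts_text):
        pinned = any(name == d or name.endswith("." + d) for d in SEARCH_DOMAINS)
        if ip == REDIRECT_IP or pinned:
            findings.append("hosts entry %s -> %s" % (name, ip))
    return findings

# Constructed sample input, not captured from a real machine.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\help
    NameServer    REG_SZ    69.57.146.14,69.57.147.175
"""
SAMPLE_HOSTS = """
127.0.0.1      localhost
207.44.220.30  www.google.com google.com
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG, SAMPLE_HOSTS)))
```

An empty result only means these particular indicators were not found; the advisory notes that several variants exist.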
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Looks like RichB posted before me, oh well :)

Lots of help here.
  • RichB
  • Guru
  • Guru
  • User avatar
  • Posts: 1121
  • Loc: Boston

Post 3+ Months Ago

I was just reading about this the other day when reviewing pages for a new security section for my website. Apparently there was a site set up by a hacker that contained a popup with the malicious code in it.

On a somewhat unrelated topic, the new google toolbar has a pretty cool popup blocker and some other new features.
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Yup I use the Google Toolbar's popup blocker. I love it, plus you can see PageRanks of sites which I am always interested in.

I heard about this trojan the other day too from the guy formerly known as Gadget Guru who used to post here a lot :)

I didn't put 2 and 2 together after I initially read the post though.
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Wow, you guys are so helpful, thank you so much! I'll check out all these links and the info and get back to you. I might need some more help cause I might get confused with all of this but I'll try my best! I used to be able to use Google and Yahoo all the time. I don't remember downloading anything new except for a few fonts and I had to get rid of nCase (heard of it?) for like the 5th time since May. I have adaware on my computer and I run it everyday. I do a disk cleanup regularly also. It was working fine for me all day Sunday then that night I went in to search for something and it wouldn't work, I get redirected to "Page Cannot Be Displayed". But anyway, I'll go check out all this stuff, and thanks so much!! :D
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Yay!! I installed the google tool bar and everything is working great now!!! But when I went to the microsoft site from that link, it said to scan for critical updates and I did and there was one there but in the middle of the download it stopped and said the product key was invalid and I should contact microsoft about it! Is this a big problem or do I even need it? Thanks for all your help by the way you guys are great! :D
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Since Product Key is involved, I assume you are running XP. Did you activate your product key with MS? Have you made significant changes to your hardware?
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

um, no I haven't made any changes to the hardware, and I don't know what this product key stuff is about. I am running XP and I get those windows updates every now and then and I install them and there's no problem, but this time it just stopped and I got that message. It said something about piracy of microsoft products, and if I suspect I have something like that then I should contact microsoft. I don't think I have anything like that, how do I know?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

The only things I can think of are did you pay around $300 bucks U.S. for it, (XP) or did someone install "their own" copy of it for you? If it's the latter you're probably using hacked/cracked software and that's why MS put that little extra in there for XP. It could also be this (and correct me if I'm wrong XP users, but I think you only have 30 days to activate your XP activation key before it expires -- I know it's only 14 days with Win 2003 server, but I think I remember it's 30 days with XP - I have only used XP once on another computer, so I'm not sure but I think I'm correct -- correct me if I'm wrong)
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

My computer was a gift from my dad last Christmas and he and my uncle picked it out because my uncle works with computers and I know he paid for it so I'm pretty sure it's not ripped. Is the update really that important?? Will my computer like die without it?? lol.
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Well did your uncle leave you the CD that he installed it with? or did he take it back with him for his computer?
  • dr nick
  • Proficient
  • Proficient
  • dr nick
  • Posts: 263
  • Loc: Frankfurt

Post 3+ Months Ago

Actually, I really appreciate the free updates that come with XP. More often than not, they are critical security updates (usually involving windows media player or outlook), so chances are you get protected against malicious software pretty quick after Microsoft finds holes in theirs (which happens a lot).
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Well they are not really free, that is why they charge $100-$200 bucks for their Windows XP software. Supposedly all the support prices are built into their products. They are so much money though they probably wouldn't even need to do that. They just want more :)
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

I don't remember seeing a cd for XP, because like I said it was a gift, it came all put together with everything installed so I didn't see how they did it. It's a possibility though, because like I said, my uncle works with computers, he might have used his own to save my dad some cash, I don't know, but if that's the case then how come I didn't get this warning before??

And if you don't mind me asking, has anyone here heard of something called "nweexloaste"? I have this awful search bar in IE that always pops up whenever I go to a new page, it's the most annoying thing ever and I have no idea how to get rid of it. Whenever I right click on the tool bar to hide it it says it's called nweexloaste, and there's no matches for it on any search engines. If you can't answer this then that's ok, you've been a tremendous help already, thanks.
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Lesley18 wrote:
I don't remember seeing a cd for XP, because like I said it was a gift, it came all put together with everything installed so I didn't see how they did it. It's a possibility though, because like I said, my uncle works with computers, he might have used his own to save my dad some cash, I don't know, but if that's the case then how come I didn't get this warning before??


The reason I ask is because if you do not have the CD, he likely used his. The CD can only be installed on one computer. Maybe he recently used that same CD to install to another computer? For each computer that you need the software on, Microsoft wants you to go and buy another CD and they are enforcing it much harder with XP, compared to the previous versions of Windows.

Anyway I do not know entirely if this is what is causing your problem, but there is a good chance since you do not have the CD. I would tell you to call them for support, but I guarantee they are not going to help you if you do not have your Windows XP serial number.
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Yeah I know, so I guess that's all I can do. Thanks for everything guys. And do any of you know what that tool bar thing is I explained in my last post? I'd just like to know what it is, and I find it strange that there's no matches for it on any search engines.
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9090
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Are you sure nweexloaste is the exact spelling? I find exactly zero results in google for that.
  • RichB
  • Guru
  • Guru
  • User avatar
  • Posts: 1121
  • Loc: Boston

Post 3+ Months Ago

Sounds like that might be spyware that you inadvertently acquired. You can use one of the freeware spyware removal tools to get rid of that stuff. I use Spybot. Here's a link:

http://spybot.safer-networking.de/

Click on the "overview" link on the main page for a description of spyware.
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Yeah the bar has a weird name but I'm sure of the spelling. Anyway, I downloaded spybot, but I already have adaware, is one better than the other?
  • Lesley18
  • Novice
  • Novice
  • User avatar
  • Posts: 19
  • Loc: Eastern Canada

Post 3+ Months Ago

Hey, I think spybot did the trick, thanks so much for all your help, I really appreciate it!!! :D
  • virtualwebc
  • Banned
  • Banned
  • User avatar
  • Posts: 108
  • Loc: USA

Post 3+ Months Ago

Also a good tool to use that I like is Spy Bot Search and Destroy. There are a few different trojans that mainly (no insinuation being made) but hide in porn sites. We have all opened those annoying emails and next thing you know gobs and gobs of porn comes out of nowhere. While you are trying to click out of them you will intermittently download a weird search engine screen that will come up every time you open a new browser and try to go to any search engine. Also like you got there is the can't find screen. This is one of the very few legal free tools that I actually use on a day to day basis. I have paid for quite a few different spyware remover tools but by far in my opinion this is on the top of my top ten list.
Just because you run Norton or McAfee doesn't mean it will protect you from everything. Run a spyware removal tool on your machine and you will be amazed at all the stuff that it will find. I refer this program to all of my clients. If I am not mistaken you can find it still on zdnet.com and cnet.com. Also a good pop up stopper will help out too! I have tried both Panicware versions of pop up stopper, free and professional version, and can't tell the difference in the two so I suggest either one. Hope I have been some help to you.
  • UNFLUX
  • Genius
  • Genius
  • User avatar
  • Posts: 6376
  • Loc: twitter.com/unflux

Post 3+ Months Ago

this topic is ancient, why was it dug up?
  • cyberax
  • Graduate
  • Graduate
  • User avatar
  • Posts: 169
  • Loc: INDIA

Post 3+ Months Ago

And moreover in the wrong directory.

Cheers,
  • phaugh
  • Professor
  • Professor
  • User avatar
  • Posts: 796

Post 3+ Months Ago

yeah!
  • madmonk
  • Mastermind
  • Mastermind
  • madmonk
  • Posts: 2115
  • Loc: australia

Post 3+ Months Ago

yea it may be ripped. the software.
I have seen vendors installing ripped software and selling "installed systems"

it even happened to my friend. so, it's worth checking out yr vendor too..

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.