QHost trojan

Hi everyone,

Everytime try to do a search (on any search engine) I recieve one or to errors. I recieve a page cannot be displayed, when I try to go to the website www.google.com I get a cPanel page (which I have no idea of what cPanel is)

This has been reported as a trojan QHost on Symantec.net but when I download the removal tool it says no trojan detected...so I follow Symantec self (manaual) removal steps and I still have the same error

Also, I have tried using several trojan removal tools as well which do not detect the problem!

I have also used ad-aware and remove what I can from that as well, but the problem continues!!

Can someone please help me....I NEED MY GOOGLE!!!

Thank You for your time.

Are you sure you did everything and reversed everything done to the registry. If you did you should be in good shape. You may want to run through it again just to make sure you did everything required for removal:
http://www.symantec.com/avcenter/ven...an.qhosts.html
Other than that, I don't know.

heres a link that specifically addresses the problem~

http://www.cpanel.net/contact.cgi

Did a little reading on it, and it seems you must of been behind on your updates? Hopefully a quick update will help.

Go to tools, internet options....on the first line at the top, it will tell you what your default homepage is....change it to Google.

Or am I completely misunderstanding the issue? :)

Got a little bit more on it here-http://vil.nai.com/vil/content/v_100719.htm
Here it is if you want to know about-

Quote:

---

The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
System changes include:

* A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
* Configuring DNS servers to use different IP addresses, such as:
o 69.57.146.14
o 69.57.147.175
* The creation of the following registry key:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
* A marker file is created in the Windows directory named winlog
* A temp directory is created and left behind by the trojan:
o c:\bdtmp\tmp

---

Theres more on removing it, I didn't feel like taking up the room

If your using XP.. then You can just remove the trojan and then go and use the "Last best known configuration" for windows(Restore Point).. I hope this helps :)

Also check your C:\WINDOWS\system32\drivers\etc\hosts and see what it says about google.com www.google.com and whatever other sites you are having trouble with. Make sure your Virus scanner, trojan scanner, and firewall are up to date.

MB

It sometimes helps if you run your countermeasures in "safe" mode.

http://www.webattack.com/get/hostadmin.html A useful Host administration tool

http://www.wilderssecurity.com Browser Hijack Blaster.............other useful free tools as well ;)

http://www.spywareinfo.com/~merijn/index.html Hijack This...........look at the entries at the beginning of the report. Be careful, though, as it shows you everything, not just bad stuff.

Good Luck

Hello,
I recently removed this virus from a load of MSN client computers. Apperently what happened was, QHost was created about 5/6 months ago; the trojans main purpose was to resolve Domain names to psuedo IP's and thus preventing you from getting to select websites. The machines I removed the virus from ran Win 98. There is a file that the trojan loads into the ~/system/ directory called 'hosts'. If you open this file in notepad, you'll see the fake DNS resolves. Delete the file for god sake.

The wierd this about this virus is that it resolves you to a website that actually explains to you how to remove this virus. Unfortunetly, the patch that microsoft put out didn't work on my PC's. After the virus was written, the IP's that were initially in the virus, were recently acquired by some company that has to deal with every single hit.

Neat.

scat

A lot of good info has been provided already but the main thing that needs to be done after clearing out the trojan itself is to clear out all the entries that it put into the hosts file as MicroBurn and catman had pointed out.. once those entries are deleted, you'll be able to see google once again.

I surely would die without my google too.. :D