Annoying problem!

#1 Brun (02 November 2003, 11:33 PM)
My Internet Explorer has decided that the homepage ain't gonna be Google anymore - but http://www.idgsearch.com/ instead.
If I change it in Internet Options back to Google it always goes back after a restart. Anybody help?

#2 Daz34 (03 November 2003, 12:37 AM)
Run Regedit and search on IDGSEARCH.
Delete anything you find.
Cross fingers

#3 Daz34 (03 November 2003, 12:40 AM)
Look here

#4 Brun (03 November 2003, 05:20 AM)
Cheers mate Sorted

#5 Brun (03 November 2003, 03:26 PM)
Oh! **** - it's back

#6 rik1471 (03 November 2003, 03:35 PM)
Download Adaware here - install and run it. Will get rid of said annoying problem.

#7 Brun (03 November 2003, 04:48 PM)
That seems to have done the trick
Cheers

#9 Brun (04 November 2003, 10:33 PM)
I don't think I need to tell you what's happened.
I assume the problem is deep inside my PC.
On to plan C???

#10 Daz34 (05 November 2003, 12:46 AM)
Try downloading Spybot from here.
Check for updates when you first run it & then get it to check your computer. It is a fair bit better than Adaware at digging up spyware.

#11 Brun (05 November 2003, 08:06 AM)
I've already got Spybot. No good.

#12 Brun (05 November 2003, 05:40 PM)
Top for more suggestions for a pc muppet

#13 Nicks VR4 (05 November 2003, 06:02 PM)
Have you Anti-Virus software running?
Sounds to me you have a virus.

#14 Nicks VR4 (05 November 2003, 06:30 PM)
Haaaa got it I think ?

You have a virus called QHosts-1

Microsoft has released a patch for the vulnerability exploited by QHosts-1. See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

-- Update - 10/02/2003 --
This trojan has been reclassified as Low-Profiled due to media attention at: http://www.cbronline.com/latestnews/a7aa802c3a25406d80256db30018c17b

The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.


This trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ. The operations of the trojan are as follows:

A user is directed to a web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. MS03-040 is required. This allows for the automatic execution of VBScript contained in an HTML file (x.hta)
This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
This dropped AOLFIX.EXE is run, which may perform different tasks (several variants are known to exist)
The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and the O.BAT file


Symptoms
System changes include:

A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
Configuring DNS servers to use different IP addresses, such as:
69.57.146.14
69.57.147.175
The creation of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
A marker file is created in the Windows directory named winlog
A temp directory is created and left behind by the trojan:
c:\bdtmp\tmp
Several Internet Explorer registry entries are changed/created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie


Method Of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

A popup ad at http://www.fortunecity.com/ /fc728x90smartad. is known to load a remote site containing this trojan. This trojan relies on an Internet Explorer vulnerability to get installed on the local system. Once installed, the trojan redirects Domain Name requests to a specified address.


Removal Instructions
All Windows Users :
Use current engine and DAT files for detection and removal. This will delete the dropped HOSTS file as well as any remaining AOLFIX.EXE files.

Manual Removal Instructions

Apply the MS03-040 patch
Delete the following files:
%WinDir%\Help\hosts
%WinDir%\winlog
Set the following registry key value (Information on editing registry keys):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
Delete the following registry key value (Information on deleting registry keys):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
Reconfigure your DNS server settings as desired
Reconfigure your Internet Explorer settings as desired
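
A check for the system changes listed in the advisory above, as an added example that is not part of the original post or the vendor's text: it reads the text output of `reg query` and the contents of a HOSTS file and reports the listed indicators. The `reg query` output layout, the NameServer line in the sample and all function names are assumptions; the sample input is constructed.

```python
import re
# Indicators and the default path, all taken from the advisory quoted above.
DEFAULT_DB_PATH = r"%systemroot%\system32\drivers\etc"  # compared lower-cased
ROGUE_DNS = {"69.57.146.14", "69.57.147.175"}
REDIRECT_IP = "207.44.220.30"
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s+(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key> /s` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def check_registry(text):
    """Return one finding per registry change the advisory lists."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if name.lower() == "databasepath" and data.lower().rstrip("\\") != DEFAULT_DB_PATH:
            findings.append(f"HOSTS path redirected: {data}")
        if name.lower() == "r0x" and key.lower().endswith(r"\interfaces\windows"):
            findings.append(f"marker value r0x under {key}")
        hits = ROGUE_DNS & set(re.split(r"[,\s]+", data))
        if hits:
            findings.append(f"{name} lists advisory DNS servers: {sorted(hits)}")
    return findings

def check_hosts(text):
    """Return host names a HOSTS file maps to the advisory's redirect IP."""
    hosts = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == REDIRECT_IP:
            hosts.extend(fields[1:])
    return hosts

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\help
    NameServer    REG_SZ    69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows
    r0x    REG_SZ    your s0x
"""
SAMPLE_HOSTS = "207.44.220.30 google.com www.google.com\n127.0.0.1 localhost\n"
if __name__ == "__main__":
    print(check_registry(SAMPLE_REG), check_hosts(SAMPLE_HOSTS))
```

A DataBasePath written as an absolute path rather than with %SystemRoot% is also reported, so a finding there means "inspect", not "infected".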