Weird Internet Issue. Google comes up as cpanel.net


CeeN
10-05-2003, 05:55 AM
hey guys,

I have a very weird problem. When I type google.com, or altavista.com, or ask.com, or any other major search engine, they don't load; instead I get a page with a cpanel.net logo on it saying "There is no website configured at this address."

Any ideas?

Shivandragon
10-06-2003, 02:44 PM
Wild guess: Trojan.QHost?

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

Check the modify date of the hosts file in %windir%\system32\drivers\etc\


Good luck

CeeN
10-06-2003, 10:11 PM
oh man.. hosts has been modified 8/24/03... so that's not good.

I used the Symantec prog and it doesn't find it :( uh oh

Shivandragon
10-07-2003, 03:43 PM
Well, have a look at what's inside hosts then ;)

Maybe copy & paste it in here.
Dunno if there was such a virus at 23/8 though, still could be something else.

Roy Sinclair
10-07-2003, 06:45 PM
See this writeup on the trojan: http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html

CeeN
10-09-2003, 02:32 AM
yea..thanks

I tried those before, and it didn't work, but I did install the patch MS released, and it seems to be working.

mlawre
10-13-2003, 12:43 AM
Something was very fishy about this: all the popular search engines are not functioning. Used a generic search engine to find this web site with this topic. It's the only place that mentioned it (that I could find with crippled access to search engines). One member mentioned to check the hosts file. Well, here it is pasted below. It was modified this last month. Tried all the MS updates. Now going to try Symantec's tool.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.127.127.127 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
207.44.194.56 search.yahoo.com
207.44.194.56 uk.search.yahoo.com
207.44.194.56 ca.search.yahoo.com
207.44.194.56 jp.search.yahoo.com
207.44.194.56 au.search.yahoo.com
207.44.194.56 de.search.yahoo.com
207.44.194.56 search.yahoo.co.jp
207.44.194.56 www.lycos.de
207.44.194.56 www.lycos.ca
207.44.194.56 www.lycos.jp
207.44.194.56 www.lycos.co.jp
207.44.194.56 alltheweb.com
207.44.194.56 web.ask.com
207.44.194.56 ask.com
207.44.194.56 www.ask.com
207.44.194.56 www.teoma.com
207.44.194.56 search.aol.com
207.44.194.56 www.looksmart.com
207.44.194.56 search.msn.com
207.44.194.56 ca.search.msn.com
207.44.194.56 fr.ca.search.msn.com
207.44.194.56 search.fr.msn.be
207.44.194.56 search.fr.msn.ch
207.44.194.56 search.latam.yupimsn.com
207.44.194.56 search.msn.at
207.44.194.56 search.msn.be
207.44.194.56 search.msn.ch
207.44.194.56 search.msn.co.in
207.44.194.56 search.msn.co.jp
207.44.194.56 search.msn.co.kr
207.44.194.56 search.msn.com.br
207.44.194.56 search.msn.com.hk
207.44.194.56 search.msn.com.my
207.44.194.56 search.msn.com.sg
207.44.194.56 search.msn.com.tw
207.44.194.56 search.msn.co.za
207.44.194.56 search.msn.de
207.44.194.56 search.msn.dk
207.44.194.56 search.msn.es
207.44.194.56 search.msn.fi
207.44.194.56 search.msn.fr
207.44.194.56 search.msn.it
207.44.194.56 search.msn.nl
207.44.194.56 search.msn.no
207.44.194.56 search.msn.se
207.44.194.56 search.ninemsn.com.au
207.44.194.56 search.t1msn.com.mx
207.44.194.56 search.xtramsn.co.nz
207.44.194.56 search.yupimsn.com
207.44.194.56 uk.search.msn.com
207.44.194.56 search.lycos.com
207.44.194.56 www.lycos.com
207.44.194.56 www.google.ca
207.44.194.56 google.ca
207.44.194.56 www.google.uk
207.44.194.56 www.google.co.uk
207.44.194.56 www.google.com.au
207.44.194.56 www.google.co.jp
207.44.194.56 www.google.jp
207.44.194.56 www.google.at
207.44.194.56 www.google.be
207.44.194.56 www.google.ch
207.44.194.56 www.google.de
207.44.194.56 www.google.dk
207.44.194.56 www.google.fi
207.44.194.56 www.google.fr
207.44.194.56 www.google.com.gr
207.44.194.56 www.google.com.hk
207.44.194.56 www.google.ie
207.44.194.56 www.google.co.il
207.44.194.56 www.google.it
207.44.194.56 www.google.co.kr
207.44.194.56 www.google.com.mx
207.44.194.56 www.google.nl
207.44.194.56 www.google.co.nz
207.44.194.56 www.google.pl
207.44.194.56 www.google.pt
207.44.194.56 www.google.com.ru
207.44.194.56 www.google.com.sg
207.44.194.56 www.google.co.th
207.44.194.56 www.google.com.tr
207.44.194.56 www.google.com.tw
207.44.194.56 google.at
207.44.194.56 google.be
207.44.194.56 google.de
207.44.194.56 google.dk
207.44.194.56 google.fi
207.44.194.56 google.fr
207.44.194.56 google.com.hk
207.44.194.56 google.ie
207.44.194.56 google.co.il
207.44.194.56 google.it
207.44.194.56 google.co.kr
207.44.194.56 google.com.mx
207.44.194.56 google.nl
207.44.194.56 google.co.nz
207.44.194.56 google.pl
207.44.194.56 google.com.ru
207.44.194.56 google.com.sg
207.44.194.56 www.hotbot.com
207.44.194.56 hotbot.com

Shivandragon
10-13-2003, 10:10 AM
mlawre you have been compromised, probably by visiting a malicious site...

I'd update your system, virus scan several times and fix your hosts file to solve your problem

remove these lines:

127.127.127.127 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
.
.
.
207.44.194.56 hotbot.com

Btw new RPC DCOM (MS03-039) exploit is getting to the surface, patches won't work.

If you don't need DCOM, turn it off !

http://www.www.grc.com/dcom/

Grts
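The two checks this thread relies on, looking at the hosts file for well-known names pointed at an outside address and then stripping those lines, can be automated. The Python below is an added example written for this post, not code from the thread or from any vendor tool; the hosts text it parses is a constructed sample modelled on the file pasted above (the build-server.corp.example line is invented to show a legitimate local entry surviving the cleanup), and the list of protected domains is just the names that appear in that paste.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the hosts file pasted in the thread: the
# standard loopback entry, the odd "elite" alias, several search-engine
# names all pointed at one outside address, plus one invented legitimate
# local mapping that a cleanup must leave alone.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
127.127.127.127 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 search.yahoo.com
207.44.194.56 www.altavista.com
192.168.1.10 build-server.corp.example   # legitimate local entry
"""

# Public domains that have no business in a workstation hosts file.
# Assumption: this list is drawn from the names in the pasted file; extend
# it for your own environment.
PROTECTED_SUFFIXES = (
    "google.com", "google.ca", "google.co.uk", "altavista.com", "yahoo.com",
    "ask.com", "lycos.com", "msn.com", "hotbot.com", "alltheweb.com",
)


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for every active mapping line.

    Blank and comment-only lines are skipped and trailing '#' comments are
    cut off, matching how the hosts file format is documented in its header.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        entries.append((lineno, str(ip), fields[1:]))
    return entries


def _is_protected(host):
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijacks(text, fanout_threshold=3):
    """Return [(lineno, ip, host, reason)] for mappings that look like hijacks.

    Three heuristics, in order of confidence:
      * a well-known public domain mapped to any address at all;
      * a loopback address other than 127.0.0.1 given a name other than
        localhost (the "127.127.127.127 elite" line; note that Debian-style
        systems legitimately map the machine name to 127.0.1.1);
      * one non-loopback address receiving many distinct hostnames, the
        fan-in pattern of dozens of names -> one IP seen in the pasted file.
    """
    entries = parse_hosts(text)
    names_per_ip = defaultdict(set)
    for _, ip, hosts in entries:
        if not ipaddress.ip_address(ip).is_loopback:
            names_per_ip[ip].update(h.lower() for h in hosts)

    findings = []
    for lineno, ip, hosts in entries:
        loopback = ipaddress.ip_address(ip).is_loopback
        for host in hosts:
            if _is_protected(host):
                findings.append((lineno, ip, host, "well-known public domain overridden"))
            elif loopback and ip != "127.0.0.1" and host.lower() != "localhost":
                findings.append((lineno, ip, host, "loopback alias other than localhost"))
            elif len(names_per_ip.get(ip, ())) >= fanout_threshold:
                findings.append((lineno, ip, host, "many hostnames fanned in to one address"))
    return findings


def clean_hosts(text, fanout_threshold=3):
    """Return the hosts text with every flagged mapping line removed.

    Comments, blank lines and unflagged mappings are kept exactly as they
    were, so the result can be written back over the original file.
    """
    bad_lines = {lineno for lineno, *_ in find_hijacks(text, fanout_threshold)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, host, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {host}  <- {reason}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine you would read the file from %windir%\system32\drivers\etc\hosts (Windows) or /etc/hosts, run find_hijacks on it, and only write clean_hosts output back after reviewing the findings, since the fan-in heuristic will also flag a deliberately large block of internal aliases. Pair it with the modify-date check suggested earlier in the thread: a hosts file whose timestamp is newer than your last deliberate edit is the cheaper first signal.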

mlawre
10-13-2003, 03:18 PM
Thanks.
That helped. Apparently the scanner removed its recognized files, but did not repair the HOSTS file. So, merely running the Symantec tool or installing the MS patch was not enough. You're right about getting it from the web. According to MS this virus came via a pop-up on one of fortune city.com's servers. The pop-up redirected people to its url. I personally don't think the culprit originally intended this to be a virus per se. I think someone thought they found a clever way to bombard unsuspecting surfers with pop-ups. They tried to exploit the most common urls typed in by surfers: the search engine urls. I already get offended by creative methods to flash annoying hard-to-remove ads from the forescreen of browsers, but modifying someone's system files is a bit too far!

Roy Sinclair
10-13-2003, 06:50 PM
I already get offended by creative methods to flash annoying hard-to-remove ads from the forescreen of browsers, but modifying someone's system files is a bit too far!

The first thing to remember about spammers is that they have no respect for anyone. If they had any respect at all they wouldn't be in that slimy business.