Why can't I see google
08 October 2003, 03:03 PM
#1
Scooby Regular
Thread Starter
Join Date: Feb 2003
Posts: 747
Likes: 0
Received 0 Likes
on
0 Posts
for some reason my computer can no longer access google! even though I can access the rest of the internet. Its definately a pc software problem because I have tried/swapped everything that should affect me accessing google.
This includes - replacing broadband line, broadband hardware, network card.
Everything is set to default tcp/ip settings. the computer can resolve google.com & co.uk but can't ping or access the sites [img]images/smilies/mad.gif[/img]
My only conclusion is that its a virus but my AV isn't detecting anything
Has anyone seen or heard of this problem before
This includes - replacing broadband line, broadband hardware, network card.
Everything is set to default tcp/ip settings. the computer can resolve google.com & co.uk but can't ping or access the sites [img]images/smilies/mad.gif[/img]
My only conclusion is that its a virus but my AV isn't detecting anything
Has anyone seen or heard of this problem before
08 October 2003, 03:07 PM
#2
Scooby Regular
Join Date: May 2003
Posts: 1,165
Likes: 0
Received 0 Likes
on
0 Posts
QHosts-1 Virus McAfee
-- Update - 10/02/2003 --
Microsoft has released a patch for the vulnerablity exploited by QHost-1. See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
-- Update - 10/02/2003 --
This trojan has been reclassified as Low-Profiled due to media attention at: http://www.cbronline.com/latestnews/a7aa802c3a25406d80256db30018c17b
The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
This trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ. The operations of the trojan are as follows:
A user is directed to a web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. MS03-040 is required. This allows for the automatic execution of VBScript contained in an HTML file (x.hta)
This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
This dropped AOLFIX.EXE is run, which may perform different tasks (several variants are known to exist)
The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and the O.BAT file
Top of Page
Symptoms
System changes include:
A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\
Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
Configuring DNS servers to use different IP addresses, such as:
69.57.146.14
69.57.147.175
The creation of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
A marker file is created in the Windows directory named winlog
A temp directory is created and left behind by the trojan:
c:\bdtmp\tmp
Several Internet Explorer registry entries are changed/created:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie
Top of Page
Method Of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
A popup ad at http://www.fortunecity.com/ /fc728x90smartad. is known to load a remote site containing this trojan. This trojan relies on an Internet Explorer vulnerability to get installed on the local system. Once installed, the trojan redirects Domain Name requests to a specified address.
-- Update - 10/02/2003 --
Microsoft has released a patch for the vulnerablity exploited by QHost-1. See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
-- Update - 10/02/2003 --
This trojan has been reclassified as Low-Profiled due to media attention at: http://www.cbronline.com/latestnews/a7aa802c3a25406d80256db30018c17b
The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
This trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ. The operations of the trojan are as follows:
A user is directed to a web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. MS03-040 is required. This allows for the automatic execution of VBScript contained in an HTML file (x.hta)
This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
This dropped AOLFIX.EXE is run, which may perform different tasks (several variants are known to exist)
The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and the O.BAT file
Top of Page
Symptoms
System changes include:
A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\
Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
Configuring DNS servers to use different IP addresses, such as:
69.57.146.14
69.57.147.175
The creation of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
A marker file is created in the Windows directory named winlog
A temp directory is created and left behind by the trojan:
c:\bdtmp\tmp
Several Internet Explorer registry entries are changed/created:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie
Top of Page
Method Of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
A popup ad at http://www.fortunecity.com/ /fc728x90smartad. is known to load a remote site containing this trojan. This trojan relies on an Internet Explorer vulnerability to get installed on the local system. Once installed, the trojan redirects Domain Name requests to a specified address.
Thread
Thread Starter
Forum
Replies
Last Post
14500rpm
Suspension
15
18 September 2015 09:15 AM