Search Engine Woes!

[ProfessorGumby]

Howdy,

Does anyone know where to find a program that has installed itself as my default search engine, that also blocks ALL other search engines and search sites?

I have searched for files and folders using the search assistant, I have manually went in looking through explore, and I have run ad aware 2x and I am gettin pissed! I cant find the friggin program and it is making me crazy.

I have searched using every name I can find to no avail. I have restored defaults run spyware checks, deleted cookies etc...

Late last night, when I would do a search on one of them, it would not go to the site (google hotbot etc..) the search brought up.

I can get to MSN search if I type in the addy, www.search.msn.com and it works fine, unless I am trying to go to google from there. Any other site that MSN search finds will load just fine, just not search engine sites. It is like something is blocking them.

I have looked at all my internet security settings and tried everything I know, including looking at the files on my other computer to see whats different between the two. (Both have XP pro)

I have done a system restore and reinstalled IE 6.0 to no avail.

I am wondering if a file is missing or something.

Any help?

[not important]

Have you tried Spybot Search and Destroy?

[ProfessorGumby]

Actually, no. I have not. I will give them a try.

[ProfessorGumby]

I tripped over this on the net...(at PC World)...

Trojan Horse Hijacks IE

Attack sends browsers aiming for search engines to hackers' site instead.

Paul Roberts, IDG News Service
Thursday, October 02, 2003
Computer hackers have found another way to exploit an unpatched hole in Microsoft's Internet Explorer Web browser, using a specially designed attack Web site to install a Trojan horse program on vulnerable Windows machines.



The Trojan program changes the DNS configuration on the Windows machine so that requests for popular Web search engines like Google and Alta Vista bring the Web surfer to a Web site maintained by the hackers, according to warnings from leading security companies.



Still Vulnerable
The attacks are just the latest in a string of online scams that rely on an easy-to-exploit flaw in IE known as the ObjectData vulnerability. Earlier attacks that relied on the vulnerability include a worm that spreads using American Online's Instant Messenger network.

Microsoft released a patch for the ObjectData vulnerability, MS03-032, in August. However, even machines that applied that patch are vulnerable to the latest attack because of holes in that security patch, according to a bulletin posted by Network Associates.

The Trojan horse program is called Qhosts-1 and is rated a "low" threat, Network Associates said. Trojan horse programs do not attempt to find and infect other systems. However, they do give attackers access to a compromised computer, often allowing a remote hacker to control the machine as if he or she were sitting in front of it.

Microsoft issued a statement Thursday saying that it was investigating reports of exploits for a variation on a vulnerability originally patched in Microsoft Security Bulletin MS03-032 and would release a fix for that hole shortly. A company spokesman could not say when the patch update will be released.

The Redmond, Washington, company recommended that customers worried about attacks install the latest Windows updates and change their IE Internet security zone settings to notify the user when suspicious programs are being run.



Threat Averted?
Qhosts-1 was installed on vulnerable Windows machines using attack code planted in a pop-up ad connected to a Web page set up by the hackers on a free Web hosting site, www.fortunecity.com, NAI said. The DNS servers used in the attack resided on systems owned by Houston, Texas-based hosting firm Everyone's Internet, according to Richard Smith, an independent computer security consultant in Boston.

Those servers, as well as the fortunecity.com site used to install the Trojan, have been taken offline since the attack caught the attention of security experts. That will stop the DNS hijackings, but will also make it impossible for users on infected computers to browse the Web until their DNS configuration is restored, he said. However, as long as the Microsoft hole remains unpatched, similar attacks could be launched.

To be attacked, Windows machines had to be running Internet Explorer versions 5.01, 5.5 or 6.0, which contain the ObjectData vulnerability, and visit the Web site that launched the pop-up. The pop-up ad exploited the ObjectData vulnerability then downloaded the Qhosts-1 Trojan from a Web site in Seattle, Smith said.

Counterpane Internet Security , of Cupertino, California, said in a statement that it was tracking three possible infections by the Qhosts-1 Trojan on networks that it monitors.



Sophisticated Attack
There are still questions about how users were lured to the fortunecity.com site that installed the Trojan horse, but unsolicited commercial e-mail with links to the site was a likely suspect and economic gain was a likely motive, Smith said.

Hackers used the DNS changes to drive Web surfers to a site that launched a variety of pop-up advertisements, resulting in increased Web traffic and advertising revenue for the individuals behind the scheme, he said.

The latest attack is an example of the increasingly sophisticated strategies used by malicious hackers, who adopt the strategies of legitimate online businesses, cobbling together available Web technologies in a "Tinker Toy" fashion to create sophisticated attacks, Smith said.

By relying on a network of sites hosted on free and fee-based Internet hosting sites, hackers also make it more difficult for authorities to follow their tracks. Identity theft frequently plays a role in the latest scams as well. Hackers use stolen credit card information to set up hosting accounts which are then used as part of Internet based attacks, he said.

[Miz]

If it is a Qhosts infection, you can download a removal tool here.

[ProfessorGumby]

Nope that wasnt it, Trojan Qhosts has not been found on my computer. Dang, and that sounds exactly like what is happenening here.

I guess I will just have to keep looking.

[Wrnchhead76]

What kind of search engine is it exactly? I had the same problem, and i had to uninstall it, check your add remove programs list and see if anything unusual is there.

[Evo]

hmm i think i have it also cause i cant get into any search engines. is there a way to find out if i have the trojan in my computer?

[ProfessorGumby]

Quote:

Originally posted by Wrnchhead76 What kind of search engine is it exactly? I had the same problem, and i had to uninstall it, check your add remove programs list and see if anything unusual is there.

I have done that. The two that come up are Your.com or com.net. I have searched for these two and the com.net says it is by Gigantics, and I have searched for that, nothing turns up. The add/remove programs list in widoze XP, quite frankly, sucks. Neither program or any reference that could be the program is there. I have hit Control/alt/delete when it was open and looked for it in that window, nothing. According to Symantec I do not have the trojan, and I even ran the fix anyway, it said it was not on my computer too.

So, I am confused more than ever....

[Doobie]

have you checked HOST?

[glc]

With Windows XP, flush your DNS cache. The major search engines have changed their DNS to sidestep this worm and your PC is still using the cached DNS info.

Open a command prompt (Start - Run - cmd) and type:

ipconfig /flushdns

This should fix it right up as long as your ISP's DNS servers are updated.

[ProfessorGumby]

Flushing the DNS Cache did not do it.....

Check the Host?

The saga continues....

[Evo]

Quote:

Originally posted by ProfessorGumby Flushing the DNS Cache did not do it..... Check the Host? The saga continues....

i tried it also it didnt work :-/

[Doobie]

yeah I have tried everything and nothing seems to work on my friends computer that has it.

[Evo]

so i can never use google again till i find a way to clean it out?

[glc]

Host name: www.google.akadns.net
IP address: 216.239.53.99
Alias(es): www.google.com


Try browsing to that IP address. If it works, you have a DNS issue of some sort.

[Evo]

Quote:

Originally posted by glc Host name: www.google.akadns.net IP address: 216.239.53.99 Alias(es): www.google.com Try browsing to that IP address. If it works, you have a DNS issue of some sort.

the ip works..


and its not just google its lycos and yahoo and probly someothers

[ProfessorGumby]

Okay, typing in Googles IP number works and it works fine. I can also get yahoo by typing in www.yahoo.com. And I can get to MSN search by typing in www.search.msn.com. But Ask Jeeves, Google, Hot Bot Yahoo or anything elese in the search window or the address bar brings up com.net search engine or Your.com.

There has to be a program somewhere that is re directing things. I will find it, even if I have to re format the whole friggin computer again!

[glc]

Check your HOSTS file. Search for it - it's HOSTS with NO extension - rename it to HOSTS.OLD and try it.

[Evo]

IT has Hosts in C:/1386 and c:/WINDOWS/I386 which one do i edit?

[glc]

Both of them. Just rename them to HOSTS.OLD and see what happens.

[Evo]

it won let me change C:/1386 to .old come up with cant read it

[glc]

That's i386, not 1386.

Open a command prompt

ren c:\i386\hosts c:\i386\hosts.old

[CorruptedSanitY]

glc WORKED for me!!

thanks

Now my Q is :

1- What is this HOSTS file?

2- Why does changing or adding an extension to it fix the problem?

3- Why does .old in particular fix the problem?

[9600baud]

Ugh i was infected... the HOSTS fix worked like a charm, since the symantec thing didnt... damn! So annoying... What if they blocked symantec.com and microsoft.com? Then no one could download patches or anything and really mess things up. O well, thanks GLC!

[ProfessorGumby]

I searched for hosts.

I got several files that say hosts but
Nothing for i386 or 386

[glc]

It doesn't matter WHERE the HOSTS file is, what DOES matter is the fact that it has NO file extension.

There is a HOSTS.SAM file in there - this is simply a sample file. Renaming HOSTS to HOSTS.OLD will make it so it doesn't work, that's what you are trying to do. It doesn't HAVE to specifically be .OLD, it could be almost anything except a registered file extension (like .EXE or .BAT).

The HOSTS file has entries that Windows looks at before it even hits the DNS.

Yep - if malware put an entry in there for microsoft.com (or symantec.com, whatever) pointing to their IP address instead, this will screw you up big time - and that's exactly what some of these things do!

Spybot Search & Destroy has a setting to lock the hosts file to read-only to prevent this - it's at the bottom of the Immunize page with the locks for Internet Settings and Start Page.

A proper hosts file should only have one entry - that references 127.0.0.1 to localhost.

[Evo]

hm i tried that but it doenst seem to work . tho it works with the ip that someone posted above. do you think i have something in my computer?

[Evo]

o also i did the FixQhosts scan and i found it but it didnt let me go into google still

[tarawalsh_lfc]

Thanks glc, worked like a charm!