cnwilson

Bizarre problem......cannot access search engines but everything else OK

Hi guys,

I'm at my wit's end.

I cannot access google, lycos, or any of the other major search engines.  Yet all other websites work fine.  I have windows 98, IE 6 and Netscape 7.1 (same problem with both).  I have scanned for viruses AND adware, and no viruses were found, tons of adware was found and removed, but the problem persists.  Any ideas?


Thanks,

Chad
rayt333

Page won't load at all??

Any error messages?
Clicking on this link will not open google??
http://www.google.com/
What is your ISP? do you use their software? or just use a DUN with their settings and then browse with IE or Netscape?
You've most likely acquired the QHosts.Trojan

The removal tool is here
http://www.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
ASKER CERTIFIED SOLUTION
BillDL
This solution is only available to members.
The Trojan will just rewrite to the HOSTS file.
cnwilson

ASKER

To all who replied, thank you very much.

Spiderfix, I tried your solution first but the trojan wasn't detected.  I then followed BillDL's instructions and they worked like a charm, so I awarded him the points.  I'll keep an eye on it to see if it rewrites.
Thank you, cnwilson.

I'll dig out a text file I saved with a few more details about the misuse and uses of the hosts file and post back here.

Meantime, here's some general notes I post for people experiencing issues concerning spyware and rogue processes running.  While it obviously doesn't all apply to you, take a look at the program "HiJack This".

This identifies known tracking cookies, and I'm sure it once identified entries in the hosts file on a computer I was fixing.

Firstly, download, install and run the freeware personal version of "Adaware" from Lavasoft.  It will identify any rogue Advertising Software or components on your system and allow you to get rid of them.

http://www.lavasoft.de/software/adaware/

Download, unzip, and run (no need to install) the freeware "BHO Demon".  Browser Helper Objects (or BHO's) are small programs that run automatically when you start your Internet Browser, come in many forms including the legitimate Adobe Acrobat Reader, and Norton AntiVirus, but also can be malicious or just a plain nuisance.  This program allows you to enable or disable them.  Take for example Go!Zilla, the downloading utility, which installs a BHO created by Radiate (formerly Aureate Media).  This BHO tracks which advertisements you see as you surf the Web, which may not bother you too much, but it is using up resources.

That said, there is no restriction on what a BHO can do to your system.  It can do anything any other program can do, i.e. read or write (or delete) anything on your system.  Usually, software is installed on your system explicitly by you, but BHO's have a history of being installed without the user's knowledge.

With BHO Demon, BHO's are disabled by simply renaming the DLL that houses them.  By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish.

http://www.definitivesolutions.com/bhodemon.htm
http://www.definitivesolutions.com/files/bhodmon1.zip

You should also run a Full virus scan of your system after updating your AntiVirus software with the latest definition download.  Scan ALL files, memory and boot sector where these are options.

To inspect what processes are running on your system:

Use the Start Menu as follows:

1. Start > Run > and type MSINFO32
2. In the left pane, find "Software Environment"
3. For each of the following sections, click on it and then use the menu as follows:
    Edit > Select All > Edit Copy
4. Paste each into NotePad and save by the name of the section in MSINFO32

Software Environment\
                                  Running Tasks
                                  Startup Programs
                                  System Hooks

You need to decide what you need and don't need to run automatically when Windows boots.  You could disable many of them using "Start > Run"  > and typing MSCONFIG.  The checkboxes are in the "startup" tab, and the only one you usually require is the System Tray.  You could restore them again one at a time, rebooting between, and test until you find the culprit.

A helpful page to assist you in identifying Startup items is:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Another useful program for finding things that take over your system is "HiJack This" from:

http://www.spywareinfo.com/downloads.php#det
http://www.spywareinfo.com/~merijn/files/hijackthis.zip 

It will run from any folder without needing installation.  Just unzip it, launch Hijack This, and configure it quickly.  It will scan your system for evidence of known parasites and allow you to remove them.  You can also obtain an instant list.  Press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log".

No application will identify ALL potential risks, but these are a few good ones that are easy to use.
Taken from http://www.accs-net.com/hosts/what_is_hosts.html

The "Hosts" file in Windows and other operating systems is used to associate host names with IP addresses. Host names are the www.yahoo.com addresses that you see every day. IP addresses are numbers that mean the same thing as the www words - the computers use the numbers to actually find the sites, but we have words like www.yahoo.com so humans do not need to remember the long strings of numbers when they want to visit a site.

For instance, the host name for Yahoo! is www.yahoo.com, while its IP address is 204.71.200.67 Either address will take you to Yahoo!'s site, but the www address will first have to be translated into the IP address. If you type in the IP address directly, your computer will not have to look it up.

A series of steps are used when searching for IP addresses that go with these host names. The first step, and the one that concerns us here, is the hosts file on your local computer. The Hosts file tells your computer what the name is in numbers so the computer can go find it. If the IP address is found in your Hosts file, the computer will stop looking and go to that site, but if it is not it will ask a DNS computer (domain name server) for the information. Since the search ends once a match is found, that provides us with a mechanism to block sites we have no interest in. You may block sites that serve advertisements, sites that serve objectionable content, or any other site that you choose to block.

We can put names and addresses into the Hosts file so your computer does not have to ask a DNS server to translate the domain name into an IP number. This speeds up access to the host site you want to see because your computer no longer has to query other systems on the Internet for the address translation. When you type in a web address like www.yahoo.com, the host name portion of the web address is translated into an IP address before the site is accessed. If you put Yahoo!'s host and IP settings into your Hosts file, it would load a little quicker because your computer doesn't have to ask another to translate where to look for Yahoo!

Computers have a host address of their own - it is known as the "localhost" address, with an IP address of 127.0.0.1 which it uses to refer to itself. If you associate another computer's host name with your localhost IP address, you have effectively blocked that host since all attempts to access it will lead back to you. That is how we will block sites using the Hosts file. We will tell our computer that the IP address of the site we want to block is our own address. That way, our computer will not ever leave and go looking for the site we are blocking - which keeps that site from appearing because the computer thinks it has found the site and displayed it already.

Many web sites have links to other servers for the retrieval of advertisements. In the case of those web servers, the browser will quickly fail to locate the requested data (scripts, images, etc.) from the advertising server because we told our computer to look for the information on itself - of course it won't find any of it and will quit looking for it - and will continue loading the pertinent portions of the page you want to see. This will keep your computer from even talking to the ad servers, and thus you won't see the ads, they can't put cookies on your hard drive, and you can't be profiled by them.

http://www.accs-net.com/hosts/benefits_restrictions.html

References:

http://www.accs-net.com/hosts/important_notes.html

http://www.accs-net.com/hosts/how_to_use_hosts.html 

http://doa2.host.sk
http://doa2.host.sk/supertrick.htm
http://doa2.host.sk/download.htm

Download sample hosts files with blocked web sites:

http://www.accs-net.com/hosts/get_hosts.html
http://www.smartin-designs.com/downloads/hosts_127001.zip
(blocks over 12,800 servers)

http://doa2.host.sk/hosts.zip

Ready-made template:

http://www.accs-net.com/hosts/Downloads/hostsplain.txt

Other configuration:

http://www.accs-net.com/hosts/eDexter.html

eDexter is a program that acts as a local-only (it is not accessible through the Internet) HTTP server on your computer. It is used to replace the empty boxes that occur when you use the Hosts file to block ads. eDexter will put one of its own images into the box that would have been occupied by the advertisement. This way, you will not have large, empty boxes in your browser and will instead have an image where the box used to be.
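
An added example, not part of the original thread or of any poster's instructions: a small Python audit of a hosts file that separates ordinary 127.0.0.1 ad-block entries from entries that block or redirect search-engine names, which is the symptom in the question. The watchlist, the function names and the sample entries are constructed for illustration, and the sample addresses come from documentation-only ranges.

```python
import ipaddress
import sys

# Search-engine names taken from the thread; the watchlist itself is an assumption.
WATCHED = ("google.com", "lycos.com", "yahoo.com")

# Constructed sample; addresses are from documentation-only ranges.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1     localhost
127.0.0.1     ads.example.net   # intentional ad block
203.0.113.10  www.google.com google.com
203.0.113.10  search.lycos.com
0.0.0.0       www.yahoo.com
192.0.2.7     intranet.example
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: ignore the line
        for name in fields[1:]:                 # one line may carry several names
            yield lineno, ip, name.lower().rstrip(".")

def audit(text, watched=WATCHED):
    """Return (line, name, ip, kind) for entries that override normal lookup."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if name == "localhost" and ip.is_loopback:
            continue                            # the standard entry
        if any(name == w or name.endswith("." + w) for w in watched):
            kind = "blocked" if local else "redirected"
        elif not local:
            kind = "override"                   # unwatched name sent off-box
        else:
            continue                            # ordinary 127.0.0.1 ad block
        findings.append((lineno, name, str(ip), kind))
    return findings

if __name__ == "__main__":
    # Pass the path of the hosts file to check; with no argument, use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, name, ip, kind in audit(text):
        print(f"line {lineno}: {name} -> {ip} [{kind}]")
```

Run it again after cleaning the file: if the flagged lines come back, something on the machine is still rewriting the hosts file.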