Qhost - 10.04.03

Update 10.10.03 - Microsoft has patched this exploit
http://www.microsoft.com/security/security_bulletins/MS03-040.asp

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

A few additional details: also in the host file was "88.88.88.88 elite", and on a different PC's host file (in Sandwich) I found "127.127.127.127 elite". There is a method to stop ad sites using the host file explained here. And one of my favorite sites is grc.com. Look there for free security utilities written by Steve Gibson, whose SpinRite product is a familiar name to most PC technicians.

10.06.03 - I used Spybot Search & Destroy when the kid complained that no search sites were working. Spybot S&D found something it labeled 'Common Hijacker': redirected host search.msn.com=207.44.194.56. The exploit occurred on 09.30.03 and 10.01.03. I let Spybot delete it, but the PC still had problems. Note: this kid likes neopets.com and related seemingly harmless sites.

Qhosts seemed to be related to the site www.fortunecity.com, as this problem began on 09.30.03; there was a cookie from fortunecity with that date. I found the DNS settings had been changed to 69.57.146.14 and 69.57.147.175, owned by Everyones Internet. Also, if a common search page like www.google.com was used, eventually a page labeled 'Cpanel' would come up, and it had a link to www.cPanel.net, a site also related to Everyones Internet (Ev1.servers.net).

I ultimately found that the host file in c:\windows had been appended. The entries looked like this:

207.44.194.56 www.google.com

The exploit actually backed up the host file, but with the extra entries. Once I reset the DNS back to what it was supposed to be (my local server) and removed the extra entries in the host file, the PC was able to go to search sites.

A folder C:\Bdtmp\Tmp had been created on 09.30.03, and the DNS setting had "HostName"="host" and "Domain"="mydomain.com". In the registry key HKCU\Software\Microsoft\Internet Explorer\Main, "Search Page"="http://www.google.com" and "Search Bar"="http://www.google.com/ie" had been added. I deleted those.
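As an added example (not from the original post), here is a small Python audit script that parses hosts-file text and flags the kind of entries described above: search-site names mapped to a foreign address, and the single-label "elite" marker lines. The sample hosts content and the watched-domain list are constructed assumptions; point it at a real hosts file by reading that file into `audit_hosts`.

```python
"""Audit a Windows hosts file for Qhosts-style search-site redirects."""
import ipaddress

# Search-engine domains worth watching; this list is an assumption, extend as needed.
WATCHED_DOMAINS = ("google.com", "msn.com", "yahoo.com", "altavista.com", "lycos.com")
# Addresses used by legitimate ad-blocking hosts files; never flagged.
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments are stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield n, ip, name.lower()

def audit_hosts(text):
    """Return a list of (line_no, ip, hostname, reason) for suspicious entries."""
    findings = []
    for n, ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, name, "unparseable address"))
            continue
        if name == "localhost" or ip in BLOCKING_TARGETS:
            continue  # normal loopback or ad-block entry
        if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append((n, ip, name, "search site redirected to " + ip))
        elif "." not in name:
            # Heuristic: bare names like "elite" are marker lines, not real hosts.
            findings.append((n, ip, name, "single-label marker entry"))
    return findings

def remove_entries(text, findings):
    """Return the hosts text with every flagged line dropped, other lines untouched."""
    bad = {n for n, *_ in findings}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in bad)

# Constructed sample modelled on the entries quoted in the post (sample only).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net     # legitimate ad-block line, must not fire
207.44.194.56   www.google.com
207.44.194.56   search.msn.com
88.88.88.88     elite
127.127.127.127 elite
"""

if __name__ == "__main__":
    for n, ip, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {ip} {name} ({why})")
```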
Stanford has a good write-up on the exploit: Qhosts Trojan at Stanford, 2 October 2003. Symantec has more details and specifies registry changes here. Network Associates: NAI writeup of Qhost, and NAI writeup of a related issue.