Full Version: So I finally got hit by one of these worms/viruses/trojans...
partialinsomniac
Hey everyone... I come again to ask for your help.

A couple of days ago, I noticed that Google would not come up. Instead, I would get this page saying "There is no website configured at this address." I thought this was a hack until someone told me that there was a recent trojan that went around that involved this page. It's supposedly spread by a Fortunecity pop-up... which, sad to say, I do remember going to a Fortunecity site recently.

It's proving to be hard to get rid of. I've run the Symantec tool three times already and tried to remove it manually. Anyone that knows about this... what can I do to get rid of this thing? Thanks.
Kat
I think I know how you got this.

Alan has already fixed one of these.

Pm him or do what I do.

put ALAN!!!!!HELP!!!!!!!
in your title.

What do people do who don't have an Alan?
kar522
QUOTE(katballoo @ 10-6-2003 - 05:44 AM)
What do people do who don't have an Alan?

They give birth to a steinmto!!!!!
AMS
For anyone that gets this, if you are running XP:

To get that computer back to regular dns settings (no search though)

---> start
---> control panel
----> network connections
right click on Local area connection
select properties
Highlight internet protocol -----> click properties
If it does not say
obtain dns setting automatically, click that,
click ok

That will allow you to surf, but not search.

You go here to remove it...

http://securityresponse.symantec.com/avcen...jan.qhosts.html

run the tool:
http://securityresponse.symantec.com/avcen...jan.qhosts.html


This does not fix the problem, but removes it. Then, Alan tells you how to remove it completely. So PI, you need to wait for him, because while I could tell you what he told me, what if I mess up?

Now, before anyone does run the tool, wait for Alan. He had thought I might be able to restore to the point before I got the ghost (since I knew exactly when and where I picked it up). Since the tool requires you turn off restore, and I had already run it twice, that is not an option for me.

Good luck. This drove me insane.

Alan is my current hero.
Kat
And I quote *Alan was VERY good.*
partialinsomniac
Per Kat's and AMS's suggestion, I'll wait for Alan's help. Thanks.

I did notice the DNS settings were tampered with. The day before I noticed the problems with Google, I had no internet the whole day. I thought Comcast was down before realizing all the other computers in the house had internet, and it wasn't the router's fault.

Unfortunately... I've run the tool three times now, and didn't even think about system restore. I've deleted the two Hosts files in C:\Windows\Help. I've tried to fix some of the registry problems that weren't fixed by the tool based on Symantec's site. Still no go.
Alan
The way I helped AMS fix this was not to delete the hosts file in C:\Windows\help, but to edit it. FYI: the hosts file in C:\Windows\help should not be there. It is placed there by the trojan and a registry modification is made pointing to it instead of the hosts file in C:\Windows\System32\drivers\etc.

This is the process I would go through to get the search functionality back.
1) Update your virus definitions and run a full system scan, or download a removal tool and run it. This should remove the virus/trojan from your system, but may not repair changes that were made.
2) Look at your DNS settings in Network Properties and make sure they are correct. For most of us the setting should be "Obtain DNS server address automatically" because it is assigned to you by your ISP.
3)* Edit the hosts file residing in C:\Windows\help (or C:\Winnt\help in Windows 2000). What you want to delete from that file are all the entries that look like xxx.xxx.xxx.xxx Name of Search Engine URL where xxx are numbers. Also, look at the hosts file in C:\Windows\system32\drivers\etc and make sure that has not been tampered with. If it has, edit that also.
4) Turn your computer off, wait 30 seconds then turn it back on so changes can take effect. You can also run the command ipconfig /flushdns from a command prompt. I think it's better to reboot though, just to make sure everything resets.

*As an alternative to #3, you can delete the hosts files in C:\Windows\help, but then you should also make changes to the associated registry entry to change it back to pointing to the hosts file in C:\Windows\System32\drivers\etc. Because I'm somewhat "old school" I don't like advising people to edit the registry, so I'm not posting instructions on how to edit it.

partialinsomniac, I see that you have already done some of the steps for getting rid of the trojan. I don't know what registry changes you made or if you deleted all of the hosts files on your computer. You should have one that is legit sitting in C:\Windows\System32\drivers\etc. You can copy and paste that one into C:\Windows\help and reboot. Just make sure it hasn't been tampered with and remove any of the xxx.xxx.xxx.xxx Name of search engine entries.

In case anyone needs it, here's the text from an unchanged hosts file. Copy and paste into notepad and save as hosts (without a file extension) in the necessary Windows folders.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


EDIT: Forgot to add the following: Install the Microsoft Security updates.
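
An added example, not part of Alan's post: one way to do the review in step 3 with a script rather than by eye. It parses hosts-file text, keeps comments and loopback `localhost` lines like those in the unchanged file above, and flags every other mapping. The sample input, its addresses and hostnames, and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample: the clean file's entries plus hijack-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
203.0.113.7 www.google.com google.com   # constructed hijack entry
203.0.113.7\tsearch.example.net
::1 localhost
not-an-ip broken.example
"""


def audit_hosts(text, allowed=frozenset({"localhost"})):
    """Return (cleaned_text, flagged) for the given hosts-file text.

    flagged is a list of (line_number, first_field, hostnames) for every
    mapping line that is not a loopback address naming only allowed hosts.
    Malformed lines (first field is not an IP address) are flagged too.
    """
    kept, flagged = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Everything after '#' is a comment; fields are whitespace-separated.
        body = line.split("#", 1)[0].split()
        if not body:  # blank or comment-only line: keep untouched
            kept.append(line)
            continue
        try:
            ip = ipaddress.ip_address(body[0])
        except ValueError:
            ip = None
        names = [n.lower() for n in body[1:]]
        if ip is not None and ip.is_loopback and names and set(names) <= allowed:
            kept.append(line)
        else:
            flagged.append((lineno, body[0], names))
    return "\n".join(kept) + "\n", flagged


if __name__ == "__main__":
    cleaned, flagged = audit_hosts(SAMPLE_HOSTS)
    for lineno, addr, names in flagged:
        print(f"line {lineno}: {addr} -> {' '.join(names)}")
    print("--- proposed hosts file ---")
    print(cleaned, end="")
```

To check a real machine, read the text of the hosts file in C:\Windows\help or C:\Windows\System32\drivers\etc and pass it to `audit_hosts`; review the flagged lines before saving the cleaned text over the original.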
partialinsomniac
Oddly enough, I turned on the computer when I got home today to read Alan's response on how to fix it... and Google starts working again. So do the other sites. I guess the changes I made didn't set in yet.

Thanks for taking the time to type up that lengthy explanation though, Alan.