Q: for sublime1-ga only ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: for sublime1-ga only
Category: Miscellaneous
Asked by: splot-ga
List Price: $10.00
Posted: 14 Oct 2003 08:01 PDT
Expires: 13 Nov 2003 07:01 PST
Question ID: 266094
About ten days ago, I became unable to get onto google homepage or to
do searches.  This is a serious problem, as I use Google a lot for
research.  One of several things would happen.  1) I might get
redirected to MyWeb 2) I might get redirected to cPanel, which would
say ' There is no website configured at this address' 3) I might get
the default 'The page cannot be displayed...'
I emailed help@google and toolbar-support, who put me in touch with
various sites.  Toolbar-support asked a lot of questions which I
answered, but got nothing back from them after this.  From help@google
addresses I downloaded both Spy-bot and Ad-Aware.  These identified and
removed many unwanted things.  I also had previously deleted temporary
internet files and cookies, via the internet explorer 'tools -
internet options' route.  I removed MyWeb and Electronic Group
intruders as described in the material from  www.doxdesk.com/parasite/
 which help@google pointed me to.  NONE OF THIS HAS WORKED IN ALLOWING
ME TO ACCESS GOOGLE.  I still get either cPanel or 'the page cannot be
displayed'.
 
My question is: how can I ever restore connection to Google? 
 
It's in this machine, as another computer here at home which is
networked behaves normally.  I can also search via CNN (my home page).
 I can get to Yahoo, but when I try to search I get a similar problem
to Google.  PLEASE HELP!!


to sublime1-ga  I hope this is what is needed -- please let me know!  
many thanks again.  PS -- do you think it was MyWeb that did the
hijack?   JM
Answer  
Subject: Re: for sublime1-ga only
Answered By: sublime1-ga on 14 Oct 2003 17:16 PDT
Rated:5 out of 5 stars
 
JM...

First, I'll reproduce the working answer below:

-
It seems evident from what you've told mvguy-ga that your hosts 
file has been hijacked (re-written). The simplest thing to do 
to test a fix would be to rename your current hosts file to 'hosts0' 
and then create a new file, in a text editor such as notepad, which 
contains the contents of the original file (everything between the 
dotted lines): 
 
----------------------------------------------------- 
# Copyright (c) 1993-1999 Microsoft Corp. 
# 
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. 
# 
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should 
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space. 
# 
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol. 
# 
# For example: 
# 
#      102.54.94.97     rhino.acme.com          # source server 
#       38.25.63.10     x.acme.com              # x client host 
 
127.0.0.1       localhost 
----------------------------------------------------- 
 
Exit notepad, saving the file as 'hosts' in the same directory that 
'hosts0' resides. Close any open browser(s) and re-open them, and 
you should be able to get to Google. 
 
If this works, you can prevent the same problem in the future by 
left-clicking your new 'hosts' file and selecting 'properties'. 
Then place a checkmark in the 'Read-only' box on the general tab. 
This will prevent anything from being written to it without your 
knowledge.
-

As to MyWeb being the source of this annoyance, no. A quick search
revealed no relationship between MyWeb and the hosts file.

So I ran a search of the IP address that you were being redirected
to whenever you tried to go to Google, that showed up repeatedly in
your hosts file: 207.44.194.56

This turned up a number of links which summarily noted that their
hosts file had somehow been hijacked and rewritten to look like
yours. A page at the Security Forums Bulletin Board finally
identified the problem precisely. It is a vulnerability in 
the IE browser which is being taken advantage of by hackers
using ActiveX programs which download without your knowledge
when you visit a malicious website, according to the posts
on the Security Forums Board:
http://www.security-forums.com/forum/viewtopic.php?t=8781&highlight=

...which quotes this article from Silicon.com:

"The 'object type' vulnerability, which was first acknowledged
 publicly by Microsoft on 20 August this year, allows an
 attacker to take control of a system by embedding malicious
 code in a web page. If the web page is viewed by an Internet
 Explorer browser - even a fully patched browser - the malicious
 code embedded in the web page will execute, experts say.
 Despite Microsoft acknowledging the patch doesn't work, it
 evidently has not yet issued a working fix for the vulnerability."
http://www.silicon.com/news/500013/1/6192.html

Other links about the 'Qhosts trojan' provided on the Board:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1879
http://isc.sans.org/diary.html?date=2003-10-01
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_QHOSTS.A

It is also noted that, in some instances, the hosts file is
relocated from its proper home in C:\%systemroot%\system32\drivers\etc
to C:\%systemroot%\help. You may want to check this out on your
system.
'%systemroot%' is either the 'Windows' or 'WINNT' directory, depending
on what operating system you're using.

If it is in its correct location, the tips I gave you should keep
it safe. If it was relocated, or exists in two locations, you may
need to edit your Windows Registry to eliminate the entries that
direct Windows to the C:\%systemroot%\help location, and delete
the hosts file from C:\%systemroot%\help. Or you can use the
automatic removal instructions cited at Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_QHOSTS.A

A bulletin about the vulnerability is given at Microsoft.
It notes that a workaround is to set your browser to ask
you before opening any ActiveX objects, though this can
be annoying. More on the page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp?frame=true&hidetoc=true

And a patch can be downloaded from Microsoft here:
http://www.microsoft.com/windows/ie/downloads/critical/828750s/default.asp

The title of the patch is "October 2003, Cumulative Patch for
Internet Explorer for Windows Server 2003", so unless you're
running IE for Windows Server 2003, I'd hesitate to install it.

To be safe, you could just go to Windows Update, and look for 
828750 among the critical updates. If it's not there, this
patch would not seem to apply to your system.

Making the hosts file 'Read-only' should keep this from happening
again, and as long as your hosts file is in the correct location
and there is not another one at C:\%systemroot%\help, and your
browser is currently working, you should be fine.


Please do not rate this answer until you are satisfied that
the answer cannot be improved upon by means of a dialog
established through the "Request for Clarification" process.

sublime1-ga


Searches done, via Google:

207.44.194.56 "hosts file"
://www.google.com/search?q=207.44.194.56+%22hosts+file%22
splot-ga rated this answer:5 out of 5 stars and gave an additional tip of: $20.00
Great help, many thanks.  Am off travelling for 2 weeks or so
therefore cannot test all your suggestions at this time.  Will on
return.  Meanwhile will close question and revert if anything like
this happens again   Keep up the good work.  JM
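The check below is an added example and is not part of the Google Answers thread or of any tool the answer links to. It does in code what the answer did by hand: parse a Windows hosts file, flag any hostnames mapped to an address that is neither loopback, private nor unspecified (a legitimate hosts file normally contains only such entries), and look for a second copy of the file in the `%systemroot%\help` location the answer warns about, reporting whether each copy carries the read-only attribute. The sample hosts contents are constructed for the example; the address 207.44.194.56 in them is the one quoted in the thread, and the function and variable names are this example's own.

```python
"""Hosts-file hijack check (added example, not from the thread). Runs on any OS;
the location check only finds something when pointed at a real Windows %systemroot%."""
import ipaddress
import pathlib
import stat
from collections import defaultdict

# Constructed sample resembling the hijacked file described in the thread:
# several search-engine hostnames all pointing at one external address.
SAMPLE_HIJACKED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
207.44.194.56   google.com
207.44.194.56   www.google.com   # trailing comment, must be ignored
207.44.194.56   search.yahoo.com
0.0.0.0         ads.example      # ad-blocking style entry, benign
"""

# Constructed sample of the clean file the answer tells the asker to recreate.
SAMPLE_CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) mappings from hosts-file text.
    Comments (from '#' to end of line) and blank lines are skipped; a line whose
    first field is not an IP address is ignored, as Windows itself ignores it."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def find_hijacks(text):
    """Group hostnames by the non-local address they are mapped to.
    Returns a sorted list of (ip, [hostnames]); an empty list means nothing
    in the file sends traffic for a name to an outside address."""
    by_ip = defaultdict(list)
    for ip, name, _ in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue  # 127.x, RFC 1918 and 0.0.0.0 entries are the normal, benign kinds
        by_ip[ip].append(name)
    return sorted(by_ip.items())


def check_hosts_locations(systemroot):
    """Report which hosts files exist under systemroot and whether each is read-only.
    'proper' is system32\\drivers\\etc\\hosts; 'relocated' is the help\\hosts copy the
    thread describes. On Windows, Python's os.stat drops the owner write bit when the
    file has the read-only attribute, so that bit is what is tested here."""
    root = pathlib.Path(systemroot)
    candidates = {
        "proper": root / "system32" / "drivers" / "etc" / "hosts",
        "relocated": root / "help" / "hosts",
    }
    report = {}
    for label, path in candidates.items():
        if path.is_file():
            mode = path.stat().st_mode
            report[label] = {"path": str(path), "read_only": not (mode & stat.S_IWUSR)}
    return report


if __name__ == "__main__":
    for label, sample in (("hijacked", SAMPLE_HIJACKED_HOSTS), ("clean", SAMPLE_CLEAN_HOSTS)):
        print(label, find_hijacks(sample))
    # Hypothetical systemroot path; replace with the real one on a Windows machine.
    print(check_hosts_locations(r"C:\WINDOWS"))
```

A result from `find_hijacks` with several well-known names funnelled to one outside address is the pattern the answer found; a `check_hosts_locations` report containing a `relocated` entry, or a `proper` entry with `read_only` false, is the condition the answer's read-only tip and location check are meant to catch.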

Comments  
Subject: Re: for sublime1-ga only
From: sublime1-ga on 22 Oct 2003 08:37 PDT
 
John...

Thanks very much for the great rating and generous tip.
