Another infection on my computer! Help

Hi,

Well thanks for everyone's help from the last infection but this time I ran a indepth scan with escan (KAV Engine) on my whole c drive and find this

File C:\WINDOWS\system32\drivers\etc\hosts infected by "Trojan.Win32.Qhost.r" Virus. Action Taken: No Action Taken.

Unfortunatly only Kav, Fortinet and MKS detect (According to Jotti scanner) and this blighter sailed straight through Nod32

File is on its way to Eset zipped!

In the meantime could someone advice if I can safely delete the file or should I ruan a hyjack this log?

Many Thanks

Jlo

 

jlo,

I removed your HJT log as this service is not permitted here anymore.

More info and help here,

https://www.wilderssecurity.com/showthread.php?t=42148


snowbound

 

sorry I did not realise.

Kind Regards

Jlo

 

No problem, it happens.



snowbound

 

Open this file with the editor and delete all lines, then paste this and save it:

Code:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

That's it

 

Many thanks Happy Bytes,

Do you mean go to run and use regedit?

Once in there would it be possible to give me some direction as to where to go as I am not used to editing regestries?

Thanks

Jlo

 

Nope.

Just open this file:
C:\WINDOWS\system32\drivers\etc\hosts
in Notepad and edit it so it looks like the one Happy Bytes posted over.

 

No, not the registry.

You have to edit the hosts file.

Take a look into your scanreport and you see the path + filename.

Edit this hosts file and do what i told you. After that ---> You're clean!

 

Here, this bugger you have to edit

 

General Info for all:

Take from time to time a look to this file!
If it's getting larger than around 700 bytes on a windows xp system without adding blocked URL's then there's something suspicious....

A lot of spyware and worms changing this file to prevent Antivirus programs from updating. So if you have update trouble - this file could be the reason for it !

8^) HB.

 

Thanks for the advice Happy Bytes.

Yep got the file and opened it in notpad is suggested, copied and pasted and saved. Rescanned at Jotti and all is fine.

Will keep an eye on the file in the future. The original sample is already zipped was sent just about 1hr ago.

Wonderful website with great support.

Cheers

Jlo

 

Thanks to kjempen as well

 

Interesting!

 

Hi jlo, here is a DIY site, I know absolutely nothing about it. I leave you to read and decide for yourself whether or not you wish to use it.
I have not used it so cannot give an opinion.

http://www.hijackthis.de/en

 

Have you checked your hosts file as suggested? A year or so ago I used to use Panda and it detected Spybot's host file as being the Qhost trojan simply because it modified the address of several known hacker sites to the local machine address. It(Panda) didn't check to see that the address listed was 127.0.0.1 it merely looked for the named address and detected it as a malicious change. Since then I take Qhost detections with a grain of salt and check the hosts file myself to see what the problem is.

 

For more info and links to do with the Hosts file see 14, 15 and 16 here.

Hope this helps...

Cheers

 

Since I know absolutely nothing about this subject, I decided to open C\Windows\system32\drivers\etc\hosts. This is what I found......


# Hosts file rewritten by Mydoom Removal Tool

127.0.0.1 localhost
127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial.


I don't use AdSubtract anymore. I have no idea what to make of the Mydoom Removal Tool. What should I do?

 

Just overwrite your hosts file with what Happy Bytes gave you above, then make it "Read Only" so it can't be written into again.

To read more about your hosts file, take a look at #14 in the link that I gave you above.

Cheers

 

OK. All done. Thanks Blackspear.

 

My pleasure.

Cheers

 

Be sure to used Blackspear's settings... might keep this from happening again.

 

Better NOD32 should update its advanced heuristics to detect more Trojans.

 

Pykko, welcome to Wilders.

Eset are improving detection of Trojans at a rapid pace, they really don't need reminding about this, and as such please refrain from posting the same question/statement in multiple threads, as it starts to look like spam.

Cheers

Blackspear.