TROJ_QHOSTS.A cleaning tool

Hi,
Does Eset have a cleaner for the October 1 QHosts trojan?
Paolo, are you listening?

I've got a customer with this trojan, and the cleaning is pretty technical, not something I want to try to talk her through.
thanks, Rob

 

Hi rflum,

If you could get your customer to follow these instructions I can talk you through removal.

Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Danke, Pieter,
Will do. I'm putting together something to mail to her now, and will come back when I have the log.
Rob

 

Symantec has a cleaning tool for QHosts: http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

 

BTW, MS issued yesterday an IE patch update that should prevent this object data vulnerability from being exploited by QHosts and its ilk: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

 

Does NOd32 even detect this?

I can't find it in the nod32 database.

 

http://www.wilderssecurity.com/showthread.php?t=14521

 

Hi all,

I would not recommend using the Norton removal tool for this trojan until they have resolved a few issues.
Running the removal tool does not undo all the changes made by QHosts, and corrupts your System Restore in the process, if you are running Windows ME or XP.

For the time being I would advise anyone that gets hijacked by this pest to post a HijackThis log in the Privacy Problems forum.

The tool was tested by Mosaic1 at SpywareInfo and the results were not satisfactory.

Regards,

Pieter

 

Wow! Kudos for posting that info, Pieter! I wouldn't have posted the link to Symantec had I known there were problems with it. Thanks for pointing out that it may create more problems.

 

Hi sig,

Removal turns out to be not as easy as we expected. Merijn has been working on HijackThis 1.97.3 for a few days and although the beta does a much better job then the Symantec tool, he is not satisfied enough to end the beta stage.

Regards,

Pieter

 

Unfortunately, I decided to send her the Symantec tool instead of HijackThis before Sig even posted, so I read Pieter's post with chagrin.

The customer had also moved quickly:
" I have Win98SE, but think I have successfully cleaned up my computer. I had deleted the Hosts file that it created and the empty c:\bdtmp\tmp files - it deleted the aolfix.exe itself, so I never saw that. I manually deleted all of the registry entries that Symantic said it created, and was then able to get online again without any problems. I was worried because I never found where it put the %Windir% files. "
When she ran the Symantec tool, it said she didn't have the trojan, so hopefully it didn't do anything.
She doesn't have System Restore, so that wasn't a problem.
I'm a little worried about her deleting the HKLM\SYSTEM\ControlSet00n\Services\Tcpip\Parameters registry entries, and I'm not sure how much she deleted under HKLM\SYSTEM\ControlSet00n\Services\Tcpip\Parameters\Interfaces. I don't know if doing that would disable something important. I sent her the default hosts file to put back.
Rob

 

Hi Rob,

Lucky she was smart enough to follow the directions at the Symantec site, which are pretty much accurate. (Can't understand why their tool doesn't follow them).
And she was on Windows 98 rather then a NT version.
Qhosts changes the path to the hosts file in the registry for Windows NT versions and the tool does not correct that and does not remove the hosts file in that location.

So, all in all I think she'll be fine.

Regards,

Pieter

 

Hi, Pieter,
Well, lucky is not my goal. I'm sorry I didn't follow your lead, even though it turned out ok.
How is Merijn doing with the cleaner?
Cheers, Rob

 

Unfortunately, this still doesn't address the original issue that we have to recommend the Norton cleaner when we're touting the advantages and strengths of NOD32 to our customers...? I'd really like to see the prompt release of a cleaner from NOD for major outbreaks of this type, rather than having to explain why I'm sending the Norton (or McAfee, or whateverbutitsnotNOD) cleaner when I've been telling them how great NOD32 is. It just doesn't look good.

 

yeah, what he said.........
Paolo isn't even an eset employee, and he's writing the only eset cleaners I know about......

 

Sorry for repeating myself, but where is this coming from?
Why should NOD come up with a cure for, admittedly a somewhat complicated, hosts file hijack? Do you have any idea how many of those are out there?

 

It's good enough to lift the consequences, but not yet perfect.

Regards,

Pieter

 

It's a customer relations thing. Customers generally don't know the difference between a virus, a worm, a hijack, etc. They just know eset is their anti-virus, and lumping all of the above into one bag, they look to eset for solutions.
When your major competitors furnish this service, you look second-rate when you don't.
Rob

 

^^^^^
My Point exactly!

How many individuals actually do a windows update? And how many would rather have an antivirus that ads another layer of defense in addition to a windows update (which might not be done for a month or two).
If I was a layman and I saw that Norton, panda etc detects this specific strain while I keep getting infected when I am using Nod then I would go with Norton, panda etc. It's just the fact of life.

 

Sorry, I tacked this onto this thread because the IDEA was relevant. If you want to split hairs about which infections should be picked vs. ignored, go right ahead. The problem, as someone has already mentioned, is one of customer relations. The great unwashed has come to EXPECT a cleaner for the more severe outbreaks (i.e. the ones they see on CNN...), and has become used to having them available in a timely fashion. Sysadmins also need them, since the patching schedule on a server (or servers) is generally behind the curve due to testing, especially when there are a large number of machines and applications involved. This opens a window of opportunity, however small, that could lead to the need for a cleaner/disinfector.

My point still remains that "it just looks bad" when we can't practice what we preach re: AV products. NOD is unparalleled in detecting the little buggers, and is one of the fastest with getting the definitions out to end users. That expertise just needs to be expanded to cleaners as well.

 

When a hijack has the potential to redirect users to sites containing malware for the purpose of further infecting the PC, which is the concern with the IE/Windows object data vulnerability and QHosts, then AV vendors should be taking a serious look at including it in their databases.

And if someone should say well this is a Windows problem, not an AV issue, the AV industry has been built and exists as it is in large part due to "Windows problems." In regards to this specific vulnerability/exploit, the first MS patch did not work, according to MS all windows users are vulnerable as long as they have IE on their systems even if they don't use IE, and reportedly even disabling ActiveX is not enough to prevent exploitation of this vulnerability. MS has now issued another patch but I imagine no one now believes that all Windows users have installed the patch, which one hopes actually works this time.

AV's and even some AT's are now increasingly including what might have previously been regarded as "nuisanceware" in their databases due to the consequences for this crud to mess up one's PC and/or the potential additional security risks which also could be exploited with more serious consequences.

Furthermore, perhaps most "viruses" in the wild now are not actually viruses but worms and varieties of trojans and bots. The concept of a "pure" AV that limits itself solely to viruses has been an outmoded concept for years now. In reality and in the marketplace as well. A look at NOD's own updates page confirms that.

As for standalone "fixes," kudos to Paolo for his work, but unfortunately they are not available on all ESET sites. I imagine that the individual local ESET sites are separately managed by local affiliates so it's up to them what they put on their sites. Some are better than others; Paolo's and Rod's sites come to mind. But if fixes are available they should at minimum also be available at/through ESET's own home site(s).

No one imagines that ESET's available resources are comparable to Symantec's when Symantec takes over and absorbs entire companies like a snack. But still where relatively simple improvements can be made they should be as ESET is undoubtedly aware that the marketplace is extremely competitive and VB results alone are not enough to not only initially sell a product but also retain customers.

 

Again, from the customer point of view, do I have to buy 15 different products to protect myself from the same kind of problem? I think viruses, trojans, and worms are close enough to be the same thing in a customer's mind. Even this kind of thing, that strictly speaking, isn't in the same league with the above, cripples the functionality of the PC and is therefore probably lumped in with the others.
Realistically, it's going to be way more expensive the more products you layer on.
Spyware is different; it's annoying, but it doesn't keep the customer from doing what they want to do until it reaches epic levels, and it doesn't cause damage to the PC's software. It's different enough to be separate to the customer.
I think (MHO) that like everything else, the breakout of functionality into different products has to be reasonable, not religious. I also think that in this case, the audience is sufficiently non-technical (Ever try to explain how to copy and paste to somebody who doesn't know how to bring a second window to the foreground?) to be unable to appreciate the nuances, and to be annoyed if the product doesn't cover what they think it "ought to".
Rob
....this thread is getting out of hand....
Somebody stop us before we break something!

 

Not at all. Suggesting that ESET include something notably in the wild that exploits a potentially dangerous known Windows vulnerability is not the same as suggesting NOD duplicate all anti-adware/spyware databases. QHosts and the exploit it uses isn't a doubleclick cookie.

AV's vendors, including NOD, do make choices on what to include in their databases and these choices appear not to be based on an adherence to some strict guideline between types of exploits and malware. For example, NOD's latest update includes Win32/AdClicker.C which I'd not heard of before. Since ESET's online db encyclopedia is still severely limited here is the description from Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.adclicker.c.trojan.html Note the threat metrics regarding this "trojan."

In contrast, here's Symantec's write up for QHosts (an exploit that has received public attention given the means of exploit and its apparent frequency ITW). Note the threat metrics for this "trojan" and compare to adclicker: http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

Consequently, suggesting that ESET include QHosts in its database, given what else it already has there, is far from an outlandish suggestion. I don't believe it is the equivalent to suggesting that NOD incorporate the complete databases of antispyware apps and neither does it merit such a comparison.