Another infection on my computer! Help

Discussion in 'NOD32 version 2 Forum' started by jlo, Apr 23, 2005.

Thread Status:
Not open for further replies.
  1. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    Well, thanks for everyone's help with the last infection, but this time I ran an in-depth scan with eScan (KAV engine) on my whole C drive and found this:

    File C:\WINDOWS\system32\drivers\etc\hosts infected by "Trojan.Win32.Qhost.r" Virus. Action Taken: No Action Taken.

    Unfortunately only KAV, Fortinet and MKS detect it (according to the Jotti scanner) and this blighter sailed straight through NOD32 :'(

    File is on its way to Eset zipped!

    In the meantime could someone advise if I can safely delete the file, or should I run a HijackThis log?

    Many Thanks

    Jlo
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Sorry, I did not realise.

    Kind Regards

    Jlo
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    No problem, it happens. ;)



    snowbound
     
  5. Happy Bytes

    Happy Bytes Guest

    Open this file with the editor and delete all lines, then paste this and save it:

    Code:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    127.0.0.1       localhost
    
    That's it :D
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Many thanks Happy Bytes,

    Do you mean go to run and use regedit?

    Once in there would it be possible to give me some direction as to where to go, as I am not used to editing registries?

    Thanks

    Jlo
     
  7. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Nope.

    Just open this file:
    C:\WINDOWS\system32\drivers\etc\hosts
    in Notepad and edit it so it looks like the one Happy Bytes posted above.
     
  8. Happy Bytes

    Happy Bytes Guest

    No, not the registry.

    You have to edit the hosts file.

    Take a look at your scan report and you'll see the path + filename.

    Edit this hosts file and do what I told you. After that ---> you're clean!
     
  9. Happy Bytes

    Happy Bytes Guest

    Here, this bugger you have to edit :D
     
  10. Happy Bytes

    Happy Bytes Guest

    General Info for all:

    Take a look at this file from time to time!
    If it's getting larger than around 700 bytes on a Windows XP system without you adding blocked URLs, then there's something suspicious....

    A lot of spyware and worms change this file to prevent antivirus programs from updating. So if you have update trouble, this file could be the reason for it!

    8^) HB.
     
  11. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks for the advice Happy Bytes.

    Yep, got the file and opened it in Notepad as suggested, copied and pasted and saved. Rescanned at Jotti and all is fine.

    Will keep an eye on the file in the future. The original sample was already zipped and sent just about 1 hr ago.

    Wonderful website with great support.

    Cheers

    Jlo
     
  12. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks to kjempen as well :)
     
  13. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    Interesting!
     
  14. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    716
    Location:
    Ireland
    Hi jlo, here is a DIY site, I know absolutely nothing about it. I leave you to read and decide for yourself whether or not you wish to use it.
    I have not used it so cannot give an opinion. ;)

    http://www.hijackthis.de/en
     
  15. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Have you checked your hosts file as suggested? A year or so ago I used to use Panda and it detected Spybot's hosts file as being the Qhost trojan simply because it modified the address of several known hacker sites to the local machine address. It (Panda) didn't check to see that the address listed was 127.0.0.1; it merely looked for the named address and detected it as a malicious change. Since then I take Qhost detections with a grain of salt and check the hosts file myself to see what the problem is.
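    A defender-side checker that puts Happy Bytes' 700-byte rule and flyrfan111's loopback observation into code, added here as an example and not code from the thread; the watched update hostnames and the sample hosts file are constructed placeholders, not real vendors or real infections:

```python
# Added example, not code from the thread: a defender-side checker for a Windows
# hosts file. It applies Happy Bytes' size rule of thumb and flyrfan111's point that
# loopback entries are blocks (what ad/spyware blockers add), not redirections.
SIZE_LIMIT = 700                       # bytes; Happy Bytes' figure for a stock XP file
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Hostnames whose update traffic malware tries to cut off (placeholders, not real vendors).
WATCH = ("av-vendor.example", "update.example")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def classify(text, watch=WATCH):
    """Label every non-localhost entry: block (loopback), update_block, or redirect."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue                    # the single line a clean file needs
        watched = any(name == d or name.endswith("." + d) for d in watch)
        if ip not in LOOPBACK:
            kind = "redirect"           # sends the name to a foreign address
        elif watched:
            kind = "update_block"       # loopback, but for an update host: blocks AV updates
        else:
            kind = "block"              # ordinary blocker entry, e.g. an ad server
        findings.append((name, ip, kind))
    return findings

def is_suspicious(text, watch=WATCH):
    """Oversized file or any redirect/update_block entry warrants a manual look."""
    oversized = len(text.encode("utf-8")) > SIZE_LIMIT
    bad = [f for f in classify(text, watch) if f[2] != "block"]
    return oversized or bool(bad)

# Constructed sample in the shape of what Shaker posted, plus two hostile-looking lines.
SAMPLE = """# Hosts file rewritten by Mydoom Removal Tool
127.0.0.1 localhost
127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial.
127.0.0.1 ads.tracker.example          # blocker-style entry: harmless
127.0.0.1 update.av-vendor.example     # cuts off AV updates: Qhost behaviour
198.51.100.7 www.bank.example          # redirected to a foreign address
"""
```

    Running `classify(SAMPLE)` labels the AdSubtract and ad-server lines as plain blocks, while the update host and the bank redirect are the two entries a Qhost-style edit would leave behind.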
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    For more info and links to do with the Hosts file see 14, 15 and 16 here.

    Hope this helps...

    Cheers :D
     
  17. Shaker

    Shaker Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    153
    Location:
    Northern California
    Since I know absolutely nothing about this subject, I decided to open C:\Windows\system32\drivers\etc\hosts. This is what I found:

    Code:
    # Hosts file rewritten by Mydoom Removal Tool

    127.0.0.1 localhost
    127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial.

    I don't use AdSubtract anymore. I have no idea what to make of the Mydoom Removal Tool. What should I do?
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just overwrite your hosts file with what Happy Bytes gave you above, then make it "Read Only" so it can't be written into again.

    To read more about your hosts file, take a look at #14 in the link that I gave you above.

    Cheers :D
     
  19. Shaker

    Shaker Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    153
    Location:
    Northern California

    OK. All done. Thanks Blackspear. :)
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure.

    Cheers :D
     
  21. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Be sure to use Blackspear's settings... it might keep this from happening again.
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Better NOD32 should update its advanced heuristics to detect more Trojans. :)
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Pykko, welcome to Wilders.

    Eset are improving detection of Trojans at a rapid pace; they really don't need reminding about this, so please refrain from posting the same question/statement in multiple threads, as it starts to look like spam.

    Cheers

    Blackspear.
     