Can't seem to get rid of Qhost.A.2

Discussion in 'Trojan Defence Suite' started by mikethezipper, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. mikethezipper

    mikethezipper Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    5
    According to Anti-Vir, I have the trojan called Qhost.A.2, but Anti-Vir was unable to "kill" the trojan. It just keeps popping up with a different name whenever I delete it. Even deleting it is a problem. Whenever I select it, as in right-click on it or left-click on it once, it will try to run and destroy everything. So I spent hours online, and the only thing I found was something made by Symantec which didn't work. I downloaded TDS-3, but it only removes Qhost.B. How can I remove Qhost.A?
     
    Last edited: Jun 7, 2004
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Mike and welcome!
    Are you able to zip the Qhost A (maybe in safe mode or from the dos box) and forward it to the TDS lab, submit@diamondcs.com.au ?
    So detection can be added asap if not covered already.

    Did TDS detect it with the latest database?
    If you see it running in the Process List, is it not possible to kill that running process there, kill the autostart key in Autostart Explorer if it has one, and in the alert console after the scan press submit and delete the file?
    If still not there, then boot in safe mode and delete it there.

    After the scan you can right-click on one of the alerts and save to text; you can paste that overview in your next posting if you want us to look with you.

    And we would like to see your HijackThis log to see if there is anything else to fix. See in this thread [thread]15913[/thread] step #2 about getting the latest HJT software and how to post it so the experts can look with you for necessary fixes.
     
  3. mikethezipper

    mikethezipper Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    5
    It doesn't seem to me like it starts up when Windows does. I don't really know though, because I don't know the name of the file that makes it start. I sent in two copies of the file that Anti-Vir recognized as Qhost.A.2.

    The thing that I don't understand is what it is trying to do. Whenever I did a search for it online, they said that it only made search engines useless. But I can't use Internet Explorer at all! I can go online and update programs like Ad-aware and Anti-Vir though.

    Unfortunately, the latest database didn't recognize it. But as TDS-3 scans over the file, the trojan starts trying to do something. Anti-Vir usually stops it though...
    This is the log from HijackThis (I used Ad-Aware)
    Logfile of HijackThis v1.97.7
    Scan saved at 1:50:33 PM, on 6/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\AVPersonal\AVSCHED32.EXE
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.xanga.com/home.aspx?user=pinkdepths
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {50DA5DE7-2B80-FEB6-E1DA-116992FF1E7B} - C:\WINDOWS\system32\quwjfskp.dll (file missing)
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\Jccatch.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37696.2766203704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com/ActiveX/BMAXSetup.cab
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
     
    Last edited: Jun 7, 2004
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Mike,
    I asked expert advice for the HJT log you just posted.
    Hope they'll be looking soon for you!

    When scanning with TDS, did you have all other scanners and their resident protection closed, had you updated with the latest database and all scan options checked in TDS scan?
     
  5. mikethezipper

    mikethezipper Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    5
    I had all the boxes checked in, and I had every scan option on. I also had the latest database. Thanks! :D
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mikethezipper,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {50DA5DE7-2B80-FEB6-E1DA-116992FF1E7B} - C:\WINDOWS\system32\quwjfskp.dll (file missing)

    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Regards,

    Pieter
     
  7. mikethezipper

    mikethezipper Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    5
    OK, I did that. The only difference I noticed was that instead of redirecting me to a nonexistent %20www%20.something.com website, it just says Internet Explorer could not open the page. Thanks! (not sarcastic) The qhost.a is still there though :doubt:
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    This was one fix too many; please keep that redirection in the HOSTS file, as TDS puts it there to avoid you being directed to the www.dcsresearch.com domain, whose name no longer belongs to DiamondCS, so that using the F5 or menu option to get to the DiamondCS forum brings you, thanks to that entry in the HOSTS file, to the right place.

    http://www.f-prot.com/virusinfo/descriptions/qhost_a.html
    Does this Qhost.A description fit the A.2 or is it much different?
     
    Last edited: Jun 7, 2004
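A small audit of the two hijack signs visible in the log above (the O1 hosts lines and the R1 ProxyServer set to localhost:8080), as an added Python example that is not part of this thread or of HijackThis/TDS. The sample lines are constructed (only the TDS hosts entry is taken from the log), and the allowlist keeps that entry, as Jooske explains.

```python
import re

# Constructed sample, modelled on the HijackThis log posted in this thread
# (hostnames other than the TDS entry are made up).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.example.invalid/search.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.searchengine.invalid
O1 - Hosts: 10.9.8.7 update.antivirus.invalid
"""

# Hosts entries a tool sets on purpose: the TDS redirect described in the
# thread, plus the stock localhost line. Anything else gets reported.
KNOWN_GOOD_HOSTS = {("64.91.255.87", "www.dcsresearch.com"), ("127.0.0.1", "localhost")}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer\s*=\s*(.+?)\s*$")


def proxy_host(entry):
    """'http=localhost:8080' or 'localhost:8080' -> 'localhost'."""
    target = entry.split("=", 1)[-1]
    return target.rsplit(":", 1)[0].strip().lower()


def audit(log_text):
    """Return (kind, detail) findings for hosts-file and proxy hijack signs."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            if (ip, host) in KNOWN_GOOD_HOSTS:
                continue
            # Loopback/null routes silently blackhole the name (the way a hosts
            # hijacker blocks AV and search sites); any other IP redirects it.
            kind = "hosts-blackhole" if ip in ("127.0.0.1", "0.0.0.0") else "hosts-redirect"
            findings.append((kind, f"{host} -> {ip}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            for entry in m.group(1).split(";"):
                h = proxy_host(entry)
                # A loopback proxy with nothing listening breaks all browsing.
                if h == "localhost" or h.startswith("127."):
                    findings.append(("loopback-proxy", entry.strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```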
  9. mikethezipper

    mikethezipper Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    5
    It kind of matches it. Qhost.A.2 has some of the same file names, but it completely disables the internet, not just some websites. I already followed all the instructions, and it "seems" as if it went away, but the same file keeps on popping up but this time instead of being 2kb it now says 0kb.
     