Can't seem to get rid of Qhost.A.2

According to Anti-Vir, I have the trojan called Qhost.A.2 But Anti-Vir was unable to "kill" the trojan. It just keeps popping up with a different name whenever I delete it. Even deleting it is a problem. Whenever I select it, as in right click on it or left click on it once, it will try to run and destroy everything. So I spent hours online, and the only thing I found was something made by Symantec which didn't work. I downloaded TDS-3, but it only removes Qhost.B How can I remove Qhost.A ?

 

Hithere Mike and welcome!
Are you able to zip the Qhost A (maybe in safe mode or from the dos box) and forward it to the TDS lab, submit@diamondcs.com.au ?
So detection can be added asap if not covered already.

Did TDS detect it with the latest database?
If you see it running in the Process List, is it not possible to kill that running process there, in auitostart explorer kill the autostartkey if it has that and in the alert console after the scan press submit and delete the file?
If still not there, then boot in safe mode and delete it there.

After the scan you can rightclick on one of the alerts and save to text which overview you can paste in your next posting if you want us to look with you.

And we would like to see your HijackThis log to see if there is anything else to fix. See in this thread [thread]15913[/thread] step #2 about getting the latest HJT software and how to post it so the experts can look with you for necessary fixes.

 

It doesn't seem to me like it starts up when windows does. I don't really know though because I don't know the name of the file that makes it start. I sent in two copies of the file that Anti-Vir recognized as Qhost.A.2

The thing that I don't understand is what it is trying to do. Whenever I did a search for it online, they said that it only made search engines useless. But I can't use Internet Explorer at all! I can go online and update programs like Ad-aware and Anti-Vir though.

Unfortunately, the latest database didn't recognize it. But as TDS-3 scans over the file, the trojan starts trying to do something. Anti-Vir usually stops it though...
This is the log from HijackThis (I used Ad-Aware)
Logfile of HijackThis v1.97.7
Scan saved at 1:50:33 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.xanga.com/home.aspx?user=pinkdepths
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {50DA5DE7-2B80-FEB6-E1DA-116992FF1E7B} - C:\WINDOWS\system32\quwjfskp.dll (file missing)
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\Jccatch.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37696.2766203704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com/ActiveX/BMAXSetup.cab
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

 

Hi Mike,
i asked expert advice for the HJT log you just posted.
Hope they'll be looking soon for you!

When scanning with TDS, did you have all other scanners and their resident protection closed, had you updated with the latest database and all scan options checked in TDS scan?

 

I had all the boxes checked in, and I had every scan option on. I also had the latest database. Thanks!

 

Hi mikethezipper,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {50DA5DE7-2B80-FEB6-E1DA-116992FF1E7B} - C:\WINDOWS\system32\quwjfskp.dll (file missing)

O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

Download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Regards,

Pieter

 

ok I did that. The only difference I noticed was that instead of redirecting me to a nonexistant %20www%20.something.com website, it just says Internet Explorer could not open the page. Thanks! (not a sarcastic) the qhost.a is still there though

 

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
This was one fix too many, please keep that redirection in the HOSTS file, as TDS puts it there, to avoid you being diercted to the www.dcsresearch.com domain which name no longer belongs to DiamondCS, and so using the F5 or menu option to get to the DiamondCS forum brings you thanks to that entry in the HOSTS file to the right place.

http://www.f-prot.com/virusinfo/descriptions/qhost_a.html
Does this Qhost.A description fit the A.2 or is it much different?

 

It kind of matches it. Qhost.A.2 has some of the same file names, but it completely disables the internet, not just some websites. I already followed all the instructions, and it "seems" as if it went away, but the same file keeps on popping up but this time instead of being 2kb it now says 0kb.