dcsres.exe detected as Trojan.win32.qhost.cq

Discussion in 'Trojan Defence Suite' started by DAMOX, Jul 19, 2005.

Thread Status:
Not open for further replies.
  1. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    FYI: Kaspersky Anti-virus latest definitions have identified dcsres.exe as Trojan.win32.qhost.cq. I have Kaspersky scheduled to update and scan every night, but last night it brought up the alert. I am pretty sure it is a false positive. I also have an older version of the TDS-3 installation among my files, and it alerted on that also as the same file: Trojan.win32.qhost.cq.

    Seems kind of odd . . . as I noticed the earlier post about Panda which also seems to have alerted on the same file.
     
    Last edited: Jul 19, 2005
  2. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Hi Damax,

    I have already added my findings to the 2003 post but seeing as yours is current I have cut n paste to put it here; hope you don't mind.

    "I have just installed KAV Personal Trial version 5.

    It picked up one Trojan which was dcsres.exe or Trojaan.Win32.Qhost.cq in my C:/Programme/Protection folder which I forgot (I blame my age and medication that makes me forgetful early morning) that this is my TDS-3 Licenced Edition folder. I have deleted this "virus" as KAV said it was necessary to do so.

    Having not used KAV before and I am doing so on trial for 2 days then I will move onto NOD32 on trial. I want to see for myself out of the two which I prefere before I wipe my hard drives and re-install windows next week.

    Back to the so called infection it is in the backup of KAV so whether I can reinstall the file I do not know; it is not in quarantine just backup.

    Why has KAV picked this up as a Trojan seeing as though this appears to be an old post?

    Will I have to reinstall TDS-3 now?

    Thanks"
     
  3. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    Depending on your settings in Kaspersky, you should be able to go into the Kaspersy interface|General Tab|View File From Backup|Restore File. Kaspersky will warn you, but you can still restore it. I don't know how necessary the file is, as I was able to shut down TDS-3 and start it up again without a problem . . . but I was able to restore it after Kaspersky deleted it.
     
  4. polak

    polak Registered Member

    Joined:
    Sep 1, 2003
    Posts:
    38
    Location:
    Canada
    Appears several antivirus software programs are identifying the dcsres.exe file as a trojan.

    Results of a file scan
    This is a report processed by VirusTotal on 07/19/2005 at 21:01:12 (CET) after scanning the file "dcsres.exe" file.
    Antivirus Version Update Result
    AntiVir 6.31.0.9 07.19.2005 no virus found
    AVG 718 07.19.2005 no virus found
    Avira 6.31.0.9 07.19.2005 no virus found
    BitDefender 7.0 07.19.2005 no virus found
    CAT-QuickHeal 7.03 07.19.2005 (Suspicious) - DNAScan
    ClamAV devel-20050712 07.19.2005 no virus found
    DrWeb 4.32b 07.19.2005 no virus found
    eTrust-Iris 7.1.194.0 07.19.2005 no virus found
    eTrust-Vet 11.9.1.0 07.19.2005 no virus found
    Fortinet 2.36.0.0 07.19.2005 W32/Qhost.CQ-tr
    F-Prot 3.16c 07.19.2005 no virus found
    Ikarus 2.32 07.19.2005 no virus found
    Kaspersky 4.0.2.24 07.19.2005 no virus found
    McAfee 4538 07.19.2005 no virus found
    NOD32v2 1.1173 07.19.2005 no virus found
    Norman 5.70.10 07.19.2005 no virus found
    Panda 8.02.00 07.19.2005 Trj/Qhost.BM
    Sybari 7.5.1314 07.19.2005 no virus found
    Symantec 8.0 07.19.2005 no virus found
    TheHacker 5.8.2.072 07.19.2005 no virus found
    VBA32 3.10.4 07.19.2005 Trojan.Win32.Qhost.cq
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Panda have now fixed it in this Mornings Update, they inform me

    And If VBA haven't already then they will very soon
     
  6. FanJ

    FanJ Guest

    Hi Derek,

    Do you know whether KAV has fixed it?

    The strange thing is that I didn't get the warning from KAV 4.5 on W98SE (scanned in Safe Mode).

    Cheers, Jan.
     
  7. m?rio

    m?rio Guest

    Hi
    I have descovered the false alarm with panda and the antivirus desinfected the file, do i have to reinstall the TDS3 antitrojan.
    Thank you


    Mário
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Kav wasn't detecting it yesterday on my computer BUT it is with this mornings update so I have emailed KAV and alerted them

    If I don't get a response within a couple of hours and I normally do then I have a private email for head of development who will definitely respond quickly
     
  9. FanJ

    FanJ Guest

    Thanks Derek !!!
     
  10. FanJ

    FanJ Guest

    Well, just got the warning now too from KAV 4.5 on W98SE, defs 131200

    Edited to add:
    And with the defs 131253
     

    Attached Files:

  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think Gavin or Wayne had better email to Eugene at KAV about this as their analysts seem to be saying that as it does change the hosts file with no apparant warning to the user it stays detected as part of the q-hosts general detection I assume

    If Wayne of Gavin can convince them it's good something might happen

    I have sent a private message to a couple of KAV boids I know to see if they can sort it out but it doesn't look hopeful from my end
     
  12. FanJ

    FanJ Guest

    Just heard back from Aleks Gostev, Kaspersky Lab:

    "False will be fixed in next update."
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    After several emails back and forth he has also replied to me saying it will be removed in next update so that is a result as well
     
  14. FanJ

    FanJ Guest

    With the defs 131261 still detected as Trojan-Clicker.Win32.Qhost.i
     
  15. FanJ

    FanJ Guest

    Checked again (with the defs 131323): it looks like it is fixed :)
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Mario,

    I can just send you the file if you like, I'll email it shortly.

    Thanks to everyone for alerting KAV, and thanks to KAV for a speedy fix :)
     
  17. m?rio

    m?rio Guest

    Hi
    Thank you gavin i received it and because i am a newbie i want to make sure that i did the right thing i have placed it in c:\programas\tds3 is it correct?
    Thank you very much this is a great forum and i have learned and still learn a lot with it.
    Best regards


    Mário
     
  18. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, mário

    Yes you have put it in the correct folder [place].

    Take Care,
    TheQuest :cool:
     
Thread Status:
Not open for further replies.