[Desperate] I need your help, can't get rid of Win32/Qhosts-trojan

Discussion in 'NOD32 version 2 Forum' started by Xophile, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Hey everyone!

    I've used a licensed version of NOD32 for the last four years and have been a very satisfied customer. Today I got a file off the Internet, I deep-scanned it manually before unpacking it and NOD32 found nothing. I then unzipped the file and ran it. Immediately I got a warning about Win32/Qhosts trojan. NOD could not clean it, nor delete it. All I could do was to put it in the quarantine. I did so and 0.1 seconds later I got the same warning message again. I've tried:

    1. Running NOD32 deep-scan of all my drives and folders - nothing
    2. I have downloaded Symantec's Qhosts-tool, it finds nothing.
    3. I have manually tried to remove the trojan by following Symantec's steps
    4. I have downloaded HijackThis (log available)
    5. I have run Ad-aware
    6. Spybot
    7. Outpost Firewall with the latest updates

    And the trojan is still in my computer.

    Any help would be greatly appreciated!

    Thanks!
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just to make sure... was this some type of Hosts file you downloaded?

    Previous thread concerning Win32/Qhosts-trojan---> NOD32 detect virus on my HOST...
     
    Last edited: Feb 10, 2007
  3. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Have you tried rebooting into safe mode and running a deep scan and clean?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume the trojan was dropped by the file you ran, and AMON moved it to quarantine automatically upon creation. The best would be to get a screenshot of the AMON alert window which would show what actually happened.
     
  5. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Thank you for your replies!

    I have fixed the issue now thanks to Outpost Firewall with the included Anti-spyware plugin. The AMON alert window is exactly the same as in this thread:
    https://www.wilderssecurity.com/showthread.php?t=79602
    Although in my case it does not point to a file but to this directory:
    C:\WINDOWS\system32\drivers\etc

    I'm afraid I don't have a screenshot available.

    How come NOD32 couldn't clean that file?
     
  6. ASpace

    ASpace Guest

    Hi. Marcos said it well: the application you started downloaded malicious host files and attempted to place them into your Host dir. NOD32's AMON immediately got the malicious files upon creation.

    Because this is not a virus/file infector, it is a trojan, and trojans are not cleaned, they can only be deleted. AMON is set by default to move newly created infected files to quarantine, which is an excellent option. You just got informed the malware is now gone ;)

    And to add, delete that file you d/l from the Internet and never use it again. Be careful and never download/run stuff from untrusted sources.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That is the location for a Hosts file.

    Bubba
     
  8. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    The thing is that if I choose to delete the file, NOD32 said it couldn't delete. If I closed down the alert window, it took NOD less than a second to display the same alert window, over and over and over again. So no, NOD32 did not clean it, maybe it put it in the quarantine but some "left-overs" were still on my hdd as it never stopped. The only thing that saved me was Outpost.
     
  9. ASpace

    ASpace Guest

    No, NOD32 didn't let you delete the file (the options are blank) because the file is moved to quarantine, previously auto-deleted by NOD32 and later moved to quarantine. The alert popped up again because the trojan-downloader (the one that downloads the malicious host files) is still loaded in memory and attempts a second download because the first one was unsuccessful thanks to NOD32 :thumb:

    I would also suggest you email ESET's lab and send them (as an attachment) the file you downloaded from the Internet, the one that you mention in your first post, plus a link to be downloaded and a link to this thread; the address is samples@eset.com
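
Added example, not part of the original thread or any poster's code: the alerts discussed above pointed at C:\WINDOWS\system32\drivers\etc, the Hosts file location, so one follow-up check after cleanup is to list every mapping in that file that is not a plain localhost entry. The sample contents, hostnames and addresses are constructed, and treating only `localhost` as expected is an assumption of this sketch.

```python
import ipaddress

# Directory named in the thread; "hosts" is the standard file name inside it.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Assumption: a default Hosts file carries only loopback entries for this name.
EXPECTED_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for each unexpected mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, None, fields[0], "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in EXPECTED_NAMES and addr.is_loopback:
                continue  # ordinary localhost entry
            if addr.is_loopback or addr.is_unspecified:
                verdict = "blackholed"   # name made unreachable
            else:
                verdict = "redirected"   # name pointed at another machine
            findings.append((line_no, name, str(addr), verdict))
    return findings


def audit_file(path=HOSTS_PATH):
    """Audit a Hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: documentation-range address and example domains only.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "::1             localhost",
    "203.0.113.7     www.example.com example.com  # unexpected",
    "0.0.0.0         updates.example.net",
    "not-an-ip       www.example.org",
])

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result from `audit_file()` means the file holds nothing beyond loopback `localhost` entries; any other row is worth reviewing by hand before the file is trusted again.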

     