[Desperate] I need your help, can't get rid of Win32/Qhosts-trojan

Hey everyone!

I've used a licensed version of NOD32 for the laast four years and have been a very satisfies customer. Today I got a file of the Internet, I deep-scanned it manually before unpacking it and NOD32 found nothing. I then unzipped the file and ran it. Immediately I got a warning about Win32/Qhosts trojan. NOD could not clean it, not delete it. All I could to was to put it in the quarantine. I did so and 0.1 seconds later I got the same warning message again. I've tried:

1. Running NOD32 deep-scan of all my drives and folders - nothing
2. I have downloaded Symantecs Qhosts-tool, it finds nothing.
3. I have manually tried to remove the trojan by following Symantecs steps
4. I have downloaded Hijackthis (log available)
5. I have run Ad-aware
6. Spybot
7. Outpost Firewall with the latest updates

And the trojan is still in my computer.

Any help would be greatly appreciated!

Thanks!

 

Just to make sure....was this some type of Hosts file you downloaded ?

Previous thread concerning Win32/Qhosts-trojan---> NOD32 detect virus on my HOST...

 

have you tried rebooting into safe mode and running a deep scan and clean?

 

I assume the trojan was dropped by the file you ran, and AMON moved it to quarantine automatically upon create. The best would be to get a screenshot of the AMON alert window which would show what actually happened.

 

Thank you for your replies!

I have fixed the issue now thanks to Outpost Firewall with the included Anti-spyware plugin. The AMOM alert window is exactly the same as in this thread:
https://www.wilderssecurity.com/showthread.php?t=79602
Although in my case it does not point to a file but to this directory:
C:\WINDOWS\system32\drivers\etc

I'm afraid I don't have a screenshot available.

How come NOD32 could't clean that file?

 

Hi . Marcos said it well , the application yoy started download malicius host files and attempted to place them into your Host dir . NOD32's AMON immediately got the malicious files upon created .

Because this is not a virus/file infector , it is a trojan and trojans are not cleaned , they can only be deleted . AMON is set by default to move newly created infected files to quarantine , which is excellent option . You just got informed the malware is now gone

And to add , delete that file you d/l from Internet and never use it again . Be careful and never download/run stuff from untrusted sourse

 

That is the location for a Hosts file.

Bubba

 

The thing is that if I choose to delete the file, NOD32 said it couldn't delete. If I closed down the alert window, it took NOD less than a second to display the same alert window, over and over and over again. So no, NOD32 did not clean it, maybe it put it in the quarantine but some "left-overs" were still on my hdd as it never stopped. The only thing that saved me was Outpost.

 

No , NOD32 didn't let you delete the file (the options are blank) because the file is moved to quarantine , previously auto-deleted by NOD32 and later moved to quarantine . The alert poped-up again because the trojan-downloader (the one that downloads the malicious host files) is still loaded in memory and attempt second downloading because the first one was unsuccessful thanks to NOD32

I would also suggest your email ESET's lab and send them (as attachment) the file you downloaded from internet , the one that you mention in your first post + a link to be downloaded and a link to this thread ; the address is samples@eset.com