TROJ_QHOSTS.A cleaning tool

Discussion in 'NOD32 version 2 Forum' started by rflum, Oct 3, 2003.

Thread Status:
Not open for further replies.
  1. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    Hi,
    Does Eset have a cleaner for the October 1 QHosts trojan?
    Paolo, are you listening? ;)

    I've got a customer with this trojan, and the cleaning is pretty technical, not something I want to try to talk her through.
    thanks, Rob
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi rflum,

    If you could get your customer to follow these instructions I can talk you through removal.

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    Thanks, Pieter,
    Will do. I'm putting together something to mail to her now, and will come back when I have the log.
    Rob
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Symantec has a cleaning tool for QHosts: http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    BTW, MS issued yesterday an IE patch update that should prevent this object data vulnerability from being exploited by QHosts and its ilk: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
     
  6. testg

    testg Guest

    Does NOd32 even detect this?

    I can't find it in the nod32 database.
     
  7. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    http://www.wilderssecurity.com/showthread.php?t=14521
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi all,

    I would not recommend using the Norton removal tool for this trojan until they have resolved a few issues.
    Running the removal tool does not undo all the changes made by QHosts, and corrupts your System Restore in the process, if you are running Windows ME or XP.

    For the time being I would advise anyone that gets hijacked by this pest to post a HijackThis log in the Privacy Problems forum.

    The tool was tested by Mosaic1 at SpywareInfo and the results were not satisfactory.

    Regards,

    Pieter
     
  9. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Wow! Kudos for posting that info, Pieter! I wouldn't have posted the link to Symantec had I known there were problems with it. Thanks for pointing out that it may create more problems.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi sig,

    Removal turns out to be not as easy as we expected. Merijn has been working on HijackThis 1.97.3 for a few days and although the beta does a much better job than the Symantec tool, he is not satisfied enough to end the beta stage.

    Regards,

    Pieter
     
  11. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    Unfortunately, I decided to send her the Symantec tool instead of HijackThis before Sig even posted, so I read Pieter's post with chagrin.

    The customer had also moved quickly:
    " I have Win98SE, but think I have successfully cleaned up my computer. I had deleted the Hosts file that it created and the empty c:\bdtmp\tmp files - it deleted the aolfix.exe itself, so I never saw that. I manually deleted all of the registry entries that Symantec said it created, and was then able to get online again without any problems. I was worried because I never found where it put the %Windir% files. "
    When she ran the Symantec tool, it said she didn't have the trojan, so hopefully it didn't do anything.
    She doesn't have System Restore, so that wasn't a problem.
    I'm a little worried about her deleting the HKLM\SYSTEM\ControlSet00n\Services\Tcpip\Parameters registry entries, and I'm not sure how much she deleted under HKLM\SYSTEM\ControlSet00n\Services\Tcpip\Parameters\Interfaces. I don't know if doing that would disable something important. I sent her the default hosts file to put back.
    Rob
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Rob,

    Lucky she was smart enough to follow the directions at the Symantec site, which are pretty much accurate. (Can't understand why their tool doesn't follow them).
    And she was on Windows 98 rather than an NT version.
    Qhosts changes the path to the hosts file in the registry for Windows NT versions and the tool does not correct that and does not remove the hosts file in that location.

    So, all in all I think she'll be fine. :)

    Regards,

    Pieter
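Pieter's point above is that on the NT family the hosts file is found through a registry value, so a cleanup that only edits the file in the usual place can miss a relocated copy. The script below is an added audit example, not a tool from the thread or from ESET, Symantec or Merijn: on Windows it reads the configured hosts directory from the Tcpip\Parameters key (the DataBasePath value, which is a real value but is not named on the page), reports whether it still points at the default location, and lists every hosts entry that maps a name somewhere other than loopback. Off Windows it runs the same parser over a constructed sample file so the logic can be exercised anywhere. The default directory and the sample entries are assumptions for illustration.

```python
"""Audit the hosts-file location and contents for a hosts-file hijack.

Added example (not from the thread). Assumptions: a stock Windows NT-family
layout where the hosts directory is the DataBasePath value under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters.
"""
import os
import sys

# Assumed default hosts directory on a stock NT-family install.
DEFAULT_HOSTS_DIR = r"%SystemRoot%\System32\drivers\etc"
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, [hostnames]) tuples for every active line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname to resolve, nothing to flag
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Entries that send a hostname anywhere other than the loopback address.

    A clean hosts file normally only maps localhost to 127.0.0.1, so every
    other mapping is worth a manual look after a suspected hijack.
    """
    return [(ip, names) for ip, names in parse_hosts(text) if ip not in LOOPBACK]


def registry_hosts_dir():
    """Read the configured hosts directory from the registry (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
    return value


def path_is_default(configured):
    """True when the configured directory is the assumed default location."""
    expand = lambda p: os.path.normcase(os.path.expandvars(p))
    return expand(configured) == expand(DEFAULT_HOSTS_DIR)


# Constructed sample, not a capture from a real machine.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
# a hijacked entry redirects a well-known name to a foreign address
192.0.2.10      www.example.com example.com
"""


def audit(text, configured=None):
    """Summarise the audit: (path_still_default_or_None, suspicious entries)."""
    default = None if configured is None else path_is_default(configured)
    return default, suspicious_entries(text)


if __name__ == "__main__":
    configured = registry_hosts_dir()
    if configured is not None:
        hosts_file = os.path.join(os.path.expandvars(configured), "hosts")
        text = ""
        if os.path.exists(hosts_file):
            with open(hosts_file, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
    else:
        text = SAMPLE_HOSTS  # off Windows: exercise the parser on the sample
    default, hits = audit(text, configured)
    if configured is not None:
        print("DataBasePath:", configured, "(default)" if default else "(CHANGED - review)")
    for ip, names in hits:
        print("non-loopback mapping:", ip, "->", ", ".join(names))
```

When the registry path has been changed, clean the hosts file at the location the value points to and restore the value to the default directory; deleting only the file in the usual place leaves the relocated copy in effect.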
     
  13. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    Hi, Pieter,
    Well, lucky is not my goal. :p I'm sorry I didn't follow your lead, even though it turned out ok.
    How is Merijn doing with the cleaner?
    Cheers, Rob
     
  14. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Unfortunately, this still doesn't address the original issue that we have to recommend the Norton cleaner when we're touting the advantages and strengths of NOD32 to our customers...? I'd really like to see the prompt release of a cleaner from NOD for major outbreaks of this type, rather than having to explain why I'm sending the Norton (or McAfee, or whateverbutitsnotNOD) cleaner when I've been telling them how great NOD32 is. It just doesn't look good.
     
  15. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    yeah, what he said.........
    Paolo isn't even an eset employee, and he's writing the only eset cleaners I know about...... :eek: o_O :(
     
  16. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Sorry for repeating myself, but where is this coming from?
    Why should NOD come up with a cure for, admittedly a somewhat complicated, hosts file hijack? Do you have any idea how many of those are out there?
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    It's good enough to lift the consequences, but not yet perfect.

    Regards,

    Pieter
     
  18. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    It's a customer relations thing. Customers generally don't know the difference between a virus, a worm, a hijack, etc. They just know eset is their anti-virus, and lumping all of the above into one bag, they look to eset for solutions.
    When your major competitors furnish this service, you look second-rate when you don't.
    Rob
     
  19. testg

    testg Guest

    ^^^^^
    My Point exactly!

    How many individuals actually do a Windows update? And how many would rather have an antivirus that adds another layer of defense in addition to a Windows update (which might not be done for a month or two).
    If I was a layman and I saw that Norton, panda etc detects this specific strain while I keep getting infected when I am using Nod then I would go with Norton, panda etc. It's just the fact of life.
     
  20. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Sorry, I tacked this onto this thread because the IDEA was relevant. If you want to split hairs about which infections should be picked vs. ignored, go right ahead. The problem, as someone has already mentioned, is one of customer relations. The great unwashed has come to EXPECT a cleaner for the more severe outbreaks (i.e. the ones they see on CNN...), and has become used to having them available in a timely fashion. Sysadmins also need them, since the patching schedule on a server (or servers) is generally behind the curve due to testing, especially when there are a large number of machines and applications involved. This opens a window of opportunity, however small, that could lead to the need for a cleaner/disinfector.

    My point still remains that "it just looks bad" when we can't practice what we preach re: AV products. NOD is unparalleled in detecting the little buggers, and is one of the fastest with getting the definitions out to end users. That expertise just needs to be expanded to cleaners as well.
     
  21. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    When a hijack has the potential to redirect users to sites containing malware for the purpose of further infecting the PC, which is the concern with the IE/Windows object data vulnerability and QHosts, then AV vendors should be taking a serious look at including it in their databases.

    And if someone should say well this is a Windows problem, not an AV issue, the AV industry has been built and exists as it is in large part due to "Windows problems." In regards to this specific vulnerability/exploit, the first MS patch did not work, according to MS all windows users are vulnerable as long as they have IE on their systems even if they don't use IE, and reportedly even disabling ActiveX is not enough to prevent exploitation of this vulnerability. MS has now issued another patch but I imagine no one now believes that all Windows users have installed the patch, which one hopes actually works this time.

    AVs and even some ATs are now increasingly including what might have previously been regarded as "nuisanceware" in their databases due to the consequences for this crud to mess up one's PC and/or the potential additional security risks which also could be exploited with more serious consequences.

    Furthermore, perhaps most "viruses" in the wild now are not actually viruses but worms and varieties of trojans and bots. The concept of a "pure" AV that limits itself solely to viruses has been an outmoded concept for years now. In reality and in the marketplace as well. A look at NOD's own updates page confirms that.

    As for standalone "fixes," kudos to Paolo for his work, but unfortunately they are not available on all ESET sites. I imagine that the individual local ESET sites are separately managed by local affiliates so it's up to them what they put on their sites. Some are better than others; Paolo's and Rod's sites come to mind. But if fixes are available they should at minimum also be available at/through ESET's own home site(s).

    No one imagines that ESET's available resources are comparable to Symantec's when Symantec takes over and absorbs entire companies like a snack. ;) But still where relatively simple improvements can be made they should be as ESET is undoubtedly aware that the marketplace is extremely competitive and VB results alone are not enough to not only initially sell a product but also retain customers.
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Are you gents stating an antivirus should in fact cover for example the databases from Adaware and Spybot S&D, and Javacool's SpywareBlaster as well?

    IMHO an antivirus is an antivirus, an antitrojan is an antitrojan etc. Layered defense is the way to go.

    regards.

    paul
     
  23. rflum

    rflum Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Location:
    Rochester, New York, United States
    Again, from the customer point of view, do I have to buy 15 different products to protect myself from the same kind of problem? I think viruses, trojans, and worms are close enough to be the same thing in a customer's mind. Even this kind of thing, that, strictly speaking, isn't in the same league with the above, cripples the functionality of the PC and is therefore probably lumped in with the others.
    Realistically, it's going to be way more expensive the more products you layer on.
    Spyware is different; it's annoying, but it doesn't keep the customer from doing what they want to do until it reaches epic levels, and it doesn't cause damage to the PC's software. It's different enough to be separate to the customer.
    I think (MHO) that like everything else, the breakout of functionality into different products has to be reasonable, not religious. I also think that in this case, the audience is sufficiently non-technical (Ever try to explain how to copy and paste to somebody who doesn't know how to bring a second window to the foreground?) to be unable to appreciate the nuances, and to be annoyed if the product doesn't cover what they think it "ought to".
    Rob
    ....this thread is getting out of hand....
    Somebody stop us before we break something!
     
  24. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Not at all. Suggesting that ESET include something notably in the wild that exploits a potentially dangerous known Windows vulnerability is not the same as suggesting NOD duplicate all anti-adware/spyware databases. QHosts and the exploit it uses isn't a doubleclick cookie.

    AV vendors, including NOD, do make choices on what to include in their databases and these choices appear not to be based on an adherence to some strict guideline between types of exploits and malware. For example, NOD's latest update includes Win32/AdClicker.C which I'd not heard of before. Since ESET's online db encyclopedia is still severely limited here is the description from Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.adclicker.c.trojan.html Note the threat metrics regarding this "trojan."

    In contrast, here's Symantec's write up for QHosts (an exploit that has received public attention given the means of exploit and its apparent frequency ITW). Note the threat metrics for this "trojan" and compare to adclicker: http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

    Consequently, suggesting that ESET include QHosts in its database, given what else it already has there, is far from an outlandish suggestion. I don't believe it is the equivalent to suggesting that NOD incorporate the complete databases of antispyware apps and neither does it merit such a comparison.
     