Compatible Support Forums
Ace

Qhosts virus variation removal technique

Wow, this is some great advice that could pretty much help me. But yesterday night, I shut down my computer and turned it back on today. Everything started up normally, except that msconfig message, but besides that, McAfee came up saying that Qhosts.apd has been detected in the HOSTS file. Instead of just ignoring it, I pressed Delete and it was a success, but the same message popped up 3 more times but I just pressed Stop. For some reason, now I can surf the internet including the Symantec and McAfee websites.

I went to the HOSTS file, but it wasn't called hosts, it was called lmhosts.sam. So I didn't try to edit it yet. I also looked in my registry to see if the computer was actually looking for the HOSTS file in the right place, and everything was correct. Also, I think my DnsPriority had 2000 while LocalPriority was at 499 and HostsPriority was set at a value of 500.

And, in order to fry those fake .exe's, I would go into the Recovery Console. Is that the option when you boot Windows off the Windows XP CD? Couldn't I just manually delete them all myself? I've gone to Symantec, but how can I be sure when they would release a patch to remove the variations of this Trojan?

Thanks again for your help.


Hey Alecstar and others,

Well, I believe the Trojan is still there, but all his "little buddies" are another problem. Remember all those .exe's? Those are actually viruses that are called W32/Gaobot.worm.gen. I haven't seen this virus before.

Anyways, I noticed this when I went into my C drive. Each time I opened it, I believe it would run, because each time McAfee would stop me. So then I did a virus scan and it found Microsoft.exe as the big file containing W32/Gaobot.worm.gen. Then all of the random-name .exe's came after it. All of them were deleted except for about 20 of them. Would you happen to know why? It's strange though. I don't know why McAfee detects them as a virus now when it had a lot of time to detect it before.

I also used Ad-aware and it detected a registry value. In the results, it said it would be a way for hackers to take control of my computer. So I made sure it was deleted, but then my SpywareGuard came up saying that a registry change in IE was going to happen. It was changing the homepage, about:blank, to a Microsoft site which ended up being MSN. I said to keep the new value and I made sure IE ran, and it did. I changed the homepage back to about:blank, and the same message popped up and I said to keep the new value. What could this be all about?

I hope the virus is completely gone now, but I have no absolute way of checking. As for the Trojan, I haven't really done anything to make sure that it's gone. I mean, all my registry stuff is correct and I can go to Symantec and those websites. Also, I don't think that it infects IE in any way. It's mainly the HOSTS file.

I will probably restart my computer now as well, just to see what bad things pop up when it comes back, and hopefully the computer will be ok.


Hey,

Well, I got some good news and bad news. First, after my restart, my computer seems pretty ok. No error messages and no McAfee message saying it detected the Qhosts.apd. Also, remember the msconfig message that disappears by itself? It now actually stays there until I press "OK", then it goes away. With all that, my computer is running fine.

But now something else is strange. Well, the 20 randomly named .exe's are still there doing nothing, and hopefully they stay doing nothing. Also, for some reason, each time I change the Homepage for IE, SpywareGuard will always come up warning me that I'm changing the IE Homepage and the registry is going to change. Also, if the IE homepage is about:blank, I scan with Ad-aware and the file that "Allows hackers to control my IE" will ALWAYS come up. Each time I delete it, SpywareGuard will come up again saying the Homepage is going to change. So really, I can't keep my Homepage as about:blank anymore. If the Homepage is a website such as Google, then no file is found by Ad-aware.

I don't know what's happening there, but hopefully everything is going to be fine.


Where might the submission section be? I went to Symantec Security Response, but I can't seem to find where to go in order for me to submit files or even ask them questions. Could you give me a direct link?


Hi, I also got this virus.

It disabled my Norton LiveUpdate, and it won't let me go to Norton's download page to download the virus definitions or the qhost removal tools. I used a non-infected computer to download them and tried to run them on my infected computer. The removal tool simply doesn't work (variation maybe?), and after I updated my virus definitions and enabled the auto protect manually, it said right away that I got the qhost virus in my host file located in c:\windows\system32\drivers\etc\host and it automatically deleted it. After that I was able to browse Norton's page. However, after I restart my system, the problem comes again: NAV auto protect won't start and I cannot browse Norton's page.

I checked the registry with the info Alecstaar gave, and it's all fine: the path of the host file is right, and the DNS delays are at their default settings. I also used msconfig.exe and tried to look up any bs.exe in the startup section, and I found nothing.

Now I have just changed the values of the DNS delay in the registry and changed the attribute of host to read-only, and I'm going to restart my system and see how it goes...

p.s. man, this virus is annoying :P

 

kmkwok
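
Added example, not part of any post in this thread: a small Python audit of HOSTS-file text that reports every mapping overriding name resolution for the antivirus vendor sites the posters could not reach. The `WATCHED` list, the function names and the `SAMPLE` content are assumptions made for illustration; the sample entries are constructed and use documentation addresses.

```python
import ipaddress

# Vendor domains named in the thread; extend this tuple for other products.
WATCHED = ("symantec.com", "mcafee.com", "norton.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return mappings that override resolution of a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        for domain in watched:
            # Match the domain itself or any subdomain, never a mere suffix.
            if name == domain or name.endswith("." + domain):
                blocked = ip.is_loopback or ip.is_unspecified
                kind = "blocked" if blocked else "redirected"
                findings.append((line_no, str(ip), name, kind))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # constructed entry
203.0.113.7     download.mcafee.com
0.0.0.0         NORTON.COM.
192.0.2.10      intranet.example   notsymantec.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Run against the text of the real HOSTS file after each reboot, an empty result means no watched vendor domain is being overridden there; a non-empty one that returns after cleanup means something is still rewriting the file.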


ahhh damn it lol

it doesn't work

For manually deleting the bs.exe in RC, may I ask which path they are in, or do I just search randomly??

 

kmkwok
