Qhosts Fix


Steph

Hello again,

A couple of weeks ago, the wonderful people of this
newsgroup helped me in determining that my computer is
infected by the Trojan.Qhost. The automatic "fixes"
offered by Symantec, McAfee, and Trendmicro were
ineffective and I returned here. This time I was told
that I would need to use the manual removal instructions.

So I am back with yet another question. Since I have
Norton Antivirus installed on my computer, I am using
their instructions for removal...located at

http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.qhosts.html

I have read and understand everything up to step 4.r
where it says

r. For each subkey, Restore the value:
"NameServer"="<IP address specified in the batch file>"


My question is where do I find this IP address and/or the
batch file? Because it appears to me that the part
between the <> symbols is something I am supposed to fill
in myself.

I looked for, but didn't find, a forum at Symantec so I
am back here in the Microsoft Newsgroups, where I always
find an answer to any problems I may be having. I can't
express how valuable you guys are to me.

Thank you in advance,
Steph


It's a little surprising that the removal tool(s) didn't work. What do
you mean by "ineffective"? I've always assumed that these removal tools
simply automate the steps given for "manual removal," so if the
automatic tool didn't work, doing the same thing by hand may not either.

That said, I think "step 4.r" is just badly written. As I understand
that article, the trojan creates a batch file that includes one or more
IP addresses, and then adds to certain registry keys the value
NameServer and sets the data for that value to the IP address specified
in the batch file created by the trojan. When the trojan is finished,
it deletes the batch file.

First of all, you need to learn how to back up the registry and then do
it. Incorrectly editing the registry can be very hazardous to the
health of your system.

Second, start up regedit and navigate to the keys mentioned in Step 4.q,
for example
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces

In the left pane of regedit, you will see a number of subkeys below that
one. In my system, there are 6, with names like:
{577B8046-9EDF-49A4-8004-F3F2BC33A77D}

Click on each of those subkeys in turn. In the right pane of regedit
you should see three columns: Name, Type, and Data. In the Name column
there may be an entry called NameServer. In my system, there is that
entry in the 1st, 3rd, and 5th subkeys; your mileage may vary. The Type
entry across from NameServer should be REG_SZ (this just means "fixed
length text string"). If the trojan has done its thing, the Data entry
across from NameServer will be some IP address. An IP address is a
32-bit numeric address written as four numbers separated by periods.
Each number can be zero to 255. For example, 1.160.10.240 could be an IP
address.

What step 4.r is trying to tell you to do is to REMOVE the IP address
inserted by the trojan and RESTORE the data to what it's supposed to be.
What the directions don't tell you, however, is what to restore to.
The "Note" in step 4.r is the only hint. "The default for many
configurations is an empty string." In fact, for all of the entries in
my system, there is nothing in the Data column across from NameServer.

More than likely, what you want to do is just to delete whatever IP
address appears across from each instance of the value NameServer. You
may find more information in the "manual" removal instructions from one
of the other vendors. Be sure you've backed up the registry first.

In any event, I suspect that if you have run the Symantec qHosts removal
tool, there will be no IP addresses in these registry keys anyway.
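The registry walk Lem describes (open each interface subkey under Tcpip\Parameters\Interfaces, look at NameServer, clear it if the trojan has put an address there) can be done by script instead of by hand. The following is an added example written for this thread, not code from Symantec or from any poster; it assumes the key layout Lem describes, that the machine gets its DNS servers from DHCP (which is why "empty" is the default Lem found), and that it is run from an elevated PowerShell prompt. Without -Fix it only reports; with -Fix it exports each subkey with reg.exe before clearing the value, which is the backup Lem insists on.

```powershell
# Added example (not from the thread): audit the per-interface NameServer values
# that Trojan.Qhosts overwrites, and optionally back them up and clear them.
param([switch]$Fix)

# ControlSet001 is the key named in the thread; CurrentControlSet points at whichever
# control set is active, so check both (assumption: the standard Tcpip key layout).
$bases = @(
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
)

# Dotted-quad IPv4 pattern: enough to tell "an address is set" from "empty".
$ipv4 = '^\s*(\d{1,3})(\.\d{1,3}){3}\s*$'

foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }
    foreach ($sub in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $ns    = $props.NameServer          # statically configured DNS servers
        $dhcp  = $props.DhcpNameServer      # servers handed out by DHCP, for comparison

        if ([string]::IsNullOrEmpty($ns)) {
            Write-Output ("{0}: NameServer is empty (default); DHCP DNS = '{1}'" -f $sub.PSChildName, $dhcp)
            continue
        }

        Write-Output ("{0}: NameServer = '{1}'; DHCP DNS = '{2}'" -f $sub.PSChildName, $ns, $dhcp)
        # NameServer may hold several addresses separated by spaces or commas.
        foreach ($addr in ($ns -split '[ ,]+')) {
            if ($addr -match $ipv4) {
                Write-Output ("    static DNS server set: {0}" -f $addr)
            }
        }

        if ($Fix) {
            # Back up the subkey first, then restore the empty-string default.
            $backup  = Join-Path $env:TEMP ("nameserver-{0}.reg" -f $sub.PSChildName)
            $regPath = $sub.Name   # full path, e.g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\...
            & reg.exe export $regPath $backup /y | Out-Null
            Set-ItemProperty -Path $sub.PSPath -Name NameServer -Value ''
            Write-Output ("    cleared; backup written to {0}" -f $backup)
        }
    }
}
```

Read the report before using -Fix: if a NameServer entry holds the address of a DNS server you configured yourself, or the same address that appears in DhcpNameServer, clearing it is not a repair, it is a configuration change. The exported .reg file can be double-clicked to put the old values back.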
 
Hi Steph - Use the Brown University Removal Tool, here:
http://software.brown.edu/dist/w-cleanqhosts.html

It works.

Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings, some of which cannot be removed
by the Removal Tools, and you'll need to do a search to find and just delete
them all, or clean them per the manual directions at the Symantec site. A
very useful tool for this purpose is HostFileReader, available here courtesy
of Option^Explicit:
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.zip
This will locate all of the HOSTS files on your designated partition and allow you to
remove them individually. Recommended, especially for the qHosts worm
problem.

You probably will then need to restore your HOSTS file if you plan to use it
for DNS speedup and/or ad blocking. Download the Hosts File Reader as above.
Then:

To create a new Default version of HOSTS, run the program, click the "Reset
Default" button. Note that this is NOT a recreation of your original HOSTS
file, but a brand new "initialized" one correctly named HOSTS in the
appropriate folder for your OS (Windows XP\2000 Location: -
C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: - C:\WINDOWS). If
you've been using your HOSTS file for ad blocking (see
http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted Ads with a Hosts
File) and/or DNS speedup, then you'll need to reset the new default you've
created for that purpose. (Using this HOSTS file for Ad blocking is
recommended, BTW, since it also blocks a lot of "malware" as well as
offensive advertising.)



--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
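Jim's point is that the HOSTS file Windows actually reads (in SYSTEM32\DRIVERS\ETC on XP/2000) may not be the only one on the disk, and that an ad-blocking HOSTS file is legitimately full of entries. The script below is an added example, not the HostsFileReader tool and not posted by anyone in this thread; it assumes an NT-family Windows where the active file lives under %SystemRoot%\System32\drivers\etc, and it treats any line that maps a name to something other than a loopback or 0.0.0.0 address (the two forms ad-blocking lists use) as worth a look, which is exactly the Qhosts symptom Steph describes: search-engine names pointed at a foreign server.

```powershell
# Added example (not from the thread): find every file named "hosts" on a drive
# and show which entries in each would redirect a name somewhere other than loopback.
param([string]$Drive = 'C:\')

# The copy Windows resolves names from; other copies are usually installer
# leftovers, backups, or a planted duplicate (assumption: NT-family path).
$active = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

$found = Get-ChildItem -Path $Drive -Filter 'hosts' -File -Recurse -Force -ErrorAction SilentlyContinue

foreach ($f in $found) {
    $isActive = ($f.FullName -ieq $active)

    # Strip comments and blank lines; what remains are the mappings that take effect.
    $entries = Get-Content -Path $f.FullName -ErrorAction SilentlyContinue |
        ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ -ne '' }

    # Ad-blocking lists (e.g. the mvps.org file) map names to 127.0.0.1 or 0.0.0.0;
    # a mapping to any other address is the kind of entry Qhosts adds.
    $suspicious = $entries | Where-Object { $_ -notmatch '^(127\.0\.0\.1|0\.0\.0\.0|::1)\s' }

    $tag = if ($isActive) { 'ACTIVE' } else { 'copy  ' }
    Write-Output ("[{0}] {1}  ({2} entries, {3} non-loopback)" -f $tag, $f.FullName, @($entries).Count, @($suspicious).Count)
    foreach ($line in $suspicious) { Write-Output ("    {0}" -f $line) }
}
```

A clean default file reports zero or one entry (the "127.0.0.1 localhost" line) and zero non-loopback lines; a large entry count with zero non-loopback lines is what an ad-blocking file looks like. Only the file tagged ACTIVE affects name resolution, but as Jim notes, a stray copy can be swapped back in, so the others are worth removing or inspecting too.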



 
Thank you, Jim!!

Finally I am rid of this bug. I don't understand why
Symantec's and TrendMicro's fixes didn't work and I must
admit I was skeptical about this one from Brown. It did
work, though, and I am grateful. All of you folks
helping out in these newsgroups are incredible.

Thanks again, Steph
 
Hello Lem,

Just wanted to follow up with you. I still don't
understand why Symantec's and TrendMicro's fixes didn't
work. I ran a full system scan with my installed Norton
AV and also scanned with HouseCall. Both said my system
was clean. I then ran the fixes by each of those
companies and they said the Trojan.Qhosts was not present
on my computer. I know that I DID have it because all of
the search engines in my favorites folder were
inaccessible to me and when I tried to surf to any search
engine, I was redirected to a page that told me my
computer was trying to take me to a false Google page.
Also I snooped around in my registry (without changing
anything) and found many of values present that Symantec
says to delete in its removal instructions. When the
automatic fixes didn't work, I came back here to this ng
and was told by a couple of people that the only way they
could get rid of it was to use the manual instructions.
(I am curious too...my theory was that once qHosts makes
the changes to the registry and the hosts file, it
deletes its own batch file...therefore, there is nothing
left behind to detect???)

For whatever reason the fix from Brown University that
was offered by Jim Byrd in this thread did the trick and
I am now clean.

Before running that, though, I checked out what you said
in my registry and you were correct. I was very nervous
about going into the registry when this all started and
looked everywhere for detailed yet simplified
instructions. Everything I found was either so simple
that it didn't give me enough info, or so technical that
it was completely over my head. You hit a perfect
balance, and explained it in exactly the way I needed.
Thank you so very much.

Steph
 
YW, Steph - Glad you got it straightened out.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
