Trojan Qhosts

Jan

I cannot get into Google or any other search engine. I have read that
the Trojan Qhosts will cause this. However, I had downloaded the IE patch
828750. An online av scan shows no trojans, viruses, etc. and one of the
popular trojan cleaners doesn't find anything. I have also had to
reconfigure my connections several times in the past couple of days. A lot of
programs are freezing up also and this should not be happening as this is a
clean new install. I ran the removal tool from Symantec, too, and this
doesn't find anything. And I as yet cannot reach Google.
I have all the symptoms of the trojan, but am at a loss here. Any
assistance is greatly appreciated.

Jan

Jim Byrd

Hi Jan - You've apparently gotten infected with the QHosts virus. Read here
for information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191


Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirect all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-30-03]
Please post replies to this Newsgroup, email address is invalid"


Just to follow up on this - there may be multiple different HOSTS files on
your machine with the trojan's settings, and you'll need to find and delete
them all, per the manual directions at the Symantec site.

4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

To create a new Default version of HOSTS, run the program, click the "Read
Hosts File" button, click the button labeled "Reset Defaults" and click
"Save Changes." Now go to the normal HOSTS file location (Windows XP\2000
Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: -
C:\WINDOWS) and rename the "hosts" that it created to "HOSTS" (no quotes,
all caps, no extension). If you've been using your HOSTS file for ad
blocking (see http://www.mvps.org/winhelp2002/hosts.htm Blocking Unwanted
Ads with a Hosts File), then you'll need to reset the new default you've
created up for that purpose.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
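As an added example for this thread (not code from any of the posters, nor from Symantec, McAfee or the MVPS site linked above), the following Python script does the check a cleanup of this kind comes down to: it parses a HOSTS file, flags any line that points a major search engine name at something other than a loopback or blackhole address (the redirect pattern Mike Burgess describes above), and emits a cleaned copy with only those lines removed. The list of watched hostnames, the sample HOSTS text and the redirect address 192.0.2.10 are constructed for illustration; the real address the trojan used is not on this page.

```python
"""Inspect a Windows HOSTS file for search-engine redirects of the kind
described in the thread, and produce a cleaned copy.

Added example; not the posters' or vendors' code.  SAMPLE_HOSTS below is
constructed, and 192.0.2.10 is a documentation-range placeholder.
"""
import ipaddress

# Names the thread says the trojan redirects ("all major search engines").
# This set is an assumption for the example; extend it for your environment.
WATCHED_HOSTS = {
    "www.google.com", "google.com", "www.altavista.com", "www.yahoo.com",
    "search.yahoo.com", "www.msn.com", "search.msn.com", "www.lycos.com",
}

# Addresses a HOSTS line may legitimately map a name to (loopback / blackhole),
# as an ad-blocking HOSTS file does.
LOCAL_SINKS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Return [(line_no, ip, [names])] for every mapping line; skip blanks/comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, so not a mapping line
        entries.append((line_no, ip, [n.lower() for n in parts[1:]]))
    return entries


def find_redirects(text, watched=WATCHED_HOSTS):
    """Return (line_no, ip, [redirected names]) for lines that send a watched
    name anywhere other than a local sink."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        redirected = [n for n in names if n in watched]
        if redirected and ip not in LOCAL_SINKS:
            hits.append((line_no, str(ip), redirected))
    return hits


def clean_hosts(text, watched=WATCHED_HOSTS):
    """Return the HOSTS text with redirect lines removed; all other lines kept verbatim."""
    bad_lines = {line_no for line_no, _, _ in find_redirects(text, watched)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


# The minimal default file step 4 above recreates.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed sample of what a hijacked HOSTS file might look like.
SAMPLE_HOSTS = """\
# Constructed sample: hijacked HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.net        # legitimate ad-blocking entry
192.0.2.10      www.google.com google.com
192.0.2.10      www.altavista.com
192.0.2.10      search.yahoo.com
"""

if __name__ == "__main__":
    for line_no, ip, names in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {', '.join(names)} -> {ip}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of each HOSTS file you find (the one in \drivers\etc as well as any stray copies); an entry for a search engine pointing at 127.0.0.1 is left alone because that is what a legitimate blocking file looks like, whereas any other address for those names is reported.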



Jan


Thanks for all responses. Per my post, I 'had' installed the patch plus
ran my av and an online scan; these did not find the trojan, but I 'have'
found all the hosts file and the others you speak of. And I do know about
disabling restore and had done that after running the tool. Well, won't this
be a fun day with this machine, lol.

I am prompt in keeping my AV and patches updated after dealing with a
nasty worm a couple of years ago. I have learned NOT to choose the option
"remind me later". Now I am curious as to why the trojan cleaner and my AV
and the online av did not find the trojan. I have not seen one such as this
in dealing with trojans, etc. in the past.

Thanks,

Jan

Jim Byrd

Hi Jan - You may have run your AV before it was updated for this particular
trojan. Also, as I mentioned, if you're using McAfee, then you need to add
the EXTRADAT.exe download and run it before running your AV. I'm not sure
right now whether any of the AV's is fully up-to-date, since there appear to
be at least five variants/lookalikes of this thing going around, and none of
the AV's appears to handle eliminating the worm installed HOSTS files which
can appear in several different places including the \Windows\Help folder.
Do the Manual Procedures, delete the bad HOSTS files that are in places
other than where they're supposed to be, and clean (per the Manual
Procedures) or delete the one that is where it's normally found. If you
need to restore your HOSTS file, then use the procedure I gave and be sure
that you rename it correctly to HOSTS.
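The advice above is to hunt down every HOSTS file the trojan planted outside the normal location. As an added example (not the posters' code), here is a Python sweep that walks a Windows directory tree, finds every file literally named "hosts", and sorts them into the expected location (SYSTEM32\DRIVERS\ETC on XP/2000, the Windows folder itself on 98/ME, as given in the thread) versus stray copies such as one in \Windows\Help. It only reports; removing or cleaning the files is left to the manual procedure. The demo tree it builds is constructed, and 192.0.2.10 is a placeholder address.

```python
"""Report every HOSTS file under a Windows tree and flag copies outside the
expected location.  Added example; it reports only and deletes nothing.
"""
import os
import tempfile


def _norm(path):
    """Absolute, case-folded path so Windows-style comparisons work on any host."""
    return os.path.normcase(os.path.abspath(path)).lower()


def expected_hosts_dirs(windows_root):
    """Directories where a HOSTS file legitimately lives (paths from the thread)."""
    return {
        _norm(windows_root),                                              # Windows 98/ME
        _norm(os.path.join(windows_root, "system32", "drivers", "etc")),  # XP/2000
    }


def find_hosts_files(windows_root):
    """Walk windows_root and classify every file named exactly 'hosts'.

    Returns (expected, stray): two lists of absolute paths.  Files such as
    hosts.bak or hosts.txt are not HOSTS files and are ignored.
    """
    legit_dirs = expected_hosts_dirs(windows_root)
    expected, stray = [], []
    for dirpath, _dirs, files in os.walk(windows_root):
        for name in files:
            if name.lower() != "hosts":
                continue
            path = os.path.abspath(os.path.join(dirpath, name))
            if _norm(os.path.dirname(path)) in legit_dirs:
                expected.append(path)
            else:
                stray.append(path)
    return sorted(expected), sorted(stray)


def build_demo_tree():
    """Constructed Windows-like tree: one real HOSTS file plus two planted copies."""
    root = tempfile.mkdtemp(prefix="fakewindows_")
    layout = {
        ("system32", "drivers", "etc", "hosts"): "127.0.0.1 localhost\n",
        ("Help", "hosts"): "192.0.2.10 www.google.com\n",      # planted copy
        ("system32", "hosts"): "192.0.2.10 www.google.com\n",  # planted copy
        ("Help", "hosts.txt"): "not a hosts file\n",           # ignored
    }
    for parts, content in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    ok, bad = find_hosts_files(demo_root)
    print("HOSTS in the expected location:", *ok, sep="\n  ")
    print("stray copies (review per the manual procedure):", *bad, sep="\n  ")
```

On a real machine you would call find_hosts_files with the actual Windows folder (for example C:\WINDOWS) instead of the demo tree; the file in the expected location still needs its contents checked, since the trojan also rewrites the one that is where it belongs.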

Jan


I don't like McAfee or Norton, instead I use Grisoft, which I have found
is better for me. I had read last night that I should rename the host file
(found in system drivers) to host.bak, which worked, I can now connect to
Google. Hopefully this clears all.

Thanks,
Jan

Jim Byrd

Hi Jan - Glad you've gotten past it. One cautionary note, however; you may
just want to delete that file altogether - it's been "contaminated" by the
trojan and is useless for anything further "as is". If you ever want to
use a HOSTS file for ad blocking or the like, you can always create a new
default as I outlined or just copy a good ad blocking HOSTS file to that
location in \drivers\etc such as the one here:
http://www.mvps.org/winhelp2002/hosts.zip from Mike Burgess' site. You can
read more about this here: http://www.mvps.org/winhelp2002/hosts.htm I
would recommend it, as it also stops much "malware" from getting on your
system as well as ads.

If you want to take some additional steps to defend your machine, I would
suggest the following:

The best way to start is to get Ad-Aware 6.0, Build 162 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly
to get rid of most "spyware/hijackware" on your machine.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan.



Next, courtesy of Mike Burgess:

--Recommended Minimum Security Settings--

Close all instances of IE and OE
Control Panel | Internet Options

Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"

1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts" = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in an IFRAME" = Prompt

Click on the "Content" tab
Click the "Publishers" button

Highlight and click "Remove" any unknowns, click Ok

Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok

Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/



Then, from me:

You might want to consider installing the SpywareBlaster and SpywareGuard
here to help prevent this kind of thing from happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware ActiveX
installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running (837 parasites
as of this date) if it is already installed, and it provides information and
fixit-links for a variety of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts
to install malware) Both Very Highly Recommended.

Good luck!

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP




Jim Byrd

Hi Bern - Glad you found it useful.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP




Jan

Actually, I 'did' go and delete those files after further research.
Also, I think AdAware is wonderful, but as this is a new install simply
haven't installed yet. I haven't used Spybot, but will try it. Thanks for
info on hosts file, didn't know about this option.

Thanks,
Jan