David H. Lipman
Guest
Posts: n/a
There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt307.zip

Extract the contents of the ZIP file and place the contents in the same directory as SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

Dave

"Bozar" <> wrote in message
news D25E760-270B-4137-9C48-...
| I found the .exe file the Qhost is in which is csmrs.exe in
| Windows/system32/.
| I made a new folder and moved it from the sys32. The file is write protected
| and won't let me delete it. How do I destroy it? Also it has left a command or
| it is in that file that when I dial up it changes my network options under
| Connection Tab from "Never dial" to "Dial whenever there is no connection
| present". How do I correct that? It won't dial because I have it on non auto
| dial.
| --
| Truckin'

Bozar
Guest
Posts: n/a
Dave;
I did all that you suggested. Sysclean found nothing, also during its scan almost all checks were coming up access denied. I did both Sysclean and Adaware. After 3 cleanings and scans, I rebooted in normal mode and the Qhosts is still there. After startup, McAfee states there is a virus in windows/system/32/drivers/etc and deleted it, but it regenerates itself whenever the system is rebooted. Any other thoughts?

David H. Lipman
Guest
Posts: n/a
Why didn't you mention you had McAfee in the first place?

What version is the software?
What version is the DAT revision?
What is the ENGINE version?

Dave

Bozar
Guest
Posts: n/a
I'm sorry, VirusScan Build 9.0.10 Eng 4.4.00 Dat 4.0.4415; also, McAfee Personal Firewall V 6.0.6014.

David H. Lipman
Guest
Posts: n/a
Bozar:

I'm not familiar with that new retail version of McAfee.

Please search the "C:\Program Files\" directory tree for SCAN.EXE.

Please reply back if it exists or not. If it does NOT exist, email me and I can tell you how to download and install it. I can't post that information publicly due to licensing issues. Just remove ~nospam~.

Dave

Bozar
Guest
Posts: n/a
Dave;
No. It does not exist.

bunyeac
Guest
Posts: n/a
I too am suffering from a recurring Qhost virus.
I just upgraded my Norton AV to 2005, w/recent definitions.
Downloaded and ran Sysclean in Safe mode, having Norton AntiVirus's (NAV) Auto Protect OFF.
I have SP2 (well before I got this virus), so Microsoft's patch of IE6 was taken care of, yes?
I've run Brown's Qhost Cleanup tool - finds nothing.
I've run Symantec's stand-alone FixQhost.exe numerous times, finds nothing.
Back in normal mode - only after a delay does NAV Auto-Protect auto-delete Qhost.
Should I manually check Registry files?
How can it be fooling all these utilities?

David H. Lipman
Guest
Posts: n/a
You are going to have to be very SPECIFIC.

First start off on how you were first notified.
What is the EXACT name of the QHost Trojan variant and the name(s) of files found to be infected and what detected it.

Then exactly what steps you have taken.

And finally have you examined the hosts file?

%windir%\system32\drivers\etc\hosts

Is it empty except for a line that starts with 127.0.0.1?

--
Dave

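The hosts-file check asked for in the post above can be done mechanically instead of by eye. This Python sketch is an added example, not part of the thread or of any tool named in it; `audit_hosts`, the blank-line threshold and the sample entries (reserved `.test` names and a documentation address) are constructed for illustration.

```python
"""Audit hosts-file text for entries beyond the default localhost line."""
import ipaddress
from dataclasses import dataclass

# Names a stock hosts file may map to loopback without it meaning anything.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Assumption for this example: this many consecutive blank lines is enough to
# push later entries below the first screen of a text editor.
BLANK_RUN_THRESHOLD = 20


@dataclass(frozen=True)
class Finding:
    line_no: int           # 1-based line number in the file
    kind: str              # "redirect", "blocked" or "malformed"
    address: str           # first field of the entry, as written
    names: tuple           # host names the finding applies to
    after_blank_run: bool  # True if the entry sits below a long run of blank lines


def audit_hosts(text):
    """Return a Finding for every entry that is not a plain localhost mapping."""
    findings = []
    blank_run = 0
    below_padding = False
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            if blank_run >= BLANK_RUN_THRESHOLD:
                below_padding = True
            continue
        blank_run = 0
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], tuple(n.lower() for n in fields[1:])
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append(Finding(line_no, "malformed", address, names, below_padding))
        elif ip.is_loopback or ip.is_unspecified:
            # A real site name pinned to the local machine becomes unreachable.
            blocked = tuple(n for n in names if n not in BENIGN_LOOPBACK_NAMES)
            if blocked:
                findings.append(Finding(line_no, "blocked", address, blocked, below_padding))
        else:
            # A name pinned to some other address bypasses DNS for that name.
            findings.append(Finding(line_no, "redirect", address, names, below_padding))
    return findings


# Constructed sample: a normal first screen, 25 blank lines, then extra entries.
SAMPLE_HOSTS = (
    "# Constructed sample hosts file for this example\n"
    "127.0.0.1       localhost\n"
    + "\n" * 25
    + "203.0.113.10    www.example-search.test search.example-search.test\n"
    "127.0.0.1       update.example-av.test  # trailing comment\n"
    "not-an-ip       somehost.test\n"
)

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        note = " (below a long run of blank lines)" if f.after_blank_run else ""
        print(f"line {f.line_no}: {f.kind:9} {f.address} -> {', '.join(f.names)}{note}")
```

To check a live system, pass the text of `%windir%\system32\drivers\etc\hosts` to `audit_hosts()`; an empty result corresponds to the "only a 127.0.0.1 line" state the question describes.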
bunyeac
Guest
Posts: n/a
|
Thanks for helping. I was first notified when Windows Update and Norton Antivirus Auto-Protect got "turned off" and the MS Security Center popped up that the PC could be vulnerable. No virus had pointed IE anywhere or anything, but it did change the settings for dialing up if no connection was present. In researching how to remedy the Win Update I read about having a virus. I've had SP2 for a couple months BTW.

I updated the Virus definitions to my then Norton AntiVirus 2003 ed. (they had been updated back in 12/04 anyhow). I think it was then that NortonAV, after a full scan, identified a generic Trojan.Qhost and said it deleted it. I went and downloaded their custom removal tool (FixQhost.exe), ran it "just to be sure." It returned with no virus found.

Almost in panic-mode I upgraded to NAV 2005, which now, thanks to its Auto-Protect, on boot up always says it has automatically deleted "Trojan.Quost" - so I don't get a variant name. And I keep checking the ../etc/hosts file and all I ever see is "127.0.0.1"

I have turned off Norton's Auto Protect, unchecked System Restore, booted in Safe mode, ran Sysclean and Brown Quosts Trojan CleanUp Tool (I read it would repair REGKEY values??)

Sysclean did find these:
Success Clean [ TROJ_DEDLER.A] All Users\Documents\install.exe
Success Clean [JAVA_BYTEVER.A-1] ..Temporary Internet Files\Content.IE5\S5URC1EJ\Counters[1].jar,(Gummy.class)

Rebooted. Turned back on NAV Auto-protect. Minutes later an alert box came up saying it detected "Trojan.Qhosts"
Status: Repair failed, then another
Status: Access denied, then finally
Status: Automatically deleted

Any clue? Thanks much in advance.

"David H. Lipman" wrote:

> You are going to have to be very SPECIFIC.
>
> First start off on how you were first notified.
> What is the EXACT name of the QHost Trojan variant and the name(s) of files found to be
> infected and what detected it.
>
> Then exactly what steps you have taken.
>
> And finally have you examined the hosts file ?
>
> %windir%\system32\drivers\etc\hosts
>
> Is it empty except for a line that starts with 127.0.0.1 ?
>
> --
> Dave
>
> "bunyeac" <> wrote in message
> news EE06E32-1289-453A-881F-...
> | I too am suffering from a recurring Qhost virus.
> | I just upgraded my Norton AV to 2005, w/recent definitions.
> | Downloaded and ran Sysclean in Safe mode, having Norton AntiVirus's(NAV)
> | Auto Protect OFF.
> | I have SP2 (well before I got this virus), so Microsoft's patch of IE6 was
> | taken care of, yes?
> | I've run Brown's Qhost Cleanup tool - finds nothing.
> | I've run Symantec's stand-alone FixQuost.exe numerous times, finds nothing.
> | Back in normal mode - only after a delay does NAV Auto-Protect auto-delete
> | Quost.
> | Should I manually check Registry files?
> | How can it be fooling all these utilities?
> |
> | "David H. Lipman" wrote:
> |
> | > Bozar:
> | >
> | > I'm not familiar with that new retail version of McAfee.
> | >
> | > Please search the "C:\Program Files\" directory tree for SCAN.EXE.
> | >
> | > Please reply back if it exists or not. If it does NOT exist, email me and I can tell you
> | > how to download and install it. I can't post that information publicly due to licensing
> | > issues. Just remove ~nospam~.
> | >
> | > Dave
> | >
> | > "Bozar" <> wrote in message
> | > news:65FBD0D7-9DC6-4053-BF9D-...
> | > | I'm sorry, virusscan Build 9.0.10 Eng 4.4.00 Dat 4.0.4415 also, McAfee
> | > | Personal firewall V 6.0.6014 .
> | > |
> | > | "David H. Lipman" wrote:
> | > |
> | > | > Why didn't you mention you had McAfee in the first place ?
> | > | >
> | > | > What version is the software ?
> | > | > What version is the DAT revision ?
> | > | > What is the ENGINE version ?
> | > | >
> | > | > Dave
> | > | >
> | > | > "Bozar" <> wrote in message
> | > | > news:2FF7CA24-ED54-4312-A8C5-...
> | > | > | Dave;
> | > | > | I did all that you suggested. Sysclean found nothing, also during its scan
> | > | > | almost all checks were coming up access denied. I did both sysclean and
> | > | > | Adware. After 3 cleanings and scans, I rebooted in normal mode and the Qhosts
> | > | > | is still there. After startup, McAfee states of a virus in
> | > | > | windows/system/32/drivers/etc and deleted it. but it regenerates itself
> | > | > | whenever the system is rebooted. Any other thoughts?
> | > | > |
> | > | > | "David H. Lipman" wrote:
> | > | > |
> | > | > | > There are anti virus News Groups specifically for this type of discussion.
> | > | > | >
> | > | > | > microsoft.public.scripting.virus.discussion
> | > | > | > microsoft.public.security.virus
> | > | > | > alt.comp.virus
> | > | > | > alt.comp.anti-virus
> | > | > | >
> | > | > | > 1) Download the following three items...
> | > | > | >
> | > | > | > Trend Sysclean Package
> | > | > | > http://www.trendmicro.com/download/dcs.asp
> | > | > | >
> | > | > | > Latest Trend signature files.
> | > | > | > http://www.trendmicro.com/download/pattern.asp
> | > | > | >
> | > | > | > Adaware SE (free personal version v1.05)
> | > | > | > http://www.lavasoftusa.com/
> | > | > | >
> | > | > | > Create a directory.
> | > | > | > On drive "C:\"
> | > | > | > (e.g., "c:\New Folder")
> | > | > | > or the desktop
> | > | > | > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
> | > | > | >
> | > | > | > Download SYSCLEAN.COM and place it in that directory.
> | > | > | > Download the Trend Pattern File by obtaining the ZIP file.
> | > | > | > For example; lpt307.zip
> | > | > | >
> | > | > | > Extract the contents of the ZIP file and place the contents in the same directory as
> | > | > | > SYSCLEAN.COM.
> | > | > | >
> | > | > | > 2) Update Adaware with the latest definitions.
> | > | > | > 3) If you are using WinME or WinXP, disable System Restore
> | > | > | > http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
> | > | > | > 4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
> | > | > | > 5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
> | > | > | > platform and clean/delete any infectors/parasites found.
> | > | > | > (a few cycles may be needed)
> | > | > | > 6) Restart your PC and perform a "final" Full Scan of your platform using both the
> | > | > | > Trend Sysclean utility and Adaware
> | > | > | > 7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
> | > | > | > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
> | > | > | > 8) Reboot your PC.
> | > | > | > 9) If you are using WinME or WinXP, create a new Restore point
> | > | > | >
> | > | > | > * * * Please report back your results * * *
> | > | > | >
> | > | > | > Dave
> | > | > | >
> | > | > | > "Bozar" <> wrote in message
> | > | > | > news D25E760-270B-4137-9C48-...
> | > | > | > | I found the .exe file the Qhost is in which is csmrs.exe in
> | > | > | > | Windows/system32/.
> | > | > | > | I made a new folder and moved it from the sys32. The file is write protected
> | > | > | > | and won't let me delete it. How do I destroy it. Also it has left a command or
> | > | > | > | it is in that file that when I dial up it changes my network options under
> | > | > | > | Connection Tab from "Never dial" to "Dial whenever there is no connection
> | > | > | > | present". How do I correct that? It won't dial because I have it on non auto
> | > | > | > | dial.
> | > | > | > | --
> | > | > | > | Truckin'