Trojan.Win32.Qhosts (A)

[M4RT1NE2]

This morning while scanning the system with Emsisoft Emergency Kit a threat was detected. Of course the program removed it.
After removing the threat I scanned the system additionally with Eset Online Scanner, Norton Power Eraser, Kaspersky - everything is clean.
Bitdefender did not see it.

What could it be ?

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

What is Trojan.Win32.Qhosts?

Read about it.

Trojan.Qhost

Trojan.Qhost is Malwarebytes' generic detection name for malware that modifies the Windows system's hosts file.

blog.malwarebytes.com

Please run this scan and will see what if any some malware is present.
Also you Hosts file may have been compromised.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]
Do this for both files.
<<<>>>

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>

 

[M4RT1NE2]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

What is Trojan.Win32.Qhosts?

Read about it.

Trojan.Qhost

Trojan.Qhost is Malwarebytes' generic detection name for malware that modifies the Windows system's hosts file.

blog.malwarebytes.com

Please run this scan and will see what if any some malware is present.
Also you Hosts file may have been compromised.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]
Do this for both files.
<<<>>>

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>

 

[M4RT1NE2]

I hope I did it right

 

[M4RT1NE2]

Now I've scanned with Malwarebytes and it's clean. Nothing found

 

[M4RT1NE2]

nasdaq​

Is it clean?

 

[nasdaq]

Hi,

Before you run this fix I need you to tell me if all the restrictions listed may have been set by a program you have executed.
The fix will not remove any of the files only the restrictions will be eliminated.
If you are OK with this then proceed. If not let me know before doing anything.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
If you run this fix I would appreciate if you could scan the computer one more time with the Farbar program and post fresh logs for my review.

 

[M4RT1NE2]

I don't know if the restriction was set by the running program.

Can I apply the fixes and run the scan again ?

 

[M4RT1NE2]

Hi,

Before you run this fix I need you to tell me if all the restrictions listed may have been set by a program you have executed.
The fix will not remove any of the files only the restrictions will be eliminated.
If you are OK with this then proceed. If not let me know before doing anything.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
If you run this fix I would appreciate if you could scan the computer one more time with the Farbar program and post fresh logs for my review.

I am uploading the log after repair. I will perform a new scan immediately

 

[M4RT1NE2]

New logs.
Write me if everything is ok now. At my place the laptop was working normally. EEK scan showed a threat. That's how I wouldn't even know.
I don't know what to say. I thought I would never catch a trojan.
Thank you for your help. Please let me know if everything is ok now

 

[M4RT1NE2]

nasdaq Thank you for your help​

 

[nasdaq]

Hi,

The fix went very well and the new logs are clean.

What can you tell me about all the files/folders that were restricted.

Many of the restricted files were in a \Temp folders such as ...AppData\Local\Temp\Temp

Are these files still there, some are .exe files such as:

HKLM Group Policy restriction on software: %USERPROFILE%\AppData\LocalLow\*.exe <==== UWAGA

Can you write down the name of some of the files in that folder and post them in our next reply.
I suspect that these may be compromised files. Not sure.
Do not delete any of them until we have had a change to investigate further.

These seem strange:
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Temp\Temp*_*.zip\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.exe <==== UWAGA

The Temp*_*.zip\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.exe

\*\*\*... are names that you may recongnized as operating system folders.

Can you confirm this?

 

[M4RT1NE2]

Here is a screenshot of this directory

 

[nasdaq]

: %USERPROFILE%\AppData\Local\Temp\Temp*_*.zip\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.exe <

After the \Temp folder there is an other folder call Temp*_*.zip the \and other folder marked with and asterik \*\ and an other \*\ etc...
%USERPROFILE%\AppData\Local\Temp\Temp*_*.zip

Can you see the name of the folder identified with *

Keep in mind that they may be hidden.

What is in the folder called Opera?

Ths may help find out what is happening.

https://www.file-extension.info/pl/format/tmp

 

[M4RT1NE2]

Hey I have the option enabled: Show hidden files, folders and drives and I have no other files. I only have what is in the picture.
I'm about to take a screenshot of the Opera folder.
But there is nothing suspicious in that directory.

 

[M4RT1NE2]

nasdaq Is everything ok now?​

 

[nasdaq]

Hi,

On my end all is well.
I just do not understand how these \temp folders were created and populated with all the other folders/files.

Wait a week or two and use the Disk Clean-up tool.
Listed under this topic.

How to delete temporary files in Disk Clean-up​

How to Delete Temporary Files in Windows 10, 8, & 7

Temporary files taking up space? Find out how to access and delete temporary files in Windows 10, 8 & 7 via Windows Temp folder and Disk Cleanup.

www.avast.com