LONG READ, read closely, some ideas for manual removal & how this all works (and, I am done editing it for the 10th time, it has a lot of MANUAL measures you can take below which are very comprehensive):
FIRST - The HOSTS file has some unique benefits which are (so you understand HOW it works):
1.) Speedup of access to sites (especially IF you change the dns vs. local HOSTS file priority, this IS doable in the registry in an area I won't get into, but it is EASY to do... heck, I will show you that below in "manual methods" I would try later/below):
Anyhow, simply by adding their REAL IP<single space>URL into your HOSTS file you can speedup access to a site (especially, again, if you alter the local db (your hosts file) vs. looking to your ISP's DNS servers order)!
e.g. ->
66.98.158.201 www.ntcompatible.com
Speeds up access to this site!
OR
2.) Blocking sites whose content you find questionable (like pornography), or just do not want to see & adbanners too, using the localhost 127.0.0.1 loopback entry being assigned to other sites e.g.->
127.0.0.1 ntcompatible.com
or
0.0.0.0 ntcompatible.com
would block THIS site from you ordinarily!
(& unlike IE restricted zones, this works for ALL sites in ALL browsers).
IP Security Policies can behave in this manner as well & function as a sort of 'firewall' as well (I use this latter measure to block off adbanners IF they are served via IP address, rather than URLs here).
This virus?
Reverses those benefits, by just BLOCKING you out via the HOSTS file (which has priority by default, over looking to your ISP/BSP dns servers for IP to URL resolutions)... and, unlike poisoning the "IE restricted zones" it works on ALL browsers & all IP oriented apps!
That, or poisoning IPSec by creating bogus ip security policies, would work against you!
(I hope you are not the person writing this, because lol, if you are, I am clueing you into HOW TO REALLY make that virus powerful, with multiple layers of pain possible being caused from multiple areas of your system by crippling it not only in the HOSTS file, but also via IPSecurity Policies (and making them active on next reboot), but also thru IE Restriction zones rewrites to cause harm!)
Originally posted by Ace:"Hey, I've been reading more about this Trojan, Qhosts.apd. Ignore that text file I pasted up in my last post."
Yea, I was going to say that particular virus redirects your hosts file & adds entries to the "bogus" one (which is NOT typical location for it of %WinDir%\system32\drivers\etc mimic of the FreeBSD Unix TcpIp stack etc location ported to Win32 Os').
The "QHosts" I read about earlier this year "dns poisons" your HOSTS file by filling it with entries to cripple you...
NOT the stuff you posted above... but, you never know what they will do in a 'variant' of a virus either!
Originally posted by Ace:"For some reason now, I cannot access websites such as Symantec or McAfee."
Ok, this is part of what I meant here & other posts that virus programs get "blocked" against update (or operations) by these malware/worms/virii, etc. (either from running, OR from getting to their update sites).
Originally posted by Ace:"I have the Trojan Qhosts.apd that I believe causes these things. The trojan inserts more things into a HOSTS file like 127.0.0.1: www.symantec.com. I guess this causes the website to redirect back to a page where it cannot be displayed."
It redirects it BACK TO YOURSELF... that is the localhost entry in your HOSTS file (yourself, default loopback adapter address for tcpip, & non-broadcastable afaik outward/online).
Originally posted by Ace:"Also, a bunch of strange .exe appeared in my C drive such as aaaxwszx.exe and agasbxgj.exe and there's like 200 of them."
Those are probably files either being infected by it since it is resident in memory, OR files it creates to bushwhack you if you start trying to manually destroy them.
Either way, it's watching & making sure you get "CHOCK FULL" infected... I don't remember EXACTLY its mechanics, but I know that is how she works pretty much (one way or other).
If i built this thing? That is what I would do... make sure you could NOT clean it, & make sure that it has PLENTY of 'little buddies' to back it up & 'reincarnate it' should you manage to pick it off somehow manually!
Originally posted by Ace:"The Symantec Removal Tool doesn't help me remove the Trojan either since I ran the tool like 5 times."
That's what I mean by variations of virii being like Aspirin & LSD... here, or in another post where I am trying to help folks infected with this & other madness and lunacy!
Close, but NOT the same...
Remember: Your computer & programs? They're NOT smart, no true/real "intelligent AI"... they only know what they're told from 'mugshots' of who is a malicious offender, & only know how to clean that particular one should they find it... they cannot really destroy a 'stronger cousin'...
Think of these variations like penicillin resistant STD's... old stuff won't work on them fully!
Originally posted by Ace:"So could someone help me so that I can completely remove the trojan, tell me what to do about those .exe's and fix the HOSTS file so I can get to websites such as McAfee."
What I said above about the HOSTS file & it being redirected #1, & #2 trying to "nuke" those bogus infected apps!
To remove it manually? Here is what I would try, IN THIS ORDER:
You first want to look here in your registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
To make sure your HOSTS file is still %WinDir%\system32\drivers\etc pathway, the default...
If not, change it to that in the "DataBasePath" entry!
Plus, you can always download updates to your virus scanner manually if need be & most times? They can clean this up... if not, then you need the removal tools (this you can nab from the download sites like
http://securityresponse.symantec.com
manually also... IF you can reach them that is! The correction of the databasepath entry in the registry SHOULD fix this, provided the original HOSTS file there in %WinDir%\system32\drivers\etc is not 'dns poisoned' as well...).
Then, I would recommend using regedit.exe to check that DataBasePath first, then boot to Recovery Console & attempt to "fry" those bogus appfapoihgpoasg.exe files you are seeing, & HOPEFULLY?
You catch them all!
(It's a possible way).
Also, in ANY HOSTS FILE YOU HAVE? Leave only this entry:
127.0.0.1 localhost
And then, try applying a "read only" attribute to it. Hopefully, this variation does not remove the readonly & won't be able to write to it (I doubt it, if I built that sucker, it'd pull readonly attribs/properties on a file).
(Or, just fry the HOSTS file... you CAN do this, but it can harm a networked (LAN) connected system in some capacities as far as home networking, etc.)
&
IIRC from here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider
LocalPriority = cache of DNS entries you already got from either HOSTS or DNS
HostsPriority = HOSTS file on disk
DNSPriority = DNS Server from your ISP/BSP lookups remotely (slowest, but last resort & sure thing)
EDIT PART (IMPORTANT): Heck, this last one? Might override this dumb virus! Blow RIGHT past it, provided it is not altering those as well giving HostsPriority the lowest number (thus, highest priority & first look vs. the others, always).
You assign it the LOWEST number (499, vs. 2000 it usually has? You will ask your ISP/BSP FIRST for dns entries url to IP resolutions (which is what this virus affects) the lower the number assigned to a particular one? The more priority it gets... to beat this virus, you want to ask IP to URL resolution from your DNS servers from your BSP/ISP, FIRST!!!
This might be another MANUAL measure you can take... the lowest number, 499, means that THAT entry gets first lookup priority! It would probably knock that virus dead or render it powerless simply by changing this... provided it does not alter that, that is, also!
(Check this online to be sure on those 3 entries! However, I am NEARLY certain this alters the priority of DNS lookup to ISP/BSP dns servers vs. local HOSTS file first & those are correct above from my end!)
Originally posted by Ace:"Lastly, would using Ad-Aware and customizing it to search and fix HOSTS file fix the Trojan?"
It might warn you, but the one for this is "Spybot"... it does clean that mess up for sure & warns of a 'redirected HOSTS file' (meaning the registry databasepath entry I told you about & also the HOSTS file contents as well being cleared up).
Originally posted by Ace:"Very last question. In the msconfig, I changed it a bit so that a particular program won't startup at startup. After I got the Trojan, the message that used to pop up saying that I have changed things inside the msconfig and told me that I could change it back to normal, now pops up and goes away right away. Now it pops up and disappears. So how could that have happened?
Thanks a bunch."
Don't know, maybe this is a NEW mechanism in this variant of this virus...
Can you give me an EXACT message on this question? It helps...
APK
P.S.=> A few weeks ago, I wrote a program for folks to try out that removes duplicates from HOSTS files, making them more efficient & also alphabetizing their entries for easier mgt. plus, letting you add new entries (for blocking sites or adbanners you DON'T want to see) if they are NOT already present in the HOSTS file... making it more efficient w/out repeats (from pasting in entries from other adbanner hosts files blocking ones online etc.) so it is faster, & thus your internet is faster because the file is ordered, normalized, & in most efficient form with entries structured thus:
IP<singlespace>URL<cr+lf>
In each line.
This talk & you are giving me an idea for a feature for that program, the "APK HOSTS FILE OPTIMIZATION ENGINE":
CONSTANT OPTIONAL WRITE PROTECTION ATTRIBUTES APPLICATION on the HOSTS File & also checking to see if it has been redirected from the std. location I show above in the registry!
A good idea. Would stop this virus, cold most likely... or slow it up enough for you to manually cure it using the recovery console!
(Why Recovery Console use? Well, that is where std. virus & win32 portable executable will NOT run, which is why I mention using it to clean up the .exe's you are seeing popup which probably back it up, or infect your regular programs replacing them with these from some list it keeps)
I don't have time to add this feature, but my program WILL enable/disable the HOSTS file on-the-fly now... but, that might not help w/out a 'hi-res/hi-speed' timer in it watching & applying READONLY attribs to the HOSTS file to stop this virus from 'dns poisoning' it again & again (at least, not as fast)... apk
[Edited by AlecStaar on 2004-05-04 01:13:36]
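An added example, not APK's "HOSTS FILE OPTIMIZATION ENGINE" and not code from anyone in this thread: it puts the post's manual checks into a script. It parses a HOSTS file, flags entries that sink a security-vendor site to the loopback or null address (the QHosts-style poisoning described above), emits a de-duplicated, alphabetized file in the IP<single space>URL<cr+lf> form the P.S. describes, and compares a DataBasePath registry value against the Windows default. The sample HOSTS text is constructed; WATCHED_DOMAINS (the Symantec and McAfee domains the thread mentions) and the default path string are assumptions you should adjust for your own machine.

```python
import os
from typing import List, Tuple

# Windows default for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
# (assumed value; the post writes it as %WinDir%\system32\drivers\etc, both spellings accepted)
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Addresses a poisoned HOSTS file uses to sink a site back to the local machine
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: vendor domains the thread says get blocked; extend for your own estate
WATCHED_DOMAINS = ("symantec.com", "mcafee.com")

# Constructed sample HOSTS file (not a real capture) showing QHosts-style poisoning
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # update site sunk to loopback
0.0.0.0         download.mcafee.com
127.0.0.1       www.symantec.com                # duplicate line
66.98.158.201   www.ntcompatible.com            # legitimate speed-up entry
"""

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse HOSTS text into (ip, hostname) pairs. Comments and blank lines are
    dropped; a line carrying several hostnames yields one pair per hostname."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_poisoned(entries, watched=WATCHED_DOMAINS) -> List[Entry]:
    """Entries that sink a watched domain (or any subdomain of it) to loopback/null."""
    hits = set()
    for ip, name in entries:
        sunk = ip in LOOPBACK_OR_NULL and name != "localhost"
        if sunk and any(name == d or name.endswith("." + d) for d in watched):
            hits.add((ip, name))
    return sorted(hits)


def normalize(entries) -> str:
    """De-duplicate, sort by hostname then IP, render as IP<space>URL<cr+lf> lines."""
    unique = sorted(set(entries), key=lambda e: (e[1], e[0]))
    return "".join(f"{ip} {name}\r\n" for ip, name in unique)


def remediate(entries, watched=WATCHED_DOMAINS) -> str:
    """Normalized HOSTS text with poisoned entries removed; the localhost entry is
    re-added so the file never ends up without its loopback line."""
    bad = set(find_poisoned(entries, watched))
    kept = [e for e in entries if e not in bad] + [("127.0.0.1", "localhost")]
    return normalize(kept)


def database_path_is_default(value: str) -> bool:
    """True if a DataBasePath registry value still points at the default etc folder.
    Compares the unexpanded form; %WinDir% is treated as a synonym of %SystemRoot%."""
    v = value.strip().rstrip("\\").lower().replace("%windir%", "%systemroot%")
    return v == DEFAULT_DATABASE_PATH.lower()


def read_database_path() -> str:
    """Read DataBasePath from the live registry (Windows only; '' elsewhere)."""
    if os.name != "nt":
        return ""
    import winreg  # standard library on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    try:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
        return value
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, name in find_poisoned(entries):
        print(f"poisoned: {ip} {name}")
    print(remediate(entries), end="")
    path = read_database_path()
    if path:
        print("DataBasePath default:", database_path_is_default(path))
```

Run it on a copy of the real file (read %WinDir%\system32\drivers\etc\hosts into parse_hosts instead of SAMPLE_HOSTS) and review the flagged lines before writing anything back; the remediated text is what you would save and then mark read-only, as the post suggests. A non-default DataBasePath is the redirection the post tells you to look for in regedit.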