
QHosts questions

Discussion in 'Security and Privacy' started by Brenda J, 2004/05/10.

Thread Status:
Not open for further replies.
  1. 2004/05/10
    Brenda J

    Brenda J Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    96
    Likes Received:
    0
    I went to install a firewall today and discovered that the browser was not set to the default home page anymore, so I changed it back and when opened again it had changed again. I also noticed that there was a file named "0 ", just "0" and a "0.bat" on the desktop. My aunt hadn't remembered seeing it before so I checked the properties and discovered they had been created on the 15th of last month. I know she didn't create them because she doesn't know how. Suspecting a virus or trojan I updated her virus scan {Norton} and ran a full system scan... nothing was detected. When I got home I started doing my "homework" and found ref to QHosts creating a "0.bat" to "clean up after itself" but found no ref to it being placed on the desktop or the file named "0 ".

    Are my gut feelings correct that her system is infected by the QHosts trojan, or at least was, and some of it remains to be cleaned up?

    I almost forgot to mention that while I had the firewall working there was a lot of outgoing traffic requests that seemed less than normal. But I decided to use GoBack anyway since I just didn't have time to troubleshoot the multiple errors it was creating today. "Live to fight another day ".

    Thanks, Brenda
     
  2. 2004/05/11
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400


  4. 2004/05/19
    Brenda J

    Brenda J Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    96
    Likes Received:
    0
    revisited

    I've learned a bit about this and thought I would pass it on. o.bat comes in on an attachment, probably as a macro in a .txt, or is installed via a weblink in an email when the link is opened. I can't really tell which, since my aunt opens attachments and visits weblinks through emails. o.bat and the o file are then placed on c: {in this case on the desktop} and, again in this case, a hidden file {TMJA6A34} is placed in the Windows TEMP folder. When o.bat is executed by opening IE it then redirects to a web page where the program is either downloaded and installed without user interface or knowledge, or commands the hidden file to execute and also executes a "newfile.exe" command that alters an existing exe. Once it does execute, the file is deleted by o.bat so it can't be detected by antivirus programs and programs such as AdAware. It then continues to hijack the browser as well as passing itself on to others.

    Since I was the one that executed the program by opening IE and suspected something was wrong I used GoBack to revert the HD to a time before the execution. This enabled me to delete o.bat, o file and all files and folders in the Windows TEMP folder. Also since GoBack restoration points for the time that the file was first created {April 15, 2004} had expired it was unable to replace itself from the restoration entries. After numerous reboots my aunt's system remains clean. So, if you haven't executed the program the removal is simple. If you have a system restore program that holds the entries for the time it showed up be sure to disable it before deleting the files.

    Unfortunately I have been unable to determine exactly which trojan this is but still tend to lean toward QHosts. I've copied o.bat and o file on to a floppy and given it to a friend that is a programmer. He has promised to look at it ASAP and let me know if he finds any clues that will help identify it. If he does I'll pass that on also.

    I hope this helps someone!
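The two posts above describe a set of on-disk indicators (a zero-named file and a batch file dropped on the Desktop, a hidden oddly named file in the Windows TEMP folder, all created around the same date) and a cleanup procedure that depends on checking those locations. The following triage script is an added example written for this thread, not code posted by Brenda J or anyone else here; it inventories the Desktop and TEMP folder for artifacts matching that description so they can be reviewed before deletion. The name patterns, the executable-suffix list and the `TMJA6A34`-style eight-character match are this example's own assumptions drawn from the names mentioned in the posts, not a published indicator list.

```python
import os
import re
import stat
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Indicators described in the thread: a file named "0" (or "o") plus "0.bat"
# dropped on the Desktop, and a hidden, oddly named file placed in the Windows
# TEMP folder around the same time. The patterns below are this example's
# assumptions about how to match those names, not an authoritative IoC list.
ZERO_NAME_RE = re.compile(r"^[0o]\s*(\.bat)?$", re.IGNORECASE)   # "0", "0 ", "0.bat", "o.bat"
EXEC_SUFFIXES = {".bat", ".cmd", ".exe", ".com", ".scr", ".pif"}
# Modelled on "TMJA6A34" from the post: eight upper-case letters/digits, no extension.
TEMP_NAME_RE = re.compile(r"^[A-Z0-9]{8}$")


@dataclass
class Finding:
    path: str
    reason: str


def created_at(p: Path) -> float:
    """Creation time where the platform exposes it (st_birthtime on macOS/BSD,
    st_ctime on Windows); on Linux st_ctime is the inode change time instead."""
    st = p.stat()
    return getattr(st, "st_birthtime", st.st_ctime)


def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere."""
    if os.name == "nt":
        return bool(p.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return p.name.startswith(".")


def scan_desktop(desktop: Path) -> List[Finding]:
    """Flag zero-named files and any batch/executable sitting on the Desktop."""
    out: List[Finding] = []
    for p in sorted(desktop.iterdir()):
        if not p.is_file():
            continue
        if ZERO_NAME_RE.match(p.name):
            out.append(Finding(str(p), "zero-named dropper artifact on Desktop"))
        elif p.suffix.lower() in EXEC_SUFFIXES:
            out.append(Finding(str(p), "executable on Desktop"))
    return out


def scan_temp(temp: Path, since: float) -> List[Finding]:
    """Flag files in TEMP created after `since` that look like dropped payloads."""
    out: List[Finding] = []
    for p in sorted(temp.iterdir()):
        if not p.is_file() or created_at(p) < since:
            continue
        if p.suffix.lower() in EXEC_SUFFIXES:
            out.append(Finding(str(p), "executable in TEMP created after cutoff"))
        elif TEMP_NAME_RE.match(p.name) or is_hidden(p):
            out.append(Finding(str(p), "hidden or random-named file in TEMP created after cutoff"))
    return out


def triage(desktop: Path, temp: Path, since: float) -> List[Finding]:
    """Combined report; nothing is deleted, the list is for review first."""
    return scan_desktop(desktop) + scan_temp(temp, since)


if __name__ == "__main__":
    # On the affected machine: the current user's Desktop and the %TEMP% folder,
    # with the cutoff set to the creation date noticed in the thread (April 15, 2004).
    cutoff = time.mktime((2004, 4, 15, 0, 0, 0, 0, 0, -1))
    temp_dir = Path(os.environ.get("TEMP", "/tmp"))
    for f in triage(Path.home() / "Desktop", temp_dir, cutoff):
        print(f"{f.reason}: {f.path}")
```

The script only reports; as the post notes, a system-restore or GoBack-style tool that still holds snapshots from the drop date can restore the files after deletion, so disable that before removing anything the report flags, and keep a copy of the flagged files for the antivirus vendor or a knowledgeable friend to identify.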
     