McAfee on Qhosts.apd
Sophos on one of the W32/Agobot variants
This is a detection for a modified HOSTS file.
This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address.
Many worms and their variants, such as W32/Polybot.gen!irc and W32/Gaobot.worm, are overwriting the HOSTS file with a modified version. The HOSTS file contains a list of URLs and redirects them to 127.0.0.1, which is the LocalHost.
By redirecting all network traffic for these URLs to Localhost, the user is unable to browse to the webpage of his or her AV or security software vendor. Additionally many AV products are unable to update themselves.
Is your system patched with all the latest MS Windows updates? If not you need to update as soon as you have removed the infection.
If you think you are infected, submit a HijackThis log to the HJT Forum.
How to submit a hijackthis log
Download Hijackthis
Try running the following from safe mode (Getting to safe-mode) Sysclean
you'll also need the virus template file from here lpt***.zip
remember to extract the contents of the zip file into the same folder as Sysclean.com
which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.
If you're good with the command line, also try Sophos Command Line scanner
this command will scan all of your HDDs
SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt
and give you a log file to review afterwards.
Also try installing and running A2 Free and Ewido
I'd also run Spybot(Spybot Tutorial)
and Adaware
If you're using Win2K/XP, run adaware/spybot from "safe mode with command prompt".
If you're using Win9x, just run it from safe mode; the command line options aren't needed.
At the C:\ prompt type the following:
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
Edited by stidyup, 24 November 2005 - 03:51 AM.
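An added example, not part of the original post: a small Python audit for the HOSTS tampering described in the quoted vendor text, flagging any hostname that is pointed at a local address. It goes beyond the 127.0.0.1 case by also treating the rest of 127.0.0.0/8, ::1 and 0.0.0.0 as sinkhole targets; the watchlist domains and the sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist (not from the post): domains of vendors the post names.
WATCHLIST = ("mcafee.com", "sophos.com", "kaspersky.com")
BENIGN = {"localhost", "localhost.localdomain"}

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address; a malformed line is not a redirect
    return ip.is_loopback or ip.is_unspecified

def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def audit_hosts(text):
    """Return (line_no, address, hostname, severity) per suspicious mapping."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]   # one address, one or more names
        if not is_sinkhole(addr):
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host in BENIGN:
                continue
            sev = "high" if on_watchlist(host) else "review"
            findings.append((n, addr, host, sev))
    return findings

# Constructed sample HOSTS content, not taken from a real infection.
SAMPLE = """\
# Constructed sample HOSTS content
127.0.0.1       localhost
127.0.0.1       www.mcafee.com download.mcafee.com
127.0.0.1 WWW.SOPHOS.COM   # trailing comment
0.0.0.0         updates.kaspersky.com
192.0.2.10      intranet.example
127.0.0.1       ads.example.net
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s [%s]" % finding)
```

To check a live system, pass the text of the HOSTS file from the folder named above to `audit_hosts`. Entries marked "review" may be legitimate ad-blocking lines rather than worm changes.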