Arrival Details
This worm arrives via removable drives.
It may arrive via network shares.
It may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\Default.scr
- %System%\config\cache\Dasktop.ini
- %System%\config\lsass.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.
It terminates itself if it finds the following processes in the affected system's memory:
- OLLYDBG
- SICE
- SIWVID
- NTICE
- REGSYS
- REGVXG
- FILEVXG
- FILEM
- TRW
- ICEEXT
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel Audio Driver = %System%\config\lsass.exe
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = %System%\Default.scr
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
15 = guardgui.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\systemrestore
DisableSR = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = .exe;.bat;.reg;.scr;
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Attachments
SaveZoneInformation = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
DisallowRun = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
0 = avp.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
1 = avz.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
2 = autoruns.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
3 = outpost.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
4 = spidernt.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
5 = SpyDerAgent.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
6 = dwengine.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
7 = spiderui.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
8 = acs.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
9 = op_mon.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
10 = klnagent.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
11 = egui.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
12 = sched.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
13 = avgnt.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
14 = avguard.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
explorer
NoFolderoptions = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
DoNotAllowExceptions = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
enableFirewall = 0
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = 100
(Note: The default value data of the said registry entry is {user-defined}.)
HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveActive = 1
(Note: The default value data of the said registry entry is {user-defined}.)
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
It modifies the following registry entries to hide file extensions:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1
(Note: The default value data of the said registry entry is 0.)
Propagation
This worm searches for folders in all physical and removable drives then drops copies of itself inside the folder as {folder name}.EXE.
It drops the following copy of itself in all physical and removable drives:
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
;{garbage codes}
[AutoRun]
;{garbage codes}
open={malware file name}.scr
;{garbage codes}
shell\Open\command={malware file name}.scr
;{garbage codes}
Process Termination
This worm terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- acs.exe
- autoruns.exe
- avgnt.exe
- avguard.exe
- avp.exe
- avz.exe
- dwengine.exe
- egui.exe
- ESET NOD32 Antivirus
- ESET Smart Security
- filemon.exe
- guardgui.exe
- HiJackThis.exe
- Kaspersky Internet Security
- KillProcess.exe
- klnagent.exe
- msconfig.exe
- op_mon.exe
- OS.exe
- outpost.exe
- phunter.exe
- PrcInfo.exe
- Prcview.exe
- Process Viewer
- procexp.exe
- procmon.exe
- Reg Organizer
- regedit.exe
- regmon.exe
- sched.exe
- Security Task Manager
- servise.exe
- spidernt.exe
- spiderui.exe
- SpyDerAgent.exe
- Symantec AntiVirus
- sysinspector.exe
- TaskInfo.exe
- Unlocker.exe
- UnlockerAssistant.exe
HOSTS File Modification
This worm adds the following strings to the Windows HOSTS file:
- {BLOCKED}.{BLOCKED}.168.212 www.viruslist.com
- {BLOCKED}.{BLOCKED}.168.212 www.kaspersky.ru
- {BLOCKED}.{BLOCKED}.168.212 www.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 www.securelist.com
- {BLOCKED}.{BLOCKED}.168.212 z-oleg.com
- {BLOCKED}.{BLOCKED}.168.212 www.trendsecure.com
- {BLOCKED}.{BLOCKED}.168.212 ftp.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 virusinfo.info
- {BLOCKED}.{BLOCKED}.168.212 www.viruslab.ru
- {BLOCKED}.{BLOCKED}.168.212 www.novirus.ru
- {BLOCKED}.{BLOCKED}.168.212 online.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 www.informyx.ru
- {BLOCKED}.{BLOCKED}.168.212 vms.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 stopvirus.ru
- {BLOCKED}.{BLOCKED}.168.212 www.esetnod32.ru
- {BLOCKED}.{BLOCKED}.168.212 devbuilds.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 www.agnitum.ru
- {BLOCKED}.{BLOCKED}.168.212 www.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 www.avirus.ru
- {BLOCKED}.{BLOCKED}.168.212 dnl-00.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-00.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-01.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-02.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-03.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-04.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-05.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-06.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-07.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-08.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-09.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-10.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-11.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-12.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-13.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-14.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-15.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-15.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-16.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-17.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-18.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-19.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 dnl-20.geo.kaspersky.com
- {BLOCKED}.{BLOCKED}.168.212 downloads1.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 downloads2.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 downloads3.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 downloads4.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 downloads5.kaspersky-labs.com
- {BLOCKED}.{BLOCKED}.168.212 msk1.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 msk2.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 msk3.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 msk4.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 msk5.drweb.com
- {BLOCKED}.{BLOCKED}.168.212 download.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u40.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u41.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u42.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u43.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u44.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u45.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u46.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u47.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u48.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u49.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u50.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u51.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u52.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u53.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u54.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u55.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u56.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u57.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u58.eset.com
- {BLOCKED}.{BLOCKED}.168.212 u59.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um10.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um11.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um12.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um13.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um14.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um15.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um16.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um17.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um18.eset.com
- {BLOCKED}.{BLOCKED}.168.212 um19.eset.com
Other Details
This worm does the following:
- It searches for .EXE files in all drives then renames the found file to zw{original filename}.exe. The malware then drops a copy of itself in the same folder using the original filename of the found file. It also drops an .LNK file that points to the malware copy.
- It does not modify files in the following directories:
- c:\windows
- %Windows%
- %Windows%\Favorites
- %Windows%\Desktop
- %Windows%\Start Menu
- %Favorites%
- %Windows%\Profiles\All Users\Favorites
- %Windows%\Profiles\All Users\Desktop
- %Windows%\Profiles\All Users\Start Menu
- %Windows%\Profiles\%User Profile%\Favorites
- %Windows%\Profiles\%User Profile%\Desktop
- %Windows%\Profiles\%User Profile%\Start Menu
- It also does not modify the following files:
- %Program Files%\Accessories\wordpad.exe
- %Windows%\wordpad.exe
- %Windows%\dxdiag.exe
- %SystemDir%\dxdiag.exe
- %Windows%\write.exe
- %SystemDir%\write.exe
- %Windows%\rundll.exe
- %Windows%\rundll32.exe
- %SystemDir%\rundll32.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product to delete files detected as WORM_QHOST.TX . If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 3
Delete this registry value
[ Learn More ]
[ back ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Intel Audio Driver = %System%\config\lsass.exe
HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = %System%\Default.scr
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
DisableSR = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = .exe;.bat;.reg;.scr;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
0 = avp.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
1 = avz.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
2 = autoruns.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
3 = outpost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
4 = spidernt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
5 = SpyDerAgent.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
6 = dwengine.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
7 = spiderui.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
8 = acs.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
9 = op_mon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
10 = klnagent.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
11 = egui.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
12 = sched.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
13 = avgnt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
14 = avguard.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
15 = guardgui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoFolderoptions = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
DoNotAllowExceptions = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
enableFirewall = 0
To delete the registry value this malware/grayware created:
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run - In the right panel, locate and delete the entry:
Intel Audio Driver = %System%\config>lsass.exe - In the left panel, double-click the following:
HKEY_CURRENT_USER>Control Panel>Desktop - In the right panel, locate and delete the entry:
SCRNSAVE.EXE = %System%\Default.scr - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>systemrestore - In the right panel, locate and delete the entry:
DisableSR = 1 - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Associations - In the right panel, locate and delete the entry:
LowRiskFileTypes = .exe;.bat;.reg;.scr; - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Attachments - In the right panel, locate and delete the entry:
SaveZoneInformation = 1 - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer - In the right panel, locate and delete the entry:
DisallowRun = 1 - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer>Disallowrun - In the right panel, locate and delete the entry:
0 = avp.exe - Again In the right panel, locate and delete the entry:
1 = avz.exe - Again In the right panel, locate and delete the entry:
2 = autoruns.exe - Again In the right panel, locate and delete the entry:
3 = outpost.exe - Again In the right panel, locate and delete the entry:
4 = spidernt.exe - Again In the right panel, locate and delete the entry:
5 = SpyDerAgent.exe - Again In the right panel, locate and delete the entry:
6 = dwengine.exe - Again In the right panel, locate and delete the entry:
7 = spiderui.exe - Again In the right panel, locate and delete the entry:
8 = acs.exe - Again In the right panel, locate and delete the entry:
9 = op_mon.exe - Again In the right panel, locate and delete the entry:
10 = klnagent.exe - Again In the right panel, locate and delete the entry:
11 = egui.exe - Again In the right panel, locate and delete the entry:
12 = sched.exe - Again In the right panel, locate and delete the entry:
13 = avgnt.exe - Again In the right panel, locate and delete the entry:
14 = avguard.exe - Again In the right panel, locate and delete the entry:
15 = guardgui.exe - In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>explorer - In the right panel, locate and delete the entry:
NoFolderoptions = 1 - In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center - In the right panel, locate and delete the entry:
FirewallOverride = 1 - Again In the right panel, locate and delete the entry:
FirewallDisableNotify = 1 - In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StardardProfile - In the right panel, locate and delete the entry:
DisableNotifications = 1 - Again In the right panel, locate and delete the entry:
DoNotAllowExceptions = 0 - Again In the right panel, locate and delete the entry:
enableFirewall = 0 - Close Registry Editor.
Step 4
Remove these strings added by the malware/grayware/spyware in the HOSTS file
[ Learn More ]
[ back ]
174.133.168.212 www.viruslist.com174.133.168.212 www.kaspersky.ru
174.133.168.212 www.kaspersky.com
174.133.168.212 www.securelist.com
174.133.168.212 z-oleg.com
174.133.168.212 www.trendsecure.com
174.133.168.212 ftp.drweb.com
174.133.168.212 virusinfo.info
174.133.168.212 www.viruslab.ru
174.133.168.212 www.novirus.ru
174.133.168.212 online.drweb.com
174.133.168.212 www.informyx.ru
174.133.168.212 vms.drweb.com
174.133.168.212 stopvirus.ru
174.133.168.212 www.esetnod32.ru
174.133.168.212 devbuilds.kaspersky-labs.com
174.133.168.212 www.agnitum.ru
174.133.168.212 www.drweb.com
174.133.168.212 www.avirus.ru
174.133.168.212 dnl-00.geo.kaspersky.com
174.133.168.212 dnl-00.geo.kaspersky.com
174.133.168.212 dnl-01.geo.kaspersky.com
174.133.168.212 dnl-02.geo.kaspersky.com
174.133.168.212 dnl-03.geo.kaspersky.com
174.133.168.212 dnl-04.geo.kaspersky.com
174.133.168.212 dnl-05.geo.kaspersky.com
174.133.168.212 dnl-06.geo.kaspersky.com
174.133.168.212 dnl-07.geo.kaspersky.com
174.133.168.212 dnl-08.geo.kaspersky.com
174.133.168.212 dnl-09.geo.kaspersky.com
174.133.168.212 dnl-10.geo.kaspersky.com
174.133.168.212 dnl-11.geo.kaspersky.com
174.133.168.212 dnl-12.geo.kaspersky.com
174.133.168.212 dnl-13.geo.kaspersky.com
174.133.168.212 dnl-14.geo.kaspersky.com
174.133.168.212 dnl-15.geo.kaspersky.com
174.133.168.212 dnl-15.geo.kaspersky.com
174.133.168.212 dnl-16.geo.kaspersky.com
174.133.168.212 dnl-17.geo.kaspersky.com
174.133.168.212 dnl-18.geo.kaspersky.com
174.133.168.212 dnl-19.geo.kaspersky.com
174.133.168.212 dnl-20.geo.kaspersky.com
174.133.168.212 downloads1.kaspersky-labs.com
174.133.168.212 downloads2.kaspersky-labs.com
174.133.168.212 downloads3.kaspersky-labs.com
174.133.168.212 downloads4.kaspersky-labs.com
174.133.168.212 downloads5.kaspersky-labs.com
174.133.168.212 msk1.drweb.com
174.133.168.212 msk2.drweb.com
174.133.168.212 msk3.drweb.com
174.133.168.212 msk4.drweb.com
174.133.168.212 msk5.drweb.com
174.133.168.212 download.eset.com
174.133.168.212 u40.eset.com
174.133.168.212 u41.eset.com
174.133.168.212 u42.eset.com
174.133.168.212 u43.eset.com
174.133.168.212 u44.eset.com
174.133.168.212 u45.eset.com
174.133.168.212 u46.eset.com
174.133.168.212 u47.eset.com
174.133.168.212 u48.eset.com
174.133.168.212 u49.eset.com
174.133.168.212 u50.eset.com
174.133.168.212 u51.eset.com
174.133.168.212 u52.eset.com
174.133.168.212 u53.eset.com
174.133.168.212 u54.eset.com
174.133.168.212 u55.eset.com
174.133.168.212 u56.eset.com
174.133.168.212 u57.eset.com
174.133.168.212 u58.eset.com
174.133.168.212 u59.eset.com
174.133.168.212 um10.eset.com
174.133.168.212 um11.eset.com
174.133.168.212 um12.eset.com
174.133.168.212 um13.eset.com
174.133.168.212 um14.eset.com
174.133.168.212 um15.eset.com
174.133.168.212 um16.eset.com
174.133.168.212 um17.eset.com
174.133.168.212 um18.eset.com
174.133.168.212 um19.eset.com
"
To edit the HOSTS file:
- Open the following file using a text editor such as Notepad:
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows 2000, and C:\Windows\System32 on Windows XP and Windows Server 2003.) - Delete the following entry/ies:
174.133.168.212 www.viruslist.com174.133.168.212 www.kaspersky.ru
174.133.168.212 www.kaspersky.com
174.133.168.212 www.securelist.com
174.133.168.212 z-oleg.com
174.133.168.212 www.trendsecure.com
174.133.168.212 ftp.drweb.com
174.133.168.212 virusinfo.info
174.133.168.212 www.viruslab.ru
174.133.168.212 www.novirus.ru
174.133.168.212 online.drweb.com
174.133.168.212 www.informyx.ru
174.133.168.212 vms.drweb.com
174.133.168.212 stopvirus.ru
174.133.168.212 www.esetnod32.ru
174.133.168.212 devbuilds.kaspersky-labs.com
174.133.168.212 www.agnitum.ru
174.133.168.212 www.drweb.com
174.133.168.212 www.avirus.ru
174.133.168.212 dnl-00.geo.kaspersky.com
174.133.168.212 dnl-00.geo.kaspersky.com
174.133.168.212 dnl-01.geo.kaspersky.com
174.133.168.212 dnl-02.geo.kaspersky.com
174.133.168.212 dnl-03.geo.kaspersky.com
174.133.168.212 dnl-04.geo.kaspersky.com
174.133.168.212 dnl-05.geo.kaspersky.com
174.133.168.212 dnl-06.geo.kaspersky.com
174.133.168.212 dnl-07.geo.kaspersky.com
174.133.168.212 dnl-08.geo.kaspersky.com
174.133.168.212 dnl-09.geo.kaspersky.com
174.133.168.212 dnl-10.geo.kaspersky.com
174.133.168.212 dnl-11.geo.kaspersky.com
174.133.168.212 dnl-12.geo.kaspersky.com
174.133.168.212 dnl-13.geo.kaspersky.com
174.133.168.212 dnl-14.geo.kaspersky.com
174.133.168.212 dnl-15.geo.kaspersky.com
174.133.168.212 dnl-15.geo.kaspersky.com
174.133.168.212 dnl-16.geo.kaspersky.com
174.133.168.212 dnl-17.geo.kaspersky.com
174.133.168.212 dnl-18.geo.kaspersky.com
174.133.168.212 dnl-19.geo.kaspersky.com
174.133.168.212 dnl-20.geo.kaspersky.com
174.133.168.212 downloads1.kaspersky-labs.com
174.133.168.212 downloads2.kaspersky-labs.com
174.133.168.212 downloads3.kaspersky-labs.com
174.133.168.212 downloads4.kaspersky-labs.com
174.133.168.212 downloads5.kaspersky-labs.com
174.133.168.212 msk1.drweb.com
174.133.168.212 msk2.drweb.com
174.133.168.212 msk3.drweb.com
174.133.168.212 msk4.drweb.com
174.133.168.212 msk5.drweb.com
174.133.168.212 download.eset.com
174.133.168.212 u40.eset.com
174.133.168.212 u41.eset.com
174.133.168.212 u42.eset.com
174.133.168.212 u43.eset.com
174.133.168.212 u44.eset.com
174.133.168.212 u45.eset.com
174.133.168.212 u46.eset.com
174.133.168.212 u47.eset.com
174.133.168.212 u48.eset.com
174.133.168.212 u49.eset.com
174.133.168.212 u50.eset.com
174.133.168.212 u51.eset.com
174.133.168.212 u52.eset.com
174.133.168.212 u53.eset.com
174.133.168.212 u54.eset.com
174.133.168.212 u55.eset.com
174.133.168.212 u56.eset.com
174.133.168.212 u57.eset.com
174.133.168.212 u58.eset.com
174.133.168.212 u59.eset.com
174.133.168.212 um10.eset.com
174.133.168.212 um11.eset.com
174.133.168.212 um12.eset.com
174.133.168.212 um13.eset.com
174.133.168.212 um14.eset.com
174.133.168.212 um15.eset.com
174.133.168.212 um16.eset.com
174.133.168.212 um17.eset.com
174.133.168.212 um18.eset.com
174.133.168.212 um19.eset.com
- Save the file and close the text editor.
Step 5
Restore this modified registry value
[ Learn More ]
[ back ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = 100
{user-defined}
HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveActive = 1
{user-defined}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = 1
0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 1
0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0
1
To restore the registry value this malware/grayware/spyware modified:
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
- In the right panel, locate the registry value:
= - In the left panel, double-click the following:
HKEY_CURRENT_USER>Control Panel>Desktop - In the right panel, locate the registry value:
ScreenSaveTimeOut = 100 - Right-click on the value name and choose Modify. Change the value data of this entry to:
ScreenSaveTimeOut = {user-defined} - Again In the right panel, locate the registry value:
ScreenSaveActive = 1 - Right-click on the value name and choose Modify. Change the value data of this entry to:
ScreenSaveActive = {user-defined} - In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>SystemRestore - In the right panel, locate the registry value:
DisableSR = 1 - Right-click on the value name and choose Modify. Change the value data of this entry to:
DisableSR = 0 - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>Advanced - In the right panel, locate the registry value:
HideFileExt = 1 - Right-click on the value name and choose Modify. Change the value data of this entry to:
HideFileExt = 0 - Again In the right panel, locate the registry value:
Hidden = 0 - Right-click on the value name and choose Modify. Change the value data of this entry to:
Hidden = 1 - Again In the right panel, locate the registry value:
ShowSuperHidden = 0 - Right-click on the value name and choose Modify. Change the value data of this entry to:
ShowSuperHidden = 1 - Close Registry Editor.
Step 6
Search and delete these files
[ Learn More ]
[ back ]
There may be some component files that are hidden. Please make sure you check the
Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. {malware file name}.lnk
To delete malware/grayware component files:
- Search for the following files:
Note: To do a search for the following files, right-click Start then click Search... or Find..., depending on the version of Windows you are running. For each file to be deleted, type its file name in the Named input box. In the Look In drop-down list, select My Computer, then press Enter. - Once located, select the file then press SHIFT+DELETE to permanently delete the file.
- Repeat the said steps for all files listed.
Step 7
Search and delete AUTORUN.INF files created by WORM_QHOST.TX that contain these strings
[ Learn More ]
[ back ]
;{garbage codes}
[AutoRun]
;{garbage codes}
open={malware file name}.scr
;{garbage codes}
shell\Open\command={malware file name}.scr
;{garbage codes}
To identify and delete AUTORUN.INF files created:
- Right-click the Start button then choose Search... or Find..., depending on the version of Windows you are running.
- In the Named input box, type:
AUTORUN.INF - In the Look in: drop-down list, select a drive, then press Enter.
- Select the file, then open using Notepad.
- Check if the following lines are present in the file:
;{garbage codes}
[AutoRun]
;{garbage codes}
open={malware file name}.scr
;{garbage codes}
shell\Open\command={malware file name}.scr
;{garbage codes}
- If the lines are present, delete the file.
- Repeat steps 3 to 6 for the remaining AUTORUN.INF files in other remaining removable drives.
- Close Search Results.
Step 8
Restore files from backup Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.
Did this description help? Tell us how we did.