WORM_QHOST.TX

 Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via network shares, Propagates via removable drives

This worm arrives via removable drives. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It modifies certain registry entries to hide file extensions.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

191,675 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

17 Dec 2010

Payload:

Modifies HOSTS file, Terminates processes

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\Default.scr
  • %System%\config\cache\Dasktop.ini
  • %System%\config\lsass.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It terminates itself if it finds the following processes in the affected system's memory:

  • OLLYDBG
  • SICE
  • SIWVID
  • NTICE
  • REGSYS
  • REGVXG
  • FILEVXG
  • FILEM
  • TRW
  • ICEEXT

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel Audio Driver = %System%\config\lsass.exe

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = %System%\Default.scr

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
15 = guardgui.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\systemrestore
DisableSR = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = .exe;.bat;.reg;.scr;

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Attachments
SaveZoneInformation = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
DisallowRun = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
0 = avp.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
1 = avz.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
2 = autoruns.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
3 = outpost.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
4 = spidernt.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
5 = SpyDerAgent.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
6 = dwengine.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
7 = spiderui.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
8 = acs.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
9 = op_mon.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
10 = klnagent.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
11 = egui.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
12 = sched.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
13 = avgnt.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Disallowrun
14 = avguard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
explorer
NoFolderoptions = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
DisableNotifications = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
DoNotAllowExceptions = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StardardProfile
enableFirewall = 0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = 100

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveActive = 1

(Note: The default value data of the said registry entry is {user-defined}.)

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

It modifies the following registry entries to hide file extensions:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1

(Note: The default value data of the said registry entry is 0.)

Propagation

This worm searches for folders in all physical and removable drives then drops copies of itself inside the folder as {folder name}.EXE.

It drops the following copy of itself in all physical and removable drives:

  • {random characters}.scr

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage codes}
[AutoRun]
;{garbage codes}
open={malware file name}.scr
;{garbage codes}
shell\Open\command={malware file name}.scr
;{garbage codes}

Process Termination

This worm terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • acs.exe
  • autoruns.exe
  • avgnt.exe
  • avguard.exe
  • avp.exe
  • avz.exe
  • dwengine.exe
  • egui.exe
  • ESET NOD32 Antivirus
  • ESET Smart Security
  • filemon.exe
  • guardgui.exe
  • HiJackThis.exe
  • Kaspersky Internet Security
  • KillProcess.exe
  • klnagent.exe
  • msconfig.exe
  • op_mon.exe
  • OS.exe
  • outpost.exe
  • phunter.exe
  • PrcInfo.exe
  • Prcview.exe
  • Process Viewer
  • procexp.exe
  • procmon.exe
  • Reg Organizer
  • regedit.exe
  • regmon.exe
  • sched.exe
  • Security Task Manager
  • servise.exe
  • spidernt.exe
  • spiderui.exe
  • SpyDerAgent.exe
  • Symantec AntiVirus
  • sysinspector.exe
  • TaskInfo.exe
  • Unlocker.exe
  • UnlockerAssistant.exe

HOSTS File Modification

This worm adds the following strings to the Windows HOSTS file:

  • {BLOCKED}.{BLOCKED}.168.212 www.viruslist.com
  • {BLOCKED}.{BLOCKED}.168.212 www.kaspersky.ru
  • {BLOCKED}.{BLOCKED}.168.212 www.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 www.securelist.com
  • {BLOCKED}.{BLOCKED}.168.212 z-oleg.com
  • {BLOCKED}.{BLOCKED}.168.212 www.trendsecure.com
  • {BLOCKED}.{BLOCKED}.168.212 ftp.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 virusinfo.info
  • {BLOCKED}.{BLOCKED}.168.212 www.viruslab.ru
  • {BLOCKED}.{BLOCKED}.168.212 www.novirus.ru
  • {BLOCKED}.{BLOCKED}.168.212 online.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 www.informyx.ru
  • {BLOCKED}.{BLOCKED}.168.212 vms.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 stopvirus.ru
  • {BLOCKED}.{BLOCKED}.168.212 www.esetnod32.ru
  • {BLOCKED}.{BLOCKED}.168.212 devbuilds.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 www.agnitum.ru
  • {BLOCKED}.{BLOCKED}.168.212 www.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 www.avirus.ru
  • {BLOCKED}.{BLOCKED}.168.212 dnl-00.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-00.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-01.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-02.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-03.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-04.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-05.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-06.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-07.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-08.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-09.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-10.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-11.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-12.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-13.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-14.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-15.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-15.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-16.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-17.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-18.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-19.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 dnl-20.geo.kaspersky.com
  • {BLOCKED}.{BLOCKED}.168.212 downloads1.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 downloads2.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 downloads3.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 downloads4.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 downloads5.kaspersky-labs.com
  • {BLOCKED}.{BLOCKED}.168.212 msk1.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 msk2.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 msk3.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 msk4.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 msk5.drweb.com
  • {BLOCKED}.{BLOCKED}.168.212 download.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u40.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u41.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u42.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u43.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u44.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u45.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u46.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u47.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u48.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u49.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u50.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u51.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u52.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u53.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u54.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u55.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u56.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u57.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u58.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 u59.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um10.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um11.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um12.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um13.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um14.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um15.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um16.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um17.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um18.eset.com
  • {BLOCKED}.{BLOCKED}.168.212 um19.eset.com

Other Details

This worm does the following:

  • It searches for .EXE files in all drives then renames the found file to zw{original filename}.exe. The malware then drops a copy of itself in the same folder using the original filename of the found file. It also drops an .LNK file that points to the malware copy.
  • It does not modify files in the following directories:
    • c:\windows
    • %Windows%
    • %Windows%\Favorites
    • %Windows%\Desktop
    • %Windows%\Start Menu
    • %Favorites%
    • %Windows%\Profiles\All Users\Favorites
    • %Windows%\Profiles\All Users\Desktop
    • %Windows%\Profiles\All Users\Start Menu
    • %Windows%\Profiles\%User Profile%\Favorites
    • %Windows%\Profiles\%User Profile%\Desktop
    • %Windows%\Profiles\%User Profile%\Start Menu
  • It also does not modify the following files:
    • %Program Files%\Accessories\wordpad.exe
    • %Windows%\wordpad.exe
    • %Windows%\dxdiag.exe
    • %SystemDir%\dxdiag.exe
    • %Windows%\write.exe
    • %SystemDir%\write.exe
    • %Windows%\rundll.exe
    • %Windows%\rundll32.exe
    • %SystemDir%\rundll32.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI PATTERN File:

7.706.01

VSAPI PATTERN Date:

17 Dec 2010

VSAPI PATTERN Date:

12/17/2010 12:00:00 AM

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as WORM_QHOST.TX . If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Intel Audio Driver = %System%\config\lsass.exe

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = %System%\Default.scr

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
DisableSR = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = .exe;.bat;.reg;.scr;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
0 = avp.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
1 = avz.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
2 = autoruns.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
3 = outpost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
4 = spidernt.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
5 = SpyDerAgent.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
6 = dwengine.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
7 = spiderui.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
8 = acs.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
9 = op_mon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
10 = klnagent.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
11 = egui.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
12 = sched.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
13 = avgnt.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
14 = avguard.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun
15 = guardgui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoFolderoptions = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
DisableNotifications = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
DoNotAllowExceptions = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile
enableFirewall = 0

Step 4

Remove these strings added by the malware/grayware/spyware in the HOSTS file

[ Learn More ]
     174.133.168.212 www.viruslist.com
    174.133.168.212 www.kaspersky.ru
    174.133.168.212 www.kaspersky.com
    174.133.168.212 www.securelist.com
    174.133.168.212 z-oleg.com
    174.133.168.212 www.trendsecure.com
    174.133.168.212 ftp.drweb.com
    174.133.168.212 virusinfo.info
    174.133.168.212 www.viruslab.ru
    174.133.168.212 www.novirus.ru
    174.133.168.212 online.drweb.com
    174.133.168.212 www.informyx.ru
    174.133.168.212 vms.drweb.com
    174.133.168.212 stopvirus.ru
    174.133.168.212 www.esetnod32.ru
    174.133.168.212 devbuilds.kaspersky-labs.com
    174.133.168.212 www.agnitum.ru
    174.133.168.212 www.drweb.com
    174.133.168.212 www.avirus.ru
    174.133.168.212 dnl-00.geo.kaspersky.com
    174.133.168.212 dnl-00.geo.kaspersky.com
    174.133.168.212 dnl-01.geo.kaspersky.com
    174.133.168.212 dnl-02.geo.kaspersky.com
    174.133.168.212 dnl-03.geo.kaspersky.com
    174.133.168.212 dnl-04.geo.kaspersky.com
    174.133.168.212 dnl-05.geo.kaspersky.com
    174.133.168.212 dnl-06.geo.kaspersky.com
    174.133.168.212 dnl-07.geo.kaspersky.com
    174.133.168.212 dnl-08.geo.kaspersky.com
    174.133.168.212 dnl-09.geo.kaspersky.com
    174.133.168.212 dnl-10.geo.kaspersky.com
    174.133.168.212 dnl-11.geo.kaspersky.com
    174.133.168.212 dnl-12.geo.kaspersky.com
    174.133.168.212 dnl-13.geo.kaspersky.com
    174.133.168.212 dnl-14.geo.kaspersky.com
    174.133.168.212 dnl-15.geo.kaspersky.com
    174.133.168.212 dnl-15.geo.kaspersky.com
    174.133.168.212 dnl-16.geo.kaspersky.com
    174.133.168.212 dnl-17.geo.kaspersky.com
    174.133.168.212 dnl-18.geo.kaspersky.com
    174.133.168.212 dnl-19.geo.kaspersky.com
    174.133.168.212 dnl-20.geo.kaspersky.com
    174.133.168.212 downloads1.kaspersky-labs.com
    174.133.168.212 downloads2.kaspersky-labs.com
    174.133.168.212 downloads3.kaspersky-labs.com
    174.133.168.212 downloads4.kaspersky-labs.com
    174.133.168.212 downloads5.kaspersky-labs.com
    174.133.168.212 msk1.drweb.com
    174.133.168.212 msk2.drweb.com
    174.133.168.212 msk3.drweb.com
    174.133.168.212 msk4.drweb.com
    174.133.168.212 msk5.drweb.com
    174.133.168.212 download.eset.com
    174.133.168.212 u40.eset.com
    174.133.168.212 u41.eset.com
    174.133.168.212 u42.eset.com
    174.133.168.212 u43.eset.com
    174.133.168.212 u44.eset.com
    174.133.168.212 u45.eset.com
    174.133.168.212 u46.eset.com
    174.133.168.212 u47.eset.com
    174.133.168.212 u48.eset.com
    174.133.168.212 u49.eset.com
    174.133.168.212 u50.eset.com
    174.133.168.212 u51.eset.com
    174.133.168.212 u52.eset.com
    174.133.168.212 u53.eset.com
    174.133.168.212 u54.eset.com
    174.133.168.212 u55.eset.com
    174.133.168.212 u56.eset.com
    174.133.168.212 u57.eset.com
    174.133.168.212 u58.eset.com
    174.133.168.212 u59.eset.com
    174.133.168.212 um10.eset.com
    174.133.168.212 um11.eset.com
    174.133.168.212 um12.eset.com
    174.133.168.212 um13.eset.com
    174.133.168.212 um14.eset.com
    174.133.168.212 um15.eset.com
    174.133.168.212 um16.eset.com
    174.133.168.212 um17.eset.com
    174.133.168.212 um18.eset.com
    174.133.168.212 um19.eset.com
"

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = 100
{user-defined}

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveActive = 1
{user-defined}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = 1
0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 1
0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0
1

Step 6

Search and delete these files

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. {malware file name}.lnk

Step 7

Search and delete AUTORUN.INF files created by WORM_QHOST.TX that contain these strings

[ Learn More ]
;{garbage codes}
[AutoRun]
;{garbage codes}
open={malware file name}.scr
;{garbage codes}
shell\Open\command={malware file name}.scr
;{garbage codes}

Step 8

Restore files from backup Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.


Did this description help? Tell us how we did.