Generic Qhosts.c Trojan

  Hangus 11:38 05 May 2007

Help. When I start my PC I get a message from my AV software that a suspicious script has been detected: c:\windows\system32\anbnppxkkh\winlogon.exe.
I can either stop it, allow it, or continue what I was doing. Whatever I choose, I then get a message that a trojan has been found and cleaned and that c:\windows32\system32\drivers\etc\hosts was infected by the Generic QHosts.c trojan but has been automatically cleaned by virus scan (which is McAfee). My OS is XP.
At shut down I get the same message and a box to end program xcbmsndzrx, with the options End Now or Cancel. Either shuts down the PC. At start up I get it all again. I cannot do a system restore as that has been disabled, and even if I enable it, when I reboot it is disabled again. A symptom of the trojan, probably. I have tried scanning in safe mode and in DOS but it still cannot be found. I have been advised that I will need to restore to factory settings, but I do not want to do that unless absolutely necessary. Any ideas on how I can find and delete this trojan manually?

  VoG II 11:41 05 May 2007

Try running a-squared click here

  birdface 11:57 05 May 2007

Have you updated your host file lately? I updated mine about a week ago and started getting Trojan Host problems when running Xoftspy. WinPatrol kept informing me of a new host file wanting to be accepted. I had already let WinPatrol accept the new update, so did not allow the new one. I ran all my other anti-virus and spyware programs and they could not find anything. Eventually it would not let me run Xoftspy. I put it down to a Xoftspy problem and deleted it in Add/Remove. Now the problem is, do I have a good host file installed or a bad one? Time will tell, I suppose. How would it go if you updated your host file? Would that get rid of your problem?

  Hangus 12:03 05 May 2007

I haven't updated my hosts file as I did not know I had to, and I don't know how to do it. I have tried A-Squared but that didn't help.

  VoG II 12:07 05 May 2007

I would locate the file c:\windows\system32\anbnppxkkh\winlogon.exe and delete it. winlogon.exe is the name of a legitimate Windows file but it should not be in that folder. If it won't delete use click here

Then update your hosts file click here

  Hangus 12:14 05 May 2007

My AV software deletes it at each start up. But at each start up it reappears to be deleted again. Something else is causing it not to be cleaned properly and to reappear at every start up, to be cleaned out again by my AV software, but I cannot trace it.

  Hangus 12:20 05 May 2007

Just a thought: can I run a-squared as well as my AV software, or should it be instead of it?

  VoG II 12:36 05 May 2007

You can run a-squared as well as McAfee.

I suggest that you run HJT click here and post your log on the MWR forum click here

  Hangus 09:42 07 May 2007

The trojan is being detected in c:\windows\system32\drivers\etc.
When I look here there are two hosts files: Hosts.msn and Imhosts.sam. In the Hosts.msn file there is a line localhost. Is this OK, or should I delete it? I am thinking it might be my trojan, or was planted by the trojan.

  birdface 09:50 07 May 2007

No, I would not delete it. Wait for someone with a bit more knowledge. I don't recognize your 2nd host file. I don't know if it's safe to delete them and download another. Better to wait and see what others come up with.
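
The question above, whether a `localhost` line in a hosts file is normal, can be checked mechanically. The following is an added example, not part of the original thread: a Python hosts-file audit that lists every entry other than the plain localhost mapping. It assumes a stock Windows XP hosts file contains only `127.0.0.1 localhost`; the function name and all sample hostnames and addresses are constructed. A hosts file deliberately updated with a blocklist will show many loopback entries, which this audit reports separately from names mapped to other addresses.

```python
import ipaddress

# Constructed sample: the stock localhost entry plus lines added for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test    # constructed entry
203.0.113.10    www.example-bank.test login.example-bank.test
not-an-ip       broken.example.test
"""

# Assumption: these are the only mappings expected in an unmodified hosts file.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each unexpected entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "malformed address"))
            continue
        for name in (n.lower() for n in names):
            if (str(ip), name) in EXPECTED:
                continue
            reason = ("extra name mapped to loopback" if ip.is_loopback
                      else "name mapped to non-loopback address")
            findings.append((line_no, str(ip), name, reason))
    return findings


if __name__ == "__main__":
    # To audit a real file, read c:\windows\system32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Entries reported as mapped to a non-loopback address are the ones to review first, since they change where a name resolves rather than just blocking it.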

  birdface 09:58 07 May 2007

This thread is now locked and can not be replied to.
