Qhost trojan

Moderators: Dwight
Diamond
Enthusiast

Posted
The AntiMalware on this computer has detected the Qhost trojan. It tells me to click on to the icon onscreen to restart the computer for this to be repaired. I do this, the computer closes down and restarts but a new scan still shows the trojan there. I'm trapped in a loop of restarts but no removal.

AntiMalware identifies the trojan by :

C:\Documents and Settings\Fred Puli\ local settings\temp\IXP000.TMP

Is there any way of removing it manually, given that? Or by some other method?

And anyway, is this Qhost trojan dangerous to security or in any other way?
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02
Diamond Enthusiast

bedstor
Posted
Fred, it's quite an old pest from 2003.

The long-winded removal instructions are here, from a reputable source:
www.symantec.com/security_resp...=2003-100312-1206-99

It may be easier to remove/isolate via a HiJackThis log?

But before that, tell us what antivirus program you are using, so we can eliminate the chance it was a "false positive". There may be something else showing this "signature".

There is a tiny chance that a misloaded update to your A/V program has started this off?

A System Restore may clear this issue too, if you can recall how long ago this started,
followed by a full scan with your antivirus program (which will have to be reupdated).

A good place to start?
 
Posts: 14535 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
Diamond Enthusiast

bedstor
Posted
Further Info Fred

quote:
Brief Description
Qhost is a trojan that prevents access to certain web sites and reroutes traffic to certain ip addresses. It also modifies the DNS setting so the unsuspecting user might be redirected to sites other than those intended.

It uses an exploit in IE to upload the trojan to the user's machine and execute it

Technical Description
It is copied onto the system as aolfix.exe. When aolfix.exe is automatically executed it drops a BAT file in this directory c:\bdtmp\tmp


In the latter part of the quote I see aolfix.exe mentioned, which gives us hope that Windows System Restore can save the day by winding the clock back.


Further question: are you still connecting using the AOL browser? I've news for you, AOL have distanced themselves from that software (belongs in the dial-up age).
The clue was the file marked "AOL", which could only have been delivered to the AOL browser.
I am still with AOL but now I connect up directly (no password). The connectivity software does the donkey work, and any AOL business is done on the AOL webpage and the AOL Mail toolbar. The only con is that AOL Favourites cannot be used; the best method is transferring (exporting) them to Internet Explorer.
There is no charge for this upgrade.
If you have in your IE browser and LAN connectivity program an option marked DialBB, you will be able to upgrade.
Phone the AOL support helpline and be sitting in front of your computer, connected up. Use the phone socket on the micro filter.

The operator will call out what to do, and you change about 2 or 3 settings, perhaps call out a number setting, and they will switch you over in a minute.
The next time you start, click Internet Explorer and if all is in order, your homepage appears, NOT AOL 9.0.
AOL 9 can be retained for emergency, but it has been replaced as the default dialler by DialBB.
Since I installed DialBB I've only visited the AOL browser twice.
Only 1 thing niggles me about the old vs the new, and that is that the online AOL Mail spam filters are not very good.
I can either set them at the AOL 9 browser or route my mail through Gmail/Google Mail via POP (easier than it sounds), and it's double filtered. Note: there is no block address list at Gmail nor AOL Mail unless they are set as a filter or inserted on the blocked site list on "semi defunct?" AOL 9 (They work? That's to be seen).
I have 2 Spanish sites appearing every other day which I "report". Nothing happens! The old AOL spam monitoring dept closed a few years ago, so it's everybody for themselves when setting up any defence against spam.
 
Posts: 14535 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
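
The behaviour in the description quoted above (sites made unreachable, traffic rerouted to other IP addresses) can be checked for directly. This is an added example, not part of the original thread: it assumes the redirection is done through hosts-file entries, which the thread does not state, and the function name `audit_hosts` and the sample entries are constructed for illustration.

```python
import ipaddress

# Names that normally belong in a hosts file and are not worth reporting.
EXPECTED_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

def audit_hosts(text):
    """Return (line_no, verdict, ip, hostname) for each suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], ""))
            continue
        for name in fields[1:]:
            name = name.lower()
            if name in EXPECTED_NAMES:
                continue
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address silently sends the browser somewhere else.
            blocked = ip.is_loopback or ip.is_unspecified
            verdict = "blocked" if blocked else "redirected"
            findings.append((line_no, verdict, str(ip), name))
    return findings

# Constructed sample (reserved example domains and documentation IPs),
# not taken from an infected machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
192.0.2.55      www.search.example search.example
0.0.0.0         support.av-vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`; any "blocked" or "redirected" entry you did not add yourself deserves a closer look.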
Diamond
Enthusiast

Posted
Thanks, Bedstor. I've run the Symantec removal tool. It says that the Qhost trojan was not found on the computer. The notice from AntiMalware must be a false positive.
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02
Gold Enthusiast
Posted
Fred,
Have you navigated to that location in your computer and tried to delete it manually, since it gives you the exact location? When all else fails, I usually try to do that. Since it's in this location:

C:\Documents and Settings\Fred Puli\ local settings\temp\IXP000.TMP

Just open the C drive, then follow the path and see if the file is still there. If so, right click on it and delete it. Also, if you run CCleaner, it will clean out your temp files for you, and quite likely delete the infected file. Good luck!


chris
 
Posts: 857 | Location: Wytheville, va. USA | Registered: 09-03-02
Diamond
Enthusiast

Posted
vansrme, how do I open the C drive? This seems easiest. Puzzling, but AntiMalware finds this trojan and gives the details (but doesn't remove it), yet Bedstor's recommended Symantec tool claimed that Qhost wasn't there, 'no trojans found', when I ran that.
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02
Diamond
Enthusiast

Posted
Right, I've now set a search of the C drive, using the details given, and it returned 'no results found'. I hope that means that the trojan is indeed not there.
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02
Diamond
Enthusiast

Mozart
Posted
Fred, if I were you I would purchase "Spyware Doctor". It'll cost a one-time $29.95 (on line), and you can install it on up to 3 computers and it is good for a few years.

You can download and scan your computer for free with this program, and see what it found. Then to get rid of the malware it will be up to you to purchase the program if you want to. If Qhost is hiding, it will find it and it will be on the list.


Another alternative would be to get rid of it by downloading "fixQhost". It's free and can be found on a French web site called "www.secuser.com". This site is only in French though. Pretty sure you could manage.

http://www.secuser.com/telecha...infection.htm#Qhosts
 
Posts: 7241 | Location: u.s.a, south Florida | Registered: 06-03-02
Diamond
Enthusiast

Posted
Will try the second, Mozart.
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02
Gold Enthusiast
Posted
Fred,
If Mozart's fix doesn't work, post back, and we'll give you instructions on manual removal.


chris
 
Posts: 857 | Location: Wytheville, va. USA | Registered: 09-03-02
Diamond
Enthusiast

Posted
Ta, vansrme. I think it's gone but your information on how to remove such a pest manually and correctly would be useful for future reference.
 
Posts: 11170 | Location: Newmarket, UK/ Antibes, S.France | Registered: 07-14-02

© 2002-2009 AnswerPool.com