Hosts & Index.dat, Is it ok to delete these?

[Bruce F. Leavitt]

I posteed earlier this wk and someone suggested that my friend has the qhost
viurs. I have downloaded the fix and will be trying it later. I noticed a
few places in the newsgroups people suggested deleting these files or
folders?
The computer is online and after going to a few sites it won't go anyplace,
and you can try other sites. In other messages some suggested that hosts or
the index.dat is corrupted? Will they reconstitute themselves if deleted?

thanks

 

[YoKenny]

I posteed earlier this wk and someone suggested that my friend has
the qhost viurs. I have downloaded the fix and will be trying it
later. I noticed a few places in the newsgroups people suggested
deleting these files or folders?
The computer is online and after going to a few sites it won't go
anyplace, and you can try other sites. In other messages some
suggested that hosts or the index.dat is corrupted? Will they
reconstitute themselves if deleted?

HOSTS file will not regenerate unless you get the trojan again.

Index.dat will regenerate. If your friend is using WinXP then deleting
the index.dat will prove a chalenge to remove as it is locked by the
opperating system.

Borrowed from Jim (MVP)

You've apparently gotten infected with the QHosts trojan. Read here for
information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191

Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)

 

[Bruce F. Leavitt]

When I read about this virus it talks more about search engines?
I take it from the messages I have received even if you type something in
teh address box, then click on links, this virus also applies?
thanks

Bruce

I posteed earlier this wk and someone suggested that my friend has
the qhost viurs. I have downloaded the fix and will be trying it
later. I noticed a few places in the newsgroups people suggested
deleting these files or folders?
The computer is online and after going to a few sites it won't go
anyplace, and you can try other sites. In other messages some
suggested that hosts or the index.dat is corrupted? Will they
reconstitute themselves if deleted?

HOSTS file will not regenerate unless you get the trojan again.

Index.dat will regenerate. If your friend is using WinXP then deleting
the index.dat will prove a chalenge to remove as it is locked by the
opperating system.

Borrowed from Jim (MVP)

You've apparently gotten infected with the QHosts trojan. Read here for
information:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
http://www3.ca.com/virusinfo/virus.aspx?ID=37191

Try the following:

1. Be sure that you install hotfix 828750 which fixes the exploit that this
virus uses:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

2. Update and run a complete Anti-Virus software check of your system. Most
of the major AV companies have updated their latest signatures to detect
this virus (for Network Associates, be sure to get the EXTRADAT.exe update
from the above page as well as your regular update).

3. If running your AV doesn't clean it up, go to this page, read the
directions CAREFULLY (particularly about the Restore option) and download
and run the removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

If that still doesn't clean it up (and a number of people are reporting that
it did not), then follow the Manual Removal instructions there. The
following is courtesy of Mike Burgess:

"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors,
this one hides the HOSTS file in the "Windows\Help" folder. It then
creates entries that redirects all major search engines to a website.
Note: this website has now been removed, thus the DNS errors.
[more info]
http://www.mvps.org/winhelp2002/hosts.htm (bottom of page)
Run the beta version of HijackThis (link on Hosts page)