We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win32/Qhost.AV
Detected by Microsoft Defender Antivirus
Aliases: Win32/Sipay.AB (CA) Trojan-Proxy.Win32.Agent.bjr (Kaspersky) Generic Downloader.x (McAfee) Troj/Agent-JFZ (Sophos) Trojan.QHosts.G (Symantec) TROJ_DLOADER.OZ (Trend Micro)
Summary
Trojan:Win32/Qhost.AV is a trojan that modifies an affected user's Windows Hosts file, in order to redirect users attempting to visit PayPal or Chase bank to sites of the attacker's choice.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
To recreate a clean HOSTS file:
- Click Start, and click Run.
- Open the Hosts file, according to operating system:
On Windows 95, Windows 98, or Windows ME systems:
In the Open field, type: notepad %windir%\hosts
On Windows NT-based operating systems, such as Windows 2000 or Windows XP:
In the Open field, type: notepad<system folder>\drivers\etc\hosts
-- for example, on Windows 2000:
In the Open field, type: notepad C:\WINNT\system32\drivers\etc\hosts
-- or on Windows XP:
In the Open field, type: notepad C:\Windows\system32\drivers\etc\hosts
On Windows Vista:
Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator
Click File, click Open, type: %windir%\system32\drivers\etc\hosts, and then click Open - On the first line of the HOSTS file, type: 127.0.0.1 localhost as in the following example after modifying a default 'hosts' file:
- Save the file to the same location you opened it from.
- Close Notepad.
Follow us
