Windows Defender alert


chimpy

Hi, I just got my first Windows Defender alert after having the computer over 16 months. It states that the threat is medium and I have four choices: to clean, quarantine, remove or ignore. The threat is on my c:\windows\winsxs\x86-microsoft-windows-w..nfrastructure-other file.

When I click the link to get further info it takes me to the Malware Protection Center, and the two other names for this infection are Trojan.Win32.Qhost (Kaspersky), Qhosts.apd (McAfee), and it explains to recover it by following these steps:

To recreate a clean HOSTS file manually:

1. Click Start, and click Run.

2. If your computer is running Windows 95, Windows 98, or Windows ME:

In the Open field, type: notepad %windir%\hosts

3. If your computer is running a Windows NT-based operating system, such as Windows 2000 or Windows XP:

In the Open field, type: notepad <system folder>\drivers\etc\hosts

-- for example, on Windows 2000:

In the Open field, type: notepad C:\WINNT\system32\drivers\etc\hosts

-- or on Windows XP:

In the Open field, type: notepad C:\Windows\system32\drivers\etc\hosts

4. Delete all text in the HOSTS file.

5. On the first line of the HOSTS file, type: 127.0.0.1 localhost

At this point the HOSTS file contains nothing but this one line of text.

6. Save the file to the same location you opened it from.

7. Close Notepad.

None of which I can seem to get to work! I'm running Vista Home Basic with AVG 8.0 and scanning sometimes with SUPERAntiSpyware, Malwarebytes, Ad-Aware and Spybot. Since last scanning I've not been on any dodgy sites and am wondering if this is a false positive from Defender or something malicious?

Can anyone please help me?

Thanks.

I figured out how to do the "run" thing and all that was in there were the 100s of 127.0.0.1 files that Spybot has put on there. I deleted it anyway and tried to save but it wouldn't let me, not even as admin. I tried to clean the Defender alert but that told me it couldn't clean the whole thing and an error occurred, so I part cleaned it a few more times then just deleted it to be safe. Now when I look in Defender's history not only is the C:\... one mentioned but there's a D:\Windows\System32\drivers\etc\hosts there too that I somehow cleaned, and another D called like the C driver one, "D:\windows\winsxs\x86-microsoft-windows-w..nfrastructure..........". Looking at the D in the Notepad "run" it seems the only entry there is this "::1 localhost", so I'm none the wiser as to what I might still need to do if I have not done enough?

Any help?

I don't use Spybot S&D HOSTS file as it is not as well maintained as hpHosts or MVPS HOSTS files.

I do know that Windows Defender monitors the HOSTS file and alerts if there is a change and I permit the change if I am updating the HOSTS file myself.

By the way, it is recommended to use a local proxy and to disable DNS Client service with a large HOSTS file to speed up browsing.

I use the HostsServer local proxy that comes with HostsMan and use HostsMan to keep the HOSTS file up to date and disable the DNS Client service:

http://www.abelhadigital.com


Thanks for that. I've had Spybot since I got the computer and this is the first time I've had a warning from Defender. I notice in the history part of Defender I have an alert whenever I update SUPERAntiSpyware but it allows that without me having to do anything to it.

(I've had notice twice about a registry change and I allowed it because frankly I know no better, but that was months ago)

It's just that in Defender the link taking you to the page where it tells you what the problem is states it's a trojan, Trojan.Win32.Qhost (Kaspersky), Qhosts.apd (McAfee), and that worries me, so I still don't know what to think about it.

As to using a proxy, well, let's just say I'm not savvy enough to use one :D

I have posted a HijackThis log to check whether I am infected just in case, as I notice there is something about a worm in there.

There is a known issue of a false positive with Defender and the Spybot-immunized hosts file; the new definition will address it.

http://www.microsoft.com/security/portal/E...608427027806866

I have posted a HijackThis log to check whether I am infected just in case, as I notice there is something about a worm in there.

Edit: Don't make any changes; let your helper handle this.

I see our posts crossed
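
An added example, not part of the thread: a Python sketch that sorts HOSTS entries into the default localhost lines, loopback "sinkhole" entries of the kind an immunized HOSTS file carries, and entries that point a name at a non-loopback address, which are the ones worth a closer look. The sample file contents and the `audit_hosts` name are constructed for illustration.

```python
import ipaddress

# Constructed sample (not taken from the thread): default entries, two
# blocklist-style entries, one redirect to a routable address, one bad line.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.test   # blocklist entry
0.0.0.0 tracker.example.test
203.0.113.7 update.example.test www.example.test
not-an-ip broken.example.test
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Classify HOSTS entries as default, sinkholed, redirected or malformed."""
    report = {"default": [], "sinkholed": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        if len(fields) < 2:  # an address with no hostname is not a valid entry
            report["malformed"].append((lineno, raw.strip()))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                # Loopback/unspecified targets only block a name; they cannot
                # send traffic to another machine.
                bucket = "default" if name in LOCAL_NAMES else "sinkholed"
            else:
                # A name mapped to any other address overrides DNS for it.
                bucket = "redirected"
            report[bucket].append((lineno, str(addr), name))
    return report


if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, entries)
```
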


:D Thanks for that! That's a load off my mind. I just hope I didn't mess anything up with the cleaning and removing I did last night.

And I shall wait for help in the HJT place without touching anything.

Once again, thanks a lot!