Trojan.Qhost.AKR

( Trojan.Win32.Qhost.tk, Win32:Qhost-BXO, Adware.SearchTwo.36 )
Spreading: very low
Damage: very low
Size: 1,96 MB
Discovered: 2008 May 26

SYMPTOMS:

You are infected with Trojan.Qhost.AKR if:
- you have BitDefender products installed on your computer and you cannot update them
- the %WINDIR%\System32\Drivers\etc\hosts file contains the line:
        127.0.0.1       update.bitdefender.com


TECHNICAL DESCRIPTION:

      Trojan.Qhost.AKR is distributed as a patcher for BitDefender 2008 products (Internet Security 2008, Total Security 2008 and Antivirus Plus 2008), with a user interface and instructions on how to use it. At some point, you are asked to click a button that modifies the %WINDIR%\System32\Drivers\etc\hosts file, adding an entry that points the BitDefender antivirus update site to localhost. Because the update host name then resolves to the local machine, the antivirus can no longer update.

     The attributes of the %WINDIR%\System32\Drivers\etc\hosts file are also set to hidden, system and read-only, making the file harder for an inexperienced user to see and change.

REMOVAL INSTRUCTIONS:

Please let BitDefender delete the infected file.
Go to the %WINDIR%\System32\Drivers\etc directory and check if the hosts file contains the line:
       127.0.0.1 update.bitdefender.com
If so, change the hosts file's attributes: remove the hidden, system and read-only attributes by typing at the command line:
       attrib -h -s -r hosts
Afterwards, open the hosts file with an editor (e.g. Notepad) and delete the line mentioned above (the line containing 127.0.0.1 update.bitdefender.com).
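
The two indicators described above (the hosts entry and the hidden/system/read-only attributes) can be checked with a short script. This is an added example, not part of the original write-up: the function names and the sample hosts content are constructed, and matching any loopback or unspecified address rather than only 127.0.0.1 is an assumption that generalizes the single entry given on this page.

```python
import ipaddress
import os
import stat

TARGET = "update.bitdefender.com"   # host name given on the page

# Constructed sample hosts content (not taken from an infected machine).
SAMPLE = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1\tupdate.bitdefender.com\n"
    "# 127.0.0.1 update.bitdefender.com\n"
    "0.0.0.0 example.test UPDATE.BITDEFENDER.COM.  # trailing comment\n"
)

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (assumed generalization of 127.0.0.1)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_redirects(hosts_text, host=TARGET):
    """Return (line_number, raw_line) for each active entry that sinkholes host."""
    hits = []
    for number, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on spaces/tabs
        if len(fields) < 2:
            continue
        names = [name.lower().rstrip(".") for name in fields[1:]]
        if is_sinkhole(fields[0]) and host in names:
            hits.append((number, raw))
    return hits

def suspicious_attributes(path):
    """List which of hidden/system/readonly are set on path (always empty off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    flags = {"hidden": stat.FILE_ATTRIBUTE_HIDDEN,
             "system": stat.FILE_ATTRIBUTE_SYSTEM,
             "readonly": stat.FILE_ATTRIBUTE_READONLY}
    return [name for name, bit in flags.items() if attrs & bit]

if __name__ == "__main__":
    hosts = os.path.join(os.environ.get("WINDIR", ""), "System32", "drivers", "etc", "hosts")
    text = SAMPLE
    if os.path.isfile(hosts):   # real file on Windows, constructed sample elsewhere
        with open(hosts, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
        print("attributes set:", suspicious_attributes(hosts))
    for number, raw in find_redirects(text):
        print(f"line {number}: {raw.strip()}")
```

The script only reads the file; clearing the attributes and deleting the line are still done with the steps above.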

ANALYZED BY:

Boeriu Laura, virus researcher