I am seeing a few reports of this malware coming into ePO and talked to one of the support techs. On one of the systems, it was connected to the network but did not have a browser window open and was not connected to anything such as an external drive. The user received the pop-up while working on data that they typically work on day to day and contacted support.
According to the logs it shows that the infection was cleaned from the hosts file but the hosts file has a last modification date of 3 years ago.
Detected via OAS
False positive being reported? Anyone else experiencing the same?
Support confirm false positive:
"If the customer was using or has used Spybot search and destroy or other anti-malware tools that added entries within the hosts file it was detected incorrectly with the 6874 dat. This has already been fixed and should not occur in the next dat onwards."
Apologies for any inconvenience caused by this detection in the 6874 DAT release.
Yes we saw it across a number of machines as well. No real understanding of what might be common between the systems where the detections occurred. As with others I'll be watching this to see what develops.
I've seen a couple today, including my pc, with VSE patch1, DAT 6874.
The QHosts.c detections are coming from C:\WINDOWS\system32\drivers\etc\host.
Anyone running Spybot 1.6.2 on the same PC as McAfee? In my case, it appears that McAfee isn't liking the host file after Spybot appends its blacklist. If I try to manually update Spybot and immunize the global host file, McAfee will quarantine it as a QHosts.c detection every time.
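An added example, not part of any post in this thread and not McAfee's or Spybot's code: a triage script that parses a hosts file and separates sinkhole-style entries (names mapped to loopback or 0.0.0.0, the form Spybot's immunization writes) from entries that map a name to any other address, which are the ones worth reviewing by hand after a hosts-file detection. The function name `triage_hosts` and the sample hosts content are constructed for illustration.

```python
import ipaddress

# Constructed sample; not taken from any machine in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by a blocklist tool (constructed)
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org   # inline comment
203.0.113.10    login.example.com
not-an-ip       broken.example.com
"""


def triage_hosts(text):
    """Classify hosts-file entries (hypothetical helper).

    Returns a dict with three lists of (line_no, address, names):
      sinkhole - names mapped to loopback or unspecified addresses
      review   - names mapped to any other address
      invalid  - lines whose first field is not an IP address
    """
    result = {"sinkhole": [], "review": [], "invalid": []}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop full-line and trailing comments, then skip blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append((line_no, addr, names))
            continue
        # Loopback (127.0.0.0/8, ::1) and 0.0.0.0/:: only block a name.
        bucket = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "review"
        result[bucket].append((line_no, addr, names))
    return result


if __name__ == "__main__":
    report = triage_hosts(SAMPLE_HOSTS)
    for bucket, entries in report.items():
        print(f"{bucket}: {len(entries)}")
        for line_no, addr, names in entries:
            print(f"  line {line_no}: {addr} -> {' '.join(names)}")
```

Entries in the review bucket are not proof of compromise; they are the lines to compare against what the machine's own tooling is expected to write.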
My friend has been having it pop up as well, however the source for hers is...
She checked, it was modified recently, and it continues to pop up in spams, and then is calm for a long time, and then pops up in waves again. (Mainly this happens while she's using Malware Bytes/SuperAntiSpyware/Spybot Search and Destroy/Stinger)
Her message is this...
It just started popping up about 2-3 hours again. Did she actually get a virus/trojan or is it just a false report that McAfee is constantly catching and "Fixing"?
Message was edited by: whippoorwillheretic on 10/24/12 1:19:49 AM CDT
We are also seeing what looks like false positives with the 6874 DAT on some old VSE 8.7 machines, but we have no access to the endpoints to check.
At least 1 was on a mothballed server that's been out of use for 2 years though.
So the issue my friend is having, and these other gentlemen above are having, is more than likely a false positive that may be fixed in the next update, or will have a user-fix soon?