This page contains a detailed analysis of W32.Qakbot!html. To get rid of this Trojan, please use the removal guide below.
W32.Qakbot!html is a common detection for infected .htm, .cfm, .pl and .php files. These files were infected by W32.Qakbot!html so that they perform malicious actions on the compromised computer.
Update: May 27, 2012
There are variants of W32.Qakbot!html that also contain a rootkit function. With this advanced method, the Trojan can conceal itself and avoid detection by antivirus programs. To remove rootkits, antivirus vendors offer standalone tools created specifically to eliminate this type of threat.
When a user executes a copy of W32.Qakbot!html, it modifies the system by inserting files and registry entries. The Trojan may run its process by injecting malicious code into iexplore.exe and explorer.exe. Running inside either of these two legitimate Windows processes allows the Trojan to execute while hiding its presence on the system. Thus, it can evade antivirus detection and bypass firewall settings, since both processes are not restricted by the firewall.
While W32.Qakbot!html is running, it can perform tasks that may endanger the computer and the user's sensitive information. It will do the following:
- Steal confidential information such as user names and passwords.
- Open a backdoor and allow a remote attacker to control the infected computer.
- Connect to a command and control server to receive more commands.
- Drop a copy of the Trojan to network-shared folders.
- Download additional files and update itself.
- Upload system information and stolen data to a remote server.
W32.Qakbot!html may infect a computer through the drive-by download method. This means that ordinary web users may acquire the Trojan simply by visiting infected web sites. On local networked computers, the Trojan spreads by infecting files on shared folders and drives. It may also spread through USB drives and other unsafe external devices.
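As an added example (not part of the original page or of any vendor tool): a baseline comparison that hashes the .htm, .cfm, .pl and .php files under a web root or shared folder and reports which ones changed, appeared or disappeared, so that altered files can be located for cleanup. The function names and the temporary sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the page lists as carrying the W32.Qakbot!html detection.
WEB_EXTS = {".htm", ".cfm", ".pl", ".php"}

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every listed web file under root."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out

def compare(baseline, current):
    """Report files modified, added or missing relative to a known-clean baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed sample tree: one page is altered and one script appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sub").mkdir()
        (root / "index.htm").write_text("<html>home</html>")
        (root / "sub" / "form.php").write_text("<?php echo 'ok'; ?>")
        (root / "notes.txt").write_text("not a tracked type")
        base = snapshot(root)  # taken while the tree is known to be clean
        (root / "index.htm").write_text("<html>home</html><!-- appended -->")
        (root / "sub" / "new.pl").write_text("print 1;")
        return compare(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it was taken from a known-clean copy, such as a backup or a deployment package, and stored off the affected machine.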
Alias: W32/Pinkslipbot, Backdoor:Win32/Qakbot.gen!A, BKDR_QAKBOT.A
Damage Level: Low
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Here is a sample screenshot of how an antivirus product was able to detect the Trojan. This detection is effective if a full version of the antivirus is running and real-time protection is enabled.
Manual Removal of W32.Qakbot!html
1. If using Windows Me/XP, System Restore must be disabled to prevent the threat from restoring itself.
2. Database, pattern and definition files of installed antivirus programs must be updated.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Restart Windows in normal mode.
Online Virus Scanner:
Another way to remove a virus without installing an additional antivirus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the websites of legitimate antivirus and security providers.
Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
Alternative Removal Method for W32.Qakbot!html
Option 1: Use Windows System Restore to return Windows to a previous state
If W32.Qakbot!html enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before W32.Qakbot!html infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.