# Can't Reach Google & search Engines? QHosts-1 Virus Removal



## cniehaus (Oct 4, 2003)

I noticed a few days ago that I could not reach Google or many other search engines.
This drove me nuts until I found out about the QHosts-1 virus. It was identified Sep 30th as the QHOSTS-1 Virus (AKA Trojan.Qhosts).

I just removed it from my computer - had me baffled for 2 days.

For more info check: (Partial quote below)
I used the remover, and that did not do the job. I had to turn off the system restore for XP and do the manual removal 
http://us.mcafee.com/virusInfo/defa...;virus_k=100719
(quoted @ bottom), and perform the critical updates before it was wiped out. 
I did notice from the removal program that the viral file was sitting in an internet temp folder under my wife's login (on XP) - Thanks Honey!

For more info, see Symantec Security Response:
http://securityresponse.symantec.co...jan.qhosts.html

*****(Quote from Symantec Security Response)*****
Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

Symantec Security Response has developed a removal tool to repair damage from infections of Trojan.Qhosts.

Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed that redirected the visitor to a different web page. Being redirected to the web page appears to have caused the trojan to be downloaded to a visitor's system and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself.

Microsoft has released a cumulative patch for this vulnerability, available here.

***** Removal Instructions That Worked for Me *****
Removal Instructions

All Windows Users:
Use current engine and DAT files for detection and removal.

The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).

EXTRA.DAT 
SUPER EXTRA.DAT

Manual Removal Instructions

- Apply the MS03-040 patch
- Delete the following files:
  - %WinDir%\Help\hosts
  - %WinDir%\winlog
- Set the following registry key value (Information on editing registry keys):
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
- Delete the following registry key value (Information on deleting registry keys):
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
- Reconfigure your DNS server settings as desired
- Reconfigure your Internet Explorer settings as desired

Additional Windows ME/XP removal considerations


----------
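
The manual checks from the removal instructions above, as an added read-only PowerShell example (not part of the original posts or of the vendors' removal tools). It assumes PowerShell 3.0 or later; the function name `Get-QhostsIndicator` is hypothetical, and the `NameServer` listing is an added review step for the DNS change the Symantec quote describes.

```powershell
# Added example: read-only check for the artifacts named in the removal steps.
# Get-QhostsIndicator is a hypothetical name; nothing here modifies the system.
function Get-QhostsIndicator {
    $findings = @()
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    # 1. The hosts directory should be the default, not a relocated path.
    $expected = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\drivers\etc')
    $actual = (Get-ItemProperty -Path $tcpip -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
    if ($actual -and ($actual.TrimEnd('\') -ne $expected)) {
        $findings += [pscustomobject]@{ Check = 'DataBasePath changed'; Detail = $actual }
    }

    # 2. Files the instructions say to delete.
    foreach ($rel in 'Help\hosts', 'winlog') {
        $path = Join-Path -Path $env:WinDir -ChildPath $rel
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Check = 'File present'; Detail = $path }
        }
    }

    # 3. Per-interface keys: the "r0x" value, plus any static DNS servers
    #    (NameServer) so they can be reviewed by hand.
    foreach ($key in Get-ChildItem -Path "$tcpip\Interfaces" -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($null -ne $props.r0x) {
            $findings += [pscustomobject]@{ Check = 'r0x value present'; Detail = $key.PSChildName }
        }
        if ($props.NameServer) {
            $findings += [pscustomobject]@{ Check = 'Static DNS (review)'; Detail = "$($key.PSChildName): $($props.NameServer)" }
        }
    }
    return $findings
}

Get-QhostsIndicator | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found; a "Static DNS (review)" row is not a finding by itself and only needs checking against the DNS servers you expect.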



## Rollin' Rog (Dec 9, 2000)

Thanks cniehaus, I've included a link to your info in the pinned thread at the top of the forum now. The information regarding manual removal and the hijacked Hosts location configured in the XP registry is especially helpful -- I should note that the location you give is specific to WinXp home though.

Other locations:

- Windows 95/98/Me: c:\windows\hosts
- Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
- Windows XP Home: c:\windows\system32\drivers\etc\hosts


----------



## ZipperZam (Sep 13, 2003)

Help, I can't find Services\Tcpip\Parameters\Interfaces\windows "r0x".
The windows folder is not there. I am using XP Pro.


----------



## Rollin' Rog (Dec 9, 2000)

If it isn't there don't worry, it would only have been created by the viral file and may have been removed by any fix tool you used.


----------



## Dunks001 (Oct 9, 2003)

Thanks for this post! I have spent the past few days unable to figure this out. What is the deal with navexcel? That was the page I was being directed to when I entered a search page. I have removed navexcel. 

Can you CTRL+ENTER to add www and .com in the IE address bar now? I cannot. I thought that that was a default shortcut.


----------



## Rollin' Rog (Dec 9, 2000)

About NavExcel:

http://www.doxdesk.com/parasite/NavExcel.html

I'd suggest you open a New Thread and post a HijackThis Scanlog for review:

http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip


----------



## jjerneg (Nov 14, 2003)

Search V is not my default homepage. When I look into the help text on the Search V to uninstall it, it directs me to hijackthis, which I find suspicious. I am hesitant to follow Search V's instructions for uninstalling since they are the ones hijacking my computer to begin with. I'm new at this; any help would be appreciated.


----------

