Can't Reach Google & search Engines? QHosts-1 Virus Removal

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cniehaus

Thread Starter
Joined
Oct 4, 2003
Messages
4
I noticed a few days ago that I could not reach Google or many other search engines. :confused:
This drove me nuts until I found out about the QHosts-1 virus. It was identified Sep 30th as the QHOSTS-1 Virus (AKA Trojan.Qhosts).

I just removed it from my computer - had me baffled for 2 days.

For more info check: (Partial quote below)
I used the remover, and that did not do the job. I had to turn off the system restore for XP and do the manual removal
http://us.mcafee.com/virusInfo/defa...;virus_k=100719
(quoted @ bottom), and perform the critical updates before it was wiped out.
I did notice from the removal program that the viral file was sitting in an internet temp folder under my wife's login (on XP) - Thanks Honey!

More info see Symantec Security Response:
http://securityresponse.symantec.co...jan.qhosts.html

*****(Quote from Symantec Security Response)*****
Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

Symantec Security Response has developed a removal tool to repair damage from infections of Trojan.Qhosts.

Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed that redirected the visitor to a different web page. Being redirected to the web page appears to have caused the trojan to be downloaded to a visitor's system and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself.

Microsoft has released a cumulative patch for this vulnerability, available here.

***** Removal Instructions That Worked for Me *****
Removal Instructions

All Windows Users:
Use current engine and DAT files for detection and removal.

The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).

EXTRA.DAT
SUPER EXTRA.DAT

Manual Removal Instructions

- Apply the MS03-040 patch
- Delete the following files:
    %WinDir%\Help\hosts
    %WinDir%\winlog
- Set the following registry key value (Information on editing registry keys):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
- Delete the following registry key value (Information on deleting registry keys):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
- Reconfigure your DNS server settings as desired
- Reconfigure your Internet Explorer settings as desired

Additional Windows ME/XP removal considerations
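
The manual checks in the post above, written as a read-only PowerShell audit. This is an added example, not part of the original post or the vendor's instructions. The keys, value names and file paths are the ones quoted above; the per-interface `NameServer` value and the localhost filter are assumptions added here.

```powershell
# Added example: read-only audit of the indicators named in the removal steps.
# Nothing is modified; keys, value names and file paths come from the post above.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = '%SystemRoot%\System32\drivers\etc'
$findings = @()

# 1. DataBasePath selects the directory the resolver reads "hosts" from.
#    Read it unexpanded so it compares against the literal value in the post.
$raw = (Get-Item -Path $tcpip).GetValue('DataBasePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
if ($raw -ne $expected) {
    $findings += "DataBasePath is '$raw' (expected '$expected')"
}

# 2. Entries in the hosts file that DataBasePath currently points to.
#    The localhost filter is an assumption: those lines are the stock defaults.
if ($raw) {
    $hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($raw)) 'hosts'
    if (Test-Path -LiteralPath $hostsFile) {
        Get-Content -LiteralPath $hostsFile |
            Where-Object { $_ -match '^\s*[^#\s]' -and
                           $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
            ForEach-Object { $findings += "Review hosts entry in ${hostsFile}: $_" }
    }
}

# 3. The removal steps name the value "r0x" under Interfaces\windows;
#    report the key if it is present.
$ifRoot = "$tcpip\Interfaces"
if (Test-Path -Path "$ifRoot\windows") {
    $r0x = (Get-Item -Path "$ifRoot\windows").GetValue('r0x')
    $findings += "Key Interfaces\windows exists (r0x = '$r0x')"
}

# 4. Statically configured DNS servers per interface, listed for review
#    (NameServer is an assumption; the post only says to reconfigure DNS).
Get-ChildItem -Path $ifRoot | ForEach-Object {
    $dns = $_.GetValue('NameServer')
    if ($dns) { $findings += "Static DNS on $($_.PSChildName): $dns" }
}

# 5. Files the removal steps say to delete.
foreach ($p in "$env:WinDir\Help\hosts", "$env:WinDir\winlog") {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings.Count) { $findings } else { 'None of the listed indicators found.' }
```

Hosts entries and static DNS servers are listed for review only; a legitimately configured machine can have both.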
 
Joined
Dec 9, 2000
Messages
45,855
Thanks cniehaus, I've included a link to your info in the pinned thread at the top of the forum now. The information regarding manual removal and the hijacked Hosts location configured in the XP registry is especially helpful -- I should note that the location you give is specific to WinXP Home though.

Other locations:

Windows 95/98/Me: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts
 
Joined
Sep 12, 2003
Messages
21
Help, I can't find Services\Tcpip\Parameters\Interfaces\windows "r0x".
The windows folder is not there. I am using XP Pro.
 
Joined
Dec 9, 2000
Messages
45,855
If it isn't there don't worry, it would only have been created by the viral file and may have been removed by any fix tool you used.
 
Joined
Oct 9, 2003
Messages
2
Thanks for this post! I have spent the past few days unable to figure this out. What is the deal with navexcel? That was the page I was being directed to when I entered a search page. I have removed navexcel.

Can you CNTL+ENTER to add www and .com in the IE address bar now? I cannot. I thought that that was a default shortcut.
 
Joined
Nov 14, 2003
Messages
3
Search V is not my default homepage. When I look into the help text on the Search V to uninstall it, it directs me to hijackthis, which I find suspicious. I am hesitant to follow Search V's instructions of uninstalling since they are the ones hijacking my computer to begin with. I'm new at this; any help would be appreciated.
 