
Can't Reach Google & Search Engines? QHosts-1 Virus Removal

Discussion in 'Virus & Other Malware Removal' started by cniehaus, Oct 4, 2003.

Thread Status:
Not open for further replies.
  1. cniehaus

    cniehaus Thread Starter

    Oct 4, 2003
    I noticed a few days ago that I could not reach Google or many other search engines. :confused:
    This drove me nuts until I found out about the QHosts-1 virus. It was identified Sep 30th as the QHOSTS-1 Virus (AKA Trojan.Qhosts).

    I just removed it from my computer - had me baffled for 2 days.

    For more info check: (Partial quote below)
    I used the remover, and that did not do the job. I had to turn off the system restore for XP and do the manual removal
    (quoted @ bottom), and perform the critical updates before it was wiped out.
    I did notice from the removal program that the viral file was sitting in an internet temp folder under my wife's login (on XP) - Thanks Honey!

    More info see Symantec Security Response:

    *****(Quote from Symantec Security Response)*****
    Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

    Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

    Symantec Security Response has developed a removal tool to repair damage from infections of Trojan.Qhosts.

    Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed that redirected the visitor to a different web page. Being redirected to the web page appears to have caused the trojan to be downloaded to a visitor's system and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself.

    Microsoft has released a cumulative patch for this vulnerability, available here.

    ***** Removal Instructions That Worked for Me *****
    Removal Instructions

    All Windows Users:
    Use current engine and DAT files for detection and removal.

    The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).


    Manual Removal Instructions

    Apply the MS03-040 patch
    Delete the following files:

    Set the following registry key value (Information on editing registry keys):
    Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
    Delete the following registry key value (Information on deleting registry keys):
    Services\Tcpip\Parameters\Interfaces\windows "r0x"
    Reconfigure your DNS server settings as desired
    Reconfigure your Internet Explorer settings as desired
    Additional Windows ME/XP removal considerations
  2. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    Thanks cniehaus, I've included a link to your info in the pinned thread at the top of the forum now. The information regarding manual removal and the hijacked Hosts location configured in the XP registry is especially helpful -- I should note that the location you give is specific to WinXp home though.

    Other locations:

    Windows 95/98/Me: c:\windows\hosts
    Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
    Windows XP Home: c:\windows\system32\drivers\etc\hosts
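
The registry checks from the manual removal steps and the hijacked hosts location discussed above, as an added example (not part of the thread or of any vendor tool): it parses `reg export` text and reports a redirected `DataBasePath`, a leftover `r0x` value, and any `NameServer` entries to review by hand. The full `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` path, the `NameServer` check, the function names and the sample export are assumptions of this example.

```python
import re
EXPECTED = r"%SystemRoot%\System32\drivers\etc"  # value given in the removal steps

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: string}}."""
    text = text.replace("\\\n", "")              # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.groups()
        if raw.startswith("hex(2):"):            # REG_EXPAND_SZ: UTF-16LE bytes
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
            raw = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"'):                # REG_SZ: unescape backslashes
            raw = raw[1:-1].replace("\\\\", "\\")
        current[name] = raw
    return keys

def triage(keys):
    """Return (check, key, data) findings for the settings named in the thread."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\tcpip\parameters"):
            dbp = values.get("DataBasePath", "")  # a missing value is flagged too
            if dbp.lower().rstrip("\\") != EXPECTED.lower():
                findings.append(("hosts-dir-redirected", path, dbp))
        if low.endswith(r"\tcpip\parameters\interfaces\windows") and "r0x" in values:
            findings.append(("r0x-present", path, values["r0x"]))
        if "\\tcpip\\parameters" in low and values.get("NameServer"):
            findings.append(("review-dns", path, values["NameServer"]))
    return findings

# Constructed sample export (not taken from an infected machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,74,00,6d,00,70,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="constructed"
"NameServer"="192.0.2.53"
"""

if __name__ == "__main__":
    print(*triage(parse_reg(SAMPLE)), sep="\n")
```

`DataBasePath` is compared literally (case-insensitive) against the unexpanded `%SystemRoot%` form, so a machine that stores the already-expanded path will be flagged for a manual look.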
  3. ZipperZam


    Sep 12, 2003
    help, I can't find Services\Tcpip\Parameters\Interfaces\windows "r0x"
    the windows folder is not there. I am using xp pro
  4. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    If it isn't there don't worry, it would only have been created by the viral file and may have been removed by any fix tool you used.
  5. Dunks001


    Oct 9, 2003
    Thanks for this post! I have spent the past few days unable to figure this out. What is the deal with navexcel? That was the page I was being directed to when I entered a search page. I have removed navexcel.

    Can you CTRL+ENTER to add www and .com in the IE address bar now? I cannot? I thought that that was a default shortcut.
  6. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
  7. jjerneg


    Nov 14, 2003
    Search V is not my default homepage. When I look into the help text on the Search V to uninstall it, it directs me to hijackthis, which I find suspicious. I am hesitant to follow Search V's instructions of uninstalling since they are the ones hijacking my computer to begin with. I'm new at this; any help would be appreciated.

Short URL to this thread: https://techguy.org/169552
