QHost trojan

Thread: QHost trojan

  1. #1
    Junior Member
    Join Date
    Nov 2003

    QHost trojan

    Hi everyone,

    Every time I try to do a search (on any search engine) I receive one of two errors. I receive a "page cannot be displayed" error; when I try to go to the website www.google.com I get a cPanel page (and I have no idea what cPanel is).

    This has been reported as the QHost trojan on Symantec.net, but when I download the removal tool it says no trojan detected... so I followed Symantec's self (manual) removal steps and I still have the same error.

    Also, I have tried using several trojan removal tools as well which do not detect the problem!

    I have also used Ad-aware and removed what I can with that as well, but the problem continues!!

    Can someone please help me....I NEED MY GOOGLE!!!

    Thank You for your time.

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Are you sure you did everything and reversed everything done to the registry? If you did, you should be in good shape. You may want to run through it again just to make sure you did everything required for removal:
    Other than that, I don't know.

  3. #3
    Here's a link that specifically addresses the problem~


    Did a little reading on it, and it seems you must have been behind on your updates? Hopefully a quick update will help.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Go to tools, internet options....on the first line at the top, it will tell you what your default homepage is....change it to Google.

    Or am I completely misunderstanding the issue?

  5. #5
    Got a little bit more on it here: http://vil.nai.com/vil/content/v_100719.htm
    Here it is if you want to know about it:
    The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
    System changes include:

    * A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc) to the IP address [note: this is not the default path to the HOSTS file, the following registry key is created to change the HOSTS path]
      o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
    * Configuring DNS servers to use different IP addresses, such as:
    * The creation of the following registry key:
      o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
    * A marker file is created in the Windows directory named winlog
    * A temp directory is created and left behind by the trojan:
      o c:\bdtmp\tmp
    There's more on removing it, I didn't feel like taking up the room.

  6. #6
    Join Date
    Feb 2003

    Restore point

    If you're using XP, then you can just remove the trojan and then go and use the "Last best known configuration" for Windows (Restore Point). I hope this helps.

  7. #7
    Developer Extraordinar
    Join Date
    Jul 2002
    Also check your C:\WINDOWS\system32\drivers\etc\hosts and see what it says about google.com www.google.com and whatever other sites you are having trouble with. Make sure your Virus scanner, trojan scanner, and firewall are up to date.

    Come to UnError.com
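
Added example (not part of any post in this thread): a Python sketch of the checks suggested in posts #5 and #7. It flags hosts-file entries that map watched search domains to any address and tests whether the DataBasePath registry value still points at the stock directory. The function names, the watched-domain list and the sample hosts text are constructed for illustration.

```python
import ipaddress
import ntpath

# Stock DataBasePath value under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters on NT-family Windows.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

# Domains to watch (assumption: extend with whichever sites fail to load).
WATCHED = ("google.com", "altavista.com")

# Constructed sample; 192.0.2.0/24 is a documentation-only address range.
SAMPLE_HOSTS = """\
# constructed sample, not taken from an infected machine
127.0.0.1 localhost
192.0.2.10 www.google.com google.com
192.0.2.10 altavista.com   # trailing comment
192.0.2.11 intranet.example
"""


def database_path_is_default(value, default=DEFAULT_DB_PATH):
    """True if DataBasePath still points at the stock hosts directory."""
    def norm(p):
        return ntpath.normcase(ntpath.normpath(p.strip().strip('"')))
    return norm(value) == norm(default)


def suspicious_hosts_entries(hosts_text, watched=WATCHED):
    """Return (line_no, ip, hostname) for every watched name in the file."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, fields[0], host))
    return findings


if __name__ == "__main__":
    print(database_path_is_default(r"%SystemRoot%\help"))
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(finding)
```

A stock hosts file normally maps only localhost, so any hit for a public search domain deserves a look. Run the audit against the file in the directory DataBasePath actually names, since that is the copy Windows reads.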

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    It sometimes helps if you run your countermeasures in "safe" mode.

    http://www.webattack.com/get/hostadmin.html A useful Host administration tool

    http://www.wilderssecurity.com Browser Hijack Blaster.............other useful free tools as well

    http://www.spywareinfo.com/~merijn/index.html Hijack This...........look at the entries at the beginning of the report. Be careful, though, as it shows you everything, not just bad stuff.

    Good Luck

  9. #9
    I recently removed this virus from a load of MSN client computers. Apparently what happened was, QHost was created about 5/6 months ago; the trojan's main purpose was to resolve domain names to pseudo IPs, thus preventing you from getting to select websites. The machines I removed the virus from ran Win 98. There is a file that the trojan loads into the ~/system/ directory called 'hosts'. If you open this file in Notepad, you'll see the fake DNS resolves. Delete the file, for God's sake.

    The weird thing about this virus is that it resolves you to a website that actually explains to you how to remove this virus. Unfortunately, the patch that Microsoft put out didn't work on my PCs. After the virus was written, the IPs that were initially in the virus were recently acquired by some company that has to deal with every single hit.


    If the scatman can do it so can you.

  10. #10
    Join Date
    Jun 2002
    A lot of good info has been provided already but the main thing that needs to be done after clearing out the trojan itself is to clear out all the entries that it put into the hosts file as MicroBurn and catman had pointed out.. once those entries are deleted, you'll be able to see google once again.

    I surely would die without my google too..
