What is QHosts and how can I remove this malware?

What is QHosts malware?

QHosts has been going around since as far back as 2003. It is one of several viruses that made Adobe Flash so unsafe and unreliable that on many operating systems, including macOS, it is no longer included, and very few websites and apps use Flash for the same reason.

QHosts is a trojan virus that is distributed through fake versions of the Flash Player installer. It is also distributed through email attachments in numerous formats, appearing to be a legitimate download, such as a PDF, JPG or a Word document.

QHosts - also known as HostMod, VBS.QHOSTS, Troj/Qhosts-1, TROJ_QHOSTS.A, Trojan.BAT.Delude.c - has been an active trojan problem for several years, although many antivirus scanners can now detect it more easily than when it was first launched.


What threat does QHosts pose to Macs?

Trojan viruses of this kind modify the TCP/IP settings to point web browsers to a different DNS server. When you go online, every device is pointed to a default DNS server, which depends on your Internet Service Provider (ISP). The trojan hijacks this setting, pointing it to a hacked DNS server instead. Once traffic is redirected, adverts are usually served that generate revenue for criminal gangs. It is also another way for computers to become infected with other viruses, spyware, and ransomware.

One of the worst examples of this was DNSChanger, which was believed to have infected over 4 million Mac and Windows devices, until the FBI shut it down in 2012, arresting an Estonian criminal gang that had generated $11 million through advertising and popups.

At the time this trojan was detected, it was believed that a hacked page on this website - www.fortunecity.com - was the source of the infection. When web visitors clicked on the page, it redirected them to another website, causing the executable to be downloaded, usually in the form of a fake or modified Flash Player installer. It looked legitimate, therefore anyone who noticed the download wouldn't necessarily be concerned.

However, it would require the user to click accept for the download to go ahead. In order to take control of a browser, a Mac user would also need to input their login/admin password, thereby giving this virus root/user control of the Mac. Once that access is granted, the trojan is capable of taking control of a Mac, recording video, audio, keystrokes and passwords. Although many viruses such as this focus on redirecting web traffic, they do present a significant risk if they're not removed early on.

Trojans and other malware also create an unwanted and unsafe backdoor that can let other viruses in, creating a long-term threat that is best dealt with as soon as possible.

How to remove QHosts manually?

You may try to remove QHosts manually, using the steps below, although this isn’t guaranteed to work, as trojan viruses are known to bury themselves deep. It also means running the risk of leaving parts of the virus within your Mac, or accidentally removing something your Mac needs to operate.

To attempt a manual removal, you need to start with your web browser, which is how this virus is redirecting web visits.

Here is how to manually delete QHosts from Safari, Firefox and Chrome:

#1: Uninstall QHosts from Safari

  1. Go to Safari > Preferences.
  2. Click on Extensions.
  3. Pick the Extension that you don't recognize to delete.
  4. Click Uninstall.
  5. Confirm that you want to Uninstall the extension.

#2: Remove QHosts from Chrome

  1. Open Chrome.
  2. Go to the Menu in your browser.
  3. Click on More Tools > Extensions.
  4. Pick the Extension that you don't recognize to delete.
  5. Click Remove.
  6. Confirm that you want to Remove the extension.

#3: Delete QHosts from Firefox

  1. Open Firefox.
  2. Go to the Menu in your browser.
  3. Click on the Add-ons manager tab.
  4. Select the Extension you want to remove.
  5. Click Remove.
  6. Confirm that you want to delete it.

#4: Remove files in your system

Once you’ve removed the extension from your browser, you need to search through several files - including in Libraries - to make sure QHosts can’t cause any more problems for your Mac.

#5: Restore DNS settings

It is also worth restoring your DNS settings:

  1. Go to System Preferences > Network.
  2. Within Network, set your DNS settings to what they should be (your Internet Service Provider should have that information, or it will be on a router in your home or office).
  3. Click on Advanced to make sure the settings are correct after inputting this change.
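To see which resolvers the Mac is actually using before and after this change, the script below compares them against an allow-list. It is an added example, not part of the original article; the `EXPECTED` list, the function names and the sample addresses are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: list DNS resolvers in use and flag any not on an expected list.
# EXPECTED is an assumption: set it to the resolvers your ISP or router provides.
EXPECTED="${EXPECTED:-192.168.1.1 1.1.1.1}"

# macOS only: print "service<TAB>resolver" for manually configured resolvers,
# then the resolvers the system is effectively using (covers DHCP-supplied ones).
collect_dns() {
    networksetup -listallnetworkservices | sed -e 1d -e 's/^\*//' |
    while IFS= read -r svc; do
        networksetup -getdnsservers "$svc" </dev/null |
        while IFS= read -r line; do printf '%s\t%s\n' "$svc" "$line"; done
    done
    scutil --dns | awk '/nameserver\[/ { print "effective\t" $3 }' | sort -u
}

# Read "service<TAB>resolver" lines on stdin and print every resolver that is
# not in the space-separated allow-list given as $1. Lines whose second field
# is not an IP address (e.g. the "There aren't any DNS Servers set" message)
# are ignored.
audit_dns() {
    awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 ~ /^[0-9a-fA-F:.]+(%[a-z0-9]+)?$/ && !($2 in ok) {
            print "UNEXPECTED\t" $1 "\t" $2
        }'
}

# Constructed sample input for machines without networksetup; 203.0.113.53 is a
# documentation address standing in for a rogue resolver.
sample_input() {
    printf "Wi-Fi\t192.168.1.1\nWi-Fi\t203.0.113.53\n"
    printf "Ethernet\tThere aren't any DNS Servers set on Ethernet.\n"
}

if command -v networksetup >/dev/null 2>&1; then
    collect_dns | audit_dns "$EXPECTED"
else
    sample_input | audit_dns "$EXPECTED"
fi
```

The script prints nothing when every resolver is on the list; any `UNEXPECTED` line names the network service and the address to investigate.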

Remove QHosts easily with CleanMyMac X

This method is quicker and safer.

CleanMyMac X is an invaluable tool for improving the overall performance of your Mac. It has a Malware Removal tool that can identify and neutralize thousands of threats, such as adware, spyware, worms and viruses, including QHosts.

To remove a trojan virus this way, all you need to do is:

  1. Download CleanMyMac X (a trial version is free to download and try).
  2. Open the app.
  3. Click the Malware Removal tab.
  4. Click Scan to search for infections.
  5. Click Remove to approve the deletion and your Mac will be working perfectly again.

QHosts is a malicious trojan that is best avoided. Safe browsing and not clicking on anything that will trigger a download is one of the best ways to dodge viruses such as this. However, we know how clever cybercriminals are at convincing people that a download is legitimate. So if in doubt, scan your Mac and remove any infections and anything else that you don't want or need anymore.
