How to remove QHosts malware from your Mac

What is QHosts malware?

QHosts has been going around since as far back as 2003. It is one of several viruses that made Adobe Flash so unsafe and unreliable that on many operating systems, including macOS, it is no longer included.

QHosts is a Trojan virus that is distributed through fake versions of the Flash Player installer. It is also distributed through email attachments in numerous formats, appearing to be a legitimate download, such as a PDF, JPG, or Word Document.

QHosts — also known as HostMod, VBS.QHOSTS, TROJ_QHOSTS.A, Trojan.BAT.Delude.c, and Troj/Qhosts-1 — has been an active Trojan problem for several years. However, many antivirus scanners can now detect and find it more easily than when it was first launched.


What threat does QHosts pose to Macs?

Trojan viruses will modify the TCP/IP settings to point web browsers to a different DNS server. When you go online, every device is pointed to a default DNS server, which depends on your Internet Service Provider (ISP). Trojan will hijack this, pointing it to a hacked DNS server. Once redirected, adverts that generate revenue for criminal gangs are usually served. It is also another way for computers to become infected with other viruses, spyware, and ransomware.

One of the worst examples of this was DNSChanger, which was believed to have infected over 4 million Mac and Windows devices until the FBI shut it down in 2012, arresting an Estonian criminal gang that had generated $11 million through advertising and pop-ups.  

When this Trojan was detected, it was believed that a hacked page on this website — www.fortunecity.com — was the source of the infection. When web visitors clicked on the page, it redirected them to another website, causing the executable to be downloaded, usually in the form of a fake or modified Flash Player installer. It looked legitimate. Therefore, anyone who noticed the download wouldn’t necessarily be concerned.

However, it would require the user to click accept for the download to go ahead. To take control of a browser, a Mac user needs to input their login/admin password, thereby giving this virus root/user control of the Mac. With that unfortunately implemented, the Trojan is capable of taking control of a Mac, recording video, audio, keystrokes, and passwords. Although many viruses like this focus on redirecting web traffic, they present a significant risk if they’re not removed early on.

Trojan and other malware viruses also create an unwanted and unsafe backdoor that can let other viruses in, thus creating a long-term threat that is best dealt with as soon as possible.

How to remove QHosts manually?

You may try to remove QHosts manually, using the steps below.

Although this isn’t guaranteed to work, as Trojan viruses are known to bury themselves deep. It also means running the risk of leaving parts of the virus within your Mac or accidentally removing something your Mac needs to operate.

To attempt a manual removal, you need to start with your web browser, which is how this virus is redirecting web visits.

Here is how to manually delete QHosts from Safari, Firefox, and Chrome:

#1: Uninstall QHosts from Safari

  1. Go to Safari > Settings.
  2. Click on Extensions.
  3. Pick the extension that you don’t recognize to delete.
  4. Click Uninstall.
  5. Confirm that you want to uninstall the extension.

#2: Remove QHosts from Chrome

  1. Open Chrome.
  2. Go to the Menu in your browser.
  3. Click on More Tools > Extensions.
  4. Pick the extension that you don’t recognize to delete.
  5. Click Remove.
  6. Confirm that you want to remove the extension.

#3: Delete QHosts from Firefox

  1. Open Firefox.
  2. Go to the Menu in your browser.
  3. Click Add-ons and themes.
  4. Select the extension you want to remove.
  5. Click Remove.
  6. Confirm that you want to delete it.

#4: Remove files in your system

Once you’ve removed the extension from your browser, you need to search through several files — including in Libraries — to make sure QHosts can’t cause any more problems for your Mac.

#5: Restore DNS settings

It is also worth restoring your DNS settings:

  1. Go to System Settings > Wi-Fi.
  2. Next to the Wi-Fi network you are connected to, click Details. 
  3. Navigate to DNS and set your DNS settings to what they should be (your Internet Service Provider should have that information, or it will be on a router in your home or office).
  4. Click OK. Now, repeat the first two steps to make sure the settings are correct after inputting this change.

Remove QHosts easily with CleanMyMac X

This method is quicker and safer. 

CleanMyMac X is an invaluable tool for improving the overall performance of your Mac. It has a Malware Removal tool that can identify and neutralize thousands of threats, including adware, spyware, worms, and viruses, including QHosts. 

CleanMyMac X - Smart Scan complete

To remove a Trojan virus this way, all you need to do is:

  1. Download CleanMyMac X (a trial version is free to download and try).
  2. Open the app.
  3. Click the Malware Removal tab.
  4. Click Scan to search for infections.
  5. Click Remove to approve the deletion, and your Mac will work perfectly again.
Removing malware files

QHosts is a malicious Trojan that is best avoided. Safe browsing and not clicking on anything that will implement a download is one of the best ways to dodge viruses such as this. However, we know how clever cybercriminals are at convincing people that a download is legitimate. So if in doubt, scan your Mac and remove any infections and anything else you don’t want or need anymore.

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.