Read here for information:
Try the following:
1. Be sure that you install hotfix 828750 which fixes the exploit that this virus uses:
2. Update and run a complete Anti-Virus software check of your system. Most of the major AV companies have updated their latest signatures to detect this virus (for Network Associates (McAfee), be sure to get the EXTRADAT.exe update from the above page as well as your regular update).
3a. If running your AV doesn't clean it up, go to this page, read the directions CAREFULLY (particularly about the Restore option) and download and run the removal tool:
3b. An alternative that by report may work better than the Symantec tool is the Brown University Removal Tool, here:
If that still doesn't clean it up (and a number of people are reporting that it did not with the Symantec tool), then follow the Manual Removal instructions at the link in 3a.
The following is courtesy of Mike Burgess:
"Does a HOSTS file still exist in Windows\Help?
Trojan Qhosts hijacks the HOSTS file, however unlike normal redirectors, this one hides the HOSTS file in the "Windows\Help" folder. It then creates entries that redirects all major search engines to a website. Note: this website has now been removed, thus the DNS errors.
[mvps.org...] (bottom of page)
Run the beta version of HijackThis
If you need to report a problem:
Unzip, double-click "HijackThis.exe" and Press "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")
Next, go to the below location:
Sign in, go to the "Spyware and Hijackware Removal" section.
Press "New Topic", copy and paste hijackthis.log into your new message.
Mike Burgess [mvps.org...]
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
[mvps.org...] [updated 9-30-03]
Just to follow up on this - there may be multiple different HOSTS files on your machine with the trojan's settings some of which cannot not be removed by the Removal Tools, and you'll need to do a search to find and just delete them all, or clean them per the manual directions at the Symantec site.
4. You probably will then need to restore your HOSTS file if you plan to use
it for DNS speedup and/or ad blocking. Download the Hosts File Reader:
To create a new Default version of HOSTS, run the program, click the "Read Hosts File" button, click the button labeled "Reset Defaults" and click "Save Changes." Note that this is NOT a recreation of your original HOSTS file, but a brand new "initialized" one. Now go to normal HOSTS file location (Windows XP\2000 Location: - C:\WINDOWS\SYSTEM32\DRIVERS\ETC or Windows 98\ME Location: - C:\WINDOWS) and rename the "hosts" file that it created to "HOSTS" (no quotes, all caps, no extension). If you've been using your HOSTS file for ad blocking (see [mvps.org...] Blocking Unwanted Ads with a Hosts File), then you'll need to reset the new default you've created up for that purpose. (Recommended, BTW - it also blocks a lot of "malware" as well as offensive advertising.)