Removal instructions for Qone8


What is Qone8?

The Malwarebytes research team has determined that Qone8 is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the infected browser visits their site or one of their choice.

How do I know if I am infected with Qone8?

This is how the start- and search-page looks:


And you may see this among your add-ons:


or this warning:


How did Qone8 get on my computer?

Browser hijackers use different methods for spreading themselves. This particular one was installed by a site promising explicit content.

How do I remove Qone8?

Our program Malwarebytes Anti-Malware can detect and remove this rogue application.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Update Malwarebytes Anti-Malware
    • Launch Malwarebytes Anti-Malware

  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, some of the elements are detected as PUP and will not be checked by default, and click Remove Selected. Reboot your computer if prompted.
  • When completed, a log will open in Notepad. The rogue application should now be gone.


Is there anything else I need to do to get rid of Qone8?

  • The hijacker alters the shortcuts for popular browsers like Internet Explorer, Chrome and Firefox. We will show you how to create new, clean shortcuts.
  • The hijacker adds itself at the top of the list of search providers in Chrome. We will show you how to choose another one and change the startpage.
  • The hijacker sets itself as Homepage in Firefox. We will show you how to change that.

Look at the replies to this topic for the additional guides.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
Since this hijacker has been classified as "potentially unwanted" the full version of Malwarebytes Anti-Malware will not protect you against the Qone8 hijacker.

Technical details for experts

Signs in a HijackThis log:
Running processes:
C:\ProgramData\eSafe\eGdpSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
- HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
- HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
- HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
- Service: Wsys Service (WsysSvc) - Wsys Co., Ltd. - C:\ProgramData\eSafe\eGdpSvc.exe

Alterations made by the installer:
File system details
---------------------------------------------
Adds the folder C:\ProgramData\eSafe
    Adds the file eGdpSvc.exe"="11/5/2013 11:16 AM, 1706100 bytes, A
Adds the folder C:\ProgramData\eSafe\log
    Adds the file eGdpSvc.LOG"="11/5/2013 11:19 AM, 2468 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
    Alters the file Launch Internet Explorer Browser.lnk
        9/4/2013 5:11 AM, 1428 bytes, A ==> 11/5/2013 11:16 AM, 1626 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
    Alters the file Internet Explorer.lnk
        9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1638 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    Alters the file Internet Explorer.lnk
        9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1632 bytes, A

Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
    "(Default)REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe" ==> REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Default_Page_URLREG_SZ, "" ==> REG_SZ, ""
    "Start PageREG_SZ, "" ==> REG_SZ, ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScopeREG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    "DisplayName"="REG_SZ, "qone8"
    "URL"="REG_SZ, "{searchTerms}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP]
    "0"="REG_MULTI_SZ, "Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall WsysControl C:\ProgramData\eSafe\eGdpSvc.exe -unsvc "
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eSafeSecControl]
    "channel"="REG_SZ, "eGdp"
    "pid"="REG_SZ, "eSafe"
    "sid"="REG_SZ, "eGdp"
    "ver"="REG_SZ, ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main]
    "Default_Page_URLREG_SZ, "" ==> REG_SZ, ""
    "Start PageREG_SZ, "" ==> REG_SZ, ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScopeREG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    "DisplayName"="REG_SZ, "qone8"
    "URL"="REG_SZ, "{searchTerms}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl]
    "DisplayIcon"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
    "DisplayName"="REG_SZ, "Wsys Control"
    "DisplayVersion"="REG_SZ, ""
    "publisher"="REG_SZ, "Wsys Co., Ltd."
    "UninstallString"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe -unsvc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\qone8Software\qone8hp]
    "oem"="REG_SZ, "amt"
    "Time"="REG_QWORD, ....
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{93CB2C86-5AF1-449C-8214-0A3CE0B81F6A}"="REG_SZ, "v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\eSafe\eGdpSvc.exe|Name=WsysSvc|EmbedCtxt=WsysSvc|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsysSvc]
    "Description"="REG_SZ, "Wsys update service"
    "DisplayName"="REG_SZ, "Wsys Service"
    "ErrorControl"="REG_DWORD, 1
    "Group"="REG_SZ, "SchedulerGroup"
    "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
    "ObjectName"="REG_SZ, "LocalSystem"
    "Start"="REG_DWORD, 2
    "Type"="REG_DWORD, 16
    "WOW64"="REG_DWORD, 1
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
    "LastUpdateEtagREG_SZ, "201309PJbJk1AGkNGneHPNYrxjmzoQZT8=" ==> REG_SZ, "201311PJbJk1AGkNGneHPNYrxjmzoQZT8="
    "NextUpdateDateREG_DWORD, 85032881 ==> REG_DWORD, 90420534
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="REG_SZ, ""
    "Start PageREG_SZ, "" ==> REG_SZ, ""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    "DisplayName"="REG_SZ, "qone8"
    "URL"="REG_SZ, "{searchTerms}"

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware (PRO) version: v2013.11.06.08

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16660
Pieter :: MBAM-VM [administrator]

Protection: Disabled

11/6/2013 10:28:54 AM
mbam-log-2013-11-06 (10-28-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195991
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Detected: 1
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> 2556 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\qone8Software (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc|ImagePath (PUP.Optional.Esafe.A) -> Data: C:\ProgramData\eSafe\eGdpSvc.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: ( ( -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) ->Bad: ( ( -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (PUP.Optional.Qone8) ->Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (PUP.Optional.Qone8) ->Bad: (C:\Program Files\Internet Explorer\iexplore.exe (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: ( ( -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: ( ( -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|DefaultScope (PUP.Optional.Qone8) -> Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86})Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> Delete on reboot.
C:\Users\Pieter\Desktop\qone8installer.exe (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\7081c736cb.exe (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\eXQ.exe (PUP.Optional.Wilsys.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\qone8.xml (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

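A post-removal check for the artifacts listed under "Technical details" above, as an added PowerShell example (not part of the original post and not Malwarebytes code). The folder, key names and GUID are copied from the post; the variable names are this example's own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: check whether the Qone8/Wsys artifacts named in the post are still present.
# Folder, key names and GUID come from the post; variable names are hypothetical.
$scopeGuid = '{33BB0A4E-99AF-4226-BDF6-49120163DE86}'
$hklmViews = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'   # native and 32-bit registry views
$ieRoots   = @($hklmViews | ForEach-Object { "$_\Microsoft\Internet Explorer" }) +
             'HKCU:\Software\Microsoft\Internet Explorer'

# Items that should no longer exist once removal has succeeded.
$leftovers = @(
    'C:\ProgramData\eSafe'
    'HKLM:\SYSTEM\CurrentControlSet\Services\WsysSvc'
) + @($hklmViews | ForEach-Object {
    "$_\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl"
    "$_\qone8Software"
    "$_\eSafeSecControl"
}) + @($ieRoots | ForEach-Object { "$_\SearchScopes\$scopeGuid" })

$findings = @(
    foreach ($item in $leftovers) {
        if (Test-Path -LiteralPath $item) {
            [pscustomobject]@{ Item = $item; Finding = 'still present' }
        }
    }
    # The installer also repoints DefaultScope at its own search scope.
    foreach ($root in $ieRoots) {
        $scopes = Get-ItemProperty -LiteralPath "$root\SearchScopes" -ErrorAction SilentlyContinue
        if ($scopes.DefaultScope -eq $scopeGuid) {
            [pscustomobject]@{ Item = "$root\SearchScopes"; Finding = 'DefaultScope still set to the qone8 scope' }
        }
    }
)

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed Qone8 artifacts were found.' }
```

The script only reads; run it after the reboot, since the log shows eGdpSvc.exe is deleted on reboot.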

How to create new, clean shortcuts

If the infected shortcuts are pinned at the taskbar, right-click the icon and choose "Unpin this program from taskbar"


Then right-click your desktop and choose "New" -> "Shortcut"


Then browse to the location of the executable you want to start.
In these cases:
- "C:\Program Files\Internet Explorer\iexplore.exe"
- "C:\Program Files\Google\Chrome\Application\chrome.exe"
- "C:\Program Files\Mozilla Firefox\firefox.exe"
Please note that the quotes are necessary for these shortcuts to work. "Program Files" may be "Program Files (x86)" if you are running a 64 bit OS.


Then click "Next" and "Finish".
Check if the shortcut is working properly and drag it to the taskbar, which will offer you the option to pin it.


You can use the same procedure and pin the shortcut to the Startmenu by dragging the icon to the start button, which will offer you to pin it to the start menu.


Existing shortcuts on the desktop can also be cleaned by right-clicking them, choosing "Properties" and, in the "Target" field, removing everything after the path to the executable. Remember to leave the quotes.


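To find which shortcuts need the cleaning described above, the following added PowerShell example (not part of the original post) lists browser shortcuts whose "Target" carries anything after the executable path. The folders are the ones named in this topic; the variable names are this example's own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report browser shortcuts that pass extra arguments to the browser.
# Folder list follows the locations named in the posts; variable names are hypothetical.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'
$folders  = @(
    [Environment]::GetFolderPath('Desktop')
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # also covers User Pinned\TaskBar
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
) | Where-Object { Test-Path -LiteralPath $_ }

$shell = New-Object -ComObject WScript.Shell
$suspect = @(
    Get-ChildItem -LiteralPath $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # loads the existing .lnk; nothing is written
            $exe = [IO.Path]::GetFileName($lnk.TargetPath)
            # Flag only browser shortcuts that have something after the executable path.
            if ($browsers -contains $exe -and $lnk.Arguments.Trim()) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    HasUrl    = $lnk.Arguments -match 'https?://'
                }
            }
        }
)

if ($suspect.Count) { $suspect | Format-List }
else { 'No browser shortcuts with extra arguments were found.' }
```

Shortcuts with legitimate switches are listed too, so review each entry; the scripted equivalent of clearing the "Target" field is setting `$lnk.Arguments = ''` and calling `$lnk.Save()`.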

How to change the startpage and organize the search providers in Chrome

Click the button that opens the customize and control menus in Chrome.


Click "Settings" and the "Set pages" link in the "On Start-up" section.
Add a new page that you want to see first and delete the Qone8 entry (right-click > "Delete")


Then click OK and scroll down in the Settings menu to "Appearance" and "Search"


Click the "Change" link behind "Show Home button" to alter the URL that button will produce.
Then click the "Manage Search Engines" button in the "Search" section.
Select a search engine and click the "Default" Button that will show up;


Right-click and "Delete" the Qone8 entry.


For some reason the delete does not always work, but make sure to delete at least the URL from that line.
Then click "Done" and close the "Settings" tab.


How to change the Homepage and organize the search providers in Firefox

Click the Firefox button and choose "Options" > "Options"


On the "General" tab under "Startup" use one of the buttons or manually change the URL in the "HomePage" field. Click OK.


The next bit is a bit tricky, so follow the instructions carefully.
In Firefox type "about:config" in the address bar. Ignore the warning for this time. In the resulting page do a search for "qone8"


Change the URL for "browser.newtab.url" by right-clicking it and choosing "Modify"


Change the "" and "" in the same way to match your preference.
Open a new tab to check if the procedure worked. And close the about:config tab if it worked out.
