Metallica

Removal instructions for Qone8

4 posts in this topic

What is Qone8?

The Malwarebytes research team has determined that Qone8 is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the infected browser visits their site or one of their choice.

How do I know if I am infected with Qone8?

This is how the start page and search page look:

main.png

And you may see this among your add-ons:

warning1.png

or this warning:

warning2.png

How did Qone8 get on my computer?

Browser hijackers use different methods for spreading themselves. This particular one was installed by a site promising explicit content.

How do I remove Qone8?

Our program Malwarebytes Anti-Malware can detect and remove this rogue application.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Update Malwarebytes Anti-Malware
    • Launch Malwarebytes Anti-Malware


  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, some of the elements are detected as PUP and will not be checked by default, and click Remove Selected. Reboot your computer if prompted.
  • When completed, a log will open in Notepad. The rogue application should now be gone.

pups.png

Is there anything else I need to do to get rid of Qone8?

  • The hijacker alters the shortcuts for popular browsers like Internet Explorer, Chrome and Firefox. We will show you how to create new, clean shortcuts.
  • The hijacker adds itself at the top of the list of search providers in Chrome. We will show you how to choose another one and change the startpage.
  • The hijacker sets itself as Homepage in Firefox. We will show you how to change that.


Look at the replies to this topic for the additional guides.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
Since this hijacker has been classified as "potentially unwanted", the full version of Malwarebytes Anti-Malware will not protect you against the Qone8 hijacker.

Technical details for experts

Signs in a HijackThis log:
Running processes:
C:\ProgramData\eSafe\eGdpSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
O23 - Service: Wsys Service (WsysSvc) - Wsys Co., Ltd. - C:\ProgramData\eSafe\eGdpSvc.exe

Alterations made by the installer:
File system details
---------------------------------------------
Adds the folder C:\ProgramData\eSafe
   Adds the file eGdpSvc.exe  11/5/2013 11:16 AM, 1706100 bytes, A
Adds the folder C:\ProgramData\eSafe\log
   Adds the file eGdpSvc.LOG  11/5/2013 11:19 AM, 2468 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
   Alters the file Launch Internet Explorer Browser.lnk
      9/4/2013 5:11 AM, 1428 bytes, A ==> 11/5/2013 11:16 AM, 1626 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
   Alters the file Internet Explorer.lnk
      9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1638 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
   Alters the file Internet Explorer.lnk
      9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1632 bytes, A

Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
   "(Default)" = REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe" ==> REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
   "Default_Page_URL" = REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
   "Start Page" = REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
   "DefaultScope" = REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
   "DisplayName" = REG_SZ, "qone8"
   "URL" = REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP]
   "0" = REG_MULTI_SZ, "Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall WsysControl C:\ProgramData\eSafe\eGdpSvc.exe -unsvc "
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eSafeSecControl]
   "channel" = REG_SZ, "eGdp"
   "pid" = REG_SZ, "eSafe"
   "sid" = REG_SZ, "eGdp"
   "ver" = REG_SZ, "10.2.1.2652"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main]
   "Default_Page_URL" = REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
   "Start Page" = REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
   "DefaultScope" = REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
   "DisplayName" = REG_SZ, "qone8"
   "URL" = REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl]
   "DisplayIcon" = REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
   "DisplayName" = REG_SZ, "Wsys Control 10.2.1.2652"
   "DisplayVersion" = REG_SZ, "10.2.1.2652"
   "publisher" = REG_SZ, "Wsys Co., Ltd."
   "UninstallString" = REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe -unsvc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\qone8Software\qone8hp]
   "oem" = REG_SZ, "amt"
   "Time" = REG_QWORD, ....
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
   "{93CB2C86-5AF1-449C-8214-0A3CE0B81F6A}" = REG_SZ, "v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\eSafe\eGdpSvc.exe|Name=WsysSvc|EmbedCtxt=WsysSvc|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsysSvc]
   "Description" = REG_SZ, "Wsys update service"
   "DisplayName" = REG_SZ, "Wsys Service"
   "ErrorControl" = REG_DWORD, 1
   "Group" = REG_SZ, "SchedulerGroup"
   "ImagePath" = REG_EXPAND_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
   "ObjectName" = REG_SZ, "LocalSystem"
   "Start" = REG_DWORD, 2
   "Type" = REG_DWORD, 16
   "WOW64" = REG_DWORD, 1
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
   "LastUpdateEtag" = REG_SZ, "201309PJbJk1AGkNGneHPNYrxjmzoQZT8=" ==> REG_SZ, "201311PJbJk1AGkNGneHPNYrxjmzoQZT8="
   "NextUpdateDate" = REG_DWORD, 85032881 ==> REG_DWORD, 90420534
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
   "Default_Page_URL" = REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
   "Start Page" = REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
   "DisplayName" = REG_SZ, "qone8"
   "URL" = REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.08

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16660
Pieter :: MBAM-VM [administrator]

Protection: Disabled

11/6/2013 10:28:54 AM
mbam-log-2013-11-06 (10-28-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195991
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Detected: 1
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> 2556 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\qone8Software (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc|ImagePath (PUP.Optional.Esafe.A) -> Data: C:\ProgramData\eSafe\eGdpSvc.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (PUP.Optional.Qone8) -> Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (PUP.Optional.Qone8) -> Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|DefaultScope (PUP.Optional.Qone8) -> Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}) Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> Delete on reboot.
C:\Users\Pieter\Desktop\qone8installer.exe (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\7081c736cb.exe (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\eXQ.exe (PUP.Optional.Wilsys.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\qone8.xml (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention


Save yourself the hassle and get protected.


How to create new, clean shortcuts

If the infected shortcuts are pinned at the taskbar, right-click the icon and choose "Unpin this program from taskbar"

IEunpin.png

Then right-click your desktop and choose "New" -> "Shortcut".

IEMS.png

Then browse to the location of the executable you want to start.
In these cases:
- "C:\Program Files\Internet Explorer\iexplore.exe"
- "C:\Program Files\Google\Chrome\Application\chrome.exe"
- "C:\Program Files\Mozilla Firefox\firefox.exe"
Please note that the quotes are necessary for these shortcuts to work. "Program Files" may be "Program Files (x86)" if you are running a 64-bit OS.

IEMS2.png

Then click "Next" and "Finish".
Check if the shortcut is working properly and drag it to the taskbar, which will offer you the option to pin it.

IEpin.png

You can use the same procedure to pin the shortcut to the Start menu by dragging the icon to the Start button, which will offer to pin it to the Start menu.

IEpinSTART.png

Existing shortcuts on the desktop can also be cleaned by right-clicking them, then choosing "Properties" and, in the "Target" field, removing everything after the path to the executable. Remember to leave the quotes.

ChromeSC.png

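The technical details in the first post and the shortcut clean-up above describe the same set of traces; the following read-only audit script is an added example, not part of this thread or of Malwarebytes' tooling, that reports whether those traces are present on a machine (IE start page, search scope, StartMenuInternet launch commands, the WsysSvc service and binary, the Firefox search plugin, and browser shortcut arguments). It assumes the hijacker's URL always contains the marker string `qone8.com`; the paths and key names are the ones quoted in the logs above, and nothing is modified or deleted.

```powershell
# Added example: read-only audit for the Qone8 traces documented in this thread.
# Assumption: every hijacked value contains $Marker; paths and keys are taken from the logs above.
$Marker   = 'qone8.com'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. IE start page and default page in HKLM, HKLM\Wow6432Node and HKCU (the HijackThis R0/R1 lines)
$MainKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main',
              'HKCU:\Software\Microsoft\Internet Explorer\Main')
foreach ($Key in $MainKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($Name in 'Start Page', 'Default_Page_URL') {
        $Value = $Props.$Name
        if ($Value -like "*$Marker*") { $Findings.Add("$Key\$Name = $Value") }
    }
}

# 2. Search scopes: the hijacker registers its own scope and makes it DefaultScope
foreach ($Root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKCU:\Software') {
    Get-ChildItem -Path "$Root\Microsoft\Internet Explorer\SearchScopes" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Url = (Get-ItemProperty -Path $_.PSPath).URL
            if ($Url -like "*$Marker*") { $Findings.Add("$($_.Name) URL = $Url") }
        }
}

# 3. StartMenuInternet launch commands: a clean value is the bare executable path, no URL appended
Get-ChildItem -Path 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Cmd = (Get-ItemProperty -Path "$($_.PSPath)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        if ($Cmd -like "*$Marker*") { $Findings.Add("$($_.PSChildName) launch command = $Cmd") }
    }

# 4. The bundled Wsys service, its binary and the Firefox search plugin from the MBAM log
if (Get-Service -Name 'WsysSvc' -ErrorAction SilentlyContinue) { $Findings.Add('Service WsysSvc is installed') }
foreach ($File in 'C:\ProgramData\eSafe\eGdpSvc.exe',
                  "${env:ProgramFiles(x86)}\Mozilla Firefox\browser\searchplugins\qone8.xml") {
    if (Test-Path -LiteralPath $File) { $Findings.Add("File present: $File") }
}

# 5. Shortcut arguments: a clean browser shortcut has an empty Arguments field
$Shell   = New-Object -ComObject WScript.Shell
$LnkDirs = @("$env:USERPROFILE\Desktop", "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs")
Get-ChildItem -Path $LnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $LnkArgs = $Shell.CreateShortcut($_.FullName).Arguments
    if ($LnkArgs -like "*$Marker*") { $Findings.Add("Shortcut $($_.FullName) arguments = $LnkArgs") }
}

if ($Findings.Count -eq 0) { 'No Qone8 traces found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; each reported line maps to one of the manual steps in this thread (shortcut target, start page, search provider).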

How to change the startpage and organize the search providers in Chrome

Click the button that opens the customize and control menus in Chrome.

ChromeSettings.png

Click "Settings" and the "Set pages" link in the "On Start-up" section.
Add a new page that you want to see first and delete the Qone8 entry (right-click > "Delete").

ChromeSettings1.png

Then click OK and scroll down in the Settings menu to "Appearance" and "Search".

ChromeSettings2.png

Click the "Change" link behind "Show Home button" to alter the URL that button will produce.
Then click the "Manage Search Engines" button in the "Search" section.
Select a search engine and click the "Default" button that will show up.

ChromeMD.png

Right-click and "Delete" the Qone8 entry.

ChromeSE.png

For some reason the delete does not always work, but make sure to delete at least the URL from that line.
Then click "Done" and close the "Settings" tab.


How to change the Homepage and organize the search providers in Firefox

Click the Firefox button and choose "Options" > "Options".

FirefoxSettings.png

On the "General" tab under "Startup" use one of the buttons or manually change the URL in the "HomePage" field. Click OK.

FirefoxSP.png

The next bit is a bit tricky, so follow the instructions carefully.
In Firefox, type "about:config" in the address bar. Ignore the warning for this time. In the resulting page, do a search for "qone8".

FirefoxSE.png

Change the URL for "browser.newtab.url" by right-clicking it and choosing "Modify".

FirefoxSE2.png

Change the "browser.search.defaultenginename" and "browser.search.selectedEngine" in the same way to match your preference.
Open a new tab to check if the procedure worked, and close the about:config tab if it did.
