Removal instructions for Qone8


#1
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is Qone8?

The Malwarebytes research team has determined that Qone8 is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the infected browser visits their site or one of their choice.

How do I know if I am infected with Qone8?

This is how the start- and search-page looks:

Posted Image

And you may see this among your add-ons:

Posted Image

or this warning:

Posted Image

How did Qone8 get on my computer?

Browser hijackers use different methods for spreading themselves. This particular one was installed by a site promising explicit content.

How do I remove Qone8?

Our program Malwarebytes Anti-Malware can detect and remove this rogue application.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Update Malwarebytes Anti-Malware
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (some of the elements are detected as PUP and will not be checked by default), then click Remove Selected. Reboot your computer if prompted.
  • When completed, a log will open in Notepad. The rogue application should now be gone.


Posted Image

Is there anything else I need to do to get rid of Qone8?

  • The hijacker alters the shortcuts for popular browsers like Internet Explorer, Chrome and Firefox. We will show you how to create new, clean shortcuts.
  • The hijacker adds itself at the top of the list of search providers in Chrome. We will show you how to choose another one and change the startpage.
  • The hijacker sets itself as Homepage in Firefox. We will show you how to change that.

Look at the replies to this topic for the additional guides.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
Since this hijacker has been classified as "potentially unwanted", the full version of Malwarebytes Anti-Malware will not protect you against the Qone8 hijacker.

Technical details for experts

Signs in a HijackThis log:
Running processes:
C:\ProgramData\eSafe\eGdpSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
O23 - Service: Wsys Service (WsysSvc) - Wsys Co., Ltd. - C:\ProgramData\eSafe\eGdpSvc.exe

Alterations made by the installer:

File system details
---------------------------------------------
    Adds the folder C:\ProgramData\eSafe
       Adds the file eGdpSvc.exe"="11/5/2013 11:16 AM, 1706100 bytes, A
    Adds the folder C:\ProgramData\eSafe\log
       Adds the file eGdpSvc.LOG"="11/5/2013 11:19 AM, 2468 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
       Alters the file Launch Internet Explorer Browser.lnk
        9/4/2013 5:11 AM, 1428 bytes, A ==> 11/5/2013 11:16 AM, 1626 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
       Alters the file Internet Explorer.lnk
        9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1638 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
       Alters the file Internet Explorer.lnk
        9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1632 bytes, A

Registry details 
------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
       "(Default)
        REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe" ==> REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
       "Default_Page_URL
        REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
       "Start Page
        REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope
        REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
       "DisplayName"="REG_SZ, "qone8"
       "URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP]
       "0"="REG_MULTI_SZ, "Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall WsysControl C:\ProgramData\eSafe\eGdpSvc.exe -unsvc "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eSafeSecControl]
       "channel"="REG_SZ, "eGdp"
       "pid"="REG_SZ, "eSafe"
       "sid"="REG_SZ, "eGdp"
       "ver"="REG_SZ, "10.2.1.2652"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main]
       "Default_Page_URL
        REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
       "Start Page
        REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope
        REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
       "DisplayName"="REG_SZ, "qone8"
       "URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl]
       "DisplayIcon"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
       "DisplayName"="REG_SZ, "Wsys Control 10.2.1.2652"
       "DisplayVersion"="REG_SZ, "10.2.1.2652"
       "publisher"="REG_SZ, "Wsys Co., Ltd."
       "UninstallString"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe -unsvc"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\qone8Software\qone8hp]
       "oem"="REG_SZ, "amt"
       "Time"="REG_QWORD, ....
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
       "{93CB2C86-5AF1-449C-8214-0A3CE0B81F6A}"="REG_SZ, "v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\eSafe\eGdpSvc.exe|Name=WsysSvc|EmbedCtxt=WsysSvc|"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsysSvc]
       "Description"="REG_SZ, "Wsys update service"
       "DisplayName"="REG_SZ, "Wsys Service"
       "ErrorControl"="REG_DWORD, 1
       "Group"="REG_SZ, "SchedulerGroup"
       "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
       "ObjectName"="REG_SZ, "LocalSystem"
       "Start"="REG_DWORD, 2
       "Type"="REG_DWORD, 16
       "WOW64"="REG_DWORD, 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
       "LastUpdateEtag
        REG_SZ, "201309PJbJk1AGkNGneHPNYrxjmzoQZT8=" ==> REG_SZ, "201311PJbJk1AGkNGneHPNYrxjmzoQZT8="
       "NextUpdateDate
        REG_DWORD, 85032881 ==> REG_DWORD, 90420534
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Default_Page_URL"="REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
       "Start Page
        REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
       "DisplayName"="REG_SZ, "qone8"
       "URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"


Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.08

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16660
Pieter :: MBAM-VM [administrator]

Protection: Disabled

11/6/2013 10:28:54 AM
mbam-log-2013-11-06 (10-28-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195991
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Detected: 1
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> 2556 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\qone8Software (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc|ImagePath (PUP.Optional.Esafe.A) -> Data: C:\ProgramData\eSafe\eGdpSvc.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) ->
 Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (PUP.Optional.Qone8) ->
 Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (PUP.Optional.Qone8) ->
 Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4)
 Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|DefaultScope (PUP.Optional.Qone8) -> Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86})
 Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> Delete on reboot.
C:\Users\Pieter\Desktop\qone8installer.exe (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\7081c736cb.exe (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\eXQ.exe (PUP.Optional.Wilsys.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\qone8.xml (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.

(end)


As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.

#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
How to create new, clean shortcuts

If the infected shortcuts are pinned to the taskbar, right-click the icon and choose "Unpin this program from taskbar".

Posted Image

Then right-click your desktop and choose "New" -> "Shortcut".

Posted Image

Then browse to the location of the executable you want to start.
In these cases:
- "C:\Program Files\Internet Explorer\iexplore.exe"
- "C:\Program Files\Google\Chrome\Application\chrome.exe"
- "C:\Program Files\Mozilla Firefox\firefox.exe"
Please note that the quotes are necessary for these shortcuts to work. "Program Files" may be "Program Files (x86)" if you are running a 64-bit OS.

Posted Image

Then click "Next" and "Finish".
Check if the shortcut is working properly and drag it to the taskbar, which will offer you the option to pin it.

Posted Image

You can use the same procedure and pin the shortcut to the Start menu by dragging the icon to the Start button, which will offer to pin it to the Start menu.

Posted Image

Existing shortcuts on the desktop can also be cleaned by right-clicking them, choosing "Properties" and, in the "Target" field, removing everything after the path to the executable. Remember to leave the quotes.

Posted Image
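A read-only audit of the two changes described above (browser shortcuts with a URL appended to the target, and the StartMenuInternet shell\open\command values), as an added example that is not part of the original posts or of Malwarebytes' tooling. It assumes the per-user folders listed under "File system details" plus the desktop folders; New-Finding and the column names are hypothetical helpers.

```powershell
# Added example: read-only audit; nothing is modified.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'

# Per-user folders from "File system details", plus the desktop folders (assumption).
$folders = @(
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # also covers User Pinned\TaskBar
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Hypothetical helper: one report row per suspicious shortcut or registry command.
function New-Finding($Source, $Command, $Extra) {
    [pscustomobject]@{
        Source  = $Source
        Command = $Command
        Extra   = $Extra                               # text following the executable path
        HasUrl  = [bool]($Extra -match 'https?://')
        Qone8   = [bool]($Extra -match 'qone8\.com')   # domain seen in the logs above
    }
}

# 1) Shortcuts: a clean browser shortcut normally has an empty Arguments field.
$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem -LiteralPath $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)      # opens the existing .lnk for reading
        $exe = [IO.Path]::GetFileName($lnk.TargetPath)
        if ($browsers -contains $exe -and $lnk.Arguments.Trim()) {
            New-Finding $_.FullName $lnk.TargetPath $lnk.Arguments
        }
    }

# 2) Registry: default value of <browser>\shell\open\command under StartMenuInternet.
$root = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
$commands = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
    $sub = $_.OpenSubKey('shell\open\command')
    if ($sub) {
        $cmd = [string]$sub.GetValue('')
        $sub.Close()
        # Quoted or unquoted path ending in .exe, then capture whatever follows it.
        # The unquoted form matters: the hijacked IE value in the log has no quotes.
        if ($cmd -match '^\s*"?[^"]*?\.exe"?\s+(?<extra>\S.*)$') {
            New-Finding $_.Name $cmd $Matches['extra']
        }
    }
}

@($shortcuts) + @($commands) | Sort-Object Qone8, HasUrl -Descending | Format-List
```

Rows with HasUrl set correspond to the entries the post above cleans by hand; other arguments can be legitimate and are listed only for review.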

#3
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
How to change the startpage and organize the search providers in Chrome

Click the button that opens the customize and control menus in Chrome.

Posted Image

Click "Settings" and the "Set pages" link in the "On Start-up" section.
Add a new page that you want to see first and delete the Qone8 entry (right-click > "Delete").

Posted Image

Then click OK and scroll down in the Settings menu to "Appearance" and "Search"

Posted Image

Click the "Change" link behind "Show Home button" to alter the URL that button will produce.
Then click the "Manage Search Engines" button in the "Search" section.
Select a search engine and click the "Default" button that will show up.

Posted Image

Right-click and "Delete" the Qone8 entry.

Posted Image

For some reason the delete does not always work, but make sure to delete at least the URL from that line.
Then click "Done" and close the "Settings" tab.

#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
How to change the Homepage and organize the search providers in Firefox

Click the Firefox button and choose "Options" > "Options"

Posted Image

On the "General" tab under "Startup" use one of the buttons or manually change the URL in the "HomePage" field. Click OK.

Posted Image

The next bit is a bit tricky, so follow the instructions carefully.
In Firefox type "about:config" in the address bar. Ignore the warning for this time. In the resulting page do a search for "qone8".

Posted Image

Change the URL for "browser.newtab.url" by right-clicking it and choosing "Modify".

Posted Image

Change the "browser.search.defaultenginename" and "browser.search.selectedEngine" in the same way to match your preference.
Open a new tab to check if the procedure worked. And close the about:config tab if it worked out.