What is Qone8?
The Malwarebytes research team has determined that Qone8 is a browser hijacker. These so-called "hijackers" alter your start page or search scopes so that the infected browser visits their site or one of their choice.
How do I know if I am infected with Qone8?
This is how the start and search page looks:

And you may see this among your add-ons:

or this warning:

How did Qone8 get on my computer?
Browser hijackers use different methods for spreading themselves. This particular one was installed by a site promising explicit content.
How do I remove Qone8?
Our program Malwarebytes Anti-Malware can detect and remove this rogue application.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Update Malwarebytes Anti-Malware
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked (some of the elements are detected as PUP and will not be checked by default), then click Remove Selected. Reboot your computer if prompted.
- When completed, a log will open in Notepad. The rogue application should now be gone.

Is there anything else I need to do to get rid of Qone8?
- The hijacker alters the shortcuts for popular browsers like Internet Explorer, Chrome and Firefox. We will show you how to create new, clean shortcuts.
- The hijacker adds itself at the top of the list of search providers in Chrome. We will show you how to choose another one and change the start page.
- The hijacker sets itself as the homepage in Firefox. We will show you how to change that.
Look at the replies to this topic for the additional guides.
How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
Since this hijacker has been classified as "potentially unwanted", the full version of Malwarebytes Anti-Malware will not protect you against the Qone8 hijacker.
Technical details for experts
Signs in a HijackThis log:
Running processes:
C:\ProgramData\eSafe\eGdpSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1383991132&from=amt&uid=VBOXXHARDDISK_VB5482b723-8794e823
O23 - Service: Wsys Service (WsysSvc) - Wsys Co., Ltd. - C:\ProgramData\eSafe\eGdpSvc.exe
Alterations made by the installer:
File system details
---------------------------------------------
Adds the folder C:\ProgramData\eSafe
Adds the file eGdpSvc.exe"="11/5/2013 11:16 AM, 1706100 bytes, A
Adds the folder C:\ProgramData\eSafe\log
Adds the file eGdpSvc.LOG"="11/5/2013 11:19 AM, 2468 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Alters the file Launch Internet Explorer Browser.lnk
9/4/2013 5:11 AM, 1428 bytes, A ==> 11/5/2013 11:16 AM, 1626 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Alters the file Internet Explorer.lnk
9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1638 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Alters the file Internet Explorer.lnk
9/4/2013 1:36 PM, 1434 bytes, A ==> 11/5/2013 11:16 AM, 1632 bytes, A

Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default) REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe" ==> REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
"Start Page REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName"="REG_SZ, "qone8"
"URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP]
"0"="REG_MULTI_SZ, "Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall WsysControl C:\ProgramData\eSafe\eGdpSvc.exe -unsvc "

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eSafeSecControl]
"channel"="REG_SZ, "eGdp"
"pid"="REG_SZ, "eSafe"
"sid"="REG_SZ, "eGdp"
"ver"="REG_SZ, "10.2.1.2652"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main]
"Default_Page_URL REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
"Start Page REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope REG_SZ, "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" ==> REG_SZ, "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName"="REG_SZ, "qone8"
"URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl]
"DisplayIcon"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
"DisplayName"="REG_SZ, "Wsys Control 10.2.1.2652"
"DisplayVersion"="REG_SZ, "10.2.1.2652"
"publisher"="REG_SZ, "Wsys Co., Ltd."
"UninstallString"="REG_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe -unsvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\qone8Software\qone8hp]
"oem"="REG_SZ, "amt"
"Time"="REG_QWORD, ....

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{93CB2C86-5AF1-449C-8214-0A3CE0B81F6A}"="REG_SZ, "v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\eSafe\eGdpSvc.exe|Name=WsysSvc|EmbedCtxt=WsysSvc|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsysSvc]
"Description"="REG_SZ, "Wsys update service"
"DisplayName"="REG_SZ, "Wsys Service"
"ErrorControl"="REG_DWORD, 1
"Group"="REG_SZ, "SchedulerGroup"
"ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\eSafe\eGdpSvc.exe"
"ObjectName"="REG_SZ, "LocalSystem"
"Start"="REG_DWORD, 2
"Type"="REG_DWORD, 16
"WOW64"="REG_DWORD, 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
"LastUpdateEtag REG_SZ, "201309PJbJk1AGkNGneHPNYrxjmzoQZT8=" ==> REG_SZ, "201311PJbJk1AGkNGneHPNYrxjmzoQZT8="
"NextUpdateDate REG_DWORD, 85032881 ==> REG_DWORD, 90420534

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"
"Start Page REG_SZ, "http://go.microsoft.com/fwlink/p/?LinkId=255141" ==> REG_SZ, "http://start.qone8.com/?type=hp&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName"="REG_SZ, "qone8"
"URL"="REG_SZ, "http://start.qone8.com/web/?type=ds&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4&q={searchTerms}"
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.08

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16660
Pieter :: MBAM-VM [administrator]

Protection: Disabled

11/6/2013 10:28:54 AM
mbam-log-2013-11-06 (10-28-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195991
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Detected: 1
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> 2556 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\qone8Software (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\WsysSvc|ImagePath (PUP.Optional.Esafe.A) -> Data: C:\ProgramData\eSafe\eGdpSvc.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (PUP.Optional.Qone8) -> Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (PUP.Optional.Qone8) -> Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|DefaultScope (PUP.Optional.Qone8) -> Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}) Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\ProgramData\eSafe\eGdpSvc.exe (PUP.Optional.Wsys.A) -> Delete on reboot.
C:\Users\Pieter\Desktop\qone8installer.exe (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\7081c736cb.exe (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
C:\Users\Pieter\AppData\Local\Temp\eIntaller\888C29F68EEF4c73B74479A6E2AA842A\eXQ.exe (PUP.Optional.Wilsys.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\qone8.xml (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.

(end)
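The logs above show the browser launch commands under StartMenuInternet being rewritten so that a start.qone8.com URL follows the executable path, once with the path quoted (Firefox) and once unquoted (Internet Explorer). The following is an added example, not part of the original guide or of any Malwarebytes tool: a Python check that flags launch commands carrying a URL argument in either form. The function names and the last sample entry are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)
_URL = re.compile(r'https?://[^\s"]+', re.IGNORECASE)

def split_command(command):
    """Return (executable, arguments) for a shell\\open\\command value or shortcut target."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: the executable ends at the closing quote.
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
        command = command[1:]  # unbalanced quote: fall back to the heuristic below
    # Unquoted path, possibly containing spaces: cut after the first ".exe" token.
    match = _EXE_END.search(command)
    if match is None:
        return command, ""
    return command[:match.end()], command[match.end():].strip()

def appended_hosts(command):
    """Hosts of every URL passed as an argument after the browser executable."""
    _, args = split_command(command)
    return [urlsplit(url).hostname for url in _URL.findall(args)]

def audit(commands):
    """Map each entry name to the hosts it is forced to open; clean entries are omitted."""
    findings = {}
    for name, command in commands.items():
        hosts = appended_hosts(command)
        if hosts:
            findings[name] = hosts
    return findings

# The first three values are copied from the logs on this page; the last is constructed.
SAMPLES = {
    "IEXPLORE.EXE": r"C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383678975&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4",
    "FIREFOX.EXE": r'"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://start.qone8.com/?type=sc&ts=1383762314&from=amt&uid=VBOXXHARDDISK_VB17363485-06b7a8a4',
    "IEXPLORE.EXE (original value)": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    "IEXPLORE.EXE (constructed, switch only)": r'"C:\Program Files\Internet Explorer\iexplore.exe" -private',
}

if __name__ == "__main__":
    for name, hosts in audit(SAMPLES).items():
        print(f"{name}: launch command opens {', '.join(hosts)}")
```

The same check applies to the Target field of the altered .lnk shortcuts once it has been read out as a string.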
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention