Avast WEBforum
Other => Viruses and worms => Topic started by: AlbertoGibert on October 21, 2013, 08:17:58 PM
-
When downloading Java version 7, recommended by you and redirected from your website, a spyware program that Avast does not detect was installed: qone.com, or rather -- start.qone8.com -- which hijacks the browser (all of them) and the home page, which is changed to start.qone.com in my case, though there are other names circulating. I have uninstalled it from Control Panel, remove programs, but it is impossible.
Help please. Thank you.
-
Hello,
please post in english here if possible.
Follow this guide and attach the logs: http://forum.avast.com/index.php?topic=53253.0
When done malware removers will be notified and will help you to clean this up.
-
By installing Java version 7 recommended from Avast, a spyware program has been downloaded that supplants and replaces all browsers' start page with start.qone8.com, looking very much like Google.com.
I tried to uninstall it manually but it was impossible. I have removed it from the control panel's program removal, and it is no longer there, but it still works when I open any browser.
-
Actually there is malware on this site: http://www.avgthreatlabs.com/website-safety-reports/domain/qone8.com/
Blacklisted on Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fstart.qone8.com
So this is malware.
Please follow the instructions above and a malware remover will help you to clean this up.
-
Yes, this is invasive, this is malware. :( The solution is paying, and I am paying for Avast.
-
The solution is not paying.
NO Antivirus provides 100% protection. Not even Kaspersky or Bitdefender.
Malware removers will help you to get rid of this, for free. When logs are attached.
-
I can remove it for you .. Where did you get the update ?
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Select LOP and Purity
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
http://malwarefixes.com/remove-start-qone8-com-redirect/
-
Please follow the steps from Essexboy, he knows what he is doing.
-
That link is using a sledgehammer to crack a nut and will probably not work
-
okay, thanks :)
-
have the same problem that AlbertoGilbert got.
I have done everything that essexboy suggested (run otl.exe etc.)
I am supposed to attach here the contents of the otl.txt and the extras.txt or what else?
thanks for your help
-
@woland58 if you start your own thread I will pick you up there
-
Well, I ran the program OTL by old version and I have the report notes blok. Now what do I do?
-
Well, I ran the "OTL by old version" and I have the report in notepad. Now what do I do?
-
Could you attach the report please
-
"OTL by old version" and I have the report in notepad.
-
On completion of this let me know if it has gone
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2002}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=133&systemid=2&apn_uid=4555234650224002&apn_dtid=IME002&o=APN10641&apn_ptnrs=AG2&q={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1083&systemid=1&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&gct=ds&appid=133&systemid=2&apn_dtid=IME002&apn_ptnrs=AG2&apn_uid=4555234650224002&o=APN10641&q="
FF - prefs.js..browser.search.order.1: "Search Results"
[2013/07/24 17:21:18 | 000,269,092 | ---- | M] () (No name found) -- C:\Users\Alberto\AppData\Roaming\mozilla\firefox\profiles\dj1h1zez.default\extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi
[2012/04/07 16:58:54 | 000,002,353 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2013/10/13 22:57:33 | 000,000,664 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\qone8.xml
[2013/05/26 18:09:03 | 000,002,646 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Wincore Mediabar) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Wincore Mediabar) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1571150509-1092675849-722137386-1000..\Run: [iLivid] C:\Users\Alberto\AppData\Local\iLivid\iLivid.exe (Bandoo Media Inc.)
O16:64bit: - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Reg Error: Key error.)
[2013/10/23 23:38:17 | 000,000,000 | ---D | C] -- C:\Users\Alberto\AppData\Local\iLivid
[2013/10/13 22:58:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup
[2013/10/13 22:58:07 | 000,000,000 | ---D | C] -- C:\ProgramData\eSafe
[2013/10/13 22:57:31 | 000,000,000 | ---D | C] -- C:\Users\Alberto\AppData\Local\Lollipop
[2013/10/23 23:40:47 | 000,001,052 | ---- | M] () -- C:\Users\Alberto\Desktop\iLivid.lnk
[2013/10/23 23:40:47 | 000,001,060 | ---- | C] () -- C:\Users\Alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
[2013/10/23 23:40:47 | 000,001,052 | ---- | C] () -- C:\Users\Alberto\Desktop\iLivid.lnk
:Files
C:\PROGRA~2\IMESHA~1\MediaBar
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
- Right-mouse click JRT.exe and select "Run as Administrator" the tool will open and start scanning your system
- please be patient as this can take a while to complete depending on your system's specifications
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- post the contents of JRT.txt into your next message.
-
Still appears: start.qone8.com ...
I post the contents
-
And the JRT
-
Which browser is it appearing in ?
-
Explorer.
-
And Firefox too .. :-[
-
Could you manually reset the IE and FF home page.. Does that stick ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1083&systemid=1&sr=0&q={searchTerms}
[2013/10/24 21:00:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\RegTask.job
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
yes, of course. I modified each time the page from ... Tools .. Internet options ... to google.com, and also from safety put it in restricted sites the direction start.qone8.com
This problem qone8.com, comes from the java.com website which recommends upgrading Avast Internet Security
I send you the report in a few minutes .... BTW Chrome too .. :(
-
without success ... :(
-
I post the log OTL.
-
Could you download shortcut cleaner from here to your desktop
http://www.bleepingcomputer.com/download/shortcut-cleaner/
Run the programme and if Avast queries it add it to the exceptions
On completion a log will be produced on the desktop
Please post that
-
Posting sc-cleaner ..
-
This one is playing hard to get
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1083&systemid=1&sr=0&q={searchTerms}
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.useDBForOrder: true
[2013/10/22 16:24:29 | 000,002,193 | ---- | M] () -- C:\Users\Alberto\AppData\Roaming\mozilla\firefox\profiles\dj1h1zez.default\searchplugins\geotool.xml
:Files
C:\Users\Alberto\AppData\Local\Temp\_MEI38842
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Right, I send report that came out in the notebook.
But I do not know how to disable Avast Internet Security to continue.
Should I disable Windows Defender?
-
oh .. Sorry; the OTL report ..
-
Right click the Avast icon and select shield control > Disable until reboot
-
Well, continued all the same. By opening any browser opens a tab:
http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
For the rest it seems there is no other problem, but still not solve the problem :(
Sending report ...
-
When I open a new tab, I get a security alert: You are about to leave a secure connection to the Internet. It is possible that other people see the information you send.
Do you want to continue?
( ) Do not show me this warning.
-
OK we will need to reset all browsers now. I will need to see how firefox and chrome do this
For IE
Go control panel > internet options > advanced and click reset
-
Please a question before: I will lose all the links that I keep in IE "Favorites"?
Thanks ... I wait for answer ...
-
No, favourites will not be affected as it just resets the workings of IE
If you want to be doubly sure you can export favourites first
This can be done via the favourites menu in IE
-
Without success .. :( ... Continuing appearing:
http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
Within Firefox and Chrome are you able to reset the search engine ?
-
The search engine is google in all three browsers. It was the first thing I did before consulting. However to open any browser appears as a new tab:
start.qone8.com ...
-
I just noticed that I did not get an all user OTL scan
Could you re-run the scan and ensure that all users is selected please
-
I have to paste any script ?
And how I selected all users ??
Thanks.
-
Good, I've pasted: BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
I select all and post the OTL
-
This is the most obstinate version that I have come across.. Normally one maybe two fixes kill this
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKU\S-1-5-21-1571150509-1092675849-722137386-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1571150509-1092675849-722137386-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" =
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.useDBForOrder: ""
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
:Files
C:\Users\Alberto\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml
C:\Users\Alberto\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Very funny to me that this is the most obstinate version that you have come across. Goddd :(
I post the log with selecting all users: Its right?
-
Are you still getting it coming as your main search engine ?
-
Yes .....
Comes opening a new tab in all browsers because keeping open the last session.
When not saved the last session appears as the first tab, though Google the search engine that I have set.
-
OK in IE could you visit here http://windows.microsoft.com/en-gb/windows-vista/change-or-choose-a-search-provider-in-internet-explorer get a new search provider (i.e. Bing) this will not be for long
Make this your main search engine
Then delete the Google search engine
Does it still appear
-
Yes, still appears it : http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
How to restore the search engine Google please?
-
To restore Google follow the same process as used to get bing
Could you check in internet options that you have only one home page set
-
Yes, I have only one home page set : http://www.google.com/
-
These type of programmes really annoy me - especially when they find new ways to hide
For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
For 64bit systems, download SystemLook from here (http://jpshortstuff.247fixes.com/SystemLook_x64.exe).
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:regfind
start.qone8.com
start.qone8
qone8
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Here you are ...
-
After this fix could you re-run system look please
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:Reg
[-HKEY_USERS\S-1-5-21-1571150509-1092675849-722137386-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qone8.com]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qone8.com]
[HKEY_USERS\S-1-5-21-1571150509-1092675849-722137386-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=-
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Still appears: http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
Posting ...
-
And the system look
-
OK I will have to do a bit more research on where this could be generated
-
Right, thanks. I will wait.
-
Still searching with no real answer yet
-
Okay. In Explorer are appearing one direction without permission: http://www.javainstall.org that replacing the page I'm seeing, and warns me that I have to update Java because the computer is unsafe. Within this page displayed by surprise out another window, within small, that says "accept".
I put in security - restricted sites and it will not leave for now. It's all very strange. :(
-
That site is blocked by Avast so I am surprised you are able to go there
-
So .. I am surprised too :(
-
Metallica has posted a removal guide here .. could you run this .. Ensure that MBAM is updated http://www.geekstogo.com/forum/topic/334820-removal-instructions-for-qone8/
-
I send the registration of Malwarebytes Anti-Malware. Detects a file that should quarantine, or delete, internet does not work. No browser. I had to restore that file.
One question please. When I open google.com or google.es appears an extension every time different:
https://www.google.es/?gws_rd=cr&ei=6xSBUvSCNoGXtAbgnIG4Cg
https://www.google.es/?gws_rd=cr&ei=SBWBUsnOJ8PdtAboloDYBA
https://www.google.es/?gws_rd=cr&ei=0hWBUpe1CcWatQbT4YGwBw
Etc ... Is it normal ???????
-
Second and third link are a bit different if you look in the top right corner on the GMail text.
-
So you had to restore the qone8 registry entry ?
-
Yes. I had to do it and reboot it did not work any browser. I had no internet connection. Very strange.
-
Yes as it was just the search scope that was removed so it should have no effect on the connection..
Is it still present when you try a google search ?
-
I will test again. Yes, after restoring the file, it still appears as before, as a new tab to restore the last session in all browsers. Something also strange is that Google page does not display normally shown without doodles.
And another thing to note is that once you deleted the file, start.qone8.com, trying to be opened as a new tab anyway, but went into a loop, which made the display of the error: Connection Problems, can not be show this page. That also happened with the rest of tabs opened except for the "https"
I can not make a screenshot of the antimalware program, but I can open the file location (presumably infected) and displayed:
{2C256447-3F0D-4CBB-9D12-575BB20CDA0A}
-ProgID
In Malwarebytes appears:
Distributor: PUP.Optional.qone8
Category: Registry Key
Elements: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2C256447-3F0D-4CBB-9D12-575BB20CDA0A}
-
OK I will try and craft a reg fix to replace that with a dummy
-
Ok. Thanks and good night.
-
OK let's try this :)
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:Reg
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
@="Bing"
"URL"="http://www.google.com/search?q={searchTerms}&FORM=IE8SRC"
"DisplayName"="@ieframe.dll,-12512"
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here you are ...
-
Did that remove it ?
-
No .... http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
OK let's now remove the clsid and then reset the network
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:Reg
[-HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c
netsh advfirewall reset /c
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Continues to appear ...there is no way ...
http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
Could you run MBAM one more time please
-
Yes of course, do no detect any malware now, but continues ..
http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
OK I will have to go back to the drawing board on this... Are you running spybot by any chance ?
-
spybot? I do not quite understand what you mean .. I have Avast, and also Malwarebytes trial version.
Hummm two anti malware? Is it good?
-
OK go to control panel > internet option
Select the new tab button... What is in the box
-
Done! But nothing was sorted ....
Continues http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
What is in the box ? it was a question ? : about:Tabs
-
Yes as that is where the second tab opens to
Still no further on this yet.. This is curious as normally it goes fairly quietly
-
Well, now what ?
I have to reformat the hard drive? .. Or will you seek a solution?
-
A reformat in this case would be a faster solution, as none of my contacts have yet been able to see where this is originating. All are as baffled as I
-
Well, for now I will wait because I have a lot of information not stored in backup, and many photos and files. If you have any ideas in the coming days, I will be thankful.
Nor is it for now, It produces any problem apart from appearing every time I open any browser except Avast SafeZone.
-
Could you run this programme please
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
-
Copy and paste FRST:
The following error or errors occurred while posting this message:
The message exceeds the maximum allowed length (10000 characters).
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-11-2013 01
Ran by Alberto (administrator) on ALBERTO-TOSH on 25-11-2013 22:17:35
Running from C:\Users\Alberto\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: Spanish Modern Sort
Internet Explorer Version 10
Boot Mode: Normal
==================== Processes (Whitelisted) =================
I send you the attachments:
-
And the Addition ...
-
Download the attached fixlist.txt to the same location as FRST
Run FRST and press fix
On completion a log will popup please post that
-
The log :
-
And still appears: http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
-
Yep Chrome is a pain in the posterior.. The page is in the restore on start settings and according to Google they are easy to reset
Could you follow the steps here and let me know the result
https://support.google.com/chrome/answer/3296214
-
Well, I followed the instructions, but still appearing. So far I have not noticed anything worse in engine performance team, 'running well, but is a real nuisance to have to mess around with is Qone8 besides not knowing if it is sending information to sites that do not know.
Still... in all browsers
http://start.qone8.com/?type=sc&ts=1381697851&from=tugs&uid=TOSHIBAXMK6465GSXN_Z0LCS14DSXXZ0LCS14DS
I will try to uninstall Chrome ....
-
WOT blocks access to start.qone8: See picture below.
https://www.mywot.com/en/scorecard/start.qone8.com?utm_source=addon&utm_content=warn-viewsc
-
AdwCleaner has been updated now to try and tackle this so it would be worth a shot
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
-
I have to disable Avast in the process?
Avast blocks downloading Adw
Avast:
Infección Bloqueada
URL:
http://download.bleepingcomputer.com/dl/d9cc85d596e6...
Infección:
Win32:Dropper-gen [Drp]
-
OK I will report that as an FP
-
Yessssssssss !!!!!
start.Qone8.com has disappeared I think.
Thank you very much.
Posting Attachments ..
-
Acceso directo Desinfectado : C:\Users\Public\Desktop\Mozilla Firefox.lnk
Acceso directo Desinfectado : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
Acceso directo Desinfectado : C:\Users\Alberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
That is where it was hiding .. Yet I am sure we searched that area earlier
If it is still gone tomorrow let me know and I will tidy up
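
Added example, not part of the original thread or any poster's instructions: a read-only PowerShell check of the shortcut folders listed in the AdwCleaner log above, assuming the hijack takes its usual form of a URL placed in the browser shortcut's arguments. The function name `Get-BrowserShortcutWithUrl` and the browser list are illustrative choices.

```powershell
# Added example (not from the thread): report browser shortcuts that open a URL.
# Read-only. Nothing is changed or deleted.

# Browsers named in the thread; extend the list for others.
$BrowserExes = @('iexplore.exe', 'firefox.exe', 'chrome.exe')

function Get-BrowserShortcutWithUrl {
    [CmdletBinding()]
    param(
        # Folders to search recursively for .lnk files.
        [Parameter(Mandatory = $true)]
        [string[]] $Path
    )

    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # CreateShortcut on an existing .lnk loads it; nothing is written
                # unless Save() is called, which this script never does.
                $lnk = $shell.CreateShortcut($_.FullName)
                if ([string]::IsNullOrEmpty($lnk.TargetPath)) { return }

                $exe       = [System.IO.Path]::GetFileName($lnk.TargetPath)
                $isBrowser = $BrowserExes -contains $exe
                # A stock browser shortcut has no URL in its arguments.
                $hasUrl    = $lnk.Arguments -match 'https?://|\bwww\.'

                if ($isBrowser -and $hasUrl) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

# The per-user and all-users locations that appear in the AdwCleaner log,
# plus the current user's desktop.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

Get-BrowserShortcutWithUrl -Path $folders | Format-List
```

Each hit is a lead to review, since a user may have created such a shortcut on purpose; run it once per user profile, because the desktop and `%APPDATA%` paths resolve to the account running the script.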
-
Yes I will. and thank you for everything.
By the moment to reboot, and open the browser (any), not the tab opens with start.qone8.com :)
And yes, I remember that I removed all the shortcuts on the tool bar, but I think they were duplicated on the desktop and I did not realize I did not think about that at the time ....
-
No problem just glad it is gone :)
-
I do not usually use any additional software to clean things, just read forums and remove everything manually. Qone8 is relatively easy to remove manually: http://soft2secure.com/knowledgebase/qone8-com-virus