Thread: browser hijacked qvo6.com malware

  1. #21
    Junior Member
    Join Date
    May 2013
    Posts
    18

    Default

    Hi oldman960,

    this is not my day I think
    qvo6.com is still there. Coming up as new tab in both the IE and Firefox.
    It drives me nu*s

    Process went a little different to what you said. There was a reboot forced by OTL at the end of the removing job. However I think that didn't matter.

    This is the log file, looking quite successful :
    -----------------------
    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== OTL ==========
    HKU\S-1-5-21-713427250-3853926042-2103360380-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\""|"C:\Program Files\Mozilla Firefox\firefox.exe" /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\qvo6Software\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\\DoNotAskAgain deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-713427250-3853926042-2103360380-1005\Software\Microsoft\Internet Explorer\SearchScopes\\DoNotAskAgain not found.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows-IP-Konfiguration
    Der DNS-Auflösungscache wurde geleert.
    C:\Users\HEF01\Desktop\cmd.bat deleted successfully.
    C:\Users\HEF01\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56478 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: HEF01
    ->Temp folder emptied: 97937172 bytes
    ->Temporary Internet Files folder emptied: 255021982 bytes
    ->Java cache emptied: 63490596 bytes
    ->FireFox cache emptied: 206871897 bytes
    ->Flash cache emptied: 3194839 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 67224 bytes
    Windows Temp folder emptied: 24872645 bytes
    RecycleBin emptied: 18733299 bytes

    Total Files Cleaned = 639,00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 07052013_101106

    Files\Folders moved on Reboot...
    File move failed. C:\Windows\temp\GacelaLSPService.log scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
    ...................................................

    I couldn't believe the qvo6 is still there and checked the reg file with SystemLook.exe and the search string we had above for qvo6
    Result. It's nothing in there any more.
    ...................................................
    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:44 on 05/07/2013 by HEF01
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "qvo6"
    No data found.

    Searching for "qvo6*"
    No data found.

    -= EOF =-
    .............................................

    And now ? Hope you have another idea ...

  2. #22
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Benutzer,

    The reboot was normal. I just wanted a second reboot afterwards.

    Please download ShortCut Cleaner
    • Right click on sc-cleaner.exe and click "Run as Administrator"
    • If prompted allow the tool to run
    • If any hijacked shortcuts are found they will be cleaned
    Please post the log.
    Member of UNITE and ASAP

  3. #23
    Junior Member
    Join Date
    May 2013
    Posts
    18

    Default

    Shortcut Cleaner 1.2.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Shortcut Cleaner can be found at this link:
    http://www.bleepingcomputer.com/down...rtcut-cleaner/

    Windows Version: Windows 7 Professional Service Pack 1
    Program started at: 07/05/2013 12:30:46 PM.

    Scanning for registry hijacks:

    * No issues found in the Registry.

    Searching for Hijacked Shortcuts:

    Searching C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\

    * Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    * Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    Searching C:\ProgramData\Microsoft\Windows\Start Menu\

    * Shortcut Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    Searching C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

    * Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    * Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    * Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    Searching C:\Users\Public\Desktop\

    * Shortcut Cleaned: C:\Users\Public\Desktop\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&ut...&ts=1369336665

    Searching C:\Users\HEF01\Desktop


    7 bad shortcuts found.

    Program finished at: 07/05/2013 12:30:56 PM
    Execution time: 0 hours(s), 0 minute(s), and 10 seconds(s)

  4. #24
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Benutzer,

    How's the computer now?
    Member of UNITE and ASAP

  5. #25
    Junior Member
    Join Date
    May 2013
    Posts
    18

    Smile

    Hi oldman960,

    it's fine !!
    I've done another reboot and IE as well as Firefox are clean.

    Many, many thanks !!

    Where should I send the
    Or if you get to Germany, drop me a line I owe you a "Bratwurst" and some "Bier"

    Keep up your great work.

  6. #26
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Benutzer,

    Good. We'll restore that file for you then clean up the tools we used.


    We will be using Combofix again but will run it differently.

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all of the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    DeQuarantine:: 
    C:\Qoobox\Quarantine\C\users\HEF01\AppData\Roaming\convert\convert.exe.vir
    Quit::

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your left mouse button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    **Note**

    When CF finishes running, a notepad named DeQuarantine.txt will open.


    Please post back with the DeQuarantine.txt log.

    Thanks
    Member of UNITE and ASAP

  7. #27
    Junior Member
    Join Date
    May 2013
    Posts
    18

    Default

    Hi oldman960,

    Thank you. Done that. Computer is still fine.

    C:\Qoobox\Quarantine\C\users\HEF01\AppData\Roaming\convert\convert.exe.vir -> C:\users\HEF01\AppData\Roaming\convert\convert.exe ( 12697088 bytes )

  8. #28
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Benutzer ,

    We can clean up the tools now.

    From your desktop, please delete, if present
    • any notepads/logs that we created
    • SystemLook.exe
    • sc-cleaner.exe
    • TDSSKiller.exe
    • aswMBR.exe
    • mbr.dat
    • DDS


    You can delete TDSSKiller.[Version]_[Date]_[Time]_log.txt , TDSSKiller_Quarantine from C:\

    Next

    Disable your security programs for this first step. You can re-enable them afterwards.

    Press the Windows key and the R key. A run box should open. Copy and paste the following line into the box and click OK


    Combofix /uninstall




    Next

    Open ADWcleaner and click the uninstall button.



    Next

    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

    I suggest you keep MBAM. Keep it updated and use it regularly.

    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have both Avira antiSpyware and Spybot. These 2 programs do essentially the same thing. Since Spybot is outdated I suggest you uninstall it. Use MBAM as an on demand scanner and use it on a regular basis. Windows 7 firewall is pretty good so you have the basics.

    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.

    -Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

    - Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System and Security. Under Windows Updates, click turn automatic updating on or off. Select the option you want.

    - Keep your antivirus program updated, as well as any other security programs you have.

    -More tips and programs can be found HERE

    Please post back if you have any problems.

    Take care
    Member of UNITE and ASAP
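
The Internet Explorer zone settings recommended in the post above are stored per user as URL action values under the Internet zone (zone 3). The following read-only PowerShell check compares them with those recommendations; it is an added example and not part of the original thread.

```powershell
# Added example: audit the current user's Internet zone (zone 3) against the
# six settings recommended in the post above. Nothing is modified.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
$policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action id -> dialog label and the value the post recommends.
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                    Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                  Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked as safe';    Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                       Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';           Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';        Value = 1 }
}

$current = Get-ItemProperty -Path $zone

$report = foreach ($id in $wanted.Keys) {
    $actual = $current.$id

    # Translate the stored DWORD into the label used by the Security tab.
    $shown = if ($null -eq $actual) { 'not set' }
             elseif ($policy.ContainsKey([int]$actual)) { $policy[[int]$actual] }
             else { '0x{0:X}' -f $actual }

    [pscustomobject]@{
        Action      = $id
        Setting     = $wanted[$id].Name
        Recommended = $policy[$wanted[$id].Value]
        Actual      = $shown
        Compliant   = ($actual -eq $wanted[$id].Value)
    }
}

# Note: values set by Group Policy live under the ...\Policies\... branch and
# take precedence over the per-user values read here.
$report | Format-Table -AutoSize
```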

  9. #29
    Junior Member
    Join Date
    May 2013
    Posts
    18

    Default qvo.com problem solved

    Dear oldman960,

    many thanks again. All went fine.
    I learned a lot and will follow your instructions.

    Cheers !

  10. #30
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Benutzer ,

    You are very welcome.

    Take care, keep safe.
    Member of UNITE and ASAP
