browser hijacked qvo6.com malware

Status
Not open for further replies.
Hi oldman960,

this is not my day I think :confused:
qvo6.com is still there. Coming up as new tab in both the IE and Firefox.
It drives me nu*s
:mad:
The process went a little differently from what you said. There was a reboot forced by OTL at the end of the removal job. However, I think that didn't matter.

This is the log file, looking quite successful:
-----------------------
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKU\S-1-5-21-713427250-3853926042-2103360380-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\""|"C:\Program Files\Mozilla Firefox\firefox.exe" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\qvo6Software\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\\DoNotAskAgain deleted successfully.
Registry value HKEY_USERS\S-1-5-21-713427250-3853926042-2103360380-1005\Software\Microsoft\Internet Explorer\SearchScopes\\DoNotAskAgain not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\HEF01\Desktop\cmd.bat deleted successfully.
C:\Users\HEF01\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56478 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HEF01
->Temp folder emptied: 97937172 bytes
->Temporary Internet Files folder emptied: 255021982 bytes
->Java cache emptied: 63490596 bytes
->FireFox cache emptied: 206871897 bytes
->Flash cache emptied: 3194839 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 67224 bytes
Windows Temp folder emptied: 24872645 bytes
RecycleBin emptied: 18733299 bytes

Total Files Cleaned = 639,00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 07052013_101106

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\GacelaLSPService.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
...................................................

I couldn't believe qvo6 is still there, so I checked the registry with SystemLook.exe and the search string we had above for qvo6.
Result: there's nothing in there any more.
...................................................
SystemLook 30.07.11 by jpshortstuff
Log created at 10:44 on 05/07/2013 by HEF01
Administrator - Elevation successful

========== regfind ==========

Searching for "qvo6"
No data found.

Searching for "qvo6*"
No data found.

-= EOF =-
.............................................

And now ? Hope you have another idea ... :coffee:
 
Hi Benutzer,

The reboot was normal. I just wanted a second reboot afterwards.

Please download ShortCut Cleaner
  • Right click on sc-cleaner.exe and click "Run as Administrator"
  • If prompted allow the tool to run
  • If any hijacked shortcuts are found they will be cleaned
Please post the log.
 
Shortcut Cleaner 1.2.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 7 Professional Service Pack 1
Program started at: 07/05/2013 12:30:46 PM.

Scanning for registry hijacks:

* No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\

* Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

* Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

* Shortcut Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

Searching C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

* Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

* Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

* Shortcut Cleaned: C:\Users\HEF01\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

Searching C:\Users\Public\Desktop\

* Shortcut Cleaned: C:\Users\Public\Desktop\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&u...KT-80PK4T0_WD-WX11AA2N2946N2946&ts=1369336665

Searching C:\Users\HEF01\Desktop


7 bad shortcuts found.

Program finished at: 07/05/2013 12:30:56 PM
Execution time: 0 hours(s), 0 minute(s), and 10 seconds(s)
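The Shortcut Cleaner log above shows what the hijack looks like: each browser .lnk still points at the real iexplore.exe or firefox.exe, but carries the qvo6.com URL as a command-line argument, so every launch opens that page. The PowerShell script below is an added example, not Shortcut Cleaner's own code; it checks the same locations the log lists for browser shortcuts whose arguments contain a URL, reports them, and only clears the arguments when run with -Fix. It assumes the WScript.Shell COM object is available and PowerShell 2.0 or later (Windows 7).

```powershell
# Added example: find (and optionally clean) browser shortcuts whose
# arguments carry a URL. Read-only unless -Fix is given.
param([switch]$Fix)

# Browser executables a hijacked shortcut is likely to point at.
$browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe'

# Same locations Shortcut Cleaner searched in the log above.
$roots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('Desktop')
)

$shell = New-Object -ComObject WScript.Shell
$found = 0

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $links = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -eq '.lnk' }
    foreach ($file in $links) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        # A clean browser shortcut has no arguments at all; a URL in the
        # arguments is exactly the pattern seen in the log.
        if (($browsers -contains $exe) -and ($lnk.Arguments -match '(?i)https?://')) {
            $found++
            Write-Output ("HIJACKED: {0} => {1} {2}" -f $file.FullName, $lnk.TargetPath, $lnk.Arguments)
            if ($Fix) {
                # Keep the target, drop the injected URL, write the .lnk back.
                $lnk.Arguments = ''
                $lnk.Save()
                Write-Output "  cleaned: arguments removed"
            }
        }
    }
}

Write-Output "$found suspicious shortcut(s) found."
```

Run it from an elevated PowerShell prompt, since the ProgramData and Public Desktop shortcuts are not writable by a standard user.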
 
Hi oldman960,

it's fine!!
I've done another reboot, and IE as well as Firefox are clean.

Many, many thanks!!

Where should I send the :present:
Or if you get to Germany, drop me a line. I owe you a "Bratwurst" and some "Bier".

Keep up your great work.
:bow:
 
Hi Benutzer,

Good. We'll restore that file for you then clean up the tools we used.


We will be using Combofix again but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all of the text in the code box below into the Notepad. Do not copy the word CODE

Code:
DeQuarantine:: 
C:\Qoobox\Quarantine\C\users\HEF01\AppData\Roaming\convert\convert.exe.vir
Quit::

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[image: CFScriptB-4.gif]


**Note**

When CF finishes running, a notepad named DeQuarantine.txt will open.


Please post back with the DeQuarantine.txt log.

Thanks
 
Hi oldman960,

Thank you. Done that. Computer is still fine.

C:\Qoobox\Quarantine\C\users\HEF01\AppData\Roaming\convert\convert.exe.vir -> C:\users\HEF01\AppData\Roaming\convert\convert.exe ( 12697088 bytes )
 
Hi Benutzer ,

We can clean up the tools now.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • SystemLook.exe
  • sc-cleaner.exe
  • TDSSKiller.exe
  • aswMBR.exe
  • mbr.dat
  • DDS

You can delete TDSSKiller.[Version]_[Date]_[Time]_log.txt and TDSSKiller_Quarantine from C:\

Next

Disable your security programs for this first step. You can re-enable them afterwards.

Press the Windows key and the R key. A run box should open. Copy and paste the following line into the box and click OK


Combofix /uninstall




Next

Open AdwCleaner and click the uninstall button.



Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on-demand antispyware program and a firewall. You have both Avira antiSpyware and Spybot. These 2 programs do essentially the same thing. Since Spybot is outdated I suggest you uninstall it. Use MBAM as an on-demand scanner and use it on a regular basis. The Windows 7 firewall is pretty good, so you have the basics.

You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System and Security. Under Windows Update, click "Turn automatic updating on or off". Select the option you want.

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care
 
qvo.com problem solved

Dear oldman960,

many thanks again. All went fine.
I learned a lot and will follow your instructions.

Cheers !:thanks:
 