Another infection with Qone8

Hi, there.

Following your last hints about how to solve the Qone8 malware infection (http://forum.avast.com/index.php?topic=137641.0), I attach my own OTL.txt and Extras.txt.

Please let us know what our next step should be.

Thank you in advance.

Fernando Eguilaz

Sorry, I forgot the Extras.txt

hey and welcome to the forum.

please also attach the other logs from this guide: adwcleaner, mbam, aswmbr.

http://forum.avast.com/index.php?topic=53253.0

from there a malware expert will help you when one is online.

Monitoring…

Hello,

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]The logfile will also be saved in the C:\AdwCleaner folder.

Then…

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer );

Attach the GMER log report here.

Then…

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory from which the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

First of all, thank you for your kind support.

After launching (I guess) every program you suggested, I attach the results (AdwCleaner, Mbam, and Gmer).

With aswmbr I couldn't properly finish due to some odd errors, but I'm not sure whether you will need it in the end.

And, last, with FRST we had many problems: it runs… until it hits some strange files/folders that don't exist on our system! So I can't attach that file.

Best regards

Fernando Eguilaz

With aswmbr I couldn't properly finish due to some odd errors, but I'm not sure whether you will need it in the end.
Since you attached the GMER log, I guess it is not needed ;)

and your computer seems to be an Adware city … you have a ton of crap files

TwinHeadedEagle will fix it when he is back :wink:

Thank you for your feedback, Pondus.

Actually, I agree with you. It has been a big (and bad) surprise to detect hundreds of such rubbish on our computers… with Avast installed (enterprise edition with SOA).

I know there is no antivirus program good enough to detect 100% of cases but, anyway, it seems Avast's detection could be improved a lot. Actually, we run complete scans every day across our whole network and, as you can see, without success.

So, we will wait for TwinHeadedEagle's solutions.

FRST logs are missing, so we can start…

Be sure to choose Clean within AdwCleaner, post me that log, and after that run FRST and attach its two logs…

I know there is no antivirus program good enough to detect 100% of cases but, anyway, it seems Avast's detection could be improved a lot. Actually, we run complete scans every day across our whole network and, as you can see, without success.
A quick look at the Malwarebytes log shows that most of this is PUP detections... PUP = not a virus / Possible Unwanted Program. Avast's PUP scan is off by default ..... and only on by default in the boot scan.

Unless you know what you are doing, I recommend you keep it that way and let Malwarebytes handle the PUPs, as what it targets is just crap.
Avast, however, also classes some factory-installed programs as PUP bc of what they can do…
So if you are going to use the Avast PUP scan in the future, be sure you know what is detected before you take any action :wink:

I attach two new log files from AdwCleaner (R1 just after cleaning the system, and S0 just after restart).

To my great sorrow, I can't send you the log files from FRST because it fails while scanning, at "Listing files and folders", on an unknown file _TMP5xxxx that we are not able to locate on the infected PC. Anyway, the program says it can "help me" with three info files. I attach only one of them because the size exceeds 512 KB and the forum attachment rules only allow .txt or .log files (neither .xml nor .mdmp).

Any hints for running FRST properly?

Thank you in advance.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Here you have.

Thank you.

Open notepad and copy/paste the text present inside the code box below:

Folder::
c:\windows\86CA3695A4124BAE92B649A60C2AC663.TMP
c:\users\TECN_AAG\AppData\Roaming\0D0S1L2Z1P1B

ClearJavaCache::

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Then…

Run FRST and attach me the logs…

At last, here you have.

I guess everything should be ok.

Thank you in advance.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\qone8.xml
C:\Program Files (x86)\mozilla firefox\browser\searchplugins\qone8.xml
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then…

Tell me, how are the things now?
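The fix above deletes one Firefox searchplugin file and flushes the DNS cache. As an added example that is not part of the thread, of FRST, or of any Avast tool, here is a Python script that re-audits a Firefox searchplugins directory after such a fix and flags any OpenSearch plugin whose query URL points to a host outside an allowlist, so a defender can confirm the browser's search provider has not been silently redirected again. Assumed: the OpenSearch 1.1 element names ShortName and Url (with a template attribute) that Firefox's searchplugin .xml files use; ALLOWED_HOSTS is an illustrative allowlist, not a vendor list; the two sample plugin files are constructed for an offline run, with a placeholder host standing in for any real hijacker domain.

```python
"""Audit a Firefox searchplugins directory for unexpected search providers.

Added example (not from the forum thread): after a fix like the one above,
re-check that no OpenSearch plugin file still sends queries to a host outside
an expected set. Assumptions: plugin files follow the OpenSearch 1.1 layout
(ShortName and Url elements, namespaced or not); ALLOWED_HOSTS is an
illustrative allowlist chosen for this example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Illustrative allowlist of search hosts an administrator expects to see.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def _local_name(tag):
    """Strip an XML namespace prefix such as '{http://...}Url' down to 'Url'."""
    return tag.rsplit("}", 1)[-1]


def parse_searchplugin(path):
    """Return (short_name, hosts) for one OpenSearch XML file.

    hosts lists the hostname of every Url element's template attribute; that
    is where the browser actually sends the user's search terms.
    """
    root = ET.parse(path).getroot()
    short_name = os.path.basename(path)
    hosts = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "ShortName" and el.text:
            short_name = el.text.strip()
        elif name == "Url":
            host = urlparse(el.get("template", "")).hostname
            if host:
                hosts.append(host.lower())
    return short_name, hosts


def audit_searchplugins(directory, allowed_hosts=ALLOWED_HOSTS):
    """Scan every .xml plugin in directory.

    Returns a list of (filename, short_name, hosts) for plugins that are
    unparseable, have no query URL, or send queries to a host that is not in
    allowed_hosts. An empty list means the directory looks clean.
    """
    findings = []
    for fname in sorted(os.listdir(directory)):
        if not fname.lower().endswith(".xml"):
            continue
        path = os.path.join(directory, fname)
        try:
            short_name, hosts = parse_searchplugin(path)
        except ET.ParseError:
            findings.append((fname, "<unparseable>", []))
            continue
        if not hosts or any(h not in allowed_hosts for h in hosts):
            findings.append((fname, short_name, hosts))
    return findings


# Constructed sample plugins for an offline run: one legitimate-looking entry
# and one shaped like the qone8.xml file named in the fix above, pointing at a
# placeholder host rather than any real hijacker domain.
SAMPLE_PLUGINS = {
    "ddg.xml": (
        '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">'
        "<ShortName>DuckDuckGo</ShortName>"
        '<Url type="text/html" method="GET" template="https://duckduckgo.com/?q={searchTerms}"/>'
        "</OpenSearchDescription>"
    ),
    "qone8.xml": (
        "<OpenSearchDescription>"
        "<ShortName>Search the web</ShortName>"
        '<Url type="text/html" template="http://search.hijacker-placeholder.invalid/?q={searchTerms}"/>'
        "</OpenSearchDescription>"
    ),
}


def build_sample_dir():
    """Write the constructed sample plugins into a temp directory; return its path."""
    directory = tempfile.mkdtemp(prefix="searchplugins-")
    for fname, xml_text in SAMPLE_PLUGINS.items():
        with open(os.path.join(directory, fname), "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return directory


if __name__ == "__main__":
    # Point this at the real searchplugins folder to audit a machine.
    target = build_sample_dir()
    for fname, short_name, hosts in audit_searchplugins(target):
        print(f"SUSPICIOUS {fname}: '{short_name}' -> {hosts or 'no query URL'}")
```

Run against the constructed sample, only qone8.xml is reported; against a real profile, pass the searchplugins path and your own allowlist. Checking the Url template rather than the ShortName matters because a hijacking plugin can carry a harmless-looking display name while its template sends every query elsewhere.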

Perfect, TwinHeadedEagle!

It has been a long trip to success, but it works perfectly (I attach the result). I've tested it in Mozilla, Chrome and IE: Qone8 has disappeared.

So, my last question is about the Pondus recommendation ("unless you know what you are doing, I recommend you keep it that way and let Malwarebytes handle the PUPs, as what it targets is just crap; Avast, however, also classes some factory-installed programs as PUP bc of what they can do").

Do you think it’s the proper way in order to manage our security? Any other hint for improving our Avast configuration?

Thank you very much!

Adware, unlike a virus, is in 99% of cases installed by the user themselves. It is bundled in the majority of free software, various sites and similar. Everything you need to do is watch out for what you are installing and follow the installation, not installing anything except the program itself.
There is no realtime protection against such threats, so everything is on you.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

TwinHeadedEagle, my browsers (firefox & chrome) are also infected with qone8.

Can I follow your steps to remove it?
Or do I have to do different steps, since I may have a different machine?

This qone8 really annoys me, I tried the Avast bootscan and fullscan but it is still there.

Hope you can help me.
Thanks in advance,
Steven