Infected with Qone8

Hi, I’ve got the malware Qone8 from the same faked Java update that AlbertoGilbert was referring to in his post.

I had an extensive scan by Avast that found some malware and (apparently) removed it. Also had an extensive scan (many hours) by Avast at reboot.
Start Qone8 is still there when I open Firefox.
Also a writing on my desktop states that my Windows is an unauthorized one (which is false) and the coincidence seems too odd to think it’s not connected to Qone8.

I have done what essexboy suggested to do to AlbertoGilbert, running the Otl program and now I have the two .txt files (OTL and Extras).
What am I supposed to do with them now?

Thanks in advance for your help

Monitoring…

attach the OTL.txt log here … do not copy and paste

also run and attach AdwCleaner / Malwarebytes logs. http://forum.avast.com/index.php?topic=53253.0

see attachment and other options below the box you write in here

attaching the OTL.txt
in the meantime I have AdwCleaner running. Once it is over I’ll attach that log too

and here is the AdwCleaner log

Hello,

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

  • Wait for the initial scan to finish; if there is any query, click No.
  • Click the Scan button and wait until the full scan is complete.
  • Click Save… and save the report to the Desktop (named Gmer).

Attach the GMER log report here.

Then…

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I am attaching the Gmer report.

I have tried unsuccessfully to download the Farbar Recovery Scan Tool.
I always get the same error: “Firefox cannot contact the server download.bleepingcomputer.com”

and if you use another browser… IE ?

Try this link, for me, it’s working

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

same result
Actually, I am really naive in searching through the logs I have attached, but I was able to see that if you search for “Qone8” you get the same lines for Firefox and IE
Plus, surfing through the web, the scarce information I have got on Qone8 says that it infects all browsers

Ok, follow this

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
  • The log file will also be saved in the C:\AdwCleaner folder.

===============================================

After that, try to download FRST and post its log…

Same result. Still get the same error: “Firefox cannot contact the server download.bleepingcomputer.com”

Read my previous post and try AdwCleaner, but now be sure to press the Clean button after scanning…

I have tried AdwCleaner and I’m posting the post log file.
Anyway, after opening Firefox it looks like Qone8 has disappeared.
I’ll try FRST, too

This is the FRST post log file, plus the Addition.txt file
It seems that the problem has been solved, anyway
thanks a lot for your help.

See you later

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

MountPoints2: {0414b20e-6a28-11e2-8008-001d72e45f50} - G:\LaunchU3.exe -a
MountPoints2: {0571062d-49ca-11de-8024-001d72e45f50} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
MountPoints2: {09315331-0317-11de-bf2d-001d72e45f50} - b00ijwpu.exe
MountPoints2: {252c70f8-c45f-11de-90b9-001d72e45f50} - F:\ur0.com
MountPoints2: {37f506c0-7173-11de-9a1c-00a0c6000000} - F:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {55613b46-9d67-11e0-8a95-001d72e45f50} - H:\LaunchU3.exe -a
MountPoints2: {69e3c4a2-565c-11de-8af2-001d72e45f50} - F:\tvlx2fg.exe
MountPoints2: {85d5c80c-bdee-11df-9969-001d72e45f50} - G:\LaunchU3.exe -a
MountPoints2: {888d16c3-40e1-11e1-af65-001d72e45f50} - H:\LaunchU3.exe -a
MountPoints2: {aad3b1ae-e885-11de-b3dc-e2511050a08c} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msw0vks.exe
MountPoints2: {b5192c49-1919-11de-b97d-001d72e45f50} - F:\RECYCLER\autorun.exe
MountPoints2: {ca663a60-c993-11e1-9766-001d72e45f50} - G:\LaunchU3.exe -a
MountPoints2: {cd9f3519-148c-11df-95a5-001d72e45f50} - F:\xlk9.com
MountPoints2: {d3ec907e-0b19-11df-9b1e-001d72e45f50} - F:\muza\\sguza.exe
MountPoints2: {dbed06c1-d8ce-11de-a0ae-001d72e45f50} - F:\wu1n.exe
MountPoints2: {e66ae28f-05c6-11df-8626-001d72e45f50} - G:\LaunchU3.exe -a
MountPoints2: {f5112f98-8e59-11df-97fa-001d72e45f50} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\_.vbs
MountPoints2: {fa09d929-6024-11e0-86c6-001d72e45f50} - I:\LaunchU3.exe -a
C:\Users\Paolo\AppData\Local\Temp\BackupSetup.exe
C:\Users\Paolo\AppData\Local\Temp\Java.exe
C:\Users\Paolo\AppData\Local\Temp\Quarantine.exe
C:\Users\Paolo\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\Paolo\AppData\Local\Temp\_is12A6.exe
C:\Users\Paolo\AppData\Local\Temp\_is1F7A.exe
C:\Users\Paolo\AppData\Local\Temp\_is25F0.exe
C:\Users\Paolo\AppData\Local\Temp\_is80C3.exe
C:\Users\Paolo\AppData\Local\Temp\_is9B84.exe
C:\Users\Paolo\AppData\Local\Temp\_isA006.exe
C:\Users\Paolo\AppData\Local\Temp\_isB01C.exe
C:\Users\Paolo\AppData\Local\Temp\_isD5F4.exe
C:\Users\Paolo\AppData\Roaming\desktop.ini
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then…

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Then…

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
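
The MountPoints2 entries in the fixlist above are the registry traces left by autorun commands of removable drives, and the helper later points to them as signs of Conficker. As an added illustration, not part of this thread, of FRST or of MCShield, the following Python script parses such lines and triages them the way an analyst reading an FRST log would: it peels off the rundll32 ShellExec_RunDLL indirection, then flags targets under RECYCLER, non-executable payload types (.com, .vbs, .vmx), drive-less paths and short random-looking names. The ten sample lines are copied from the fixlist; KNOWN_LAUNCHERS (U3 and Vodafone launchers treated as low-risk) and the heuristics themselves are my assumptions, chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: ten MountPoints2 lines copied from the FRST fixlist in this thread.
SAMPLE_LINES = r"""
MountPoints2: {0414b20e-6a28-11e2-8008-001d72e45f50} - G:\LaunchU3.exe -a
MountPoints2: {0571062d-49ca-11de-8024-001d72e45f50} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
MountPoints2: {09315331-0317-11de-bf2d-001d72e45f50} - b00ijwpu.exe
MountPoints2: {252c70f8-c45f-11de-90b9-001d72e45f50} - F:\ur0.com
MountPoints2: {37f506c0-7173-11de-9a1c-00a0c6000000} - F:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {aad3b1ae-e885-11de-b3dc-e2511050a08c} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msw0vks.exe
MountPoints2: {b5192c49-1919-11de-b97d-001d72e45f50} - F:\RECYCLER\autorun.exe
MountPoints2: {d3ec907e-0b19-11df-9b1e-001d72e45f50} - F:\muza\\sguza.exe
MountPoints2: {dbed06c1-d8ce-11de-a0ae-001d72e45f50} - F:\wu1n.exe
MountPoints2: {f5112f98-8e59-11df-97fa-001d72e45f50} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\_.vbs
""".strip().splitlines()

# One FRST MountPoints2 line: the GUID identifies the volume, the remainder is the autorun command.
MOUNTPOINT_RE = re.compile(r"^MountPoints2:\s*\{(?P<guid>[0-9a-fA-F-]{36})\}\s*-\s*(?P<cmd>.*?)\s*$")

# Vendor launchers shipped on removable media (SanDisk U3, Vodafone Mobile Connect); assumed
# low-risk for this illustration. An analyst would still verify the file on the device itself.
KNOWN_LAUNCHERS = {"launchu3.exe", "setup_vmc_lite.exe"}
# Payload types with no legitimate reason to be a USB autorun target (assumption).
SUSPICIOUS_EXT = {".com", ".vbs", ".vmx", ".bat", ".cmd", ".scr", ".pif"}


@dataclass
class Finding:
    guid: str
    target: str
    severity: str          # "high", "review" or "low"
    reasons: list = field(default_factory=list)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def target_of(cmd):
    """Strip 'RunDLL32 Shell32.DLL,ShellExec_RunDLL [rundll32.exe] <path>[,entry]' hops and
    return the file actually launched (first token; paths containing spaces are not handled)."""
    idx = cmd.lower().find("shellexec_rundll")
    if idx != -1:
        cmd = cmd[idx + len("shellexec_rundll"):].strip()
        if cmd.lower().startswith("rundll32.exe"):
            cmd = cmd[len("rundll32.exe"):].strip()
    parts = cmd.split()
    return (parts[0] if parts else cmd).split(",")[0]


def looks_random(stem):
    """Short names mixing letters and digits (b00ijwpu, wu1n) are typical of dropped worm binaries."""
    return len(stem) <= 8 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def assess(line):
    """Return a Finding for one MountPoints2 line, or None if the line is not one."""
    m = MOUNTPOINT_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    target = target_of(cmd)
    name = basename(target).lower()
    stem, ext = (name.rsplit(".", 1) if "." in name else (name, ""))
    ext = "." + ext if ext else ""
    reasons = []
    if "shellexec_rundll" in cmd.lower():
        reasons.append("launched through rundll32 ShellExec_RunDLL indirection")
    if "recycler" in target.lower():
        reasons.append("target lives under a RECYCLER folder")
    if ext in SUSPICIOUS_EXT:
        reasons.append(f"unusual autorun payload type {ext}")
    if name not in KNOWN_LAUNCHERS:
        if not re.match(r"^[A-Za-z]:\\", target):
            reasons.append("relative or drive-less target path")
        if ext == ".exe" and looks_random(stem):
            reasons.append("random-looking executable name")
    severity = "high" if reasons else ("low" if name in KNOWN_LAUNCHERS else "review")
    return Finding(m.group("guid"), target, severity, reasons)


def triage(lines):
    return [f for f in map(assess, lines) if f is not None]


def summary(lines):
    """Count findings per severity, e.g. {'high': 7, 'review': 1, 'low': 2} for the sample."""
    counts = {"high": 0, "review": 0, "low": 0}
    for f in triage(lines):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.target}  " + "; ".join(f.reasons))
    print(summary(SAMPLE_LINES))
```

Entries rated "review" (here F:\muza\\sguza.exe) carry no indicator of their own and need the file checked on the device; "low" covers only the vendor launchers on the allowlist. The fixlist in the thread removes every entry regardless, which is the right call for a cleanup, but the triage shows which ones justified the Conficker diagnosis.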

I attach the three log files you told me.
I had all the suggested programs running and fixing.
Looks like the pc is all right now.
Is there anything else I should do?

Ok, we’re done here :slight_smile:

Let’s clear up the tools :slight_smile:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

DeleteQuarantine:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then…

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

I recommend that you keep MCShield, because I saw signs of the Conficker worm in your logs.
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the memory card or external HDD.

Uninstall Java and Adobe Reader, and install latest versions. Keep your software updated, and stay safe :slight_smile:

Greetings

wow!
this is done! :smiley:
I believe I have learned quite a few things
thanks a lot for your help.

regards,