Qv06.com
Solved
Kotionok Posted messages 14 Status Member -
g3n-h@ckm@n Posted messages 14350 Status Member -
Hello,
I'm infected with a "Qv06.com" virus and I can't get rid of it (neither with Avast nor Spybot). This virus changes my browser settings. I'm using Chrome and I'm on Windows 7 Home Edition 64-bit.
Thank you to the users who are willing to help me.
18 answers
-
Hi, uninstall Spybot, it's useless.
==
Download and save ADWCleaner to your desktop:
do not click on Download, wait for the download window to appear for confirmation
Run it (For Vista/7/8 => right-click "Run as administrator")
click on deletion and post C:\Adwcleaner[Sx].txt
==
download and run this tool, then paste the content of the report that will open when the window closes (if it doesn't open: C:\Rapport.txt)
http://www.security-helpzone.com/Tools/g3n/Shortcut_Module.exe
==
close all windows and applications during the installation and scanning.
▶ Download here:
Malwarebytes
▶ Install it (make sure to choose "French"; do not modify the installation settings) and update it.
restart Malwarebytes by strictly following these instructions:
! Disconnect and close all running applications!
▶ Launch Malwarebytes.
Do a "Complete" scan.
▶ Let the program work (and do nothing else with the PC during the scan).
▶ at the end, click on "results".
▶ Ensure all infected items are checked, then click "delete".
▶ Note: if your PC needs to restart to finish cleaning, do it!
▶ Post the saved report after deleting the infected items (in the "report/log" tab of Malwarebytes, the latest one)
==
Download here: OTL
▶ save it on your Desktop.
if you have XP => double-click
if you have Vista or Windows 7 / 8 => right-click "run as...."
on OTL.exe to launch it.
▶ => Click here to see the Configuration
▶ Copy and paste the content of the following in bold in the lower part of OTL "Customization"
HKCU\Software
HKLM\Software
HKCU\Software\Microsoft\Command Processor /s
%Homedrive%\*
%Homedrive%\*.
%Userprofile%\*
%Userprofile%\*.
%Allusersprofile%\*
%Allusersprofile%\*.
%LocalAppData%\*
%LocalAppData%\*.
%Userprofile%\Local Settings\Application Data\*
%Userprofile%\Local Settings\Application Data\*.
%programFiles%\*
%programFiles%\*.
%Systemroot%\Installer\*.
%Systemroot%\Temp\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.in*
%systemroot%\Tasks\*
%systemroot%\Tasks\*.
%systemroot%\system32\Tasks\*
%systemroot%\system32\Tasks\*.
%systemroot%\system32\drivers\*.sy* /lockedfiles
%systemroot%\system32\config\*.exe /s
%Systemroot%\ServiceProfiles\*.exe /s
%systemroot%\system32\*.sys
dir C:\ /S /A:L /C
msconfig
activex
/md5start
explorer.exe
winlogon.exe
wininit.exe
volsnap.sys
atapi.sys
ndisuio.sys
ndis.sys
cdrom.sys
i8042prt.sys
iastor.sys
tdx.sys
netbt.sys
afd.sys
/md5stop
netsvcs
safebootminimal
safebootnetwork
CREATERESTOREPOINT
▶ Click on Scan.
At the end of the scan, Notepad will open with the report (OTL.txt).
This file is on your Desktop (generally C:\Documents and settings\your_session_name\<Desktop>\OTL.txt)
▶▶▶ DO NOT POST IT ON THE FORUM (it's too long)
host OTL.txt and extra.txt on https://www.cjoint.com/ and give the links
--
¤¤¤¤¤¤¤¤¤¤_Pre_Scan_Concept_¤¤¤¤¤¤¤¤¤¤
Windows 8 => same flop as Vista X 10 -
Thank you very much,
I will try to do all that this evening.
Have a good day. -
ok to read your message :)
-
Good evening,
I'm sorry, but how should I post the Txt file? -
-
# AdwCleaner v2.303 - Report created on 06/20/2013 at 18:54:15
# Updated on 06/08/2013 by Xplode
# Operating system: Windows 7 Home Premium Service Pack 1 (64 bit)
# Username: Yannick LapTop - YANNICKLAPTOP
# Boot mode: Normal
# Executed from: C:\Users\Yannick LapTop\Desktop\AdwCleaner.exe
# Option [Removal]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted: C:\Program Files (x86)\Conduit
Folder Deleted: C:\Program Files (x86)\Software
Folder Deleted: C:\ProgramData\Tarma Installer
Folder Deleted: C:\ProgramData\Trymedia
Folder Deleted: C:\Users\Yannick LapTop\AppData\Local\PutLockerDownloader
Folder Deleted: C:\Users\Yannick LapTop\AppData\LocalLow\Conduit
Folder Deleted: C:\Users\Yannick LapTop\AppData\LocalLow\mipony-plugin
Folder Deleted: C:\Users\Yannick LapTop\AppData\Roaming\eIntaller
File Disinfected: C:\Users\Yannick LapTop\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
File Disinfected: C:\Users\Yannick LapTop\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
File Disinfected: C:\Users\Yannick LapTop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
File Disinfected: C:\Users\Yannick LapTop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
File Disinfected: C:\Users\Yannick LapTop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
***** [Registry] *****
Key Deleted: HKCU\Software\1ClickDownload
Key Deleted: HKCU\Software\APN PIP
Key Deleted: HKCU\Software\AppDataLow\HavingFunOnline
Key Deleted: HKCU\Software\AppDataLow\Software\Conduit
Key Deleted: HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted: HKCU\Software\AppDataLow\Software\mipony-plugin
Key Deleted: HKCU\Software\AppDataLow\Toolbar
Key Deleted: HKCU\Software\PIP
Key Deleted: HKCU\Software\Softonic
Key Deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Key Deleted: HKLM\Software\Boxore
Key Deleted: HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted: HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted: HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted: HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted: HKLM\Software\Conduit
Key Deleted: HKLM\Software\Desksvc
Key Deleted: HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted: HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{960AAEAC-7028-4F49-8EE9-BF0FE6E1BCF6}
Key Deleted: HKLM\Software\mipony-plugin
Key Deleted: HKLM\Software\PIP
Key Deleted: HKLM\Software\qvo6Software
Key Deleted: HKLM\Software\V9
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Key Deleted: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90D46C30-9F25-4104-AEA9-35C3F84477FF}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted: HKLM\SOFTWARE\Tarma Installer
Value Deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{90D46C30-9F25-4104-AEA9-35C3F84477FF}]
Value Deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{90D46C30-9F25-4104-AEA9-35C3F84477FF}]
Value Deleted: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{90D46C30-9F25-4104-AEA9-35C3F84477FF}]
***** [Browsers] *****
-\\ Internet Explorer v10.0.9200.16611
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491 --> hxxp://www.google.com
-\\ Google Chrome v27.0.1453.110
File: C:\Users\Yannick LapTop\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] The file contains no illegitimate entries.
*************************
AdwCleaner[S1].txt - [6385 bytes] - [06/20/2013 18:54:15]
########## EOF - C:\AdwCleaner[S1].txt - [6445 bytes] ########## -
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.20.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Yannick LapTop :: YANNICKLAPTOP [administrator]
20/06/2013 19:19:33
mbam-log-2013-06-20 (19-19-33).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File system | Heuristic/Extra | Heuristic/Shuriken | PUP | PUM
Scan options disabled: P2P
Item(s) scanned: 485575
Elapsed time: 2 hour(s), 2 minute(s), 19 second(s)
Detected memory processes: 0
(No harmful items detected)
Detected memory modules: 0
(No harmful items detected)
Detected Registry key(s): 0
(No harmful items detected)
Detected Registry value(s): 0
(No harmful items detected)
Detected Registry data item(s): 0
(No harmful items detected)
Detected folder(s): 0
(No harmful items detected)
Detected file(s): 1
C:\Program Files (x86)\WinRAR\Patch.exe (PUP.RiskwareTool.CK) -> Successfully quarantined and deleted.
(end) -
-
-
re
missing Extras.txt
-
In Chrome, you need to have an extension marked qv06.com, delete it.
-
strange, in Chrome I see this:
CHR - homepage: http://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545032B9A300_091226PBPC00QDEXTLWLX&ts=1371486491
https://www.cjoint.com/?CFwhnjxWOBx
-
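The cross-check made by eye in the post above, as an added example (not part of the original thread, nor of AdwCleaner or OTL): hosts that AdwCleaner's "Replaced:" lines removed from the Internet Explorer start pages are matched against OTL's "CHR - homepage:" lines to spot a browser that still opens on the same site. The sample lines are constructed from the two reports posted in this thread, with the query string shortened to a placeholder.

```python
import re
from urllib.parse import urlsplit

REPLACED = re.compile(
    r"^Replaced\s*:\s*\[(?P<key>.+?) - (?P<value>[^\]]+)\] = "
    r"(?P<old>\S+) --> (?P<new>\S+)$")
OTL_HOME = re.compile(r"^(?P<tag>[A-Z]{2,4}) - homepage: (?P<url>\S+)$")

def host_of(url):
    """Refang hxxp:// and return the lower-cased host without 'www.'."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def replaced_settings(adw_lines):
    """Return (registry key, value name, old host) per 'Replaced:' line."""
    out = []
    for line in adw_lines:
        m = REPLACED.match(line.strip())
        if m:
            out.append((m["key"], m["value"], host_of(m["old"])))
    return out

def leftover_homepages(adw_lines, otl_lines):
    """OTL homepage entries still on a host that AdwCleaner had to replace."""
    watch = {h for _, _, h in replaced_settings(adw_lines) if h}
    hits = []
    for line in otl_lines:
        m = OTL_HOME.match(line.strip())
        if m and host_of(m["url"]) in watch:
            hits.append((m["tag"], host_of(m["url"])))
    return hits

# Constructed sample input modelled on the two reports in this thread
ADW = [
 r"Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.qvo6.com/?utm_source=b&uid=EXAMPLE --> hxxp://www.google.com",
 r"Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.qvo6.com/?utm_source=b&uid=EXAMPLE --> hxxp://www.google.com",
 "[OK] The file contains no illegitimate entries.",
]
OTL = [
 "CHR - homepage: http://www.qvo6.com/?utm_source=b&uid=EXAMPLE",
 "CHR - homepage: http://www.google.com/",
]

if __name__ == "__main__":
    for key, value, host in replaced_settings(ADW):
        print(f"cleaned  {host:10} {key} [{value}]")
    for tag, host in leftover_homepages(ADW, OTL):
        print(f"LEFTOVER {host:10} {tag} homepage")
```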
change your startup page
-
hello look here
http://www.clubic.com/navigateur-internet/google-chrome/aide-astuce-tuto/google-chrome-comment-changer-la-page-d-accueil-2460.html
-
Hello,
I have changed my homepage and everything is working fine,
Thank you for your support. -
bah if it's not done => the cleaning :
https://forums-fec.be/entraide/viewtopic.php?f=11&t=229
-
a big nothing to you ^^