Delete Qo-pro.com

Solved
JordanVELARD Posted messages 125 Status Member -  
bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   -
Hello,

When I search with Google Chrome, before the search results appear, the URL qo-pro.com shows up in the search bar...
After several searches and scans with ZHP Cleaner, the problem persists...
I have also uninstalled Chrome and reinstalled it...

I am not sure what to do.

Thank you in advance for your help.

Configuration: Windows / Chrome 81.0.4044.138

16 answers

  1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
     
    Hello,
    Download FRST and once downloaded save it on the desktop then open it and you will see this:

    Then check the shortcut box like this:

    Click on Analyze and at the end of the analysis you will have three text files on the desktop FRST, Addition and Shortcut, make sure to wait for the messages saying that the analysis is complete, then send these reports to https://pjjoint.malekal.com/ see this tutorial paragraph Send analysis reports to pjjoint then provide the three links generated by Pjoint in your next message.

    --
    bazfile..
    Moderator/Security Contributor.
    a hello, a response, a thank you are always appreciated.
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Procedure to follow in the indicated order:

      1- Open FRST
      2 - Copy the entire script that is in the box that follows:
      Start::
      CreateRestorePoint:
      CloseProcesses:
      GroupPolicy: Restriction ?
      FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
      HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction
      Edge HomeButtonPage: HKU\S-1-5-21-3961947222-2854571345-2454660537-1001 -> hxxp://www.qo-pro.com/
      CHR DefaultSearchURL: Default -> hxxp://www.qo-pro.com/search?q={searchTerms}
      HKU\.DEFAULT\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Legass\Application\chrome.exe
      HKU\S-1-5-21-3961947222-2854571345-2454660537-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Footper\Application\chrome.exe
      HKU\S-1-5-18\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Legass\Application\chrome.exe
      Task: {EE277C40-023A-4945-A5E7-4D868B7473AD} - \Microsoft\Windows\UNP\RunCampaignManager -> No file
      SearchScopes: HKU\S-1-5-21-3961947222-2854571345-2454660537-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL =
      C:\Program Files (x86)\Legass
      C:\Program Files (x86)\Footper
      EmptyTemp:
      End::

      3- Once the script is copied click on Fix.

      Allow the fix to complete and once it is finished you will be asked to restart your pc, do so as soon as you are prompted, see below.
      Then once your computer has restarted:
      4- You will have a Fixlog file on your desktop send it via https://pjjoint.malekal.com/ then put the link generated by Pjoint in your next message.
      5- Reset Google Chrome with THIS SOFTWARE

      6- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT

      0
  2. JordanVELARD Posted messages 125 Status Member
     
    It's all good, the problem is solved. Thank you.
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Good day.
      0
  3. aurelien
     
    Hello, I have exactly the same problem. Can I copy the same correction?
    Thank you
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Good evening,
      No, definitely not, the scripts are custom-made and are therefore only intended for the computers for which they were written. Perform a FRST analysis and provide the reports as indicated in the procedure https://forums.commentcamarche.net/forum/affich-36664297-supprimer-qo-pro-com#1
      0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Procedure to follow in the indicated order:

      1- Open FRST
      2 - Copy the entire script that is in the box below:
      Start::
      CreateRestorePoint:
      CloseProcesses:
      FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
      CHR HKLM\SOFTWARE\Policies\Google: Restriction
      Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2020-07-13]
      ShortcutTarget: $McRebootA5E6DEAA56$.lnk -> (No File)
      HKU\S-1-5-21-3806746808-4152399581-3084288339-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.qo-pro.com/
      SearchScopes: HKU\S-1-5-21-3806746808-4152399581-3084288339-1001 -> DefaultScope {D9243B22-1605-4FF6-8805-0DE0B50C51D4} URL = hxxp://www.qo-pro.com/search?q={searchTerms}
      SearchScopes: HKU\S-1-5-21-3806746808-4152399581-3084288339-1001 -> {D9243B22-1605-4FF6-8805-0DE0B50C51D4} URL = hxxp://www.qo-pro.com/search?q={searchTerms}
      Edge HomeButtonPage: HKU\S-1-5-21-3806746808-4152399581-3084288339-1001 -> hxxp://www.qo-pro.com/
      CHR HomePage: Default -> hxxp://www.qo-pro.com/
      CHR StartupUrls: Default -> "hxxp://www.qo-pro.com/"
      CHR DefaultSearchURL: Default -> hxxp://www.qo-pro.com/search?q={searchTerms}
      Task: {99504D62-36A1-4552-9527-B2817C749A51} - \Microsoft\Windows\UpdateOrchestrator\AC Power Install -> No File
      EmptyTemp:
      End::

      3- Once the script is copied click on Fix.

      Let the fixing process complete, once it is finished you will be asked to restart your PC, do it as soon as you are prompted, see below.
      Then once your computer has restarted:
      4- You will have a Fixlog file on your desktop send it via https://pjjoint.malekal.com/ then put the link generated by Pjoint in your next message.
      5- Reset Google Chrome https://support.google.com/chrome/answer/3296214?hl=fr

      6- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT

      0
  4. Aurelien
     
    Good evening again,
    Thank you very much, it worked!
    Here’s the link: https://pjjoint.malekal.com/files.php?id=20200713_k7s6e5v12k10
    Do you know how to avoid getting this thing again? Maybe my protection isn’t good enough...

    Thanks again.
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Nothing to do with your protection, be careful what you install especially if the software is free. For example:
      When you install free software, you need to read the various screens carefully during the installation to avoid getting trapped.
      You need to uncheck the proposed boxes; they are not always visible at first glance, for example:


      FOR INFORMATION:

      Your version of Windows 10 is not up to date, check it with THIS MICROSOFT TOOL.

      Good night.
      0
  5. Aurelien
     
    Okay, thank you very much, have a good evening and good night.
    0
  6. Ninicoco44
     
    Hello,
    I have the same issue (on Edge Chromium), could a good Samaritan come to my aid?

    Addition: https://pjjoint.malekal.com/files.php?id=20200717_n6h6b12o15m12
    FRST: https://pjjoint.malekal.com/files.php?id=FRST_20200717_z15s9e15q15p13
    Shortcut: https://pjjoint.malekal.com/files.php?id=20200717_j7b11p12f5s8

    Thanks in advance ;-)
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Procedure to follow in the indicated order:

      1- Open FRST
      2 - Copy the entire script that is in the box below:
      Start::
      CreateRestorePoint:
      CloseProcesses:
      HKU\S-1-5-21-508807138-4054684981-3814915774-1001\...\Run: [Chromium] => "c:\users\hermeland-27\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
      C:\Users\HERMELAND-27\AppData\Local\Chromium
      Edge HomePage: Default -> hxxp://www.qo-pro.com/
      Edge DefaultSearchURL: Default -> hxxp://www.qo-pro.com/search?q={searchTerms}
      Edge DefaultSearchKeyword: Default -> qo-pro.com
      EmptyTemp:
      End::

      3- Once the script is copied, click on Fix.

      Let the correction take place, once it is finished you will be asked to restart your PC, do it as soon as you are prompted, see below.
      Then, once your computer is restarted:
      4- You will have a Fixlog file on your desktop, send it via https://pjjoint.malekal.com/ then put the link generated by Pjoint in your next message.

      5- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT

      0
  7. protectioniste
     
    I'm sorry, I can't assist with that.
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      I'm sorry, I can't assist with that.
      0
  8. MikeC
     
    Hello,

    I am also infected with qo-pro (and maybe more...)

    Could you please help me?

    Here are the links:

    https://pjjoint.malekal.com/files.php?id=20201223_g118k10v7k5

    https://pjjoint.malekal.com/files.php?id=FRST_20201223_m5j6j13v6w12

    https://pjjoint.malekal.com/files.php?id=20201223_l8c14n9n7k14

    Thank you in advance!
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Hello,
      Procedure to follow in the order indicated:

      1- Open FRST
      2 - Copy the entire script in the box below:
      Start::
      CreateRestorePoint:
      CloseProcesses:
      HKU\S-1-5-21-3817573752-3000552934-4059848185-1000\...\Run: [GalaxyClient] => [X]
      Task: {2347FF16-2A7C-4D2F-9E1E-695D128CC354} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No file
      Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No file
      Task: {9F7FFB58-9CC1-47ED-B97B-12EA4A3F8877} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No file
      Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No file
      Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No file
      Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No file
      FF Plugin: @microsoft.com/GENUINE -> disabled [No file]
      FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No file]
      FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No file]
      S2 AntiVirMailService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe" [X]
      S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [X]
      S2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [X]
      S2 AntiVirWebService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe" [X]
      S2 Avira.ServiceHost; "C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe" [X]
      S3 Futuremark SystemInfo Service; "C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe" [X]
      U1 aswbdisk; no ImagePath
      U3 avgbdisk; no ImagePath
      S2 avgntflt; system32\DRIVERS\avgntflt.sys [X]
      S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
      HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
      CHR Notifications: Default -> hxxps://www.fnac.com; hxxps://www.gouvernement.fr; hxxps://www.humorpolitico.com.br; hxxps://www.inspideco.org; hxxps://www.pinterest.fr
      FF Homepage: Mozilla\Firefox\Profiles\6pm6bc7f.default -> hxxp://www.qo-pro.com/
      CHR StartupUrls: Default -> "hxxp://www.google.fr/","hxxp://www.qo-pro.com/"
      CHR NewTab: Default -> Not-active:"chrome-extension://ommbgnllpkjnidkcnginhlacffdcdijc/index.html"
      CHR DefaultSearchURL: Default -> hxxps://fr.search.yahoo.com/search?fr=mcafee&type=E210FR91082G0&p={searchTerms}
      CHR DefaultSearchKeyword: Default -> mcafee
      CHR DefaultSuggestURL: Default -> hxxps://fr.search.yahoo.com/sugg/gossip/gossip-fr-partner?output=fxjson&appid=mca&source=yahoo_mcafee_searchassist&command={searchTerms}
      CHR HKLM\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll]
      CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx [2014-05-05]
      CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll]
      CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
      CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck]
      CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
      CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki]
      CHR HKLM-x32\...\Chrome\Extension: [npdicihegicnhaangkdmcgbjceoemeoo]
      Avira (HKLM-x32\...\{670F06EC-252B-4791-BE79-8A20635B9707}) (Version: 1.2.134.56164 - Avira Operations GmbH & Co. KG) Hidden
      EmptyTemp:
      End::

      3- Once the script is copied, click on Fix.

      Let the fix complete, once done you will be prompted to restart your PC, do so as soon as you are asked, see below.
      Then once your computer has restarted:
      4- You will have a Fixlog file on your desktop send it via https://pjjoint.malekal.com/ then put the link generated by Pjoint in your next message.
      5- Reset Chrome and Firefox with https://www.commentcamarche.net/telecharger/utilitaires/19335-resetbrowser/

      6- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT


      ____________________________________________________________________________________

      To finish:

      7- You uninstalled Avira but it is not completely uninstalled, uninstall it with Revo Uninstaller in Advanced scan mode see below


      Here is how to proceed to uninstall a program in advanced scan mode.






      Accept the uninstallation of the program you wish to uninstall and if there is an error message saying that uninstallation is impossible close the error message and continue the procedure.


      Check "Advanced scan" then click on "Scan".


      Click on "Select all" then on "Delete" if a second list appears do the same then once everything is deleted click on "Finish" a restart may be requested.

      .
      0
  9. MikeC
     
    Thank you for your quick response!

    Here is the fixlog:

    https://pjjoint.malekal.com/files.php?id=20201223_p10h6k12f11z5

    However, Qo-Pro is still present!

    (Avira has been completely uninstalled now, thank you!)
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      He is available on which internet browser ??
      Make a new FRST analysis and provide the links.
      0
  10. MikeC
     
    Sorry, I forgot the Reset Browser step!

    So I reinstalled Chrome, and Qo-Pro seems to be gone!

    Thank you so much for your efficiency and availability!
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      You're welcome
      Have a nice day.
      0
  11. Maxence
     
    Hello,

    Here are the 3 links from pjjoint.malekal.com

    https://pjjoint.malekal.com/files.php?id=FRST_20201229_e6n9t8x14q10
    https://pjjoint.malekal.com/files.php?id=20201229_k10y10n6j12v14
    https://pjjoint.malekal.com/files.php?id=20201229_e7m119n15n8

    Wouldn't it be easier for you to show how to obtain the script? Because if you have to reply to everyone, you will lose a lot of time, anyway thanks in advance!
    0
    1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266
       
      Isn't it easier for you to show how to obtain the script?

      Creating a script requires certain knowledge, each script is different because qo-pro is visible but there may be other infections on the PC which was not your case, only qo-pro was present.

      Procedure to follow in the order indicated:

      1- Open FRST
      2 - Copy the entire script in the box below:
      Start::
      CreateRestorePoint:
      CloseProcesses:
      HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
      CHR StartupUrls: Default -> "hxxp://www.qo-pro.com/"
      EmptyTemp:
      End::

      3- Once the script is copied, click on Fix.

      Let the fix complete, once it is finished you will be asked to restart your PC, do so as soon as it is requested, see below.
      Then once your computer is restarted:
      4- You will have a Fixlog file on your desktop, send it via https://pjjoint.malekal.com/ then put the link generated by Pjoint in your next message.

      5- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT

      ===If the problem is still present after the FRST fix, reset Google Chrome with THIS SOFTWARE.===
      0
      1. bazfile Posted messages 58489 Registration date   Status Moderator Last intervention   20 266 > Maxence
         
        Everything is fine.
        Happy end of year holidays to you too.
        0