
Qvo6 Hijacker

Posted: March 29, 2013

Threat Metric

Ranking: 7,169
Threat Level: 5/10
Infected PCs: 36,396
First Seen: March 29, 2013
Last Seen: October 9, 2023
OS(es) Affected: Windows

The Qvo6 hijacker is a browser hijacker that Qvo6.com promotes as a useful search-enhancing utility, even though Qvo6's real search-related features appear to be limited to redirecting PC users to popular search engines like Google. Installation methods for the Qvo6 hijacker appear to include many non-consensual methods, and although Qvo6.com does provide uninstallation instructions, these instructions may not remove all of the components of any particular Qvo6 hijacker. As a standard precaution against Qvo6 hijacker infections, malware researchers recommend using anti-malware programs to analyze and disinfect your PC whenever your browser redirects to Qvo6.com repeatedly – the defining symptom of all Qvo6 hijackers.

From Search Engine to Search Engine with Nary a Choice in the Matter

The Qvo6 hijacker is one of a virtually innumerable horde of browser hijackers that are used to promote obscure search engine websites. Unlike some search sites promoted this way, Qvo6.com has shown the SpywareRemove.com malware research team zero indications of attempting serious attacks against your machine, such as drive-by-downloads or the promotion of fake PC security products. However, a browser hijacker promoting Qvo6.com does pose a problem, which affects all prominent browsers from Microsoft's Internet Explorer to Google's Chrome. Regardless of the browser that's being hijacked, the result is always the same: you're being redirected to Qvo6.com without your permission. Qvo6 may add the argument http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts= to different web browser shortcuts and other non-internet applications. This may cause Qvo6 to open when other hijacked shortcuts are accessed on an infected computer. Qvo6 may also be connected to other third-party applications like the Certified Toolbar on various web browsers.
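A defender can check for the appended argument described above by parsing each shortcut target or launch command and flagging any URL hard-coded after the executable path. This is an added example, not code from SpywareRemove.com; the function names, shortcut labels and file paths in the sample data are constructed for illustration, and the check generalizes to any appended URL rather than only Qvo6's.

```python
import re
from urllib.parse import urlsplit

WATCHED_DOMAINS = ("qvo6.com",)  # domain named in the article

# Executable path (quoted, or unquoted up to the first ".exe"), then arguments.
_CMD = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))(?:\s+(.*))?$', re.IGNORECASE)
_URL = re.compile(r'https?://[^\s"]+', re.IGNORECASE)

def split_command(command):
    """Return (executable, arguments) for a shortcut or launch command."""
    m = _CMD.match(command)
    if not m:
        return command.strip(), ""
    return (m.group(1) or m.group(2)), (m.group(3) or "").strip()

def host_matches(host, domains=WATCHED_DOMAINS):
    """True for a watched domain or any of its subdomains, not look-alikes."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(commands):
    """Flag every URL hard-coded into the arguments of a launch command."""
    findings = []
    for source, command in commands.items():
        exe, args = split_command(command)
        for url in _URL.findall(args):
            host = (urlsplit(url).hostname or "").lower()
            findings.append({"source": source, "exe": exe, "host": host,
                             "watched": host_matches(host)})
    return findings

# Constructed sample data: labels and paths are illustrative.
SAMPLE = {
    "Firefox.lnk": r"C:\Program Files\Mozilla Firefox\firefox.exe "
                   "http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=",
    "Opera.lnk": r'"C:\Program Files\Opera\Opera.exe" '
                 "http://qvo6.com/web?q=",
    "Notepad.lnk": r"C:\Windows\notepad.exe http://notqvo6.com/",
    "IE.lnk": r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding is worth reviewing, since a browser or non-browser shortcut rarely needs a fixed URL argument; the `watched` field only marks the ones that match the domain from this article.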

For its half of the deal, Qvo6.com does not appear to have any functions besides redirecting would-be searchers to Google and similar search engines. Qvo6 hijackers tend to be installed without your permission and may be included in software bundles distributed through torrent-based networks and/or freeware websites. In some cases, you may be notified of a Qvo6 hijacker's installation and be allowed to refuse it, but such courtesies are far from universal. Many victims of Qvo6 hijacker attacks appear to become aware of a Qvo6 hijacker's presence only after their browser redirects to Qvo6.com, which, as mentioned beforehand, SpywareRemove.com malware experts don't consider to be a major danger to your computer. Qvo6 and the Qvo6.com generic search engine have been tied to PortaldoSites.com as the publishing company.

Re-Railing Your Browser Towards Your Favorite Search Sites without the Qvo6 Hijacker Muddling the Matter

While Qvo6.com includes uninstallation instructions for removing its Qvo6 hijacker, SpywareRemove.com malware analysts don't recommend that you avail yourself of them; the majority of browser hijackers will leave setting changes and other components behind even after they're removed by the usual methods. However, appropriate anti-malware products can be a more surefire option for deleting a Qvo6 hijacker without leaving any unwanted files or settings on your PC after the fact. The Qvo6 hijacker, as stated earlier, isn't likely to expose you to hostile content. However, PC threats that install the Qvo6 hijacker also may install other forms of malware. Combating this risk is done most easily via qualified anti-malware programs that can detect any relevant PC threats in a thorough scan.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%TEMP%\eIntaller\85711E23AE47427bAAA87EB7BBA4EBE9\eXQ.exe
File name: eXQ.exe
Size: 460.34 KB (460344 bytes)
MD5: edcd457e9a88012c97f3946ac14993f8
Detection count: 103
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\eIntaller\85711E23AE47427bAAA87EB7BBA4EBE9
Group: Malware file
Last Updated: September 17, 2013

adks_ar_qvo6.exe
File name: adks_ar_qvo6.exe
Size: 489.55 KB (489552 bytes)
MD5: 4e6273221edf7559c439d35fe9eac94e
Detection count: 99
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 23, 2013

amt_ar_qvo6.exe
File name: amt_ar_qvo6.exe
Size: 93.77 KB (93776 bytes)
MD5: 3f580a0c95f82e4d126483c121055b98
Detection count: 97
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 2, 2013

qvo6.exe
File name: qvo6.exe
Size: 543.23 KB (543232 bytes)
MD5: a4c227701f45a8b12d5f92b8607b8d89
Detection count: 58
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 8, 2013

%TEMP%\eIntaller\BCA018E31ACD433795EE1854C270BC08\DProtect.exe
File name: DProtect.exe
Size: 1.42 MB (1423936 bytes)
MD5: acc378147807fd12136cfbde2f81af02
Detection count: 43
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\eIntaller\BCA018E31ACD433795EE1854C270BC08
Group: Malware file
Last Updated: September 17, 2013

Registry Modifications

The following Registry values are newly created:


Additional Information

The following URLs were detected:
http://qvo6.com/web?q=
