  1. #1
    New Lounger

    How to remove QueryRabbit malware?

    I run FlashBlock in my Firefox. I have noticed for the past few weeks an icon for Flash in the upper left of all web pages. Including my own pages, which are simple static HTML. So I clicked it. I had to click it twice. A couple of random words on my page became hyperlinks. One for QueryRabbit to find the best local deals on tablecloths. And the word Amazon was turned into an associate link for QueryRabbit.

    I was unable to find QueryRabbit in the list of Firefox addons, or in the Firefox extensions, or in Windows' Programs and Features. Searching the web didn't find anything for uninstalling it. The http://www.queryrabbit.com/ site has nothing. Not even a contact to complain to. And the domain registration (new last October) is cloaked.

    Web searching, with excluding the QueryRabbit site itself, finds almost no mentions of this product. I thought it to be malware. I ran Malwarebytes. Nothing. I ran Spybot. Nothing. I contacted Spybot. I sent them a log. They suggested removing a Browser Helper Object entry in the Registry. It was an entry with no value. It didn't help. Spybot suggested resetting the browser. I have not done that. I'm assuming it will clear all my addins and settings.

    So how do I remove QueryRabbit from my system?

  2. #2
    WS Lounge VIP mrjimphelps
    I would start by running CCleaner. Go to Tools, and bring up the list of startup items. See if you can find QueryRabbit in any of the startup lists; if you do, uncheck it, so that it won't start the next time you start Windows. While there, disable other unwanted items.

    Then reboot to Safe Mode with Networking. Run your malware scan from there.

    If none of that fixes it, then, from another computer, create a Windows Defender Offline disk (http://windows.microsoft.com/en-US/w...fender-offline), or some other "pre-Windows" scan disk by another vendor, and reboot the computer with the disk in the drive. You might catch the malware if Windows isn't running while the computer is being scanned.

  3. #3
    New Lounger
    I run CCleaner regularly. I run a licensed WinPatrol. One of its features is listing all the Startup Programs. I had not checked it. I am checking it now. I am able to identify all processes.

    Before creating a Windows Defender disc I will see if there are any other suggestions. And the infection is clearly in Flash in the browser.

    What baffles me on all of this is why hasn't anyone else discovered this and mentioned it on the web?
    Last edited by donwiss; 2013-02-07 at 19:41.

  4. #4
    New Lounger
    Since it is using Flash I tried something. Using the downloadable program from Adobe, I uninstalled Flash. It was gone. I then reinstalled Flash. It came back.

  5. #5
    WS Lounge VIP Browni
    Do you have a restore point prior to this happening?

  6. #6
    WS Lounge VIP mrjimphelps
    Originally posted by donwiss:
    > Since it is using Flash I tried something. Using the downloadable program from Adobe, I uninstalled Flash. It was gone. I then reinstalled Flash. It came back.

    Check your Flash cookies. I'm sorry that I don't have any knowledge of how to do that, but I understand that Flash has its own cookies, in its own special place.

  7. #7
    New Lounger
    > Do you have a restore point prior to this happening?

    This malware has been on my machine for weeks. Maybe months. I wouldn't know what old restore to use. If they go that far back. Remember I do run CCleaner.

    > Check your flash cookies.

    I had forgotten about them. A search finds there is an Adobe page that has a settings utility that lists them. Only one address is listed for website storage location. I do run BetterPrivacy, a Flash cookie blocking program. Maybe it got the other cookies and not this listed one? It is cdncache1-a.akamaihd.net. A visit to the site finds XML. I deleted the cookie. I closed Firefox. I reopened it. The Flashblock icon to start QueryRabbit is still in the upper left. I went back to the Adobe page. The entry did not reappear.

  8. #8
    New Lounger
    I thought I'd spend some time playing with QueryRabbit. I used my own pages. They would make it easiest to see the added links. Sometimes I clicked the Flashblock icon once and it went away. I then find no links added to that page. Only when the Flashblock icon reappeared and I clicked it a second time, do the links appear on the page. Apparently some pages are not worthy of adding links to.

    The links are not added to the source code. Large tool tips are displayed when you hover over the links. When you hover over a link at the bottom it shows as an empty link that would refresh the page, but there is a link. Pages get two to four links added near the page top. The number appears to be related to page size. It doesn't care where the words it adds links to are located. Text, picture caption, heading, wherever.

    Some examples:

    Beefgrd: The word "your" was turned into a link to instantly find your credit scores, and the word almond turned into a link.

    Relishes: Turned the word sweetener to a link for artificial sweeteners. Turned "stock photo" to a link to informationgetter.com, which has a contact page. Changed "mailing list" to a link to informationgetter.com.

    Appetizers: Avocado became a link to SymptomFind.com/Avocados. Gum became a link to SymptomFind.com/ChewingGum. "Fruits and Vegetables" got a link to something about a tip for a flat stomach. "Begin" got a link to enrolling in a college education.

  9. #9
    New Lounger
    I tried it on a couple more of my pages:

    flatbreads: This was the first page that I saw this on. This time it didn't display any links. Apparently it only adds links every few pages visited. Probably a small random number.

    glutrice: A mid-sized page, so it got three links:
    food coloring - hover and a big popup for "by CouponDropDown" for Love to Bake
    recipe - hover and a big popup for "by CouponDropDown" for iPad and other hot tech items
    grocery - link to socialSurveyusa.com "Congrats brooklyn Visitor:" then enticement to win

    QueryRabbit was just the name on one of the popups on my first page. That name may not be appropriate for this malware.
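
Post #8 observes that the added links are not in the page source and only appear in the rendered page. The JavaScript below is an added example, not part of the thread: it diffs the anchors in the HTML as served against the anchors in the live DOM and lists the ones injected after load. The function names, the constructed `SAMPLE_*` data and the regex-based parsing (adequate only for simple static HTML without entities) are assumptions.

```javascript
// Collapse whitespace so source text and rendered text compare equal.
const norm = (s) => s.replace(/\s+/g, ' ').trim();

// Resolve an href against the page URL; malformed values are kept verbatim.
function absolute(href, baseUrl) {
  try { return new URL(href, baseUrl).href; } catch { return href; }
}

// Anchors in the HTML as served, as a Set of "absoluteHref|text" keys.
// Assumption: regex parsing is good enough for simple static pages.
function anchorsInSource(html, baseUrl) {
  const keys = new Set();
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const href = h ? (h[1] ?? h[2] ?? h[3]) : '';
    const text = norm(m[2].replace(/<[^>]*>/g, ''));
    keys.add(absolute(href, baseUrl) + '|' + text);
  }
  return keys;
}

// liveAnchors: [{href, text}] read from the rendered DOM, e.g. in the console:
//   [...document.querySelectorAll('a')].map(a =>
//     ({ href: a.getAttribute('href') || '', text: a.textContent }))
// Returns the anchors that exist in the DOM but not in the served HTML.
function injectedLinks(sourceHtml, liveAnchors, baseUrl) {
  const served = anchorsInSource(sourceHtml, baseUrl);
  return liveAnchors.filter(
    (a) => !served.has(absolute(a.href, baseUrl) + '|' + norm(a.text))
  );
}

// Constructed sample: one real link in the source, two script-added anchors.
const SAMPLE_URL = 'http://example.test/relishes.html';
const SAMPLE_SOURCE = `<h1>Relishes</h1>
<p>Add sweetener to taste. See the <a href="index.html">recipe
index</a> or join the mailing list.</p>`;
const SAMPLE_LIVE = [
  { href: 'index.html', text: 'recipe index' },
  { href: '#', text: 'sweetener' }, // empty-looking link, as described in post #8
  { href: 'http://ads.example.test/c?id=1', text: 'mailing list' },
];
```

For a live page, the served HTML can be obtained with view-source or a command-line fetch and passed in as `sourceHtml` alongside the anchors collected from the console.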
