Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


QLowZones-15, bgates[1].exe trojan on my lovely new laptop


Post by Bob4 » July 28th, 2006, 10:44 am

McAfee hasn't popped up with any warnings whilst I was carrying out the instructions from your post.

I think we're there. Just let me know exactly what ewido warned you about?


I am going to list a couple of optional fixes for you to consider.
If you decide to do them be sure to disable Windows Defender before fixing them.

_________________________________
We need to disable Windows Defender.
A good program but may interfere with our fixes.

Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender

_________________________________
You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog.
You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime



______________________________
You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to iTunes MP3 streaming tool
by Apple which allows you to play MP3s. This process speeds up iTunes when it starts, and the program also monitors
for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it.
It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis.
This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe



Just let me know what ewido warned you about please.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by David Clack » July 28th, 2006, 3:33 pm

I'm not so optimistic.... it was the PurityScan trojan that ewido alerted me to earlier... I tried looking for the PurityScan folder in C:\program files as you suggested but it wasn't there.

I've just done a full scan with Ewido... strangely it hasn't reported the PurityScan trojan, but here's the full report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:29:11 28/07/2006

+ Scan result:



HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : No action taken.
C:\!KillBox\iifgdca.dll -> Adware.Virtumonde : No action taken.
C:\!KillBox\iifgdca.dll( 1) -> Adware.Virtumonde : No action taken.
C:\!KillBox\xxyvsst.dll -> Adware.Virtumonde : No action taken.
C:\!KillBox\xxyvsst.dll( 2) -> Adware.Virtumonde : No action taken.
:mozilla.31:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.71:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.72:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.73:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.74:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.75:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.35:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.38:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.7:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.8:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.9:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.36:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Adviva : No action taken.
:mozilla.23:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.63:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.64:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.39:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.24:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.55:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.56:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.57:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.58:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.80:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.81:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.82:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.83:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.50:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Masterstats : No action taken.
:mozilla.37:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Dave\Cookies\dave@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Dave\Cookies\dave@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.44:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.92:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.93:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.66:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.67:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.60:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.18:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Valueclick : No action taken.
:mozilla.19:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Valueclick : No action taken.
:mozilla.41:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.42:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.43:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end



McAfee still isn't doing anything, but there still seems to be issues since Ewido has found problems...

Thanks for the Quicktime tip thing by the way, it's always annoyed me being there and I never use it.
David Clack
Active Member
 
Posts: 10
Joined: July 25th, 2006, 5:52 am
Location: London

Post by Bob4 » July 28th, 2006, 6:18 pm

Rerun ewido and quarantine/delete all it found.
"but there still seems to be issues since Ewido has found problems"
If by this you mean because ewido found things, it's OK. It found mostly cookies and what we have inside of Killbox which is safe. Is that what you mean by that?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
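
Added example, not part of the thread or of ewido itself: a small Python triage of the report's `object -> detection : action` lines, using a few lines copied from the report above. It groups findings the way the reply does (tracking cookies, copies sitting in the C:\!KillBox folder) and lists whatever falls outside those two groups; the bucket names and function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# A few lines copied from the scan report quoted in the thread.
SAMPLE = r"""
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : No action taken.
C:\!KillBox\iifgdca.dll -> Adware.Virtumonde : No action taken.
C:\!KillBox\xxyvsst.dll( 2) -> Adware.Virtumonde : No action taken.
:mozilla.24:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\dixkmuyg.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
"""

# object -> detection name : action taken
LINE = re.compile(r"^(?P<obj>.+?) -> (?P<name>\S+) : (?P<action>.+)$")


def parse(report):
    """Return one dict per finding; header and separator lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def bucket(finding):
    """Assign a finding to a triage bucket (bucket names are illustrative)."""
    obj = finding["obj"]
    if finding["name"].startswith("TrackingCookie."):
        return "tracking cookie"
    if obj.upper().startswith("C:\\!KILLBOX\\"):
        return "killbox folder copy"
    if re.match(r"^HK(LM|CU|CR|U)\\", obj):
        return "registry entry"
    return "other file"


def triage(report):
    """Count findings per bucket."""
    return Counter(bucket(f) for f in parse(report))


def needs_review(report):
    """Objects that are neither cookies nor copies inside C:\\!KillBox."""
    skip = {"tracking cookie", "killbox folder copy"}
    return [f["obj"] for f in parse(report) if bucket(f) not in skip]


if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
    print(needs_review(SAMPLE))
```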

Post by David Clack » July 28th, 2006, 7:02 pm

Yeah, ewido just finds tracking cookies, but you say they're nothing to worry about?

A McAfee scan finds nothing malicious either, so are my woes over now?
David Clack
Active Member
 
Posts: 10
Joined: July 25th, 2006, 5:52 am
Location: London

Post by Bob4 » July 28th, 2006, 7:30 pm

Yes, as I said, please run ewido again and get those cookies off there. They're not dangerous but should be dealt with.
Here's how I set up and run ewido.

Ewido
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Click on scanner
Click on Settings
Under How to act
Choose quarantine

Under Reports check automatically create report after every scan.
Now back to the scan tab and click on Complete system scan

Let the program scan the machine.
When finished click apply all actions.


__________________

Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!


___________________________________
If we have set your computer to see all files and folders we must reprotect them.

UNDO SHOW ALL FILES
Click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Select the checkbox labeled Hide file extensions for known file types.
Replace the checkmark in the checkbox labeled Hide protected operating system files.
Press the Apply button and then OK.
Now many important files are safe.





___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is in case you need system restore you don't put back all we just took out. But do not ever shut it down for an extended time.
Right click My Computer
Then Properties then system restore
Place a check mark by turn off system restore
Click APPLY
Windows will give you a warning click yes
REBOOT

Now go right back to the same place and uncheck system restore
Click APPLY and OK





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from:

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you with spyware and adware if you visit them.
Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and keep these updated and run weekly if you don't already have them.

Ad-Aware
Tutorial

Spybot Search & Destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



___________________________________
Keep Windows updated here

___________________________________
You can read about a lot safer surfing here


___________________________________
And it goes without saying do not open Email from someone you don't know.

___________________________________
This is how you may have become infected




Safe and Happy Surfing. :)
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by 'KotaGuy » July 30th, 2006, 10:40 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada