BankerFox.A and Win32/Nuqel.E Virus and how to remove it


Post by weswins on Wed Nov 04, 2009 2:10 pm

This was originally posted by dragonmasterjay to help janyamagami remove their virus, and I could not post in that reply.

So this is what I did to successfully remove the BankerFox.A and Win32/Nuqel.E viruses from my computer:

Post by DragonMaster Jay on Mon Nov 02, 2009 8:53 pm
Please download the Kaspersky AVP Tool from Kaspersky-labs.com.

* Save it to your desktop.
* Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
* Double click the setup file to run it.
* Click Next to continue.
* It will by default install to your desktop folder. Click Next.
* Hit OK at the prompt for scanning in Safe Mode.
* It will then open a box. There will be a tab that says Automatic scan.
* Under Automatic scan make sure these are checked:

o System Memory
o Startup Objects
o Disk Boot Sectors.
o My Computer.
o Also any other drives (Removable that you may have)


After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.


* Then click on Scan at the top right hand corner.
* It will automatically Neutralize any objects found.
* If some objects are left un-neutralized, click the button that says Neutralize all.
* If it says it cannot be Neutralized, choose the Delete option when prompted.
* After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
* Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top under Detected) in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

It worked, and upon restart I was notified of a couple of programs trying to start up and just deleted them.
Since then, I have had no problems other than the Toshiba flashcards still not working, but that was happening well in advance of the virus...

Thank you Dragonmasterjay, I now have my computer back!


Re: BankerFox.A and Win32/Nuqel.E Virus and how to remove it

Post by weswins on Wed Nov 04, 2009 2:21 pm

This is the report I received from the Kaspersky Virus Removal Tool:

Scan
----
Scanned: 929355
Detected: 70
Untreated: 0
Start time: 03/11/2009 9:37:11 PM
Duration: 09:17:20
Finish time: 04/11/2009 6:54:31 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Packed.Win32.Krap.ah File: c:\windows\svc.exe
deleted: Trojan program Trojan-Clicker.Win32.Vesloruki.cpp File: c:\windows\odb.exe
deleted: Trojan program Packed.Win32.Krap.ah File: c:\windows\lsass.exe
deleted: Trojan program Trojan.Win32.FraudPack.zcq File: c:\program files\ecclmu\ufsmsysguard.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.crak File: c:\users\we\appdata\roaming\dealassistant\dealassistant.exe
deleted: Trojan program Packed.Win32.Krap.ag File: c:\users\we\appdata\local\temp\4.exe
deleted: Trojan program Packed.Win32.Krap.ag File: c:\users\we\appdata\local\temp\f.exe
deleted: Trojan program Packed.Win32.Krap.ah File: c:\users\we\appdata\roaming\sdra64.exe
deleted: Trojan program Packed.Win32.TDSS.z File: c:\windows\temp\139.tmp
deleted: Trojan program Trojan.Win32.BHO.whc File: c:\windows\system32\iehelper.dll
deleted: Trojan program Packed.Win32.Krap.ag File: c:\windows\msb.exe
deleted: Trojan program Trojan-Clicker.WMA.Agent.d File: C:\Users\we\Documents\LimeWire\Saved\02 - The Underdog Project - Summer Jam 2003.wma
deleted: Trojan program Trojan-Downloader.WMA.Wimad.u File: C:\Users\we\Documents\LimeWire\Saved\05 hell raiser.wma
deleted: Trojan program Trojan-Downloader.WMA.Wimad.u File: C:\Users\we\Documents\LimeWire\Saved\Eddy Money - Two Tickets to Paradise.wma
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.c File: C:\Users\we\Documents\LimeWire\Saved\Eminem_ Ass like that.mp3
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.c File: C:\Users\we\Documents\LimeWire\Saved\roll another joint neil young.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.ah File: C:\Users\we\Documents\LimeWire\Saved\summer jam.wma
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.ah File: C:\Users\we\Documents\LimeWire\Saved\welcome to wherever you are.wma
deleted: Trojan program Packed.Win32.Krap.x File: C:\ProgramData\50088829\50088829.exe
not found: Trojan program Packed.Win32.Krap.x File: C:\Users\All Users\50088829\50088829.exe
deleted: Trojan program Exploit.Win32.DirektShow.a File: C:\Users\we\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QBE43J44\win[1].jpg
deleted: Trojan program Trojan.Win32.FraudPack.zcq File: C:\Users\we\AppData\Local\Temp\0.3644698465808196.exe
deleted: Trojan program Trojan.Win32.FraudPack.zcq File: C:\Users\we\AppData\Local\Temp\0.3945486530825457.exe
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Users\we\AppData\Local\Temp\1256017402.exe
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Users\we\AppData\Local\Temp\1256226213.exe
deleted: Trojan program Trojan.Win32.Scar.zgn File: C:\Users\we\AppData\Local\Temp\1Windows_Protector.exe//Execryptor
deleted: Trojan program Trojan.Win32.FraudPack.vxt File: C:\Users\we\AppData\Local\Temp\2.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\3.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\4_pinnew.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\5_odb.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\6_ldr3.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\a.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\avto.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\avto1.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\b.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\B337.tmp
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\d.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\e.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\g.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\h.exe
deleted: Trojan program Trojan.Win32.FraudPack.vwc File: C:\Users\we\AppData\Local\Temp\i.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\j.exe
deleted: Trojan program Trojan.Win32.FraudPack.vwc File: C:\Users\we\AppData\Local\Temp\k.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\l.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\m.exe
deleted: Trojan program Trojan.Win32.BHOLamp.gmu File: C:\Users\we\AppData\Local\Temp\msxml71.dll
deleted: Trojan program Trojan.Win32.FraudPack.vwc File: C:\Users\we\AppData\Local\Temp\n.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\o.exe
deleted: Trojan program Trojan-Dropper.Win32.BHO.dl File: C:\Users\we\AppData\Local\Temp\p.exe
deleted: Trojan program Trojan.Win32.FraudPack.vwc File: C:\Users\we\AppData\Local\Temp\q.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\q1.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\r.exe
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Users\we\AppData\Local\Temp\teste1_p.exe
deleted: Trojan program Packed.Win32.TDSS.w File: C:\Users\we\AppData\Local\Temp\tmpD92.tmp
deleted: Trojan program Trojan.Win32.Patched.hs (modification) File: C:\Users\we\AppData\Local\Temp\tmpDA3.tmp
deleted: Trojan program Trojan.Win32.FraudPack.vxt File: C:\Users\we\AppData\Local\Temp\u.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\v.exe
deleted: Trojan program Trojan.Win32.FraudPack.vxt File: C:\Users\we\AppData\Local\Temp\y.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Users\we\AppData\Local\Temp\z.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.xrf File: C:\Users\we\Downloads\MediaTubeCodec_ver1.1187.0.exe
deleted: Trojan program Packed.Win32.Krap.ag File: C:\Windows\msa.exe
deleted: Trojan program Trojan-Clicker.Win32.Vesloruki.cps File: C:\Windows\tmp4640371.log
deleted: Trojan program Backdoor.Win32.UltimateDefender.zg File: C:\Windows\tmp6232144.log
deleted: Trojan program Packed.Win32.Krap.ah File: C:\Windows\System32\e.exe
deleted: Trojan program Trojan.Win32.Scar.zgn File: C:\Windows\System32\minix32.exe//Execryptor
deleted: Trojan program Trojan.Win32.BHOLamp.gmu File: C:\Windows\System32\msxml71.dll
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Windows\System32\spool\prtprocs\w32x86\3C.tmp
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Windows\System32\spool\prtprocs\w32x86\FF26.tmp
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Windows\Temp\2FA.tmp
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.eve File: C:\Windows\Temp\tempo-649816689.tmp


Re: BankerFox.A and Win32/Nuqel.E Virus and how to remove it

Post by Belahzur on Thu Nov 05, 2009 12:41 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



Re: BankerFox.A and Win32/Nuqel.E Virus and how to remove it

Post by weswins on Thu Nov 05, 2009 3:22 am

K, this is what I got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:50 PM, on 04/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
O1 - Hosts: 91.212.127.226 winguard-2009.com
O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Mirar - {3D750085-5FC3-40BD-899D-513F7CA6134F} - C:\Windows\system32\a678.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Mirar - {3D750084-5FC3-40BD-899D-513F7CA6134F} - C:\Windows\system32\a678.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SfKg6wIPuSpdcduD7] C:\Users\we\AppData\Roaming\Microsoft\Windows\oulwsv.exe
O4 - HKCU\..\Run: [userinit] C:\Users\we\AppData\Roaming\sdra64.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O4 - Startup: is-F1LRN.lnk = C:\Users\we\Desktop\Virus Removal Tool\is-F1LRN\startup.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MBCameraMonitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10169 bytes


Re: BankerFox.A and Win32/Nuqel.E Virus and how to remove it

Post by Belahzur on Thu Nov 05, 2009 10:23 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
    O1 - Hosts: 91.212.127.226 winguard-2009.com
    O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]
    O2 - BHO: Mirar - {3D750085-5FC3-40BD-899D-513F7CA6134F} - C:\Windows\system32\a678.dll
    O3 - Toolbar: Mirar - {3D750084-5FC3-40BD-899D-513F7CA6134F} - C:\Windows\system32\a678.dll
    O4 - HKCU\..\Run: [SfKg6wIPuSpdcduD7] C:\Users\we\AppData\Roaming\Microsoft\Windows\oulwsv.exe
    O4 - HKCU\..\Run: [userinit] C:\Users\we\AppData\Roaming\sdra64.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
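As an added example (not part of this thread or of HijackThis itself), a small Python triage script that applies the same reasoning Belahzur used when picking lines from the log above: it flags a UserInit value that launches anything besides userinit.exe, a hosts-file mapping that is not a loopback entry, and a Run key that starts a program from a user profile directory. The sample lines are constructed from entries quoted in this thread; the `::1 localhost` entry is the normal IPv6 loopback mapping, so the script deliberately does not flag it.

```python
"""Triage helper for HijackThis-format log lines (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 log format, taken from entries quoted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
O1 - Hosts: 91.212.127.226 winguard-2009.com
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SfKg6wIPuSpdcduD7] C:\Users\we\AppData\Roaming\Microsoft\Windows\oulwsv.exe
O4 - HKCU\..\Run: [userinit] C:\Users\we\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: "F2", "O1" or "O4"
    reason: str    # why the line deserves a human look
    line: str      # the original log line


LOOPBACK = {"127.0.0.1", "::1"}
# The only program that belongs in UserInit on Vista; anything appended after the
# comma is started at every logon under the logging-on user's account.
USERINIT_OK = r"c:\windows\system32\userinit.exe"

_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
_O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)", re.I)
_O4 = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run: \[(.*?)\] (.*)$", re.I)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious F2/O1/O4 line, or None if it looks normal."""
    line = line.rstrip()
    m = _F2.match(line)
    if m:
        entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
        extra = [e for e in entries if e != USERINIT_OK]
        if extra:
            return Finding("F2", "UserInit runs extra program(s): " + ", ".join(extra), line)
        return None
    m = _O1.match(line)
    if m:
        ip, host = m.groups()
        # "::1 localhost" and "127.0.0.1 localhost" are standard loopback entries;
        # HijackThis 2.0.2 lists the IPv6 one only because it does not know IPv6.
        if ip not in LOOPBACK:
            return Finding("O1", f"hosts file redirects {host} to {ip}", line)
        return None
    m = _O4.match(line)
    if m:
        hive, name, cmd = m.groups()
        # Legitimate autostarts live under Program Files or Windows; a Run entry
        # pointing into AppData is the classic place for user-level persistence.
        if "\\appdata\\" in cmd.lower():
            return Finding("O4", f"{hive} Run entry [{name}] starts a program from the user profile", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```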

