win32/nuqel.e and bankerfox virus


win32/nuqel.e and bankerfox virus

Post by roblkey on Tue Dec 29, 2009 2:07 am

My computer is infected with win32/nuqel.e and the bankerfox virus, and Antivirus Live along with it too. I cannot execute anything; RegCure, Malwarebytes, nothing will run. I cannot even start in safe mode. Help please, I cannot do anything except close alert boxes. I cannot get into my emails; I had to use my son's laptop. Sick crap keeps popping up as I type this.

Thanks

roblkey
Novice

Posts : 8
Joined : 2009-12-29
OS : Windows XP
Points : 25443
Likes : 0


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Tue Dec 29, 2009 3:20 am

Please only post in your own topics.

Welcome to GeekPolice.

From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a Tech Staff member, administrator, or moderator. Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.

As this topic is for you only, I just need to issue a warning to outside readers:
Warning: Instructions issued in this topic are for this user only. We are not responsible for damages, so if you need help, please register for this site and start a new topic requesting help.




Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13713
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302059
Likes : 10


can not run

Post by roblkey on Tue Dec 29, 2009 7:08 pm

It will not let me run commy.exe. It said the file is infected and asked me to activate protection. I don't know what to do at this point; I can't do anything.


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Tue Dec 29, 2009 11:00 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Thank you

Post by roblkey on Tue Dec 29, 2009 11:47 pm

For some reason Malwarebytes decided to work for my son, after two hours it discovered 6 infected items that I deleted.


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Wed Dec 30, 2009 2:44 am

Post the log, please.



sorry

Post by roblkey on Wed Dec 30, 2009 3:57 am

Sorry, here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2127
Windows 5.1.2600 Service Pack 3

12/29/2009 5:33:08 PM
mbam-log-2009-12-29 (17-33-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 261899
Time elapsed: 1 hour(s), 28 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\iWin Games\iWinGamesHookIE.dll (Trojan.BHO) -> Delete on reboot.

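A small parser for a Malwarebytes log of the kind posted above, added here as an example; it is not Malwarebytes' own code and is not from the thread. The sample text is constructed from the lines quoted in the post (sections with no hits are left out, which the parser treats as zero items). It checks that the detailed list agrees with the summary counts at the top (a quick way to notice a truncated paste), pulls out anything marked "Delete on reboot" (still on disk until the machine restarts, so a follow-up scan should confirm it went), and collects the CLSIDs named in the hits so they can be looked for again in a later autostart log.

```python
"""Consistency and follow-up checks over a Malwarebytes log.
Added example; not Malwarebytes' code. Sample text constructed from the post."""
import re
from collections import Counter

# Constructed from the log in the post; sections with no hits are omitted,
# which parse_mbam() treats as zero items.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2127
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\iWin Games\iWinGamesHookIE.dll (Trojan.BHO) -> Delete on reboot.
"""

SUMMARY = re.compile(r"^(.+?) Infected: (\d+)$")   # "Registry Keys Infected: 3"
SECTION = re.compile(r"^(.+?) Infected:$")         # "Registry Keys Infected:"
# One hit per line: "<item> (<detection name>) -> <action>."
HIT = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_mbam(text):
    """Return (declared_counts, hits_by_section) from the log text."""
    declared, hits, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:              # blank line ends the current section
            section = None
            continue
        m = SUMMARY.match(line)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            hits[section] = []
            continue
        h = HIT.match(line)
        if section and h:
            hits[section].append(h.groupdict())
    return declared, hits


def inconsistencies(declared, hits):
    """Sections whose detailed list does not match the summary count."""
    return {name: (n, len(hits.get(name, [])))
            for name, n in declared.items() if n != len(hits.get(name, []))}


def pending_reboot(hits):
    """Items MBAM could not remove while running; still present until restart."""
    return [h["item"] for sec in hits.values() for h in sec
            if "reboot" in h["action"].lower()]


def clsids(hits):
    """CLSIDs named in the hits, for cross-checking later autostart logs."""
    return sorted({c.lower() for sec in hits.values() for h in sec
                   for c in CLSID.findall(h["item"])})


def families(hits):
    """How many hits each detection name accounts for."""
    return Counter(h["label"] for sec in hits.values() for h in sec)


if __name__ == "__main__":
    declared, hits = parse_mbam(MBAM_LOG)
    print("summary/detail mismatches:", inconsistencies(declared, hits) or "none")
    print("pending reboot:", pending_reboot(hits))
    print("CLSIDs to watch:", clsids(hits))
    print("by detection:", dict(families(hits)))
```

Run it as a script to see the four summaries; on the posted log the summary and detail agree, one file is pending reboot, and one CLSID (the BHO registered under both HKLM and HKCR) is worth looking for again in any later autostart listing.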

Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Wed Dec 30, 2009 5:24 am

Please download [You must be registered and logged in to see this link.] to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file.
  • Call the .run file "redScan" and save it to your desktop. You will see the .run file on your desktop. Open Notepad, then click File > Open - locate the redScan file and open it in Notepad. Finally, copy all the results, and paste them here in your next reply.



Re: win32/nuqel.e and bankerfox virus

Post by roblkey on Wed Dec 30, 2009 12:15 pm

Runscanner logfile

* = signed file
- = file not found

General info
------------
Computer name : YOUR-F2FA57285A
Creation time : 12/30/2009 6:06:50 AM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 3
RunScanner Version : 1.9.0.9
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
* C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
* C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
C:\Program Files\BroadJump\Client Foundation\CFD.exe (BroadJump, Inc.)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (Symantec Corporation)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
C:\WINDOWS\system32\umonit.exe (General)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
* C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
* C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
* C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
* C:\Program Files\iWin Games\iWinTrusted.exe (iWin Inc.)
* C:\WINDOWS\System32\dmadmin.exe (Microsoft Corp., Veritas Software)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
* C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
* C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
* C:\WINDOWS\System32\vssvc.exe (Microsoft Corporation)
* C:\WINDOWS\system32\netdde.exe (Microsoft Corporation)
* C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
* C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation)
C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
* C:\Documents and Settings\Owner\Desktop\runscanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\System32\SCardSvr.exe (Microsoft Corporation)
* C:\WINDOWS\System32\snmp.exe (Microsoft Corporation)
* C:\WINDOWS\System32\snmptrap.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (Symantec Corporation)
* C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (Symantec Corporation)
* C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
* C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
* C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
* C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
* C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
* C:\WINDOWS\explorer.exe (Microsoft Corporation)
* C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)

Unrated items
-------------
002 C:\Program Files\BroadJump\Client Foundation\CFD.exe (BroadJump, Inc.)
002 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
002 C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
002 C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
002 C:\WINDOWS\system32\umonit.exe (General)
010 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe LM Service)
010 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (FLEXnet Licensing Service)
010 C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (InstallDriver Table Manager)
010 * C:\Program Files\iWin Games\iWinTrusted.exe (iWinTrusted)
010 C:\Program Files\Common Files\LightScribe\LSSrvc.exe (LightScribeService Direct Disc Labeling Service)
010 * C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (LiveShare P2P Server 10)
010 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Machine Debug Manager)
010 * C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe (NMSAccessU)
010 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (PrismXL)
010 * C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe (Roxio Hard Drive Watcher 10)
010 * C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe (Roxio UPnP Renderer 10)
010 * C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe (Roxio Upnp Server 10)
010 * C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (RoxMediaDB10)
011 C:\WINDOWS\system32\drivers\ASCTRM.sys (ASCTRM)
011 C:\WINDOWS\system32\drivers\BIOS.sys (BIOS)
011 * C:\WINDOWS\system32\drivers\Cdr4_xp.sys (Cdr4_xp)
011 * C:\WINDOWS\system32\drivers\Cdralw2k.sys (Cdralw2k)
011 C:\WINDOWS\System32\Drivers\Capt905c.sys (DualCamera)
011 C:\WINDOWS\system32\drivers\fixustor.sys (fixustor)
011 * C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR ASPI Filter Driver)
011 C:\WINDOWS\system32\DRIVERS\mhndrv.sys (MHN driver)
011 C:\WINDOWS\system32\drivers\MxlW2k.sys (MxlW2k)
011 C:\WINDOWS\system32\DRIVERS\rt25usbap.sys (Nintendo Wi-Fi USB Connector Service)
011 * C:\WINDOWS\System32\Drivers\PxHelp20.sys (PxHelp20)
011 C:\WINDOWS\system32\drivers\SCDEmu.sys (SCDEmu)
011 C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys (Upper Class Filter Driver)
031 C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation) {CD00020A-8B95-11D1-82DB-00C04FB1625D}
031 C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
031 C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
047 Zone: cox.com : [You must be registered and logged in to see this link.]
047 Zone: cox.com : [You must be registered and logged in to see this link.]
047 Zone: cox.com : [You must be registered and logged in to see this link.]
047 Zone: cox.com : [You must be registered and logged in to see this link.]
047 Zone: coxenterprises.com : [You must be registered and logged in to see this link.]
047 Zone: coxenterprises.com : [You must be registered and logged in to see this link.]
047 Zone: coxenterprises.com : [You must be registered and logged in to see this link.]
047 Zone: coxenterprises.com : [You must be registered and logged in to see this link.]
061 C:\WINDOWS\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
061 C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
061 C:\Program Files\Microsoft IntelliPoint\ipcplact.dll (Microsoft Corporation) {653DCCC2-13DB-45B2-A389-427885776CFE}
061 C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll (Microsoft Corporation) {124597D8-850A-41AE-849C-017A4FA99CA2}
061 C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll (Microsoft Corporation) {AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}
061 C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll (Microsoft Corporation) {20082881-FC36-4E47-9A7A-644C95FF749F}
061 C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
061 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
061 C:\WINDOWS\system32\ShellvRTF.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
061 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
062 GUID / CLSID not found {7D4D6379-F301-4311-BEBA-E26EB0561882}
069 C:\WINDOWS\system32\Primomonnt.dll
100 Default_Page_URL HKLM : [You must be registered and logged in to see this link.]
100 ProxyOverride HKLM : *.local;
100 ProxyServer HKCU : http=127.0.0.1:5555
100 ProxyServer HKLM : http=127.0.0.1:9090
100 Start Page HKCU : [You must be registered and logged in to see this link.]
100 Start Page HKLM : [You must be registered and logged in to see this link.]
104 C:\Program Files\Support.com\bin\tgctlcm.dll (SupportSoft, Inc.) {01113300-3E00-11D2-8470-0060089874ED}
104 * C:\WINDOWS\Downloaded Program Files\msi.1.0.0.8.dll (PlayFirst, Inc.) {226ACC34-3194-40E2-9AE8-834FCFE9E80D}
104 * C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx (Aurigma, Inc.) {6E5E167B-1566-4316-B27F-0DDAB3484CF7}
104 C:\WINDOWS\DOWNLO~1\SPINTO~1.DLL (SpinTop Games) {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0}
104 * C:\WINDOWS\Downloaded Program Files\zenerchi.1.0.0.10.dll (PlayFirst, Inc.) {BAC761D3-DFFD-4DB4-A01D-173346E090A7}
104 C:\WINDOWS\DOWNLO~1\BEWITC~1.OCX (TODO: ) {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
104 * C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll (Zylom Games) {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
104 * C:\WINDOWS\Downloaded Program Files\pcpitstop2.dll (PC Pitstop LLC) {FFB3A759-98B1-446F-BDA9-909C6EB18CC7}
105 Append Link Target to Existing PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
105 Append to Existing PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
105 Convert Link Target to Adobe PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
105 Convert to Adobe PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
105 E&xport to Microsoft Excel : [You must be registered and logged in to see this link.]
107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
120 NameServer {A3863E19-A81F-4C56-B890-A6ABA28A2147} : 68.105.28.11,68.105.29.11
170 {88db96a1-5f67-11d9-b266-806d6172696f} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
170 {a4c25c01-0a49-11dd-b8f5-0018f80dd74a} : L:\LaunchU3.exe
170 {a4c25c02-0a49-11dd-b8f5-0018f80dd74a} : setupSNK.exe
170 D : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
170 K : K:\Autorun.exe
170 L : L:\Autorun.exe
173 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
173 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
221 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
221 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
225 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
225 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
225 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
229 C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
231 GUID / CLSID not found NeroDigitalExt.NeroDigitalColumnHandler
251 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

Missing files
-------------
002 C:\Documents and Settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
003 C:\Documents and Settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
010 J:\AVPersonal\AVGUARD.EXE
010 J:\AVPersonal\AVWUPSRV.EXE
010 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
010 C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\Atcamea.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 J:\AVPersonal\AVGNTDW.SYS
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 c:\windows\system32\DRIVERS\szkg.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
042 C:\Program Files\partypoker\PartyPokerNet\RunPF.exe
061 deskpan.dll
063 SsiEfr.ex
173 J:\AVPersonal\AVShlExt.DLL
221 J:\AVPersonal\AVShlExt.DLL
225 J:\AVPersonal\AVShlExt.DLL
225 J:\AVPersonal\AVShlExt.DLL

105 Append to Existing PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
105 Convert Link Target to Adobe PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
105 Convert to Adobe PDF : [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
105 E&xport to Microsoft Excel : [You must be registered and logged in to see this link.]
107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
120 NameServer {A3863E19-A81F-4C56-B890-A6ABA28A2147} : 68.105.28.11,68.105.29.11
170 {88db96a1-5f67-11d9-b266-806d6172696f} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
170 {a4c25c01-0a49-11dd-b8f5-0018f80dd74a} : L:\LaunchU3.exe
170 {a4c25c02-0a49-11dd-b8f5-0018f80dd74a} : setupSNK.exe
170 D : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
170 K : K:\Autorun.exe
170 L : L:\Autorun.exe
173 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
173 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
221 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
221 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
225 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
225 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
225 * C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll (Sonic Solutions) {70D0238E-E029-4a94-B68D-182018B6C4FF}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
229 C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
231 GUID / CLSID not found NeroDigitalExt.NeroDigitalColumnHandler
251 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

Missing files
-------------
002 C:\Documents and Settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
003 C:\Documents and Settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
010 J:\AVPersonal\AVGUARD.EXE
010 J:\AVPersonal\AVWUPSRV.EXE
010 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
010 C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\Atcamea.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 J:\AVPersonal\AVGNTDW.SYS
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 c:\windows\system32\DRIVERS\szkg.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
042 C:\Program Files\partypoker\PartyPokerNet\RunPF.exe
061 deskpan.dll
063 SsiEfr.ex
173 J:\AVPersonal\AVShlExt.DLL
221 J:\AVPersonal\AVShlExt.DLL
225 J:\AVPersonal\AVShlExt.DLL
225 J:\AVPersonal\AVShlExt.DLL


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Wed Dec 30, 2009 8:28 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)

Re: win32/nuqel.e and bankerfox virus

Post by roblkey on Thu Dec 31, 2009 12:26 am

ComboFix 09-12-29.06 - Owner 12/30/2009 17:23:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.476 [GMT -6:00]
Running from: c:\documents and settings\Owner\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {F50D9AC1-6409-476C-A8D6-8F5F82336C8F}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Images
c:\recycler\S-1-5-21-2227058028-3093900813-2221775899-500
c:\recycler\S-1-5-21-2296790875-3444667464-1202973334-500
c:\windows\system32\Cache
c:\images\DirCfg.ini
c:\recycler\S-1-5-21-2227058028-3093900813-2221775899-500\desktop.ini
c:\recycler\S-1-5-21-2227058028-3093900813-2221775899-500\INFO2
c:\recycler\S-1-5-21-2296790875-3444667464-1202973334-500\desktop.ini
c:\recycler\S-1-5-21-2296790875-3444667464-1202973334-500\INFO2
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\system32\_000007_.tmp.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LOGICAL_DISK_MANAGER_(DMSERVER)_


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 11:59 . 2009-12-30 11:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Runscanner.net
2009-12-29 01:13 . 2009-12-29 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-12-29 01:04 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-29 01:04 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-29 01:04 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-29 01:04 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-29 01:04 . 2009-12-29 01:04 -------- d-----w- c:\program files\Spyware Doctor
2009-12-29 01:04 . 2009-12-29 01:04 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-29 01:04 . 2009-12-29 01:04 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-12-29 01:04 . 2009-12-29 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-28 23:19 . 2009-12-29 20:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\apstxv
2009-12-28 23:19 . 2009-12-28 23:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\feovwc
2009-12-17 02:39 . 2009-12-17 02:43 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
2009-12-01 22:43 . 2009-12-01 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 23:41 . 2008-11-07 05:13 98 ----a-w- c:\windows\system32\mhncache.dat
2009-12-30 23:22 . 2006-02-15 20:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-30 22:59 . 2008-03-13 22:25 -------- d-----w- c:\program files\iWin.com
2009-12-30 01:22 . 2006-02-15 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-29 23:34 . 2009-11-08 14:36 -------- d-----w- c:\program files\iWin Games
2009-12-29 01:05 . 2008-03-13 22:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-29 00:14 . 2009-09-05 22:50 -------- d-----w- c:\program files\QuickPar
2009-12-29 00:14 . 2009-09-27 22:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-12-29 00:14 . 2009-04-24 19:21 -------- d-----w- c:\program files\BFG
2009-12-29 00:14 . 2008-12-15 19:38 -------- d-----w- c:\program files\Active ISO Burner
2009-12-17 07:17 . 2009-01-12 03:26 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-22 20:22 . 2008-10-23 01:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-22 01:31 . 2009-11-22 01:31 -------- d-----w- c:\program files\SopCast
2009-11-18 23:23 . 2009-11-18 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Shape games
2009-11-12 21:18 . 2009-11-12 21:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Anabel
2009-11-11 20:19 . 2009-08-11 05:41 -------- d-----w- c:\program files\abgx360
2009-11-10 17:31 . 2009-11-10 17:30 -------- d-----w- c:\documents and settings\Owner\Application Data\SecretIslandEng
2009-11-08 16:42 . 2009-11-08 16:41 -------- d-----w- c:\documents and settings\Owner\Application Data\RobinsonCrusoeIW
2009-10-29 07:46 . 2005-01-09 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-01-09 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-01-09 23:48 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-01-09 23:48 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-01-09 23:48 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 09:55 . 2009-05-09 14:54 16 ----a-w- c:\windows\popcinfo.dat
2008-11-06 22:11 . 2008-11-06 22:11 2372472 ----a-w- c:\program files\mbam-setup.exe
2008-11-03 00:05 . 2008-11-03 00:05 15083520 ----a-w- c:\program files\spybotsd160.exe
2009-05-14 20:14 . 2005-01-05 22:17 1409286144 --sha-w- c:\windows\DUMP5244.tmp
2007-08-24 03:32 . 2007-08-22 05:10 88 --sh--r- c:\windows\system32\4AAAF1F866.sys
2007-08-24 03:32 . 2007-08-22 05:06 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMonit"="c:\windows\system32\umonit.exe" [2006-07-26 53248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-10-18 483394]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-03-15 116328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-02-27 17:14 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-02-27 21:54 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-09-14 19:38 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-03-15 03:10 116328 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2005-05-03 22:02 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 23:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 21:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-08-22 19:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 18:22 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-08-27 13:09 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-09 15:49 966656 -c--a-w- c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-09-14 19:38 14820864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 10:12 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-09-16 18:16 1833296 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2001-11-07 10:50 1519616 ----a-w- c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"Movielink Core Service"=2 (0x2)
"KodakCCS"=2 (0x2)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"gusvc"=3 (0x3)
"ADVService"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"UPS"=2 (0x2)
"Schedule"=2 (0x2)
"WmdmPmSN"=2 (0x2)
"mnmsrvc"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"Messenger"=2 (0x2)
"cisvc"=2 (0x2)
"ImapiService"=2 (0x2)
"MSDTC"=2 (0x2)
"CryptSvc"=3 (0x3)
"BITS"=3 (0x3)
"ALG"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AVWUpSrv;AntiVir Update;j:\avpersonal\AVWUPSRV.EXE [x]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
R3 Atcamea;Atcamea; [x]
R3 avgntdw;avgntdw;j:\avpersonal\AVGNTDW.SYS [x]
R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-07-26 6016]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
R3 SessionLauncher;SessionLauncher;c:\docume~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2009-11-10 78104]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-08-22 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-12-29 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Owner.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2008-11-07 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-01-18 23:24]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A3863E19-A81F-4C56-B890-A6ABA28A2147} = 68.105.28.11,68.105.29.11
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - [You must be registered and logged in to see this link.]
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - [You must be registered and logged in to see this link.]
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - [You must be registered and logged in to see this link.]
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ujomgq7p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ujomgq7p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ujomgq7p.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ujomgq7p.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-hjlxbdmk - c:\documents and settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
HKLM-Run-hjlxbdmk - c:\documents and settings\Owner\Local Settings\Application Data\feovwc\blhrsysguard.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-InCD - c:\program files\Nero\Nero 7\InCD\InCD.exe
MSConfigStartUp-LoadMSvcmm - c:\program files\Movielink\MovielinkManager\Movielink User.exe
MSConfigStartUp-NBJ - c:\program files\Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-systray - c:\windows\mstre8.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
AddRemove-MusicMatch Jukebox - c:\program files\MusicMatch Jukebox\Uninst.isu
AddRemove-Network Play System (Patching) - c:\program files\Electronic Arts\Network Play System\NPSPatch.isu
AddRemove-Puzzle Bobble - E:\Loader.exe
AddRemove-RegCure - c:\documents and settings\Owner\Desktop\RegCure\uninst.exe
AddRemove-Uniblue DriverScanner 2009 - c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F} - c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-30 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\umonit.exe?USB\V?F??8ec&?F??\???8????????F??8????F??B\RO????8???????????????????????????h?????A~?F???????????b@?????????????????<$?|?????$?|??B~??@???E~????????????????????@???????????????t??????????????|X$?|?????$?|Q$?|??????????????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4612)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\System32\snmptrap.exe
c:\windows\System32\vssvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-12-30 18:10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 00:10

Pre-Run: 96,637,984,768 bytes free
Post-Run: 96,554,967,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D8C308C0243C8010A00C7008BD6650D2

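The catchme section of the ComboFix log above lists a hidden autostart value under HKLM\...\Run whose tail degenerates into a long run of '?' characters after the executable path. Pulling that section out of a log and flagging values that do not look like a clean "path plus arguments" is a quick triage step. The following is an added example, not part of this thread and not ComboFix or catchme code; the sample log is constructed to mirror the format shown on the page, and the "suspicious" heuristic (control characters, a '?' in the value, or an over-long value) is my own assumption rather than a catchme rule.

```python
"""Parse the 'scanning hidden autostart entries' section of a catchme /
ComboFix log and flag Run-key values whose tail looks corrupted.

Added example for illustration; not code from the forum thread or from
ComboFix/catchme. The sample log below is constructed.
"""
import re
import string

# Constructed sample shaped like the catchme section of a ComboFix log.
# The UMonit line mimics the garbage-after-path pattern seen in the thread
# (plus two control bytes); the second entry is a clean, quoted value.
SAMPLE_LOG = """\
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2009-12-30 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
UMonit = c:\\windows\\system32\\umonit.exe?USB\\V?F??8ec&?F??\\???8\x01\x02
Example = "c:\\program files\\example\\example.exe" /silent

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

# Characters a sane REG_SZ Run value may contain (vertical tab / form feed
# excluded).
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Leading executable: either a quoted path or a bare token ending in .exe.
EXE_PATH_RE = re.compile(
    r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+?\.exe))', re.IGNORECASE)

KEY_LINE_RE = re.compile(r"^HK(LM|CU|CR|U|CC)\\")
VALUE_LINE_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")


def extract_exe_path(value):
    """Return the executable path at the start of a Run value, or None."""
    m = EXE_PATH_RE.match(value)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def is_suspicious_value(value, max_len=260):
    """Heuristic (assumption, not a catchme rule): a healthy Run value is a
    path plus optional arguments. Control characters, a '?' (illegal in
    Windows paths, and how the corrupted tail renders in the thread's log),
    or an abnormally long value all warrant manual review."""
    if any(ch not in PRINTABLE for ch in value):
        return True
    if "?" in value:
        return True
    return len(value) > max_len


def parse_hidden_autostarts(log_text):
    """Return one dict per value listed between 'scanning hidden autostart
    entries' and 'scanning hidden files': key, name, raw value, leading
    executable path and the suspicious flag."""
    entries = []
    in_section = False
    current_key = None
    for line in log_text.splitlines():
        if line.startswith("scanning hidden autostart entries"):
            in_section = True
            continue
        if in_section and line.startswith("scanning hidden files"):
            break
        if not in_section or not line.strip():
            continue
        if KEY_LINE_RE.match(line):       # a registry key starts a new group
            current_key = line.strip()
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current_key:
            value = m.group("value")
            entries.append({
                "key": current_key,
                "name": m.group("name"),
                "value": value,
                "exe_path": extract_exe_path(value),
                "suspicious": is_suspicious_value(value),
            })
    return entries


def triage(log_text):
    """Entries a responder should look at first."""
    return [e for e in parse_hidden_autostarts(log_text) if e["suspicious"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['key']}\\{e['name']} -> {e['exe_path']} (review value)")
```

The executable path is extracted separately from the raw value so the responder still gets a usable file to inspect even when the rest of the value is garbage, which is exactly the situation the umonit.exe entry in the log above presents.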

Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Thu Dec 31, 2009 2:51 am

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)


Re: win32/nuqel.e and bankerfox virus

Post by roblkey on Thu Dec 31, 2009 11:02 am

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/31/2009 5:01:28 AM
mbam-log-2009-12-31 (05-01-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 294733
Time elapsed: 2 hour(s), 22 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Thu Dec 31, 2009 9:25 pm

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)


no logfile

Post by roblkey on Thu Dec 31, 2009 11:42 pm

Ran the program; it said no threats found, and had a box to remove the program when closed. I guess I should have ignored it because it must have included the log file. It did say no threats found & recommended I buy one of two of their programs.

Thanks


Re: win32/nuqel.e and bankerfox virus

Post by Dr Jay on Fri Jan 01, 2010 2:48 am

Please download [You must be registered and logged in to see this link.] and Save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.


Dr. Jay (DJ)
