Nuqel.e problem

View previous topic View next topic Go down

Nuqel.e problem

Post by gbottje on Sun Jan 17, 2010 11:38 pm

One laptop got infected. Similar symptoms as others that you have helped - Multiple popups, unable to launch any pgms, Internet Explorer 7 only goes to the Antivirus Pro site, then if left a while, launches new tabs with Porno.org, and a couple of other porn-looking sites.

Found your site by searching on a different computer. Saw recommendations from other sites, so decided to trust your work. I couldn't turn off the Proxy Server as you instructed another to do, until I rebooted into Safe Mode. From Safe Mode, I also downloaded ComboFix and ran it (as you instructed many others to do). One thing that concerns me is that it detected Symantec Antivirus Corp Edition running, but I couldn't figure out how to end it. there were no icons in the systray (still in Safe Mode), and there were only 18 processes running in Task Manager, nȯne of which I could identify as Symantec AV. So, I took a chance and continued. It completed, and rebooted the machine. I let it boot in normal mode. ComboFix ran and eventually created a log.txt file in Notepad.

Things seem to be running normally again, but I am concerned that it may not be completely eradicated. Do you have any suggestions for ways I can check, or any other steps I should take? I will follow the good advice that you gave to Louise Townsend on general steps to protect my computer. Thanks in advance.

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Sun Jan 17, 2010 11:46 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by gbottje on Mon Jan 18, 2010 12:03 am

This used to be a corporate computer, so needed to alter some of the text to protect identity. Hope that doesn't make it difficult.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:52:41 PM, on 1/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Barns\reenLock\BreenLock.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\uphclean\uphclean.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Orchestria\Active Policy Management\client\wgncm.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Button\The Button.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\outlookconfiguration\MailCheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gbottje\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\BrowserPlusCore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [zie_user_config] C:\Program Files\Internet Explorer\ie_user_config.EXE /s
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [savsetup] c:\program files\marimba\castanet tuner\tuner -start [You must be registered and logged in to see this link.]
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [OutlookDisclaimerAdd-in] C:\WINDOWS\ODP.EXE
O4 - HKLM\..\Run: [Orchestria APM Client] C:\Program Files\Orchestria\Active Policy Management\client\wgncm.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Flash User Config] C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Flash_user_config.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TheButton] "C:\Program Files\Button\The Button.exe"
O4 - HKLM\..\Run: [Outlook Mail Check] "C:\Program Files\OutlookConfiguration\Auto.vbs"
O4 - HKLM\..\Run: [MediaPlager User Config] C:\Program Files\Windows Media Player\WMP_USER_CONFIG.EXE /s
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.*.ad.bne.net
O15 - Trusted Zone: *.*.ad.jase.com
O15 - Trusted Zone: *.*.bne.net
O15 - Trusted Zone: *.*.cse.com
O15 - Trusted Zone: *.*.exchad.jse.net
O15 - Trusted Zone: *.*.jse.com
O15 - Trusted Zone: *.*.se.net
O15 - Trusted Zone: *.*.an.com
O15 - Trusted Zone: *.*.se.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: *.*.ad.bne.net (HKLM)
O15 - Trusted Zone: *.*.ad.orgae.com (HKLM)
O15 - Trusted Zone: *.*.ba.net (HKLM)
O15 - Trusted Zone: *.*.ase.com (HKLM)
O15 - Trusted Zone: *.*.exchad.jse.net (HKLM)
O15 - Trusted Zone: *.*.j.com (HKLM)
O15 - Trusted Zone: *.*.jse.net (HKLM)
O15 - Trusted Zone: *.*.an.com (HKLM)
O15 - Trusted Zone: *.*.e.com (HKLM)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) -
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - [You must be registered and logged in to see this link.]
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsna.bsroot.r.com
O17 - HKLM\Software\..\Telephony: DomainName = bsna.bsroot.r.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{86FDF813-AD1B-4E9B-9158-D75FCB40B64F}: NameServer = 165.168.214.10,165.168.214.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsna.bsroot.r.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bsna.bsroot.r.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: BreenLock - - C:\Program Files\Brns\BeeenLock\BreenLock.exe
O23 - Service: Br Tuner (rTuner) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9ae76645b3752) (gupdate1c9ae76645b3752) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Orchestria APM Infrastructure (WGNINFRA) - Orchestria - C:\Program Files\Orchestria\Active Policy Management\system\wgninfra.exe

--
End of file - 14247 bytes

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Mon Jan 18, 2010 10:37 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555



  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by gbottje on Thu Jan 21, 2010 12:40 pm

It found 3 items. Here's the log:
Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/21/2010 6:39:30 AM
mbam-log-2010-01-21 (06-39-30).txt

Scan type: Quick Scan
Objects scanned: 170614
Time elapsed: 15 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ESUGRegEx.exe (Trojan.Generic) -> Quarantined and deleted successfully.

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Thu Jan 21, 2010 5:24 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by gbottje on Fri Jan 22, 2010 12:03 pm

Attach.txt log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/2/2005 5:10:46 PM
System Uptime: 1/21/2010 1:35:06 PM (16 hours ago)

Motherboard: IBM | | 2373S89
Processor: Intel(R) Pentium(R) M processor 1.70GHz | nȯne | 798/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 4.825 GiB free.
D: is CDROM ()
F: is NetworkDisk (*NT5CSC) - 33 GiB total, 4.825 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP619: 12/25/2009 8:36:57 PM - System Checkpoint
RP620: 12/27/2009 7:18:46 AM - System Checkpoint
RP621: 1/1/2010 9:16:29 AM - System Checkpoint
RP622: 1/2/2010 9:31:13 AM - System Checkpoint
RP623: 1/3/2010 1:54:36 PM - System Checkpoint
RP624: 1/4/2010 10:14:56 PM - System Checkpoint
RP625: 1/6/2010 6:03:39 AM - System Checkpoint
RP626: 1/9/2010 11:12:50 AM - System Checkpoint
RP627: 1/15/2010 7:18:40 PM - System Checkpoint
RP628: 1/16/2010 3:00:51 AM - Software Distribution Service 3.0
RP629: 1/17/2010 1:35:17 PM - System Checkpoint
RP630: 1/17/2010 5:50:25 PM - Installed HiJackThis
RP631: 1/18/2010 7:18:19 PM - System Checkpoint
RP632: 1/19/2010 10:50:25 PM - System Checkpoint
RP633: 1/20/2010 11:07:03 PM - System Checkpoint
RP634: 1/22/2010 5:41:34 AM - Software Distribution Service 3.0

==== Installed Programs ======================


Access IBM
Access IBM Message Center
Acopia Registry FIX
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.6
AnswerWorks 5.0 English Runtime
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
ar Stearns Marimba Tuner
BNS VM
BNSLogViewer
BNSROE
BNSTradingLimits
Brother Extensions for Paperport
Brother MFL Pro Suite
Canon BJC-3000 (BJRSTR)
Canon iP4300
Canon iP4300 User Registration
Canon My Printer
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Client Simulator
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Default mail setup
Drivers Install For Linksys Easylink Advisor
Easy-WebPrint
Environment Changer
Freedom Scientific Document Server
Freedom Scientific Synthesizer Eloquence
Freedom Scientific Talking Installer 8.0
Freedom Scientific Video Intercept
getPlus(R)_ocx
Google Earth
Google Update Helper
Google Updater
GPL MPEG-1/2 DirectShow Decoder Filter
hBSC Outlook Configuration 1 (R5)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM Access Connections
IBM Accessibility Speech Interface v1.2
IBM Active Protection System
IBM DLA
IBM Integrated 56K Modem
IBM iSeries Access for Windows
IBM Lotus Sametime Connect 7.5.1
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
IBM ViaVoice TTS Runtime v6.740 - US English
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
ItsDeductible Express
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.2_18
Java Web Start
Java(TM) 6 Update 15
KB906681 RE-ISSUE installed on 12/06/06 5:58:15
KB918899 RE-ISSUE installed on 09/22/06 21:26:59
Linksys EasyLink Advisor 1.6 (0042)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Standard 2003
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
mp
mpmri
MSIforZfS
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Niku 6 Workbench Client
Outlook JPMC Addin 1 (R4)
Outlook No Automatic Junk Mail Filtering Policy (R1)
Outlook Web Access Icon (R1)
PaperPort 6.5
PC-Doctor for Windows
PeregrineServiceCenter 6.12 R2
Performance Navigator 12.0
Performance Navigator 13
Print Server Utilities
PrintServerUpdate
QuickPlace 7.0.0 (R1)
QuickTime
QuickVerse 2007
RealPlayer
Remedy User 6.3
Right Fax Client
RUMBA
SBC Self Support Tool
SBC Yahoo! DSL Activation
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Set Default Mail Client (R1)
Sonic Update Manager
Supervisory Tools
Symantec AntiVirus
Symantec Vault For Outlook 7.5 (R2)
The Button 3.1 (R1)
The Concord Study Package
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Timbuktu Pro
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2006
TurboTax Basic 2007
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
Visual IP InSight(SBC)
VPN Client
Wallpapers
Web-based System Manager Remote Client
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinZip
WordWeb
XML Paper Specification Shared Components Pack 1.0
Yahoo! BrowserPlus
ZipMail for MS Outlook and Outlook Express

==== Event Viewer Messages From Past Week ========

1/17/2010 6:15:17 AM, error: NETLOGON [5719] - No Domain Controller is available for domain BSNA due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/17/2010 3:15:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC eeCtrl Fips IBMTPCHK intelppm SAVRT SAVRTPEL ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
1/17/2010 3:15:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/17/2010 3:15:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/16/2010 7:29:03 AM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
1/16/2010 7:20:42 AM, error: Service Control Manager [7024] - The Orchestria APM Infrastructure service terminated with service-specific error 2147942526 (0x8007007E).
1/16/2010 7:18:43 AM, error: Print [6161] - The document Test Page owned by GBottje failed to print on printer Cher-Brother. Data type: NT EMF 1.008. Size of the spool file in bytes: 74868. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\BS128681. Win32 error code returned by the print processor: 2 (0x2).
1/15/2010 6:44:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
1/15/2010 6:44:03 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

DDS.txt log

DDS (Ver_09-12-01.01) - NTFSx86
Run by GBottje at 5:49:35.98 on Fri 01/22/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.197 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Brns\BrScreenLock\BreenLock.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\uphclean\uphclean.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Orchestria\Active Policy Management\client\wgncm.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Button\The Button.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\outlookconfiguration\MailCheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Temp\Temporary Internet Files\Content.IE5\Q8WV0D36\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [zie_user_config] c:\program files\internet explorer\ie_user_config.EXE /s
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [savsetup] c:\program files\marimba\castanet tuner\tuner -start [You must be registered and logged in to see this link.]
mRun: [S3TRAY2] S3Tray2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QCWLIcon] c:\progra~1\thinkpad\connec~1\QCWLIcon.exe
mRun: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
mRun: [OutlookDisclaimerAdd-in] c:\windows\ODP.EXE
mRun: [Orchestria APM Client] c:\program files\orchestria\active policy management\client\wgncm.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [IPInSightMonitor 02] "c:\program files\visual networks\visual ip insight\sbc\IPMon32.exe"
mRun: [IPInSightLAN 02] "c:\program files\visual networks\visual ip insight\sbc\IPClient.exe" -l
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [Flash User Config] c:\windows\system32\macromed\shockwave 10\xtras\Flash_user_config.EXE
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access PC5250 Sound] "c:\program files\ibm\client access\emulator\pcssnd.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [QCTray] c:\progra~1\thinkpad\connec~1\QCTray.exe
mRun: [TheButton] "c:\program files\button\The Button.exe"
mRun: [Outlook Mail Check] "c:\program files\outlookconfiguration\Auto.vbs"
mRun: [MediaPlager User Config] c:\program files\windows media player\WMP_USER_CONFIG.EXE /s
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: *.ad.one.net
Trusted Zone: *.ad.jpase.com
Trusted Zone: *.one.net
Trusted Zone: *.ase.com
Trusted Zone: *.exchad.ase.net
Trusted Zone: *.hase.com
Trusted Zone: *.hase.net
Trusted Zone: *.rgan.com
Trusted Zone: *.jnchase.com
Trusted Zone: ar.com
Trusted Zone: ear.com\chhmc1a.is
Trusted Zone: turbotax.com
Trusted Zone: whesupport1
Trusted Zone: *.ad.one.net
Trusted Zone: *.ad.jhase.com
Trusted Zone: *.one.net
Trusted Zone: *.ase.com
Trusted Zone: *.exchad.ase.net
Trusted Zone: *.hase.com
Trusted Zone: *.hase.net
Trusted Zone: *.rgan.com
Trusted Zone: *.jhase.com
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} -
DPF: {74FFE28D-2378-11D5-990C-006094235084} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - [You must be registered and logged in to see this link.]
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - [You must be registered and logged in to see this link.]
TCP: {86FDF813-AD1B-4E9B-9158-D75FCB40B64F} = 165.168.214.10,165.168.214.50
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: QConGina - QConGina.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2005-4-17 17792]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-5-31 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-5-31 54968]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-3-2 16384]
R2 BreenLock;BreenLock;c:\program files\ar stearns\bcreenlock\BreenLock.exe [2004-11-23 36864]
R2 arTunerear Tuner;c:\progra~1\marimba\castan~1\Tuner.exe [2005-3-4 32871]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-5-31 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-5-31 177824]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-31 169200]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-31 1764592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-3 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091202.006\naveng.sys [2009-12-3 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091202.006\navex15.sys [2009-12-3 1323568]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [1980-1-1 119296]
S0 vfdafqa;vfdafqa;c:\windows\system32\drivers\ovxllbm.sys --> c:\windows\system32\drivers\ovxllbm.sys [?]
S2 gupdate1c9ae76645b3752;Google Update Service (gupdate1c9ae76645b3752);c:\program files\google\update\GoogleUpdate.exe [2009-3-26 133104]
S2 WGNINFRA;Orchestria APM Infrastructure;c:\program files\orchestria\active policy management\system\wgninfra.exe [2006-10-18 553030]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-9-11 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-9-11 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2006-9-11 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2006-9-11 10368]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2006-5-31 83616]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-3-2 12288]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-2-15 17828]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-2-15 26964]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-12 280344]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-01-22 11:49:30 0 d-----w- c:\temp\A5.tmp
2010-01-22 11:42:00 1266 ----a-w- c:\temp\qcontmp25.vbs
2010-01-22 04:30:25 28 ----a-w- c:\temp\ExchangePerflog_8484fa31c8b5e1abcfcccd43.dat
2010-01-22 03:34:08 16384 ----atw- c:\temp\Perflib_Perfdata_670.dat
2010-01-21 12:53:44 46640 ----a-w- c:\windows\system32\msln.exe
2010-01-21 04:37:52 0 d-----w- c:\docume~1\gbottje\applic~1\Malwarebytes
2010-01-21 04:37:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 04:37:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-21 04:37:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 04:37:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 11:42:50 1266 ----a-w- c:\temp\qcontmp24.vbs
2010-01-17 23:50:27 0 d-----w- c:\program files\TrendMicro
2010-01-17 22:59:45 94208 ----a-w- c:\temp\PSKILL.EXE
2010-01-17 21:52:27 0 d-sha-r- C:\cmdcons
2010-01-17 21:47:38 98816 ----a-w- c:\windows\sed.exe
2010-01-17 21:47:38 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 21:47:38 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 21:47:38 161792 ----a-w- c:\windows\SWREG.exe
2010-01-17 12:25:18 0 d-----w- C:\found.000
2010-01-16 01:00:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2006-07-17 20:35:36 139 ----a-w- c:\program files\wsmjunk.txt

============= FINISH: 5:50:49.42 ===============

Thanks very much for your help.

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Fri Jan 22, 2010 8:56 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :services
    vfdafqa

    :files
    c:\temp\A5.tmp
    c:\temp\qcontmp25.vbs
    c:\temp\qcontmp24.vbs
    C:\found.***
    c:\program files\wsmjunk.txt
    c:\windows\system32\msln.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by gbottje on Sat Jan 23, 2010 6:11 pm

MoveIt Results

========== SERVICES/DRIVERS ==========
Service vfdafqa stopped successfully!
Service vfdafqa deleted successfully!
========== FILES ==========
File/Folder c:\temp\A5.tmp not found.
c:\temp\qcontmp25.vbs moved successfully.
c:\temp\qcontmp24.vbs moved successfully.
C:\found.000\dir0003.chk folder moved successfully.
C:\found.000\dir0002.chk folder moved successfully.
C:\found.000\dir0001.chk folder moved successfully.
C:\found.000\dir0000.chk folder moved successfully.
C:\found.000 folder moved successfully.
c:\program files\wsmjunk.txt moved successfully.
File/Folder c:\windows\system32\msln.exe not found.

OTM by OldTimer - Version 3.1.6.0 log created on 01232010_120906

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Sat Jan 23, 2010 7:37 pm

Hello.

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes cleanup process prompt, do the same for the reboot prompt.
How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by gbottje on Thu Jan 28, 2010 2:11 am

Running great. No sign of the infection. Thank you very much. I appreciate your professionalism and technical solutions. All your instructions were crystal clear and (obviously) worked. I've sent a donation. Thanks again.

gbottje
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-01-17
OS OS : Windows XP
Points Points : 25218
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Nuqel.e problem

Post by Belahzur on Thu Jan 28, 2010 5:33 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Java 2 Runtime Environment, SE v1.4.2_18
    Java Web Start
    Java(TM) 6 Update 15

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the second option where it says "This special release provides a few key fixes.".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum