resurgence of the bankerFox.A Win32/Nuqel.E

Post by woof132 on Thu Feb 18, 2010 8:56 pm

I have the BankerFox.A and Win32/Nuqel.E delight. Constant msg boxes with false virus/malware warnings. I have successfully downloaded, but am unable to run, HijackThis.msi, OTL, and IceSword. These 3 programs all downloaded successfully, but will not open. What's the next step I can take? Thanks.

Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by Dr Jay on Thu Feb 18, 2010 9:26 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)

Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by woof132 on Thu Feb 18, 2010 10:06 pm

I downloaded the program successfully. It will not open. I just get an alert message saying the file is infected.

Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by Dr Jay on Thu Feb 18, 2010 10:20 pm

Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat.


Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now.



Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by woof132 on Thu Feb 18, 2010 10:39 pm

nope


Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by Dr Jay on Thu Feb 18, 2010 11:19 pm

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Then, please try ComboFix again.



Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by woof132 on Fri Feb 19, 2010 1:04 am

voila!

ComboFix 10-02-18.05 - u 02/18/2010 19:23:37.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.665 [GMT -5:00]
Running from: c:\users\u\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1887481080-508804646-1125826050-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3090746094-3283488223-3727284219-500
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 00:28 . 2010-02-19 00:29 -------- d-----w- c:\users\u\AppData\Local\temp
2010-02-19 00:28 . 2010-02-19 00:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-18 23:36 . 2010-02-18 23:37 78184 ----a-w- c:\users\u\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-15 06:55 . 2010-02-15 06:55 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-02-15 06:55 . 2010-02-15 06:55 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-02-15 06:55 . 2010-02-15 06:55 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-02-15 06:55 . 2010-02-15 06:55 83968 ----a-w- c:\windows\system32\mscories.dll
2010-02-15 06:55 . 2010-02-15 06:55 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-02-15 06:18 . 2010-02-15 06:18 2855424 ----a-w- c:\windows\system32\mf.dll
2010-02-15 06:18 . 2010-02-15 06:18 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-15 06:18 . 2010-02-15 06:18 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-15 06:18 . 2010-02-15 06:18 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-15 06:18 . 2010-02-15 06:18 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-15 06:18 . 2010-02-15 06:18 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-02-15 06:18 . 2010-02-15 06:18 94720 ----a-w- c:\windows\system32\logagent.exe
2010-02-15 06:17 . 2010-02-15 06:17 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-02-15 06:16 . 2010-02-15 06:16 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2010-02-15 06:16 . 2010-02-15 06:16 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-02-15 06:15 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-15 06:14 . 2010-02-15 06:14 274432 ----a-w- c:\windows\system32\raschap.dll
2010-02-15 06:14 . 2010-02-15 06:14 232960 ----a-w- c:\windows\system32\rastls.dll
2010-02-15 06:13 . 2010-02-15 06:13 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-02-15 06:11 . 2010-02-15 06:11 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 06:11 . 2010-02-15 06:11 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 06:11 . 2010-02-15 06:11 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 06:11 . 2010-02-15 06:11 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 06:11 . 2010-02-15 06:11 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 06:11 . 2010-02-15 06:11 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 06:11 . 2010-02-15 06:11 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 06:11 . 2010-02-15 06:11 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 06:11 . 2010-02-15 06:11 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 06:11 . 2010-02-15 06:11 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 06:10 . 2010-02-15 06:10 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-02-15 06:09 . 2010-02-15 06:09 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 06:09 . 2010-02-15 06:09 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-15 05:13 . 2010-02-15 05:13 -------- d-----w- c:\users\u\AppData\Roaming\PeerNetworking
2010-02-12 04:25 . 2010-02-12 04:25 -------- d-----w- c:\program files\Free PDF to Word Doc Converter
2010-02-09 03:05 . 2010-02-09 03:05 -------- d-----w- c:\programdata\Norton
2010-01-27 03:57 . 2010-01-27 03:57 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2010-01-22 17:08 . 2010-01-22 17:08 -------- d-----w- c:\program files\ConvertHelper
2010-01-22 17:06 . 2010-01-22 17:06 -------- d-----w- c:\users\u\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 20:51 . 2010-01-01 20:36 211893 ----a-w- c:\windows\system32\drivers\IsDrv122.sys
2010-02-14 03:36 . 2009-07-27 21:16 -------- d-----w- c:\program files\Warcraft III
2010-01-31 17:31 . 2010-01-01 08:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 04:43 . 2008-05-09 18:43 -------- d-----w- c:\users\u\AppData\Roaming\Corel
2010-01-07 23:12 . 2010-01-07 23:12 -------- d-----w- c:\users\u\AppData\Roaming\Red Alert 3
2010-01-07 20:53 . 2010-01-07 20:53 -------- d-----w- c:\program files\Electronic Arts
2010-01-07 04:05 . 2010-01-07 02:57 -------- d-----w- c:\users\u\AppData\Roaming\Steinberg
2010-01-07 02:59 . 2010-01-07 02:57 -------- d-----w- c:\program files\Steinberg
2010-01-07 02:57 . 2010-01-07 02:55 -------- d-----w- c:\program files\Syncrosoft
2010-01-07 02:57 . 2010-01-07 02:57 -------- d-----w- c:\programdata\Syncrosoft
2010-01-07 02:57 . 2010-01-07 02:57 2892 ----a-w- c:\windows\system32\audcon.sys
2010-01-01 21:57 . 2010-01-01 08:11 -------- d-----w- c:\users\u\AppData\Roaming\QuickScan
2010-01-01 08:06 . 2010-01-01 08:06 -------- d-----w- c:\users\u\AppData\Roaming\Malwarebytes
2010-01-01 08:06 . 2010-01-01 08:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-31 11:37 . 2008-11-07 01:19 1330 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp7411.tmp\cur.scr
2009-12-14 14:01 . 2008-11-07 01:19 1407 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp7411.tmp\hub.scr
2009-11-30 05:47 . 2009-09-22 04:47 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-11-17 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-05 4317184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-23 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-23 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-23 81920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-01-23 321656]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-22 520024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-5-31 256000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-4-14 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-02-13 23:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IsDrv122.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^u^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-10 04:59 115816 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickBooks Simple Start]
2007-01-31 04:59 371712 ----a-w- c:\program files\Intuit\SimpleStartEntice\entice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-02-24 17:34 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-30 00:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSecurity]
2006-11-28 22:30 2150400 ----a-w- c:\program files\Sony\VAIO Security Center\VSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2006-12-07 00:08 577536 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [6/22/2009 11:47 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080617.001\IDSvix86.sys [6/17/2008 9:18 PM 261680]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1/31/2007 9:08 AM 28933976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2008 12:41 PM 109616]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 4:32 PM 38200]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [1/6/2010 9:56 PM 18432]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\System32\drivers\tascusb2.sys [1/6/2010 9:28 PM 367616]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\System32\drivers\tscusb2m.sys [7/25/2008 7:18 PM 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\System32\drivers\tscusb2a.sys [7/25/2008 7:18 PM 33792]
S3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [2/24/2008 11:57 AM 807424]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [4/14/2008 4:54 PM 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [4/14/2008 4:54 PM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [4/14/2008 4:54 PM 1089536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:47]

2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - u.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 08:09]

2008-12-30 c:\windows\Tasks\Vaio Service Utility.job
- c:\program files\Sony\Vaio Service Utility\VAIO-SU.exe [2007-02-16 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\u\AppData\Roaming\Mozilla\Firefox\Profiles\8mmbyxhp.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-nyiyuvpn - c:\users\u\AppData\Local\atyaft\lsvgsysguard.exe
HKCU-Run-hlqfhbuk - c:\users\u\AppData\Local\yavpsl\jexjsftav.exe
HKLM-Run-masqform.exe - c:\program files\PureEdge\Viewer 6.5\masqform.exe
HKLM-RunOnce- - (no file)
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire\Corel PhotoDownloader.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
AddRemove-Axis and Allies - c:\program files\Hasbro Interactive\Axis and Allies\Uninst.isu
AddRemove-GOM Player - c:\program files\GRETECH\GomPlayer\Uninstall.exe
AddRemove-Warcraft III Demo - c:\windows\W3DemoUnin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-18 19:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3090746094-3283488223-3727284219-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:26,c4,81,60,e4,93,81,b5,88,1c,95,10,85,11,26,0b,fe,b6,97,47,ed,06,b7,
9d,a1,24,cd,5b,60,5f,65,34,bd,c5,25,d7,c4,a4,2c,d1,da,44,30,83,4e,d9,7f,cf,\
"??"=hex:28,ce,cb,36,3b,0c,e9,95,36,1a,07,a1,20,6d,17,94

[HKEY_USERS\S-1-5-21-3090746094-3283488223-3727284219-1005\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:10,74,23,8d,e9,fb,e0,d3,3d,21,65,7d,a9,d3,ea,2d,11,f6,da,a6,20,
01,3b,c4,65,6f,15,b7,68,d3,78,75,eb,e9,65,05,e3,ef,fd,25,60,27,03,66,d7,c6,\
"rkeysecu"=hex:c0,9b,d7,2c,bf,40,3c,41,f8,6a,7e,75,aa,ab,fb,84

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-18 19:30:47
ComboFix-quarantined-files.txt 2010-02-19 00:30

Pre-Run: 39,801,516,032 bytes free
Post-Run: 40,719,749,120 bytes free

- - End Of File - - AAE0CE263935B1B6CD5650A123A32D42

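An added triage helper, not part of the thread and not something ComboFix ships: it walks the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix log like the one above and flags the two things this log exposes, per-user Run entries launching from randomly named AppData\Local folders (the nyiyuvpn/hlqfhbuk orphans) and Security Center "DisableMonitoring" overrides. It generalises slightly beyond the log: any Run/RunOnce value or orphan whose target sits under AppData\Local or AppData\Roaming is reported, with the vowel-ratio test for random folder names being my own heuristic; the sample input is excerpted from the log posted above.

```python
import re

# Lines excerpted from the ComboFix log posted above (constructed sample input).
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-11-17 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

HKCU-Run-nyiyuvpn - c:\users\u\AppData\Local\atyaft\lsvgsysguard.exe
HKCU-Run-hlqfhbuk - c:\users\u\AppData\Local\yavpsl\jexjsftav.exe
HKLM-Run-masqform.exe - c:\program files\PureEdge\Viewer 6.5\masqform.exe
HKLM-RunOnce- - (no file)
"""

# "Name"="target" [date size] lines printed under a Run/RunOnce key
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
# Orphan autorun lines: HKCU-Run-<name> - <target>
ORPHAN = re.compile(r'^(?P<hive>HKCU|HKLM)-Run(?:Once)?-(?P<name>[^ ]*) - (?P<target>.+)$')
# Target inside a user's AppData\Local or AppData\Roaming tree; captures the first folder
APPDATA = re.compile(r'\\users\\[^\\]+\\appdata\\(?:local|roaming)\\(?P<folder>[^\\]+)\\', re.I)
# Security Center monitoring switched off (hides a disabled/outdated AV from the user)
SC_DISABLED = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
VOWELS = set("aeiou")


def looks_random(token):
    """Heuristic (my own, not ComboFix's): 6+ letters, no digits, few vowels."""
    t = token.lower()
    if not t.isalpha() or len(t) < 6:
        return False
    return sum(c in VOWELS for c in t) / len(t) < 0.35


def assess_autorun(kind, name, target):
    """Flag autoruns launched from AppData; a random-looking folder raises severity."""
    m = APPDATA.search(target)
    if not m:
        return None
    folder = m.group("folder")
    return {"kind": kind, "name": name, "target": target, "folder": folder,
            "severity": "high" if looks_random(folder) else "medium"}


def triage(log_text):
    """Walk a ComboFix log and return a list of suspicious-entry findings."""
    findings = []
    current_key = ""  # registry key of the section being read, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if SC_DISABLED.match(line) and "security center\\monitoring" in current_key:
            findings.append({"kind": "security-center-override", "name": "DisableMonitoring",
                             "target": current_key, "folder": "", "severity": "medium"})
            continue
        m = RUN_VALUE.match(line)
        if m and "\\currentversion\\run" in current_key:
            f = assess_autorun("run-key", m.group("name"), m.group("target"))
            if f:
                findings.append(f)
            continue
        m = ORPHAN.match(line)
        if m:
            f = assess_autorun("orphan-" + m.group("hive").lower(), m.group("name"), m.group("target"))
            if f:
                findings.append(f)
    return findings
```

Run `triage(SAMPLE_LOG)` to see the three findings; the two orphans come back as severity "high" because their AppData\Local folders (atyaft, yavpsl) look machine-generated, which is the pattern to look for first in a log like this.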

Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by Dr Jay on Fri Feb 19, 2010 4:43 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Re: resurgence of the bankerFox.A Win32/Nuqel.E

Post by Dr Jay on Wed Feb 24, 2010 6:17 pm

Still with us? If so, please do the following:

Please download DDS by sUBs from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click Yes to the Optional_Scan
  • Please follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

