win32.nugel.e virus


win32.nugel.e virus

Post by walterjhon on Mon Mar 01, 2010 2:02 pm

I have read several things to do for this virus, but it seems ComboFix is the best way to get started when you can't access anything on your computer. I downloaded it onto an 8 gig flash drive and then copied it onto my laptop before the virus could stop it. One of the things DragonMaster Jay said to do in one of the forums is to post the log and get more info on what's going on from the professionals such as himself. So here is my log file after I ran ComboFix.
ComboFix 10-02-27.01 - Shaun Rinehart 03/01/2010 7:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.64 [GMT -6:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shaun Rinehart\Local Settings\Application Data\dwvqss
c:\documents and settings\Shaun Rinehart\Local Settings\Application Data\dwvqss\vmqbsftav.exe
c:\recycler\S-1-5-21-583907252-1060284298-854245398-1003
c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-27 01:18 . 2010-02-27 02:31 -------- d-----w- C:\$AVG
2010-02-25 05:17 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 05:17 . 2010-02-25 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 05:17 . 2010-02-25 05:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 05:17 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 05:15 . 2010-02-25 05:16 -------- d-----w- c:\program files\a-squared Free
2010-02-25 05:14 . 2010-02-25 05:14 -------- d-----w- c:\program files\Secunia
2010-02-10 23:18 . 2010-02-10 23:18 -------- d-----w- c:\documents and settings\Shaun Rinehart\Application Data\Corel
2010-02-01 18:20 . 2010-01-29 19:25 58856 ----a-w- c:\documents and settings\All Users\Application Data\Wyyo\wyyo163.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 05:21 . 2009-02-18 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Wyyo
2010-02-22 17:09 . 2010-01-21 19:10 79488 ----a-w- c:\documents and settings\Shaun Rinehart\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-10 02:25 . 2009-02-18 20:03 -------- d-----w- c:\program files\Wyyo
2010-01-05 10:00 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2004-08-10 18:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-10 18:51 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-04 04:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 18:51 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\My.Freeze.com NetAssistant\NetAssistant.dll" [2008-11-27 253048]

[HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-03 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-03 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-29 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-29 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-28 24576]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Notebook Card Adapter\DynexWCUI.exe [2009-1-20 1454080]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

R2 Wyyo Service;Wyyo Service;c:\documents and settings\All Users\Application Data\Wyyo\wyyo163.exe [2/1/2010 12:20 PM 58856]
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 11:00]

2010-03-01 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2009-02-18 20:10]

2010-03-01 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2009-02-18 20:48]

2010-03-01 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2009-02-18 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kgbvxueg - c:\documents and settings\Shaun Rinehart\Local Settings\Application Data\dwvqss\vmqbsftav.exe
HKLM-Run-SynTPLpr - c:\program files\Synaptics\SynTP\SynTPLpr.exe
HKLM-Run-kgbvxueg - c:\documents and settings\Shaun Rinehart\Local Settings\Application Data\dwvqss\vmqbsftav.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-01 07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-01 07:42:41
ComboFix-quarantined-files.txt 2010-03-01 13:42

Pre-Run: 7,370,498,048 bytes free
Post-Run: 7,434,649,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5C2001263793B0CEE8A76DF2D828CA1F
If you can help me it would be appreciated very much. Please remember that I'm not real smart, but I was able to understand some from all the forum reading I've done in the last week trying to get rid of viruses on 2 computers.
Thank you for your time and patience.

Re: win32.nugel.e virus

Post by Belahzur on Mon Mar 01, 2010 8:27 pm

Hello.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Please PM me if I fail to respond within 24hrs.