Bankerfox.A and Win32/Niqel.E Virus Removal Help!


Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Piedude on 15th June 2010, 1:52 am

I have Windows XP Home Edition 2002. I also have AV Security Suite, but not the paid-for version. Whenever I open up a web page, a red page comes up saying that it is unsafe or infected (the same happens for any files I run, except it just asks me to run it); sometimes even if I click allow it doesn't allow it. Also, in the bottom right of my screen, alerts come up saying a trojan called either BankerFox.A or Niqel.E is trying to access my computer. If I allow this it brings me to AV Security Suite's purchasing page. If I deny it I cannot use the internet, and random Internet Explorer porn sites and viagra pages come up without me clicking them. I have read other ones and downloaded Avenger and ran it, but it said something different, like it couldn't find anything instead of some hidden file. I really would like to get this fixed because it is also interrupting my Xbox 360 internet because they are connected.


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 15th June 2010, 6:46 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Piedude on 16th June 2010, 2:06 am

I came home this afternoon and turned my computer on. I noticed after a while that it was not doing anything that I stated before. I am unable to connect to the internet; I think this may be a virus because the rest of the house can get internet access but not me. I tried to open Firefox and Internet Explorer; they both said the same thing: access to the proxy servers denied. I don't know if my computer internet settings are messed up or if the virus is doing this. The only way I am posting this is from another computer. Since I cannot access the internet on that computer I cannot use ComboFix to figure out what is wrong. Is there any way to fix this if it is a virus, and if it's not, would you know how to fix the internet settings? If anything changes I will post immediately.
---------------------------------------------------------------------------------------------
I have fixed this; there was something wrong with the proxy settings.


Last edited by Piedude on 16th June 2010, 2:43 am; edited 1 time in total (Reason for editing : Fixed)


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 16th June 2010, 4:56 pm

Can you run ComboFix now?


Dr. Jay (DJ)


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Piedude on 17th June 2010, 1:36 am

I ran ComboFix and the results are in the attached files since I couldn't post the whole thing here. Also, for some reason it's still not doing anything, like it just randomly stopped popping up with infected files and the red box in the bottom left. I wonder if that means it's fixed?? No way!


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 17th June 2010, 5:53 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    FileLook::
    c:\windows\system32\dns-sd.exe

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=192.168.1.1:8800
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 1101

    File::
    c:\windows\TEMP\TMP0000004C53C87F73FE88CA9C


    Reboot::
  • Save this as CFscript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFscript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


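The DDS:: section of the CFScript above clears the Internet Explorer ProxyServer value and the Firefox network.proxy.* prefs, which the posted log shows pointing at 127.0.0.1:1101 (the "access to the proxy servers denied" symptom earlier in the thread). The script below is an added example, not part of the thread, ComboFix or DDS: it parses the "uInternet Settings" and "FF - prefs.js" lines from a ComboFix/DDS log, or a raw Firefox prefs.js, and flags proxy entries that point at a loopback host. The sample inputs are constructed from the values in the posted log.

```python
"""Audit IE and Firefox proxy settings for a loopback-proxy hijack.

Added example (not from the thread, ComboFix or DDS). It reads either the
'uInternet Settings,...' / 'FF - prefs.js: ...' lines that DDS and ComboFix
print in their Supplementary Scan section, or a raw Firefox prefs.js.
"""
import re
from ipaddress import ip_address

DDS_IE_RE = re.compile(r"^uInternet Settings,(ProxyServer|ProxyOverride|ProxyEnable)\s*=\s*(.*)$")
DDS_FF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")
PREFS_RE = re.compile(r'^user_pref\("(network\.proxy\.[^"]+)",\s*(?:"([^"]*)"|(-?\d+|true|false))\);')

# Constructed sample: the proxy lines as they appear in the posted ComboFix log.
DDS_SAMPLE = """\
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=192.168.1.1:8800
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1101
FF - prefs.js: network.proxy.type - 4
""".splitlines()

# Constructed sample prefs.js: same loopback proxy, but with manual proxy mode (type 1) enabled.
PREFS_SAMPLE = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 1101);
user_pref("network.proxy.type", 1);
"""


def is_loopback(host):
    """True for 'localhost' and any loopback IPv4/IPv6 address; False for names and other IPs."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_dds_lines(lines):
    """Return (ie_settings, ff_prefs) dicts from DDS/ComboFix output; values are kept as strings."""
    ie, ff = {}, {}
    for line in lines:
        line = line.strip()
        m = DDS_IE_RE.match(line)
        if m:
            ie[m.group(1)] = m.group(2).strip()
            continue
        m = DDS_FF_RE.match(line)
        if m:
            ff[m.group(1)] = m.group(2).strip()
    return ie, ff


def parse_prefs_js(text):
    """Return the network.proxy.* prefs from a Firefox prefs.js, values as strings."""
    prefs = {}
    for line in text.splitlines():
        m = PREFS_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return prefs


def ie_proxies(proxy_server):
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=host:port') into (host, port) pairs."""
    pairs = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # per-protocol form: scheme=host:port
            part = part.split("=", 1)[1]
        host, _, port = part.rpartition(":") if ":" in part else (part, "", "")
        pairs.append((host, port))
    return pairs


def audit(ie, ff):
    """Return (severity, message) findings. A loopback proxy means browsing is relayed through a local process."""
    findings = []
    for host, port in ie_proxies(ie.get("ProxyServer", "")):
        if is_loopback(host):
            findings.append(("high", f"IE proxy {host}:{port} is loopback"))
        else:
            findings.append(("review", f"IE proxy {host}:{port} is set: confirm it is an intended proxy"))
    host = ff.get("network.proxy.http")
    if host and is_loopback(host):
        # network.proxy.type: 0 none, 1 manual, 2 PAC, 4 auto-detect, 5 system; only 1 uses the manual entry
        ptype = ff.get("network.proxy.type", "?")
        active = ptype == "1"
        findings.append(("high" if active else "medium",
                         f"Firefox manual proxy {host}:{ff.get('network.proxy.http_port', '?')} is loopback "
                         f"(network.proxy.type={ptype}, manual entry {'in use' if active else 'not in use'})"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(*parse_dds_lines(DDS_SAMPLE)):
        print(f"[{sev}] {msg}")
    for sev, msg in audit({}, parse_prefs_js(PREFS_SAMPLE)):
        print(f"[{sev}] {msg}")
```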
Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Piedude on 18th June 2010, 12:57 am

Here is the second log I got after using the new way.

ComboFix 10-06-17.02 - Alicia 06/17/2010 20:36:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.456 [GMT -4:00]
Running from: c:\documents and settings\Alicia\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Alicia\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-15 01:43 . 2010-06-15 01:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-15 01:43 . 2010-06-15 01:43 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-15 01:43 . 2010-06-15 01:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
2010-06-15 01:43 . 2010-06-15 01:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Swag_Bucks
2010-06-15 00:47 . 2010-06-15 01:36 574 ----a-w- C:\cleanup.bat
2010-06-14 23:41 . 2010-06-14 23:41 -------- d-----w- c:\documents and settings\Alicia\Application Data\QuickScan
2010-06-13 14:41 . 2010-06-16 01:03 -------- d-----w- c:\documents and settings\Alicia\Local Settings\Application Data\awrgrds
2010-06-09 17:20 . 2010-06-09 17:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Swag_Bucks
2010-06-09 12:51 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 02:04 . 2010-06-08 02:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-31 05:00 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-05-30 15:47 . 2010-05-30 19:13 -------- d-----w- c:\documents and settings\Alicia\Application Data\TeamViewer
2010-05-30 15:47 . 2010-05-30 15:47 -------- d-----w- c:\program files\TeamViewer
2010-05-30 14:19 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-30 14:19 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-30 12:32 . 2010-05-30 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\PeerNetworking
2010-05-30 12:31 . 2010-05-30 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-30 12:31 . 2010-05-30 12:32 -------- d-----w- c:\documents and settings\Alicia\Application Data\Yahoo!
2010-05-30 12:19 . 2010-05-30 12:19 -------- d-----w- c:\documents and settings\Alicia\Local Settings\Application Data\Mozilla
2010-05-30 03:38 . 2010-06-16 03:06 -------- d-----w- c:\program files\Gamevance
2010-05-30 02:15 . 2010-05-30 02:15 -------- d-----w- c:\documents and settings\Alicia\Application Data\Uniblue
2010-05-30 02:13 . 2010-05-30 02:13 -------- d-----w- c:\program files\Uniblue
2010-05-30 02:11 . 2009-11-03 18:07 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-05-30 02:11 . 2009-11-03 18:07 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-05-30 02:11 . 2010-05-30 02:15 -------- d-----w- c:\documents and settings\Alicia\Local Settings\Application Data\OpenCandy
2010-05-30 02:11 . 2010-05-30 02:11 -------- d-----w- c:\documents and settings\Alicia\Application Data\OpenCandy
2010-05-30 02:11 . 2010-06-16 03:06 -------- d-----w- c:\program files\Cheat Engine
2010-05-30 01:57 . 2010-05-30 01:58 -------- d-----w- c:\documents and settings\Alicia\Local Settings\Application Data\Swag_Bucks
2010-05-30 01:57 . 2010-05-30 01:57 -------- d-----w- c:\program files\Swag_Bucks
2010-05-30 01:55 . 2010-06-18 00:45 -------- d-----w- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 11:13 . 2007-08-26 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-10 01:56 . 2008-12-20 02:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 20:34 . 2010-06-14 23:41 702120 ----a-w- c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-05-31 20:34 . 2010-06-14 23:41 868456 ----a-w- c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-05-31 05:01 . 2010-05-31 05:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-05-31 05:01 . 2010-05-31 05:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-30 12:32 . 2008-09-20 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-30 12:32 . 2006-12-08 21:59 -------- d-----w- c:\program files\Yahoo!
2010-05-30 11:57 . 2010-02-24 19:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-30 11:57 . 2010-02-24 19:23 38784 ----a-w- c:\documents and settings\Alicia\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-30 03:39 . 2010-05-13 12:58 154112 ----a-w- c:\documents and settings\Alicia\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll
2010-05-30 02:11 . 2010-05-30 02:11 257257 ----a-w- c:\documents and settings\Alicia\Application Data\OpenCandy\OpenCandy_63E786650FA14FFE9C82323BAB46C24D\DLMgr3WrapperUniBlue.exe
2010-05-23 15:33 . 2010-05-23 15:33 503808 ----a-w- c:\documents and settings\Alicia\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c35705d-n\msvcp71.dll
2010-05-23 15:33 . 2010-05-23 15:33 499712 ----a-w- c:\documents and settings\Alicia\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c35705d-n\jmc.dll
2010-05-23 15:33 . 2010-05-23 15:33 348160 ----a-w- c:\documents and settings\Alicia\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c35705d-n\msvcr71.dll
2010-05-21 18:14 . 2009-10-03 04:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-14 01:54 . 2007-11-22 01:01 -------- d-----w- c:\program files\McAfee
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 18:16 . 2010-04-28 18:15 -------- d-----w- c:\program files\iTunes
2010-04-28 18:16 . 2010-04-28 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-28 18:15 . 2010-04-28 18:15 -------- d-----w- c:\program files\iPod
2010-04-28 18:15 . 2007-08-08 20:32 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 18:12 . 2010-04-28 18:11 -------- d-----w- c:\program files\QuickTime
2010-04-28 18:07 . 2010-04-28 18:07 -------- d-----w- c:\program files\Bonjour
2010-04-28 17:52 . 2010-04-28 17:52 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-21 16:07 . 2010-05-30 15:17 52224 ----a-w- c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
2010-04-21 16:07 . 2010-05-30 15:17 101376 ----a-w- c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
2010-04-20 20:45 . 2010-05-30 12:31 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-11-07 01:22 . 2008-11-07 01:22 19385 ----a-w- c:\program files\Common Files\ypidofe.ban
2008-11-07 01:22 . 2008-11-07 01:22 16849 ----a-w- c:\program files\Common Files\vomajo._sy
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-05-20 2675296]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 16:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
2010-05-20 19:35 2675296 ----a-w- c:\program files\Swag_Bucks\tbSwag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-05-20 2675296]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-05-20 2675296]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Steam"="c:\program files\steam\steam.exe" [2010-05-30 1238352]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"Gamevance"="c:\program files\Gamevance\gamevance32.exe" [2010-05-30 222720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Alicia\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-22 16:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-22 16:22]

2010-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-06-18 c:\windows\Tasks\User_Feed_Synchronization-{605085C0-5B98-4066-B4DB-6E70B0C00825}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-06-18 c:\windows\Tasks\User_Feed_Synchronization-{79B7F784-C95B-4D49-B4D9-E67329AE0EF3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - [You must be registered and logged in to see this link.]
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - [You must be registered and logged in to see this link.]
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.search.selectedengine - Swag Bucks Customized Web Search
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1101
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Alicia\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll
FF - component: c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\Alicia\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Alicia\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Alicia\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Alicia\Application Data\Mozilla\Firefox\Profiles\7pvtkbss.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-17 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\Alicia\LOCALS~1\Temp\clclean.0001
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-06-17 20:52:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-18 00:52
ComboFix2.txt 2010-06-17 01:21

Pre-Run: 100,035,072,000 bytes free
Post-Run: 100,026,163,200 bytes free

- - End Of File - - CCC8BD6ADC7FA7B6718A29929F9C5697


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 18th June 2010, 6:12 am

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Piedude on 18th June 2010, 3:55 pm

Here is the log from ESET.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cee0ce4dfa44014c82a182a166b332bc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 03:53:54
# local_time=2010-06-18 11:53:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776537 100 96 5343657 28881583 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=96353
# found=7
# cleaned=7
# scan_time=3574
C:\Documents and Settings\Alicia\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alicia\Local Settings\temp\NOD11B.tmp a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gvtl.dll.vir a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1011\A0088449.dll a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1013\A0090682.dll a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1013\A0090683.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Piedude
Novice

Posts : 5
Joined : 2010-06-15
OS : Microsoft Windows XP 2002
Points : 23753
# Likes : 0

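The ESET log posted above has a fixed shape, and sorting its hits by where they sit (live file system, a tool's quarantine, or a System Restore snapshot) tells you which cleanup step deals with each. This is an added example in Python, not ESET's or the forum's code; it assumes the line format inferred from the posted log and uses three of its lines as sample input.

```python
"""Parse an ESET Online Scanner log like the one posted above and sort each hit by where it
sits. Added example, not ESET's or the forum's code; the two line shapes ('# key=value' and
'<path> <name> (<action>) <hex> <flag>') are inferred from the posted log."""
import re
from collections import Counter

# A Windows path never contains '/', but an ESET name always has a 'Family/Variant' token.
_DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<name>(?:(?:probably )?a variant of )?\S+/\S+.*?) "
    r"\((?P<action>.*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

def classify_location(path):
    """Where a hit sits decides which cleanup step in the thread handles it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore snapshot: gone once old restore points are purged
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # copy already isolated by an earlier removal tool
    return "live"               # still on the running system; the one that matters

def parse_eset_log(text):
    """Return (headers, detections); lines that fit neither shape are skipped."""
    headers, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            headers.setdefault(key.strip(), value.strip())  # compatibility_mode repeats
            continue
        m = _DETECTION.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify_location(d["path"])
            detections.append(d)
    return headers, detections

def summarize(text):
    headers, detections = parse_eset_log(text)
    return {
        "by_location": dict(Counter(d["location"] for d in detections)),
        "pending_reboot": [d["path"] for d in detections if "after the next restart" in d["action"]],
        "header_consistent": headers.get("found") == str(len(detections)),
    }

# Three lines copied from the log posted above, with a 'found' header to match.
SAMPLE_LOG = r"""# found=3
C:\Documents and Settings\Alicia\Local Settings\temp\NOD11B.tmp a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gvtl.dll.vir a variant of Win32/Adware.Gamevance.AI application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1013\A0090683.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""
```

Running summarize(SAMPLE_LOG) shows one live hit still pending a reboot, one already-quarantined copy, and one restore-point copy, which is exactly why the next post clears old restore points.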

Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 18th June 2010, 5:24 pm

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)



Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by soccerdude on 18th June 2010, 7:18 pm

I'm sorry, but I won't be near that computer for a week or so. My father went out of town and I have to stay at my mother's, so I can't get on the computer that needs to be fixed. I am very sorry and will post again once I can get back on there.

soccerdude
Beginner

Posts : 1
Joined : 2010-04-09
OS : windows xp
Points : 24375
# Likes : 0


Re: Bankerfox.A and Win32/Niqel.E Virus Removal Help!

Post by Dr Jay on 19th June 2010, 2:41 am

Are you the same user as Piedude?


Dr. Jay (DJ)


