win32 nuqel.e bankerfox.a removal


win32 nuqel.e bankerfox.a removal

Post by efey on 22nd June 2010, 2:09 am

My computer has the same problem; it has the Vista operating system. I have fake infection alerts and it says Threat: BankerFox.A and Win32 Nuqel.E. Nothing works. It would not let me use any program. I cannot even adjust the sound. Could you please, please help me. Downloaded Malwarebytes, but it would not let me run it. Help!!!!! Sorry for my English.

efey
Novice
Posts: 10
Joined: 2010-06-22
OS: Vista

Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 22nd June 2010, 3:54 am

Welcome to GeekPolice Forums! I'm Crush, but you can call me Chris too, and I will be helping you with your malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal, but rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.


IMPORTANT: Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click then click Preferences. Make sure Always notify me of replies is set to Yes


With that out of the way:

Please download and run RKill.

[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.]



  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.


Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed to do so.

After RKill runs, please immediately do the following:

To disable CD Emulation programs using DeFogger please perform these steps:

  1. Please download [You must be registered and logged in to see this link.] to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

=======

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Rename ComboFix.exe to commy.exe before you save it to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here: http://www.bleepingcomputer.com/forums/topic114351.html
  • Click Start, then copy and paste the following command into the search box and hit Enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Crush
Master
Posts: 3889
Joined: 2010-01-27

Re: win32 nuqel.e bankerfox.a removal

Post by efey on 22nd June 2010, 1:53 pm

Hi Chris! Thank you for your response. I was getting Win32/Nuqel.E popups, and was not really infected with Win32/Nuqel.E. I was infected with fake anti-spyware software that I needed to remove. I've rebooted the computer in safe mode and was able to do System Restore. I am OK now. But I am still grateful to you for your prompt response. Thanks again. Elena.


Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 22nd June 2010, 5:34 pm

Hi Elena.

Despite the fact that you restored your PC, unless you restored it completely to factory settings the restore point will be infected. I recommend you go through the removal process anyway, just to be sure everything is good.


Re: win32 nuqel.e bankerfox.a removal

Post by efey on 24th June 2010, 1:37 am

Hi Chris! Thank you for your help. Here is what RKill came up with:

Ran as Elena on 06/23/2010 at 21:30:05.


Processes terminated by Rkill or while it was running:


C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Users\Elena\Desktop\rkill.com


Rkill completed on 06/23/2010 at 21:30:09.


Re: win32 nuqel.e bankerfox.a removal

Post by efey on 24th June 2010, 2:49 am

ComboFix 10-06-23.02 - Elena 06/23/2010 22:23:39.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2045.884 [GMT -4:00]
Running from: c:\users\Elena\Desktop\commy.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Elena\AppData\Roaming\drivers\downld
c:\users\Elena\AppData\Roaming\FieryAds
c:\users\Elena\GoToAssistDownloadHelper.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-24 02:28 . 2010-06-24 02:29 -------- d-----w- c:\users\Elena\AppData\Local\temp
2010-06-24 02:28 . 2010-06-24 02:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-22 03:35 . 2010-06-22 03:35 -------- d-----w- c:\program files\temp
2010-06-22 03:10 . 2010-06-22 03:10 -------- d-----w- C:\_OTL
2010-06-22 01:54 . 2010-06-22 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 05:48 . 2010-06-18 05:48 -------- d-----w- C:\audio
2010-06-18 05:48 . 1998-04-30 18:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-06-18 05:15 . 2005-11-17 16:19 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-06-18 05:15 . 2005-11-17 16:19 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-11 16:45 . 2010-06-14 05:21 -------- d-----w- c:\users\Elena\AppData\Roaming\BitTorrent
2010-06-11 16:45 . 2010-06-11 16:45 -------- d-----w- c:\program files\BitTorrent
2010-06-10 02:54 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-10 02:54 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 02:54 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 02:54 . 2010-05-04 19:15 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-10 02:54 . 2010-05-04 18:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-10 02:53 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 21:51 . 2010-06-18 05:07 695 ---ha-w- C:\os848618.bin
2010-06-08 21:35 . 2010-06-08 21:35 -------- d-----w- c:\program files\Common Files\Vbox
2010-06-03 12:14 . 2010-06-03 12:14 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-03 12:14 . 2010-06-03 12:14 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-05-28 00:34 . 2010-05-28 00:34 -------- d-----w- c:\program files\iPod
2010-05-28 00:34 . 2010-05-28 00:34 -------- d-----w- c:\program files\iTunes
2010-05-28 00:31 . 2010-05-28 00:31 -------- d-----w- c:\program files\Bonjour
2010-05-28 00:30 . 2010-05-28 00:30 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-26 00:51 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 02:27 . 2009-05-17 01:35 -------- d--h--w- c:\users\Elena\AppData\Roaming\drivers
2010-06-24 01:43 . 2009-12-20 20:58 0 ----a-w- c:\users\Elena\AppData\Local\prvlcl.dat
2010-06-23 22:51 . 2010-01-12 23:55 -------- d-----w- c:\users\Elena\AppData\Roaming\vlc
2010-06-23 11:14 . 2009-10-31 19:53 9 ----a-w- c:\program files\USDownloader.lst
2010-06-23 11:14 . 2009-10-31 19:47 2943 ----a-w- c:\program files\USDownloader.ini
2010-06-23 05:39 . 2009-10-31 19:53 9 ----a-w- c:\program files\USDownloader.lst1.bak
2010-06-23 05:39 . 2009-10-31 19:47 1046403 ----a-w- c:\program files\USDownloader.log
2010-06-23 05:08 . 2009-10-31 19:53 213 ----a-w- c:\program files\USDownloader.lst2.bak
2010-06-23 04:48 . 2009-10-31 19:53 417 ----a-w- c:\program files\USDownloader.lst3.bak
2010-06-23 04:17 . 2009-10-31 19:53 621 ----a-w- c:\program files\USDownloader.lst4.bak
2010-06-23 03:46 . 2009-10-31 19:53 825 ----a-w- c:\program files\USDownloader.lst5.bak
2010-06-23 03:31 . 2009-10-31 19:53 1096 ----a-w- c:\program files\USDownloader.lst6.bak
2010-06-23 03:27 . 2009-10-31 19:53 1096 ----a-w- c:\program files\USDownloader.lst7.bak
2010-06-23 02:35 . 2009-10-31 19:53 1029 ----a-w- c:\program files\USDownloader.lst8.bak
2010-06-23 02:04 . 2009-10-31 19:53 1233 ----a-w- c:\program files\USDownloader.lst9.bak
2010-06-22 04:11 . 2008-12-03 00:10 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-18 05:15 . 2009-02-27 19:30 -------- d-----w- c:\program files\DivX
2010-06-15 19:30 . 2008-12-01 15:19 -------- d-----w- c:\programdata\Roxio
2010-06-10 07:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 21:35 . 2008-11-28 18:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-08 21:32 . 2008-11-18 04:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-06 16:43 . 2010-03-07 23:21 -------- d-----w- c:\program files\Minitab 15
2010-06-03 12:13 . 2009-01-31 16:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 12:13 . 2008-11-18 23:52 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 00:34 . 2008-11-19 03:11 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 18:14 . 2009-10-03 05:59 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 14:55 . 2008-11-24 04:03 -------- d-----w- c:\program files\Canon
2010-05-08 19:28 . 2009-04-24 00:47 -------- d-----w- c:\program files\Paint.NET
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 19:06 . 2010-03-31 19:06 143976 ----a-w- c:\users\Elena\AppData\Roaming\Move Networks\uninstall.exe
2010-03-31 19:06 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Elena\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-01-05 17:12 . 2010-01-05 17:12 51354 ----a-w- c:\program files\HotFileCom.bmp
2010-01-05 17:12 . 2010-01-05 17:12 3655 ----a-w- c:\program files\HotFileCom.jpg
2009-10-31 20:14 . 2009-10-31 20:14 655 ----a-w- c:\program files\USDownloader - Shortcut.lnk
2009-10-31 19:47 . 2009-10-31 19:47 506 --sha-w- c:\program files\USDownloader.exe.manifest
2009-05-28 22:32 . 2009-10-31 19:36 530432 ----a-w- c:\program files\USDownloader.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\users\Elena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-6-20 1221928]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-6-8 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c6,2a,bc,0a,80,74,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3557314420-4042277559-3280422289-1000]
"EnableNotificationsRef"=dword:00000001

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-16 916760]
R3 AsAudioDevice_352;AsAudioDevice_352;c:\windows\system32\drivers\AsAudioDevice_352.sys [2009-01-07 16640]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-03 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVG9WD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 19:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{710BD501-5BB5-439B-BE39-2697B243FE11}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\44n3uofq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\users\Elena\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKLM-Run-NWEReboot - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-23 22:29
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-23 22:31:38
ComboFix-quarantined-files.txt 2010-06-24 02:31

Pre-Run: 39,079,727,104 bytes free
Post-Run: 40,237,162,496 bytes free

- - End Of File - - FDA4CA839169BB720EEABA87C7A28A79

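The "Reg Loading Points" section of a ComboFix log like the one posted above is where a rogue-AV autostart would show up, and the same log also records policies\system, where this machine has EnableLUA = 0 (UAC switched off). The following Python checker is an added example for this thread, not ComboFix's own code and not anything the helper ran: it parses that section, lists every Run value, and flags entries whose image lives in a user-writable directory (AppData, ProgramData, Temp, anywhere under Users), entries with no directory at all (resolved through the search path), and a disabled UAC. The SAMPLE_LOG is constructed in ComboFix's format; its values mirror the thread's log except for the "av" entry, which is a hypothetical rogue-AV autostart added only to exercise the check.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log.

Added example for the thread above; not ComboFix's own code.
"""
import re
from collections import namedtuple

AutostartEntry = namedtuple("AutostartEntry", "key name image")

# Constructed sample in ComboFix's output format. Values mirror the log
# posted in the thread; the "av" entry is a hypothetical rogue-AV
# autostart added so the user-writable-path check has something to find.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"av"="c:\users\Elena\AppData\Local\av.exe" [2010-06-20 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")      # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*?)\s*$')  # "Name"=<data>

# Directories a standard user can write to; an autostart pointing here
# is not proof of malware, but it is where rogue AVs usually install.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def _iter_key_values(log_text):
    """Yield (key, name, data) for every quoted value under a [HKEY_...] header.

    ComboFix ends each key's value block with a blank line, so a blank line
    clears the current key; lines outside a key (REGEDIT4, notes) are skipped.
    """
    key = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not line.strip():
            key = None
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)


def parse_autostarts(log_text):
    """Return AutostartEntry objects for every value under a ...\\Run key."""
    entries = []
    for key, name, data in _iter_key_values(log_text):
        if not key.lower().endswith("\\run"):
            continue
        m = re.match(r'"([^"]*)"', data)      # strip the trailing [date size]
        image = m.group(1) if m else data
        entries.append(AutostartEntry(key, name, image))
    return entries


def parse_policies(log_text):
    """Return {value_name: int} for the policies\\system key (EnableLUA etc.)."""
    policies = {}
    for key, name, data in _iter_key_values(log_text):
        if key.lower().endswith("\\policies\\system"):
            m = re.match(r"(\d+)", data)      # data looks like '0 (0x0)'
            if m:
                policies[name] = int(m.group(1))
    return policies


def audit(log_text):
    """Return human-readable findings for entries that deserve a closer look."""
    findings = []
    for e in parse_autostarts(log_text):
        img = e.image.lower()
        if "\\" not in img:
            findings.append(f"autostart '{e.name}' has no directory ({e.image}); "
                            f"resolved via the search path, verify which file wins")
        elif any(d in img for d in USER_WRITABLE):
            findings.append(f"autostart '{e.name}' runs from a user-writable path: {e.image}")
    if parse_policies(log_text).get("EnableLUA", 1) == 0:
        findings.append("UAC is disabled (EnableLUA=0); re-enable it once the machine is clean")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample this reports the path-less WindowsWelcomeCenter entry, the two entries under ProgramData and AppData, and the disabled UAC; the Program Files entries pass. A flagged entry is a prompt to research the file (publisher, hash, on-disk timestamp), not a verdict, which is exactly the per-entry work the helper describes at the top of the thread.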

Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 24th June 2010, 4:07 am

That looks clean to me. How are things running now?


Re: win32 nuqel.e bankerfox.a removal

Post by efey on 24th June 2010, 4:23 am

Great!!! Thank you, Chris, for all your help and concern!!!


Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 24th June 2010, 4:27 am

Hi,

Let's just do one more scan to be sure.

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Re: win32 nuqel.e bankerfox.a removal

Post by efey on 25th June 2010, 6:35 pm

C:\dell\Data from Compaq\Lena\Downloads\DIVX 5.05 Pro + DrDivx + AC3 Codec + Xvid-Codec + KEYGEN.ace probably a variant of Win32/StartPage trojan deleted - quarantined
C:\dell\Data from Compaq\Lena\Food\New Folder\Vinigret_2[1].6.1_Retail.rar probably a variant of Win32/IRCBot trojan deleted - quarantined
C:\dell\Data from Compaq\Lena\Info\Programs\FromOldCPrograms\OldIncoming\GoodNero.Ultra.Edition.v8.0.3.0.MULTILANGUAGE.rar Win32/Toolbar.AskSBar application deleted - quarantined
C:\dell\Data from Compaq\Lena\Info\Programs\FromOldCPrograms\OldIncoming\Nero.Ultra.Edition.Vista.8.0.3.0.PTBR.Serial.by.kgbBrasil.UnitedShare.rar Win32/Toolbar.AskSBar application deleted - quarantined
C:\dell\Data from Compaq\Lena\Info\Programs\FromOldCPrograms\OldIncoming\Nero_Burning_ROM_6.6.0.8_MultiLang_incl_KeyGen.rar probably a variant of Win32/SdBot trojan deleted - quarantined
C:\dell\Data from Compaq\Lena\Music\Modern Antique - Robin-Mc-Kelle.zip Win32/PTCasino application deleted - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Users\Elena\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\5b5d2454-37a2ce50 multiple threats deleted - quarantined
C:\Users\Elena\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\5e8c48de-3a100863 multiple threats deleted - quarantined
C:\Users\Elena\Documents\LimeWire\Saved\music notre dame de paris cd - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Elena\Documents\LimeWire\Saved\music notre dame de paris cd[256k quality].snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Elena\Food\Process_Detector_v3.14.rar probably a variant of Win32/Agent trojan deleted - quarantined


Re: win32 nuqel.e bankerfox.a removal

Post by efey on 25th June 2010, 6:38 pm

I hope everything is OK now!!! Thank you again, Chris!


Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 25th June 2010, 6:45 pm

Hi efey,

That's removed quite a few infected files.

There are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Please note that as long as you are using any form of P2P networking to download files you can anticipate infestations of malware to occur.

P2P file sharing used to be fairly safe. This is no longer true; continue to use P2P sharing at your own risk!

Keep in mind that this practice may be the source of your current malware infestation.

References citing the risk factors of using P2P programs:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

I strongly recommend that you uninstall:

LimeWire


Please let me know how things are running now.


Re: win32 nuqel.e bankerfox.a removal

Post by efey on 25th June 2010, 8:11 pm

Hi Chris! My daughter was using my computer for a while. She is not allowed to be even near it anymore. LimeWire is uninstalled, everything runs fine. Thank you.


Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 25th June 2010, 8:18 pm

Congratulations!! Your PC is all clean!

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger (http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe) to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

=====

To uninstall ComboFix



  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall




(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


There are many things you can do to keep this from happening again. You can think of a computer like a car: it requires basic maintenance to keep it in tip-top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

Cleaning

Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Defragmenting Your Hard Disk

Over time your hard disk can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
right-click My Computer, choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/hard disk, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

Repeat for multiple partitions/hard disks.

System Restore Cleanup Instructions

If you are using Windows ME or XP, it is good to disable and re-enable System Restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way.)
You can find instructions on how to disable and re-enable system restore here:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Reading Tip:
[You must be registered and logged in to see this link.]
Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to close security holes and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if any are found. Reboot your computer if necessary, and revisit the Windows Update and Office Update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update

Alternatively, you can visit the link below to update Windows and Office products.

[You must be registered and logged in to see this link.]

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but installed at another time.
4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
2. Never open emails from unknown senders.
3. Beware of emails that warn about viruses that are spreading, especially those claiming to be from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on SourceForge or Pricelessware.

Surf safely

Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to backup. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
[You must be registered and logged in to see this link.]

Avoid P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Prevent A Re-infection

1. Winpatrol

Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

You can read [You must be registered and logged in to see this link.] if you run into problems.

2. Hosts File

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

This Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

3. Spybot Search and Destroy

Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

4. SiteHound Toolbar

[You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

====

Stand Up and Be Counted ---> [You must be registered and logged in to see this link.]<--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
============================================================
See [You must be registered and logged in to see this link.] for more info about malware and prevention.
Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
Before the thread is archived, do you have any more questions?

Happy surfing and stay clean!

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0
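The Hosts file mechanism described in the post above, as an added example that is not part of Crush's post or of any tool the thread links to: a small Python parser that reads a hosts file, lists the hostnames it sinks to a loopback or null address (the blocking the post describes), and separately flags any hostname mapped to a routable address, because the same file can just as easily redirect a legitimate site elsewhere, which is why a practitioner audits it rather than trusting it blindly. The file contents and domain names below are constructed for the example, not taken from the thread.

```python
"""Audit a Windows/Unix style hosts file: what does it block, what does it redirect?

Constructed example; on Windows the live file is
C:\\Windows\\System32\\drivers\\etc\\hosts and would be read with open() instead.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (the entries and names are made up for the example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# Lines starting with '#' are comments.
127.0.0.1       localhost
::1             localhost
# Blocklist section, as a downloaded blocking hosts file would add it
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org   # 0.0.0.0 is another common sink address
# A mapping to a routable address is what a hosts-file hijack looks like
203.0.113.5  update.antivirus-vendor.example
"""

# Addresses that make a hostname unreachable rather than sending it somewhere.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # no hostname on this line
        try:
            ipaddress.ip_address(parts[0])      # reject lines whose first field is not an IP
        except ValueError:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify(entries: List[Tuple[str, List[str]]]):
    """Split entries into blocked hostnames and (hostname, address) redirections."""
    blocked: List[str] = []
    redirected: List[Tuple[str, str]] = []
    for address, hosts in entries:
        for host in hosts:
            if host == "localhost":
                continue                        # the one name that belongs on loopback
            if address in SINK_ADDRESSES:
                blocked.append(host)
            else:
                redirected.append((host, address))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(blocked)} hostname(s) sunk to a loopback/null address:")
    for host in blocked:
        print("  blocked  ", host)
    for host, address in redirected:
        print("  REDIRECT ", host, "->", address, "(review this entry)")
```

The "redirected" list is the one to read first: a blocking hosts file should produce only sink addresses, so any routable address in that file deserves a look, since redirecting a vendor's update site is a well-known way for malware to keep security software from updating.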

Re: win32 nuqel.e bankerfox.a removal

Post by efey on 25th June 2010, 8:49 pm

I thought I'd uninstalled Limewire, but it's still there; the uninstall shortcut is not working (it opens the program). In Programs and Features it would not show, so I thought it was gone. How do I get rid of the stupid thing?

efey
Novice

Posts : 10
Joined : 2010-06-22
OS : Vista
Points : 23768
Likes : 0

Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 25th June 2010, 8:59 pm

Try this:

[You must be registered and logged in to see this link.]
====

Also, there is evidence of several keygens for DivX on your machine.

Your computer has keygens, which are a form of software piracy. What is so bad about cracks, hacks, pirated software, warez, or keygens?

The most popular cracks or keygens I see are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware," which is a form of spyware, viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but it will also allow malware to potentially take control of your computer.

Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.
======

As a free alternative you could use VLC Player found here:
[You must be registered and logged in to see this link.]

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: win32 nuqel.e bankerfox.a removal

Post by efey on 25th June 2010, 9:58 pm

All those keygens on my computer are at least 5-6 years old. They were transferred to my new computer from my son's old computer with the rest of the files and info. If you can see the name of the directory where it is, it's Dell, and the other is Data from Compaq. But I will clean those folders now. Thanks again. Still can't get rid of stupid Limewire. The rest of it is fine.

efey
Novice

Posts : 10
Joined : 2010-06-22
OS : Vista
Points : 23768
Likes : 0

Re: win32 nuqel.e bankerfox.a removal

Post by Crush on 25th June 2010, 10:14 pm

Hmm...let's see what this makes of it

[You must be registered and logged in to see this link.]

Revo Uninstaller allows you to remove any remnants of programs that normally wouldn't be gone.


Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0
