bankerfox.a and win32/nugel.e viruses


Post by CRC on Thu Jul 08, 2010 3:58 pm

Both of the viruses have appeared on my computer. They will not permit me to use Explorer or Safari to access the internet. I am not able to access any web sites or download any programs. What should I do from here?

CRC

I am sending this from another computer. I will not be with the infected computer until 7 pm Central time, USA.


Last edited by CRC on Thu Jul 08, 2010 4:01 pm; edited 1 time in total (Reason for editing : more info)

CRC
Intermediate
Intermediate

Posts Posts : 106
Joined Joined : 2010-07-08
OS OS : xp
Points Points : 25111
# Likes # Likes : 0


Post by Belahzur on Thu Jul 08, 2010 4:21 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in Firefox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

See if the infected machine can access the internet now.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1
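The "use a proxy server" box that Belahzur's steps uncheck is a value in the per-user Internet Settings registry key, so a setting that keeps coming back can be audited there instead of through the dialog. The following PowerShell script is an added example, not part of the thread or of any tool it names; it reads the documented ProxyEnable, ProxyServer and AutoConfigURL values and lists the user's Run entries, and only clears the proxy when -Reset is passed.

```powershell
# Added example (not from the thread): audit the WinINET proxy settings that the
# LAN Settings dialog edits, and list what starts at logon from the user's hive.
# Read-only unless -Reset is given. PowerShell 2.0 is available for XP SP3.
param([switch]$Reset)

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ProxyFindings {
    $p = Get-ItemProperty -Path $inetKey
    $findings = @()
    if ($p.ProxyEnable -eq 1) {
        # ProxyEnable is the "use a proxy server" checkbox; ProxyServer is the host:port behind it.
        $findings += "ProxyEnable=1, ProxyServer='$($p.ProxyServer)'"
    }
    if ($p.AutoConfigURL) {
        # A PAC URL does not show as the checkbox but redirects traffic just the same.
        $findings += "AutoConfigURL='$($p.AutoConfigURL)'"
    }
    return $findings
}

# @() keeps a single finding from unrolling into a bare string on PowerShell 2.0.
$findings = @(Get-ProxyFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No proxy or PAC script is configured for this user.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Everything listed here runs at every logon; a setting that "comes back" on its
# own is normally being rewritten by one of these. Compare against what you installed.
if (Test-Path $runKey) {
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output "RUN: $($_.Name) = $($_.Value)" }
}

if ($Reset -and $findings.Count -gt 0) {
    # Same effect as unchecking the box in the dialog; if it is checked again after
    # a reboot, the program that re-enables it is still active.
    Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Output 'Proxy settings cleared for this user.'
}
```

Run it once before and once after a reboot: a FINDING that returns between the two runs points at one of the RUN entries rather than at a leftover setting.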


Post by CRC on Fri Jul 09, 2010 12:02 am

Ok... I have tried step one but am unable to connect to the internet. I looked over the steps and my proxy server box was checked again, so I repeated the steps but still no internet.

For some reason the box is checked every time I return to the LAN settings window. It also will not give me the option to click "apply".


Post by CRC on Fri Jul 09, 2010 12:10 am

The proxy server box is checked every time I return to the LAN settings window. When I uncheck it I don't have the option to click "apply".


Post by Belahzur on Fri Jul 09, 2010 12:14 am

Okay, guess we will need to use another method.
Can you download programs from a working machine with internet access and transfer tools across via USB/external hardware?



Post by CRC on Fri Jul 09, 2010 12:23 am

I'm having trouble navigating this site... the only way I can view your response is to back up and select the preview button.

But ok... uhhh, I am on a wireless laptop from work and I don't think I have a cable to connect the two.


Post by CRC on Fri Jul 09, 2010 12:26 am

Will an ethernet cable work?


Post by CRC on Fri Jul 09, 2010 12:34 am

This is frustrating.... I am not viewing any new posts or replies in the forum under this topic.... I know they are there, I'm just not getting them.


Post by CRC on Fri Jul 09, 2010 12:56 am

Let's try this again.... seems to be working now.


Post by CRC on Fri Jul 09, 2010 1:53 am

Belahzur?......Belahzur?


Post by Belahzur on Fri Jul 09, 2010 5:39 pm

Have some patience, I do tend to sleep every now and then you know. Is the site working now?



Post by CRC on Sat Jul 10, 2010 3:09 am

Ok..... still no change on the virus.


Post by CRC on Sat Jul 10, 2010 3:29 am

I have a transfer cable now to help with the solution.


Post by CRC on Sat Jul 10, 2010 6:42 am

I transferred the OTL file via flash drive to the infected computer and tried to run it. I got an error message saying "otl.exe is not a valid win32 application".


Post by CRC on Sat Jul 10, 2010 6:19 pm

Now now...... are you asleep again?


Post by Belahzur on Sat Jul 10, 2010 6:21 pm

Hello.

We need to use the RKill Tool by Grinler

[You must be registered and logged in to see this link.]

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this [You must be registered and logged in to see this link.] if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]
which are renamed copies of rkill.com, and try them instead.

Try OTL now.



Post by CRC on Sat Jul 10, 2010 8:07 pm

I downloaded the rkill program to a flash drive, installed it on the infected computer, and ran the program, which gave me a black box then a white box of the results.

Then I double clicked on the OTL program but the same error message appeared, "Not a valid win32 application".

ARRGH


Post by Belahzur on Sat Jul 10, 2010 9:10 pm

Hello.

Please download [You must be registered and logged in to see this link.] to your desktop

Save all work and close all programs; the next step will stop nearly every process on your computer!

Double click the OTH file and select Kill All Processes, your desktop will go blank

[You must be registered and logged in to see this link.]

Then select Start OTL
OTL will now run

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Copy and paste the contents back here.



Post by CRC on Sun Jul 11, 2010 1:21 am

Not able to start the program..... when I try to open the file I get the security warning, "Application cannot be executed. The file oth.scr is infected. Do you want to activate your antivirus software now?"

This is the same message I get when trying to open any file, including my Ad-Aware and Ad-Watch.

ETA: After playing with the computer I was able to get the OT helper box to stay on the screen long enough to select Kill All Processes, which blanked the desktop. Next I selected Start OTL, which I wasn't sure was running or not; the screen stayed the same. I let the program run all night and the screen is still the same, an empty desktop and the OTL helper box in the upper left corner.

CRC


Post by Belahzur on Sun Jul 11, 2010 8:54 pm

Hello.

Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Try OTL in Safe Mode please.



Post by CRC on Tue Jul 13, 2010 4:00 am

Does not work that way either.

I feel like we're missing something because so many things are not working.

CRC


Post by Belahzur on Tue Jul 13, 2010 10:07 pm

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.
  • Place a blank CD-R disc in to your CD burning drive.
  • Download [You must be registered and logged in to see this link.] and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps [You must be registered and logged in to see this link.]
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.



Post by CRC on Wed Jul 14, 2010 4:11 pm

Ok..... I burned the disc using my non-infected computer (an old 486 that is barely running), so how do I get the REATOGO-X-PE on the desktop of my infected computer in order to follow the rest of the directions?

CRC


Post by Belahzur on Wed Jul 14, 2010 10:52 pm

Hello.
You need to burn the disc with ImgBurn.



Post by CRC on Thu Jul 15, 2010 4:04 am

I don't know what ImgBurn is.


Post by Belahzur on Thu Jul 15, 2010 5:53 pm

Actually, leave booting from disc for now, I've still got some old(er) tricks to use.

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?



Post by CRC on Thu Jul 15, 2010 11:56 pm

I copied the file to my desktop from a flash drive. I right clicked on the icon and selected extract all files. It brought up the extraction wizard window, in which I selected "next" twice, and I get an error message of "no files to extract."

I double clicked on the icon and it gives me an error message of "The compressed (zipped) folder is invalid or corrupted."


Post by CRC on Sat Jul 17, 2010 9:40 pm

What's the next trick up your sleeve?


Post by Sneakyone on Sun Jul 18, 2010 8:07 pm

Hi,

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try OTL.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56084
# Likes # Likes : 0


Post by CRC on Sun Jul 18, 2010 8:55 pm

exeHelper by Raktor
Build 20100414
Run at 15:47:50 on 07/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Is this what you are looking for?

I tried to run otl but got same error message, "otl.exe is not a valid win32 application."
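The exeHelper log above names the settings it resets: the .exe and .com file associations and the Winlogon userinit and shell values. The following PowerShell check is an added example, not part of the thread or of exeHelper; it compares those values on a Windows XP machine against their stock defaults and reports any per-user override of the .exe/.com handlers, so a hijacked handler can be spotted before the next tool is run.

```powershell
# Added example (not from the thread or from exeHelper): compare the values
# exeHelper's log says it resets against their Windows XP defaults. Read-only.
$sysRoot = $env:SystemRoot    # C:\WINDOWS on a stock XP install

# Stock values. A handler hijack replaces the command so some other file runs
# before, or instead of, whatever the user double-clicked.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Value = "$sysRoot\system32\userinit.exe," }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'Explorer.exe' }
)

function Test-ExpectedValues {
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path -LiteralPath $e.Path) {
            $actual = (Get-ItemProperty -LiteralPath $e.Path).($e.Name)
        }
        if ($actual -eq $e.Value) {
            "OK       $($e.Path) [$($e.Name)] = $actual"
        } else {
            "MODIFIED $($e.Path) [$($e.Name)] = '$actual'  (expected '$($e.Value)')"
        }
    }
}

function Test-UserOverrides {
    # HKCR is a merged view in which HKCU\Software\Classes wins over HKLM\SOFTWARE\Classes,
    # so an .exe or exefile entry under the user hive redirects every launch for that
    # account without needing admin rights. A clean XP profile has none of these keys.
    foreach ($name in '.exe', '.com', 'exefile', 'comfile') {
        $userKey = "HKCU:\Software\Classes\$name"
        if (Test-Path -LiteralPath $userKey) {
            "SUSPECT  $userKey exists (per-user override of the $name handler)"
        }
    }
}

Test-ExpectedValues
Test-UserOverrides
```

A MODIFIED or SUSPECT line explains why renaming a tool (rkill.com, commy.exe) can get it to start when the .exe handler is the part that was changed.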


Post by CRC on Sun Jul 18, 2010 9:02 pm

ETA: You know, all this started when I purchased a Belkin wireless router N-150 to replace my Linksys that I thought was broken. The Belkin router would not work correctly with my Dell Inspiron laptop (now the infected computer). After about four calls to their cust serv and many changes to the laptop to accommodate the router, I plugged up my old Linksys and the router was working. So I took back the Belkin to Walmart and about a day later I was infected.


Post by CRC on Sun Jul 18, 2010 9:23 pm

Although I did get the error message from trying to start OTL... my desktop is now blank with the OT helper box.... I selected Start OTL but haven't noticed anything occurring yet.

How long should it take OTL to run if it is running?


Post by Sneakyone on Sun Jul 18, 2010 10:37 pm

Hi,

Please hold CTRL+ALT+DEL and go to Task Manager.

Once in task manager please hit 'New Task' and type 'Explorer.exe' then your desktop should pop back up.

If so, please do this:

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Post by CRC on Sun Jul 18, 2010 11:46 pm

Error message for the name I'm typing in the run box.


Post by Sneakyone on Mon Jul 19, 2010 12:01 am

Hi,

Try typing %windir%\explorer.exe



Post by CRC on Mon Jul 19, 2010 1:04 am

That worked but it brought me to the My Documents window, is that right?

When do I run commy.exe?


Post by Sneakyone on Mon Jul 19, 2010 1:10 am

Hi,

Please run it now.



Post by CRC on Mon Jul 19, 2010 2:19 am

Ok here it is.....


ComboFix 10-07-16.02 - Bubba Clemons 07/18/2010 20:39:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.191 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-07-18 21:13:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 02:13

Pre-Run: 2,367,614,976 bytes free
Post-Run: 5,424,795,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0824F890580C347C2DDA7ACC7C34DA51


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 6:33 am

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==========

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


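The CFScript above targets the two indicators that stand out in the ComboFix log posted earlier in this thread: a browser proxy pointed at the loopback address (`uInternet Settings,ProxyServer = http=127.0.0.1:5577`) and autorun entries that launch an executable from a randomly named folder under the user's `Local Settings\Application Data`. As an added example (not ComboFix's own code and not posted by anyone in this thread), the following Python script reads ComboFix-style log lines and flags exactly those two patterns, so a helper triaging a log can spot them before writing a script. The sample log text is constructed for the example, modelled on the lines in this thread; the `<user>` placeholder stands in for the profile name.

```python
"""Triage helper for ComboFix-style log lines.

Added example: flags (1) a proxy server pointing at the local machine,
which is how a local malware proxy intercepts the browser, and
(2) Run / orphan-Run entries whose target lives in a user-writable
folder such as Local Settings\\Application Data or a Temp directory.
"""
import re
from typing import List, Tuple

# Constructed sample, modelled on the log lines posted in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://start.example.invalid/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
Toolbar-Locked - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-pvgxhhpi - c:\documents and settings\<user>\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\<user>\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"""

# ComboFix prefixes per-user Internet Settings lines with a leading "u".
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
# "ORPHANS REMOVED" style:  HKCU-Run-<name> - <path>
ORPHAN_RUN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>.+?)\s+-\s+(?P<path>.+)$")
# "Reg Loading Points" style:  "<name>"="<path>" [date size]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')

LOOPBACK_PREFIXES = ("127.", "localhost")
# Folders an unprivileged user can write to; persistence from here is suspect.
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)


def proxy_targets(value: str) -> List[Tuple[str, str]]:
    """Split 'http=127.0.0.1:5577;https=host:port' into (scheme, host:port) pairs.

    A bare 'host:port' with no scheme applies to every protocol and is
    reported with scheme '*'.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=")
        if not hostport:
            scheme, hostport = "*", scheme
        pairs.append((scheme, hostport))
    return pairs


def is_loopback(hostport: str) -> bool:
    """True when the proxy host is the local machine (127.x.x.x or localhost)."""
    host = hostport.rsplit(":", 1)[0].strip().lower()
    return host.startswith(LOOPBACK_PREFIXES)


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) tuples for every suspicious line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, hostport in proxy_targets(m.group("value")):
                if is_loopback(hostport):
                    findings.append(("loopback-proxy", f"{scheme}={hostport}"))
            continue
        m = ORPHAN_RUN_RE.match(line) or RUN_VALUE_RE.match(line)
        if m:
            path = m.group("path").strip()
            if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(("autorun-user-writable", path))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_log(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

To run it over a real log, pass the file contents to `scan_log` (ComboFix writes `C:\ComboFix.txt` in the system code page, so open it with `encoding="cp1252", errors="replace"`). The loopback check is deliberately narrow: a proxy at `127.0.0.1` is only suspicious when the user did not install a local filtering proxy themselves, which is why the thread's first reply asked the poster to clear or reconfigure the setting rather than assuming it was malicious.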

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 3:20 pm

On the malware site, the link said page not found... Will this download fit on a 1 GB flash drive?


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 4:39 pm

Here is #2....


ComboFix 10-07-18.03 - Bubba Clemons 07/19/2010 10:19:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.164 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-19 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-19 10:37:43
ComboFix-quarantined-files.txt 2010-07-19 15:37
ComboFix2.txt 2010-07-19 02:13

Pre-Run: 5,435,686,912 bytes free
Post-Run: 5,414,174,720 bytes free

- - End Of File - - 42DD658FFFF0FBCA54D4287B6BE62E3F


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 7:33 pm

Hi,

That CFScript didn't work right; could you please do it again?

As for Malwarebytes, yes it will fit on a flash drive.

Here is the updated set of instructions:

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 8:34 pm

Here are the results from the ComboFix log... I have downloaded the malware from the site suggested but will be away from the computer for a few days. When I get back I will load and run the malware and post those results.

CRC

ComboFix 10-07-19.01 - Bubba Clemons 07/19/2010 15:04:09.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.120 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 19:50 . 2010-07-19 19:50 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-19 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-19 15:27:43
ComboFix-quarantined-files.txt 2010-07-19 20:27
ComboFix2.txt 2010-07-19 15:37
ComboFix3.txt 2010-07-19 02:13

Pre-Run: 5,421,723,648 bytes free
Post-Run: 5,401,247,744 bytes free

- - End Of File - - CFE517975B75356BEB2D8692DCF68A5C



Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 9:56 pm

Hi,

Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt

The reason the CFScript isn't working is that it is not in the same place as ComboFix.

Please save the CFScript to C:\documents and settings\Bubba Clemons\Desktop\CFScript.txt




Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 6:16 pm

Ok... I am back and I ran ComboFix again. Here are the results:

ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 12:36:58.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.107 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 13:04:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 18:04
ComboFix2.txt 2010-07-24 17:29
ComboFix3.txt 2010-07-19 20:27
ComboFix4.txt 2010-07-19 15:37
ComboFix5.txt 2010-07-24 17:35

Pre-Run: 5,333,143,552 bytes free
Post-Run: 5,340,016,640 bytes free

- - End Of File - - D24B6BAB24A909E770E3813699984279


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 6:50 pm

Results from the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 1:44:10 PM
mbam-log-2010-07-24 (13-44-10).txt

Scan type: Quick scan
Objects scanned: 150709
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sat Jul 24, 2010 7:28 pm

Hi,

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 7:35 pm

I get an error message saying:

"An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest)"


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sat Jul 24, 2010 7:38 pm

Hi,

Could you please re-run ComboFix?



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 8:13 pm

Here you go...


ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 14:49:40.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.221 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 17:50 . 2010-07-24 17:50 16384 c:\windows\temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-07-24 15:06:49
ComboFix-quarantined-files.txt 2010-07-24 20:06
ComboFix2.txt 2010-07-24 18:04
ComboFix3.txt 2010-07-24 17:29
ComboFix4.txt 2010-07-19 20:27
ComboFix5.txt 2010-07-24 19:48

Pre-Run: 5,347,381,248 bytes free
Post-Run: 5,330,059,264 bytes free

- - End Of File - - 470B5C9B84867F103110FD68B620028C
