bankerfox.a and win32/nugel.e viruses


Re: bankerfox.a and win32/nugel.e viruses

Post by Belahzur on Thu Jul 15, 2010 5:53 pm

Actually, leave booting from disc for now, I've still got some old(er) tricks to use.

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?





Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Thu Jul 15, 2010 11:56 pm

I copied the file to my desktop from a flash drive. I right-clicked on the icon and selected "extract all files". It brought up the extraction wizard window, in which I selected "next" twice, and I get an error message of
"no files to extract."

I double-clicked on the icon and it gives me an error message of "The compressed (zipped) folder is invalid or corrupted."


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 17, 2010 9:40 pm

What's the next trick up your sleeve?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 18, 2010 8:07 pm

Hi,

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try OTL.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 18, 2010 8:55 pm

exeHelper by Raktor
Build 20100414
Run at 15:47:50 on 07/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Is this what you are looking for?

I tried to run OTL but got the same error message, "otl.exe is not a valid win32 application."


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 18, 2010 9:02 pm

ETA: You know, all this started when I purchased a Belkin wireless router N-150 to replace my Linksys that I thought was broken. The Belkin router would not work correctly with my Dell Inspiron laptop (now the infected computer). After about four calls to their customer service and many changes to the laptop to accommodate the router, I plugged up my old Linksys and the router was working. So I took the Belkin back to Walmart, and about a day later I was infected.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 18, 2010 9:23 pm

Although I did get the error message from trying to start OTL, my desktop is now blank with the OT helper box. I selected "start OTL" but haven't noticed anything occurring yet.

How long should it take OTL to run, if it is running?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 18, 2010 10:37 pm

Hi,

Please hold CTRL+ALT+DEL and go to Task Manager.

Once in task manager please hit 'New Task' and type 'Explorer.exe' then your desktop should pop back up.

If so, please do this:

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 18, 2010 11:46 pm

I get an error message for the name I'm typing in the Run box.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 12:01 am

Hi,

Try typing %windir%\explorer.exe



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 1:04 am

That worked, but it brought me to the My Documents window. Is that right?

When do I run commy.exe?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 1:10 am

Hi,

Please run it now.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 2:19 am

Ok here it is.....


ComboFix 10-07-16.02 - Bubba Clemons 07/18/2010 20:39:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.191 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-07-18 21:13:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 02:13

Pre-Run: 2,367,614,976 bytes free
Post-Run: 5,424,795,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0824F890580C347C2DDA7ACC7C34DA51


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 6:33 am

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==========

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


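The CFScript in this post targets two indicators from the log posted above: the browser proxy pointed at 127.0.0.1:5577 (a local interception proxy, which is why the DDS:: line clears it) and the Run entries that loaded kfyuxwytssd.exe from the uytxiyaxo folder under Local Settings\Application Data. The triage helper below is an added example, not ComboFix's code and not anything from this thread; it scans ComboFix-style log lines for those two patterns and for a system-binary name sitting outside system32, like the Temp\svchost.exe that the first ComboFix run deleted. The sample lines are constructed from the log posted here with two benign lines added for contrast; the rule names, the list of directories treated as user-writable and the list of binary names checked are assumptions of the example, not ComboFix's own heuristics.

```python
import re

# Constructed sample input: lines in the shape ComboFix prints, copied from the log
# posted in this thread, plus two benign lines so the rules have something to ignore.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
HKCU-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
c:\docume~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe
c:\windows\system32\svchost.exe
"""

# Rule 1: a browser proxy on the loopback interface. Nothing on a home XP box
# listens there unless the user installed a local proxy on purpose; malware uses
# such a proxy to sit between the browser and the network.
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)

# Rule 2: an autorun entry, in the "HKLM-Run-name - path" form ComboFix lists,
# whose program lives in a per-user writable data directory. The directory
# names below are this example's assumption about what counts as suspicious.
AUTORUN_RE = re.compile(r"^(HK(?:LM|CU)-Run-\S+)\s+-\s+(.+)$", re.I)
USER_DATA_RE = re.compile(
    r"\\(local settings\\application data|application data|temp)\\", re.I)

# Rule 3: a file named like a core system binary sitting outside system32.
# The set of names is an assumption of the example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.I)


def triage(log_text):
    """Scan ComboFix-style log text; return a list of (rule, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proxy = PROXY_RE.search(line)
        if proxy:
            findings.append(("loopback-proxy", f"{proxy.group(1)}:{proxy.group(2)}"))
            continue
        autorun = AUTORUN_RE.match(line)
        if autorun:
            name, path = autorun.groups()
            if USER_DATA_RE.search(path):
                findings.append(("autorun-from-user-data", f"{name} -> {path}"))
            continue
        # Anything else is treated as a bare path; look at its file name only.
        leaf = line.rsplit("\\", 1)[-1].lower()
        if leaf in SYSTEM_BINARIES and not SYSTEM_DIR_RE.search(line):
            findings.append(("system-binary-outside-system32", line))
    return findings


def rule_counts(findings):
    """Summarize findings as {rule: count}, for a quick glance at a long log."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run against the sample, the helper reports the proxy once, the two Run entries (HKCU and HKLM) once each, and the Temp\svchost.exe once, while the Dell Support Center entry and the real system32\svchost.exe pass. Each rule is a heuristic, not proof: a deliberately installed local proxy or an updater that starts from Application Data would be flagged too, so the output is a list of lines to look at, not a verdict.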

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 3:20 pm

On the Malwarebytes site, the link said "page not found". Will this download fit on a 1 GB flash drive?


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 4:39 pm

Here is #2....


ComboFix 10-07-18.03 - Bubba Clemons 07/19/2010 10:19:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.164 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-19 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-19 10:37:43
ComboFix-quarantined-files.txt 2010-07-19 15:37
ComboFix2.txt 2010-07-19 02:13

Pre-Run: 5,435,686,912 bytes free
Post-Run: 5,414,174,720 bytes free

- - End Of File - - 42DD658FFFF0FBCA54D4287B6BE62E3F


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 7:33 pm

Hi,

That CFScript didn't work right; could you please do it again?

As for Malwarebytes, yes it will fit on a flash drive.

Here is the updated set of instructions:

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].


Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 19, 2010 8:34 pm

Here are the results from the ComboFix log... I have downloaded the malware from the site suggested but will be away from the computer for a few days. When I get back I will run the malware and post those results.

CRC

ComboFix 10-07-19.01 - Bubba Clemons 07/19/2010 15:04:09.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.120 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 19:50 . 2010-07-19 19:50 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-19 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-19 15:27:43
ComboFix-quarantined-files.txt 2010-07-19 20:27
ComboFix2.txt 2010-07-19 15:37
ComboFix3.txt 2010-07-19 02:13

Pre-Run: 5,421,723,648 bytes free
Post-Run: 5,401,247,744 bytes free

- - End Of File - - CFE517975B75356BEB2D8692DCF68A5C



Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 19, 2010 9:56 pm

Hi,

Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt

The reason the CFScript isn't working is that it is not in the same place as ComboFix.

Please save the CFScript to C:\documents and settings\Bubba Clemons\Desktop\CFScript.txt



I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 6:16 pm

OK... I am back and I ran ComboFix again; here are the results...

ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 12:36:58.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.107 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 13:04:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 18:04
ComboFix2.txt 2010-07-24 17:29
ComboFix3.txt 2010-07-19 20:27
ComboFix4.txt 2010-07-19 15:37
ComboFix5.txt 2010-07-24 17:35

Pre-Run: 5,333,143,552 bytes free
Post-Run: 5,340,016,640 bytes free

- - End Of File - - D24B6BAB24A909E770E3813699984279

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 6:50 pm

Results from the Malwarebytes scan....

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 1:44:10 PM
mbam-log-2010-07-24 (13-44-10).txt

Scan type: Quick scan
Objects scanned: 150709
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sat Jul 24, 2010 7:28 pm

Hi, Smile

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


I'm livin' life in the fast lane.

Sneakyone

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 7:35 pm

I get an error message saying,

"An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest)"

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sat Jul 24, 2010 7:38 pm

Hi,

Could you please re-run ComboFix. Smile


I'm livin' life in the fast lane.

Sneakyone

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sat Jul 24, 2010 8:13 pm

Here you go...


ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 14:49:40.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.221 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 17:50 . 2010-07-24 17:50 16384 c:\windows\temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-07-24 15:06:49
ComboFix-quarantined-files.txt 2010-07-24 20:06
ComboFix2.txt 2010-07-24 18:04
ComboFix3.txt 2010-07-24 17:29
ComboFix4.txt 2010-07-19 20:27
ComboFix5.txt 2010-07-24 19:48

Pre-Run: 5,347,381,248 bytes free
Post-Run: 5,330,059,264 bytes free

- - End Of File - - 470B5C9B84867F103110FD68B620028C

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sat Jul 24, 2010 10:56 pm

Hi, Smile

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\documents and settings\All Users\SPL*.tmp

    DDS::
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.

Sneakyone
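As an added example (not tool output or code from this thread), a small Python triage script for the ComboFix file-listing lines posted above and for checking which logged entries a CFScript `File::` line such as `c:\documents and settings\All Users\SPL*.tmp` would select. The decoding of the eight-character attribute column (d, s, h, a flags and r for read-only) is my assumption inferred from the sample lines, not ComboFix documentation, and the log lines in the script are constructed in the style of the thread.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of the ComboFix "Files Created" / "Find3M Report"
# sections posted in this thread. Raw string: backslashes are literal.
SAMPLE_LOG = r"""
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
scanning hidden files ...
"""

# One file-listing line: <modified> . <created> <size|--------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[A-Za-z-]{8}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None when ComboFix prints "--------" (directories)
    attrs: str            # the eight-character attribute column as printed
    path: str

    # Assumed decoding of the attribute column, inferred from the sample lines:
    # column 0 'd' = directory, 2 's' = system, 3 'h' = hidden, 4 'a' = archive,
    # column 6 'w' = writable or 'r' = read-only. Not from ComboFix documentation.
    @property
    def is_directory(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def is_read_only(self) -> bool:
        return self.attrs[6] == "r"


def parse_log(text: str) -> List[Entry]:
    """Return the file-listing entries; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) carrying both the hidden and system attributes.

    Legitimate software rarely sets both on a file under system32, so these
    are the first entries a helper would look at in a log like the one above.
    """
    return [e for e in entries if not e.is_directory and e.is_hidden and e.is_system]


def match_file_directive(entries: List[Entry], pattern: str) -> List[Entry]:
    r"""Entries a CFScript File:: line would select.

    The glob is matched case-insensitively, as Windows paths are, so this shows
    which logged files a directive such as
    c:\documents and settings\All Users\SPL*.tmp actually covers.
    """
    pat = pattern.lower()
    return [e for e in entries if fnmatch.fnmatchcase(e.path.lower(), pat)]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(f"{len(found)} entries parsed")
    for e in hidden_system_files(found):
        ro = "read-only" if e.is_read_only else "writable"
        print(f"hidden+system: {e.path} ({e.size} bytes, {ro}, created {e.created})")
    for e in match_file_directive(found, r"c:\documents and settings\All Users\SPL*.tmp"):
        print(f"File:: directive would select {e.path} ({e.size} bytes)")
```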

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 25, 2010 2:19 am

OK.....


ComboFix 10-07-24.01 - Bubba Clemons 07/24/2010 20:42:03.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.175 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 21:13:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 02:12
ComboFix2.txt 2010-07-24 20:06
ComboFix3.txt 2010-07-24 18:04
ComboFix4.txt 2010-07-24 17:29
ComboFix5.txt 2010-07-25 01:38

Pre-Run: 5,336,645,632 bytes free
Post-Run: 5,315,829,760 bytes free

- - End Of File - - 98737A240EACF766858CBADF0E41138B

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 25, 2010 2:56 am

Hi, Smile

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad).. Do NOT reboot the computer yet..


I'm livin' life in the fast lane.

Sneakyone

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 25, 2010 3:54 am

Help me understand what all these steps are doing. Are they working?

CRC

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 25, 2010 4:24 am

Hi, Smile

Yes, they provide the diagnostics, and the removal power to ensure that you will become malware free.


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 25, 2010 5:00 am

It's almost through scanning... Which of all these programs we tried will I be deleting, and which will I need to keep, including the logs?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 25, 2010 5:09 am

I will give you instructions on cleaning the tools up at the end. Smile


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun Jul 25, 2010 5:30 am

Let me correct myself... the complete scan has started and it looks like it will be a while... We'll continue this tomorrow.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun Jul 25, 2010 4:20 pm

Alright, I await your logs. Smile


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 26, 2010 12:26 am

Ok, believe it or not, it just now finished the complete scan, but when I select "cure" the only further choices it gives are delete, rename or move, in a small box. What should I do?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 26, 2010 12:27 am

Hi, Smile

Please choose delete. Right On!


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 26, 2010 1:25 am

Ok, when I'm finished and have saved the report to the desktop... how do I exit out of the enhanced protection mode and access the file on the desktop?


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon Jul 26, 2010 1:43 am

Figured it out...


3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
popcaploader.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Deleted.;
A0772954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807;Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;
A0775077.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP811;Trojan.Click.1487;Deleted.;



Getting closer?


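The DrWeb.csv lines CRC posted above are one record per line, ';'-separated (file name, folder, detection name, action chain). As an added example, not code from the thread or from Dr.Web, the parser below triages such a report the way a helper would read it: it separates live hits from quarantine and restore-point copies and flags when the restore points need purging, which is the reason the System Restore cleanup appears later in the thread. The four sample records are CRC's own lines, embedded as constructed input; the location classes and the Qoobox note are this example's assumptions.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv). One record per line, fields
separated by ';' with a trailing ';': file name; folder; detection; action
chain. The chain lists every outcome in order, so "Incurable.Incurable.Deleted."
means two failed cure attempts followed by deletion."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the four records CRC posted, copied as-is.
SAMPLE_CSV = r"""
3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
popcaploader.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Deleted.;
A0772954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807;Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;
A0775077.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP811;Trojan.Click.1487;Deleted.;
"""

# XP stores restore-point copies under _restore{GUID}\RPnnn: a detection there
# means applying that restore point later would bring the infection back.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+", re.IGNORECASE)
# Quarantine folders hold copies already neutralised by another tool
# (C:\Qoobox\Quarantine is ComboFix's quarantine folder).
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.IGNORECASE)


@dataclass
class Detection:
    name: str
    folder: str
    threat: str
    actions: list  # e.g. ["Incurable", "Incurable", "Deleted"]

    @property
    def final_action(self) -> str:
        return self.actions[-1] if self.actions else ""


def classify_location(folder: str) -> str:
    """Where the object lived: restore_point, quarantine or live (anything else)."""
    if RESTORE_POINT_RE.search(folder):
        return "restore_point"
    if QUARANTINE_RE.search(folder):
        return "quarantine"
    return "live"


def parse_drweb_csv(text: str) -> list:
    """Parse records; lines without exactly four fields are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip(";").split(";")  # drop the trailing ';' first
        if len(fields) != 4:
            continue
        name, folder, threat, chain = fields
        records.append(Detection(name, folder, threat, [a for a in chain.split(".") if a]))
    return records


def summarize(records: list) -> dict:
    """The counts a helper wants before deciding the next step in the thread."""
    by_location = Counter(classify_location(r.folder) for r in records)
    return {
        "total": len(records),
        "final_action": dict(Counter(r.final_action for r in records)),
        "by_location": dict(by_location),
        # Live hits (not a quarantine or restore-point copy) are the real finds.
        "live_hits": [r.name for r in records if classify_location(r.folder) == "live"],
        # Any hit inside a restore point makes the System Restore cleanup at the
        # end of the thread mandatory rather than optional.
        "needs_restore_point_purge": by_location["restore_point"] > 0,
        "cure_failed": [r.name for r in records if "Incurable" in r.actions],
    }
```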
Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon Jul 26, 2010 5:10 am

Hi, Smile

One last check. Right On!

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Tue Jul 27, 2010 2:31 am

Internet Explorer closes the page because of the ActiveX... it sees it as a malicious add-on.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Tue Jul 27, 2010 3:09 am

Hi.

Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Tue Jul 27, 2010 10:52 pm

Here it is....



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, July 27, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, July 27, 2010 00:40:46
    Records in database: 4199703
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 121912
    Threats found: 1
    Infected objects found: 3
    Suspicious objects found: 0
    Scan duration: 06:38:38


    File name / Threat / Threats count
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d Infected: Trojan.Java.ClassLoader.as 3

    Selected area has been scanned.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Wed Jul 28, 2010 4:02 am

Hi.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d

    :commands
    [emptytemp]
    [resethosts]
    [reboot]

  • Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


    I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Wed Jul 28, 2010 2:12 pm

I'm not sure if I followed your directions correctly... I double clicked on OTL and got the same error message as before: "not a win32 application".
Is this the same OTL that I tried downloading early on in this removal process?

ETA: Is the .exe referring to the file name? I'm confused Whoa!


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Wed Jul 28, 2010 6:28 pm

Hi.

Odd, could you please download a fresh copy from here: [You must be registered and logged in to see this link.]

And run this first:

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up; press any key to close once the fix is completed.
  • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com)
  Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

After you run exeHelper, please run the fix.


    I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Wed Jul 28, 2010 6:39 pm

Log results from exeHelper....

    exeHelper by Raktor
    Build 20100414
    Run at 15:47:50 on 07/18/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 13:37:58 on 07/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Wed Jul 28, 2010 8:57 pm

Results from OTL...

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 169917 bytes

    User: All Users

    User: Bubba Clemons
    ->Temp folder emptied: 107303430 bytes
    ->Temporary Internet Files folder emptied: 21206981 bytes
    ->Java cache emptied: 78134516 bytes
    ->Google Chrome cache emptied: 7991238 bytes
    ->Apple Safari cache emptied: 2369536 bytes
    ->Flash cache emptied: 2708801 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Johanna
    ->Temp folder emptied: 54022 bytes
    ->Temporary Internet Files folder emptied: 36868195 bytes
    ->Flash cache emptied: 853 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Maddie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 16185 bytes
    ->Flash cache emptied: 38804 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Will
    ->Temp folder emptied: 31107434 bytes
    ->Temporary Internet Files folder emptied: 418898 bytes
    ->Java cache emptied: 6101551 bytes
    ->Flash cache emptied: 62746 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 380738 bytes

    Total Files Cleaned = 281.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.9.1 log created on 07282010_134245

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24D0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24DD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2571.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF257E.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25B0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25BD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2628.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2635.tmp not found!
    C:\Documents and Settings\Bubba Clemons\Local Settings\Temporary Internet Files\Content.IE5\04QOHGWJ\bankerfoxa-and-win32-nugele-viruses-t22587-60[1].htm moved successfully.
    File move failed. C:\Documents and Settings\Will\Local Settings\Temp\hsperfdata_Will\3332 scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


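Sneakyone's OTL fix script (the :Files and :commands block a few posts up) and the fix log CRC posted above are two halves of one check: did every requested action actually happen? As an added example, not code from the thread or from OldTimer's OTL, the script below reconciles the two, treating a "scheduled to be moved on reboot" line as the reboot case the instructions warn about. Both sample inputs are constructed from the posted text (the log abridged to its relevant lines); the status names are this example's own.

```python
"""Reconcile an OTL fix script with the fix log OTL writes afterwards. The script's
":Files" section lists paths to move and ":commands" lists directives such as
[emptytemp] and [resethosts]; the log reports each path and confirms the commands."""
import re

# Constructed sample input: the fix script Sneakyone posted.
SAMPLE_SCRIPT = r"""
:Files
C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d

:commands
[emptytemp]
[resethosts]
[reboot]
"""

# Constructed sample input: the relevant lines of the fix log CRC posted, abridged.
SAMPLE_LOG = r"""
========== FILES ==========
C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d moved successfully.
Total Files Cleaned = 281.00 mb
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24D0.tmp not found!
File move failed. C:\Documents and Settings\Will\Local Settings\Temp\hsperfdata_Will\3332 scheduled to be moved on reboot.
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found!$")
PENDING_RE = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
CLEANED_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")


def parse_script(script: str) -> dict:
    """Return {'files': [paths], 'commands': [directives]} from a fix script."""
    section, out = None, {"files": [], "commands": []}
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in (":files", ":commands"):
            section = line.lower().lstrip(":")
        elif section:
            out[section].append(line if section == "files" else line.lower())
    return out


def parse_log(log: str) -> dict:
    """Map each path the log names (lower-cased) to a status and note the commands."""
    files, info = {}, {"hosts_reset": False, "cleaned_mb": None}
    for raw in log.splitlines():
        line = raw.strip()
        if m := MOVED_RE.match(line):
            files[m["path"].lower()] = "moved"
        elif m := NOT_FOUND_RE.match(line):
            files[m["path"].lower()] = "not_found"
        elif m := PENDING_RE.match(line):
            files[m["path"].lower()] = "pending_reboot"
        elif m := CLEANED_RE.match(line):
            info["cleaned_mb"] = float(m["mb"])
        elif line == "HOSTS file reset successfully":
            info["hosts_reset"] = True
    return {"files": files, "info": info}


def reconcile(script: str, log: str) -> dict:
    """A target the log never mentions is 'unreported': a reason to ask for a re-run."""
    want, got = parse_script(script), parse_log(log)
    files = {p: got["files"].get(p.lower(), "unreported") for p in want["files"]}
    checks = {"[emptytemp]": got["info"]["cleaned_mb"] is not None,
              "[resethosts]": got["info"]["hosts_reset"]}
    commands = {c: checks[c] for c in want["commands"] if c in checks}
    # Any "scheduled to be moved on reboot" line means the fix is unfinished until a restart.
    pending = [p for p, s in got["files"].items() if s == "pending_reboot"]
    return {
        "files": files,
        "commands": commands,
        "reboot_needed": bool(pending),
        "complete": all(s == "moved" for s in files.values()) and all(commands.values()),
    }
```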
Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Wed Jul 28, 2010 9:09 pm

Hi.

How is your computer running now?


    I'm livin' life in the fast lane.


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Thu Jul 29, 2010 4:41 am

It seems to be running fine...

I do have a wireless connection problem; I have been using the ethernet cable for connection during the last stages of our problem solving. This was an issue that began before the virus attacks. I will go to the appropriate forum to work that issue out.

Otherwise, what is next?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Thu Jul 29, 2010 5:02 am

Hi.

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System Tools > System Restore.
  • On the dialogue box that appears, select Create a Restore Point
  • Click NEXT
  • Enter a name, e.g. Clean
  • Click CREATE.

You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C
  • Click OK
  • The system will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done.

========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader, since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java, since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching about it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. [You must be registered and logged in to see this link.]

9. Also, there are many holes and flaws in Internet Explorer; I recommend using [You must be registered and logged in to see this link.] to keep you safer.

10. Always keep your [You must be registered and logged in to see this link.] and Adobe updated.

11. Don't fall for Scareware. What is Scareware? It is a website made to download a rogue Antivirus onto your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and an Antivirus.

Thanks for choosing GeekPolice; see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


    I'm livin' life in the fast lane.

