bankerfox.a and win32/nugel.e viruses


Post by CRC on Fri 09 Jul 2010, 2:58 am


Both of the viruses have appeared on my computer. They will not permit me to use Explorer or Safari to access the internet. I am not able to access any web sites or download any programs. What should I do from here?

CRC

I am sending this from another computer; I will not be with the infected computer until 7 pm Central Time, USA.



CRC
Rookie Surfer
Posts : 106
Joined : 2010-07-09
Operating System : xp


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun 25 Jul 2010, 9:56 am

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    KillAll::

    File::
    c:\documents and settings\All Users\SPL*.tmp

    DDS::
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

  5. Referring to the picture above, drag CFScript into ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt.
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun 25 Jul 2010, 1:19 pm

OK.....


ComboFix 10-07-24.01 - Bubba Clemons 07/24/2010 20:42:03.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.175 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 21:13:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 02:12
ComboFix2.txt 2010-07-24 20:06
ComboFix3.txt 2010-07-24 18:04
ComboFix4.txt 2010-07-24 17:29
ComboFix5.txt 2010-07-25 01:38

Pre-Run: 5,336,645,632 bytes free
Post-Run: 5,315,829,760 bytes free

- - End Of File - - 98737A240EACF766858CBADF0E41138B

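A ComboFix log like the one above is easier to triage when it is parsed rather than read by eye. The following Python is an added example, not code from ComboFix or from anyone in this thread: it parses the helper's CFScript (the `KillAll::`/`File::`/`DDS::` directives from the earlier post) and the log's `Files Created`/`Find3M` entries, then reports which entries the `File::` glob would target and which are hidden+system files worth a second look. The attribute-column layout is inferred from the values in this log (an assumption), and the sample lines are copied from it.

```python
# Added example for this thread (not ComboFix code). The 8-character attribute
# column layout ('d' directory, 's' system, 'h' hidden, 'a' archive) is inferred
# from the values in the log above, not from ComboFix documentation.
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The CFScript the helper posted earlier in the thread.
CFSCRIPT = r"""
KillAll::

File::
c:\documents and settings\All Users\SPL*.tmp

DDS::
uInternet Settings,ProxyOverride =
"""

# Constructed sample: five lines copied from the ComboFix log in the thread.
SAMPLE_LOG = r"""
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
"""

# "<modified> . <created> <size or dashes> <8 attribute flags> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) (\S{8}) (.+)$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [argument lines]}; directives end in '::'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_entries(text: str) -> List[Entry]:
    """Parse 'Files Created' / 'Find3M' lines; lines of other shapes are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            modified, created, size, attrs, path = m.groups()
            entries.append(Entry(modified, created,
                                 None if size.startswith("-") else int(size),
                                 attrs, path))
    return entries


def review(entries: List[Entry], script: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(path, reason) pairs: entries a File:: glob would delete, plus hidden+system
    files. The second heuristic is mine and is a prompt to look, not a verdict:
    legitimate software (DRM, licensing) sets those flags too."""
    patterns = [p.lower() for p in script.get("File", [])]
    findings = []
    for e in entries:
        for pat in patterns:
            if fnmatch.fnmatchcase(e.path.lower(), pat):
                findings.append((e.path, "matches File:: pattern " + pat))
        if not e.is_dir and e.hidden_system:
            findings.append((e.path, "hidden+system file"))
    return findings
```

Run `review(parse_entries(open("ComboFix.txt").read()), parse_cfscript(script_text))` over a full log to get the list; the `KillAll::` and `DDS::` sections are parsed but not acted on here.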

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun 25 Jul 2010, 1:56 pm

Hi,

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to the Actions tab >> under the Objects section, change the settings to the below:
      Infected objects - Cure
      Incurable objects - Report
      Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Report incurable (this means take no action; don't "move", "rename" or "delete").
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun 25 Jul 2010, 2:54 pm

Help me understand what all these steps are doing. Are they working?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun 25 Jul 2010, 3:24 pm

Hi,

Yes, they provide the diagnostics, and the removal power to ensure that you will become malware free.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun 25 Jul 2010, 4:00 pm

It's almost through scanning... Which programs of all these we tried will I be deleting, and which will I need to keep, including the logs?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Sun 25 Jul 2010, 4:09 pm

I will give you instructions on cleaning the tools up at the end.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Sun 25 Jul 2010, 4:30 pm

Let me correct myself...the complete scan has started and it looks like it will be a while...We'll continue this tomorrow


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon 26 Jul 2010, 3:20 am

Alright, I await your logs.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon 26 Jul 2010, 11:26 am

OK, believe it or not, it just now finished the complete scan, but when I select "Cure" the only further choices it gives are delete, rename or move, in a small box. What should I do?


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon 26 Jul 2010, 11:27 am

Hi,

Please choose delete.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon 26 Jul 2010, 12:25 pm

OK, when I'm finished and have saved the report to the desktop... how do I exit out of the enhanced protection mode and access the file on the desktop?


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Mon 26 Jul 2010, 12:43 pm

Figured it out...


3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
popcaploader.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Deleted.;
A0772954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807;Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;
A0775077.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP811;Trojan.Click.1487;Deleted.;



Getting closer?

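The DrWeb.csv lines above are easier to interpret once the location of each hit is classified: two of the four sit in System Restore points and one in ComboFix's own quarantine, which bears on the restore-point cleanup the helper does at the end of the thread. The following Python is an added example, not Dr.Web's code or anyone's in this thread; the `name;folder;threat;action;` field order is inferred from the posted lines (an assumption) and the sample rows are copied from them.

```python
# Added example for this thread (not Dr.Web code). Field order
# name;folder;threat;action; is inferred from the four posted lines.
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample: the four DrWeb.csv lines from the post above.
SAMPLE_CSV = r"""
3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
popcaploader.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Deleted.;
A0772954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807;Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;
A0775077.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP811;Trojan.Click.1487;Deleted.;
"""


def parse_drweb(text: str) -> List[Dict[str, object]]:
    """One dict per report row; rows with fewer than four fields are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text.strip()), delimiter=";"):
        if len(fields) < 4 or not fields[0]:
            continue
        name, folder, threat, action = (f.strip() for f in fields[:4])
        rows.append({
            "path": folder + "\\" + name,
            "threat": threat,
            "action": action,
            "incurable": action.startswith("Incurable"),
            "deleted": action.endswith("Deleted."),
        })
    return rows


def classify_location(path: str) -> str:
    """Where a detection sits says whether it was live or an inert copy."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore point"        # inert copy; removed by flushing System Restore
    if low.startswith("c:\\qoobox\\quarantine"):
        return "combofix quarantine"  # already neutralised by ComboFix
    if "\\start menu" in low:
        return "start menu"           # offered to the user on every logon
    return "other"


def summarise(rows: List[Dict[str, object]]) -> Dict[str, object]:
    return {
        "threats": Counter(r["threat"] for r in rows),
        "locations": Counter(classify_location(r["path"]) for r in rows),
        "incurable": sum(1 for r in rows if r["incurable"]),
        "all_deleted": all(r["deleted"] for r in rows),
    }
```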

Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Mon 26 Jul 2010, 4:10 pm

Hi,

One last check.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Tue 27 Jul 2010, 1:31 pm

Internet Explorer closes the page because of the ActiveX.... It sees it as a malicious add-on.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Tue 27 Jul 2010, 2:09 pm

Hi.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Wed 28 Jul 2010, 9:52 am

Here it is....



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, July 27, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, July 27, 2010 00:40:46
    Records in database: 4199703
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 121912
    Threats found: 1
    Infected objects found: 3
    Suspicious objects found: 0
    Scan duration: 06:38:38


    File name / Threat / Threats count
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d Infected: Trojan.Java.ClassLoader.as 3

    Selected area has been scanned.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Wed 28 Jul 2010, 3:02 pm

Hi.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d

    :commands
    [emptytemp]
    [resethosts]
    [reboot]

  • Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Thu 29 Jul 2010, 1:12 am

I'm not sure if I followed your directions correctly.... I double-clicked on OTL and got the same error message as before: "not a win32 application".
Is this the same OTL that I tried downloading early on in this removal process?

ETA: Is the .exe referring to the file name? I'm confused.


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Thu 29 Jul 2010, 5:28 am

Hi.

Odd, could you please download a fresh copy from here: [You must be registered and logged in to see this link.]

And run this first:

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up; press any key to close it once the fix is completed.
  • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
  Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

After you run exeHelper, please run the fix.



Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Thu 29 Jul 2010, 5:39 am

Log results from exeHelper....

    exeHelper by Raktor
    Build 20100414
    Run at 15:47:50 on 07/18/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 13:37:58 on 07/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


Re: bankerfox.a and win32/nugel.e viruses

Post by CRC on Thu 29 Jul 2010, 7:57 am

Results from OTL...

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 169917 bytes

    User: All Users

    User: Bubba Clemons
    ->Temp folder emptied: 107303430 bytes
    ->Temporary Internet Files folder emptied: 21206981 bytes
    ->Java cache emptied: 78134516 bytes
    ->Google Chrome cache emptied: 7991238 bytes
    ->Apple Safari cache emptied: 2369536 bytes
    ->Flash cache emptied: 2708801 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Johanna
    ->Temp folder emptied: 54022 bytes
    ->Temporary Internet Files folder emptied: 36868195 bytes
    ->Flash cache emptied: 853 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Maddie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 16185 bytes
    ->Flash cache emptied: 38804 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Will
    ->Temp folder emptied: 31107434 bytes
    ->Temporary Internet Files folder emptied: 418898 bytes
    ->Java cache emptied: 6101551 bytes
    ->Flash cache emptied: 62746 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 380738 bytes

    Total Files Cleaned = 281.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.9.1 log created on 07282010_134245

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24D0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24DD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2571.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF257E.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25B0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25BD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2628.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2635.tmp not found!
    C:\Documents and Settings\Bubba Clemons\Local Settings\Temporary Internet Files\Content.IE5\04QOHGWJ\bankerfoxa-and-win32-nugele-viruses-t22587-60[1].htm moved successfully.
    File move failed. C:\Documents and Settings\Will\Local Settings\Temp\hsperfdata_Will\3332 scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


Re: bankerfox.a and win32/nugel.e viruses

Post by Sneakyone on Thu 29 Jul 2010, 8:09 am

Hi.

How is your computer running now?



    Re: bankerfox.a and win32/nugel.e viruses

    Post by CRC on Thu 29 Jul 2010, 3:41 pm

    It seems to be running fine...

    I do have a wireless connection problem; I have been using the ethernet cable for connection during the last stages of our problem solving. This was an issue that began before the virus attacks. I will go to the appropriate forum to work that issue out.

    Otherwise what is next?

    CRC

    Rookie Surfer

    Posts : 106
    Joined : 2010-07-09
    Operating System : xp

    Re: bankerfox.a and win32/nugel.e viruses

    Post by Sneakyone on Thu 29 Jul 2010, 4:02 pm

    Hi.

    Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

    Updating System Restore
    Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE.


    You now have a clean restore point.

    To get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The System will do a calculation of temporary/old files, and then display a dialogue box.
    • Select the More Options Tab.
    • At the bottom will be a System Restore box with a CLEANUP button; click this.
    • Accept the Warning and select OK again, the program will close and you are done.


    ========

    Removing the tools
    Now, to remove all of the tools we used and the files and folders they created, please do the following:

    Download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    ============

    Service Pack upgrade
    Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

    More info about SP3: [You must be registered and logged in to see this link.]

    =====

    Update Programs
    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.



    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    =========

    Here are some prevention tips I have provided:

    1. Don't download files from untrusted websites or websites that seem suspicious.

    2. Don't use torrents; they are a good way to get lots of malware.

    3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

    4. Disable autorun (XP or Vista/7).

    5. Always make sure you have the latest Windows updates: windowsupdate.microsoft.com

    6. Don't ever click on the links inside of a popup.

    7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching about it on Google.

    8. Use a Site Advisor so you don't go to sites that will infect you (McAfee SiteAdvisor).

    9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

    10. Always keep your Java and Adobe updated.

    11. Don't fall for Scareware. What is Scareware? It is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

    12. Always have a Firewall and an Antivirus.

    Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

    For more information please visit [You must be registered and logged in to see this link.]


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit
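As an added example, not part of Sneakyone's post or any GeekPolice tool: a PowerShell script that reads the same Uninstall registry keys that Add or Remove Programs displays and lists every Java or Adobe Reader entry, warning when more than one version of a product is still installed. The display-name patterns are an assumption about how those installers name themselves.

```powershell
# Added example (not from the GeekPolice post): list every Java and Adobe
# Reader entry in Add or Remove Programs so leftover old versions can be
# spotted before installing the newest release.
# Add or Remove Programs is built from these Uninstall registry keys
# (the Wow6432Node key only exists on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Display-name patterns (assumption: installers name themselves
# "J2SE Runtime Environment ...", "Java(TM) ...", "Adobe Reader ...").
$patterns = @{
    'Java'         = '^(J2SE Runtime Environment|Java\b)'
    'Adobe Reader' = '^Adobe (Acrobat )?Reader'
}

$found = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in (Get-ChildItem $key)) {
        $p = Get-ItemProperty $sub.PSPath
        if (-not $p.DisplayName) { continue }
        foreach ($product in $patterns.Keys) {
            if ($p.DisplayName -match $patterns[$product]) {
                # New-Object keeps this runnable on PowerShell 2.0 (Windows XP era)
                New-Object PSObject -Property @{
                    Product     = $product
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    Uninstall   = $p.UninstallString
                }
            }
        }
    }
}

$found | Sort-Object Product, Version | Format-Table Product, DisplayName, Version -AutoSize

# More than one entry for a product means an old release is still installed
# and still exploitable; as the post says, it has to be removed by hand.
$found | Group-Object Product | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0}: {1} versions installed - uninstall all but the newest." -f $_.Name, $_.Count)
}
```

Run it from an elevated PowerShell prompt before and after the uninstall step; the Uninstall column shows the command Add or Remove Programs would run for each leftover entry.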
