Win32/Nuqel.E and Bankerfox.A


Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Tue 20 Jul 2010, 3:50 pm

I have both of the viruses listed above on my laptop. I can't do anything with my computer without pop-ups saying I have infected files, to the point where I cannot execute any file. The only thing that seems to be unaffected is Mozilla Firefox. I cannot run any spyware or removal programs or access my Control Panel. I also have Internet Explorer popping up with ad sites.

ipaultexas
Newbie Surfer
Posts : 25
Joined : 2010-07-20
Operating System : Windows Xp

Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Tue 20 Jul 2010, 3:55 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

==================================

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.



~DMJ
GeekPolice Academy Manager

DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Tue 20 Jul 2010, 4:16 pm

I can launch RKill for about a second, then this pops up: "Security warning. Application cannot be executed. The file rkill.scr is infected. Do you want to download your antivirus software now?" The software it shows me is Antivir Solution Pro.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Tue 20 Jul 2010, 4:33 pm

This just popped up:
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-Stealing attack, a trojan-dropper or similar.
DETAILS
Attack From: 136.12.148.184 Port 8577
Attacked Port:22312
Threat: BankerFox.E

This is the first of two; the other one has the same header about the "Infiltration Alert" but the IP and other info is as follows.

Attack From: 97.110.99.95 Port 50351
Attacked port: 47396
Threat: Win32/Nuqel.E


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Tue 20 Jul 2010, 4:49 pm

I got rkill to launch and it is running now.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 12:52 am

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Ian on 07/20/2010 at 8:49:55.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\ian\My Documents\Downloads\rkill(2).com


Rkill completed on 07/20/2010 at 8:50:05.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 2:06 am

It came back, so I ran RKill again and this is the second log.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Ran as Ian on 07/20/2010 at 10:04:26.



Processes terminated by Rkill or while it was running:


C:\Documents and Settings\ian\Local Settings\Application Data\bpjuvqknk\bgmbpivtssd.exe
C:\Documents and Settings\ian\Start Menu\Programs\Startup\netbhl32.exe
C:\Documents and Settings\ian\My Documents\Downloads\rkill(7).com
C:\Documents and Settings\ian\Local Settings\Temp\274.tmp\pev.rkexe
C:\Documents and Settings\ian\Local Settings\Temp\273.tmp\nircmdc.rkexe


Rkill completed on 07/20/2010 at 10:04:39.


Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Wed 21 Jul 2010, 5:55 am

Now, try ComboFix.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 8:11 am

An error saying "Some files could not be created. Please close all applications, reboot Windows and restart this installation." Should I reboot? I am on Mozilla, not Internet Explorer, if that matters.


Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Wed 21 Jul 2010, 2:25 pm

Try rebooting and see if it helps.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 3:23 pm

Rebooting made it come back, so I ran RKill again and here is the log. I will try to run ComboFix again and see what happens.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Ian on 07/20/2010 at 23:20:54.


Processes terminated by Rkill or while it was running:



Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 3:34 pm

ComboFix started to run and gave me the disclaimer; I clicked yes, then it closed and gave me the same error from before.


Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Wed 21 Jul 2010, 4:41 pm

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Wed 21 Jul 2010, 5:47 pm

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/21/2010 1:37:23 AM
mbam-log-2010-07-21 (01-37-23).txt

Scan type: Quick scan
Objects scanned: 161876
Time elapsed: 26 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bopnxhgs (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bopnxhgs (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0a2fb12-45b7-4c87-9128-197ef0c0112d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0a2fb12-45b7-4c87-9128-197ef0c0112d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af723207-ce0c-46f4-be51-91ad4d3a2a7a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c4c4e819-fdf3-4b2a-bae1-1518d70316e4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c4c4e819-fdf3-4b2a-bae1-1518d70316e4}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\ian\Local Settings\Temp\wz6247\IK.Multimedia.AmpliTube.Fender.v1.1.VST.RTAS.Incl.KeyGen-DYNAMiCS\KeyGen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\ian\Local Settings\Application Data\bpjuvqknk\bgmbpivtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.


Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Wed 21 Jul 2010, 7:53 pm

Flush DNS Cache

You have DNS Cache Poisoning, which is a form of attack that causes your Internet browsing to be redirected to a rogue DNS server. Read more here

  • Click Start > Run, type in cmd and hit OK.
  • Enter in this exactly: ipconfig /flushdns
  • Exit Command Prompt.

Now, please try ComboFix, and see if it works.

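Added example, not part of this thread and not code from RKill, ComboFix or Malwarebytes: the RKill note earlier in the thread warns that killing processes leaves the autostart entries in place, and the Malwarebytes log just above shows what those entries looked like here: NameServer and DhcpNameServer values rewritten to 93.188.162.54 and 93.188.161.184 on several interfaces, Run entries under HKLM and HKCU pointing into the user profile, and (in the ComboFix report further down) a scheduled task f00fa74b.job and an Internet Explorer proxy of http=127.0.0.1:5643. `ipconfig /flushdns` empties cached answers only; the resolver addresses live in the registry values audited below, so a check like this one, run after cleanup, confirms they are gone. It assumes PowerShell is installed on the host and that the `$AllowedDns` list, which is a placeholder, is edited to the resolvers your network actually uses.

```powershell
# Added example (not from the GeekPolice thread): post-cleanup audit of
# resolver settings, the WinINET proxy, and common autostart locations.
# Assumes PowerShell is available on the host.

# Resolvers you expect to see. Placeholder values: edit for your ISP/router.
$AllowedDns = @('192.168.1.1', '8.8.8.8')

# 1. Per-interface resolver settings. A DNS changer rewrites NameServer and
#    DhcpNameServer here; flushing the DNS cache does not touch these values.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$paths = @($tcpip) + @(Get-ChildItem "$tcpip\Interfaces" | ForEach-Object { $_.PSPath })
foreach ($p in $paths) {
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $val = $props.$name
        if ([string]::IsNullOrEmpty($val)) { continue }
        # Values are comma- or space-separated IPv4 addresses.
        foreach ($ip in ($val -split '[ ,]+')) {
            if ($ip -and ($AllowedDns -notcontains $ip)) {
                Write-Warning "Unexpected resolver $ip in $p ($name)"
            }
        }
    }
}

# 2. WinINET proxy. A loopback proxy (e.g. 127.0.0.1:<port>) lets rogue AV
#    sit between the browser and the network to block sites and inject alerts.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer) {
    Write-Warning "Proxy configured: $($inet.ProxyServer) (ProxyEnable=$($inet.ProxyEnable))"
}

# 3. Autostart locations: Run/RunOnce keys for machine and current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $cmd = [string]$_.Value
            # Entries launched from profile or temp directories deserve a look;
            # installed software normally runs from Program Files or System32.
            if ($cmd -match '(?i)\\(Local Settings|Application Data|Temp|AppData)\\') {
                Write-Warning "Run entry '$($_.Name)' in $k -> $cmd"
            } else {
                Write-Output "Run entry '$($_.Name)' in $k -> $cmd"
            }
        }
}

# 4. Startup folders (resolved from Shell Folders so the paths are right on
#    both XP-style and newer profile layouts) and the legacy Tasks folder.
$userShell = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$allShell  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
foreach ($dir in @($userShell.Startup, $allShell.'Common Startup')) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "Startup item: $($_.FullName)" }
}

Get-ChildItem "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "Scheduled task: $($_.Name) (modified $($_.LastWriteTime))" }
```

Run it from an elevated PowerShell prompt and read the warnings first: any resolver outside `$AllowedDns`, any proxy you did not configure, and any Run entry or Startup item living under the user profile is something to account for before declaring the machine clean. The plain `Write-Output` lines are the baseline of legitimate autostarts, worth saving so a later run can be diffed against it.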

Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Thu 22 Jul 2010, 1:25 pm

Flushed DNS but ComboFix still will not run.


Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Thu 22 Jul 2010, 6:02 pm

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try it again.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Sat 24 Jul 2010, 8:21 am

OK, I will try that.


Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Sat 24 Jul 2010, 12:50 pm

ComboFix 10-07-23.02 - Ian 07/23/2010 20:37:18.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.317 [GMT -5:00]
Running from: c:\documents and settings\ian\My Documents\Downloads\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\system32\bootetup.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bbarsis\g2mdlhlpx.exe
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome.manifest
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome\content\_cfg.js
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome\content\overlay.xul
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\install.rdf
c:\windows\aheyivoq.dll
c:\windows\ajemejesuxitoke.dll
c:\windows\axuxilexexexivu.dll
c:\windows\ofabavuk.dll
c:\windows\system32\ernel32.dll
c:\windows\system32\msvcsv60.dll
c:\windows\uqoyucuc.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-20 14:39 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll
2010-07-20 14:28 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll
2010-07-20 04:03 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll
2010-07-20 02:18 . 2010-07-20 04:22 2811 ----a-w- c:\windows\Isifobubobo.dat
2010-07-20 02:18 . 2010-07-20 02:18 0 ----a-w- c:\windows\Dvemanesu.bin
2010-07-20 02:17 . 2010-07-21 06:37 -------- d-----w- c:\documents and settings\ian\Local Settings\Application Data\bpjuvqknk
2010-07-20 02:17 . 2010-07-24 01:42 767488 ----a-w- c:\windows\system32\drivers\xfdkcrk.sys
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 21:08 . 2010-07-21 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 11:35 . 2010-07-22 11:35 47616 ----a-w- c:\windows\system32\bootetup.dll.vir
2010-07-20 13:55 . 2010-06-21 00:38 -------- d-----w- c:\documents and settings\ian\Application Data\uTorrent
2010-07-04 02:45 . 2010-05-30 03:25 -------- d-----w- c:\program files\SopCast
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-21 01:19 . 2010-06-21 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ARPPRODUCTICON.exe
2010-05-30 05:51 . 2010-05-30 05:51 40960 ----a-w- c:\windows\charkrnl.dll.vir
2010-05-30 05:51 . 2010-05-30 05:51 4 ----a-w- c:\documents and settings\LocalService\Application Data\czyiwa.dat
2010-05-30 05:49 . 2008-07-09 14:39 -------- d-----w- c:\program files\Google
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Microsoft
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\MSN Toolbar
2010-05-30 03:11 . 2010-05-30 03:11 40960 ---ha-w- c:\windows\system32\charkrnl.dll
2010-05-30 02:48 . 2010-05-30 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-28 05:00 . 2010-05-28 05:00 503808 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcp71.dll
2010-05-28 05:00 . 2010-05-28 05:00 348160 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcr71.dll
2010-05-28 05:00 . 2010-05-28 05:00 499712 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\jmc.dll
2010-05-07 22:22 . 2009-12-25 21:04 68648 ----a-w- c:\documents and settings\ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:39 . 2010-07-21 05:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-07-21 05:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 04:18 . 2009-10-04 03:44 32 ----a-w- c:\windows\msocreg32.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 149280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-06-13 525592]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-08-27 124184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-2-1 6144]
WinZip Quick Pick.lnk - c:\program files\Winzip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [10/10/2007 9:58 AM 43640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 8:23 PM 135664]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 11:59 AM 1047880]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 11:07 PM 113152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/20/2010 8:22 PM 14424]
S3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 3:18 PM 20352]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 3:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 3:36 PM 142976]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 11:18 AM 10064]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - xfdkcrk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-24 c:\windows\Tasks\f00fa74b.job
- c:\documents and settings\ian\Application Data\f00fa74b.exe [2010-06-23 02:39]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009Core.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009UA.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {7D12A6AE-8F73-4FFF-824B-41EEE98AB37B} - [You must be registered and logged in to see this link.]
DPF: {D7967FA2-F1F9-420D-A49E-9249309056A2} - [You must be registered and logged in to see this link.]
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\ian\Application Data\Mozilla\Firefox\Profiles\w5z8jv77.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\ian\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sta - lkvkp.dll
HKLM-Run-Nqawoqoziyi - c:\windows\axuxilexexexivu.dll
HKU-Default-RunOnce-3014026 - c:\documents and settings\NetworkService\Local Settings\Application Data\30286208.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-23 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xfdkcrk]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-07-23 20:45:42
ComboFix-quarantined-files.txt 2010-07-24 01:45

Pre-Run: 6,333,202,432 bytes free
Post-Run: 8,091,729,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14A68B26E7ABD5FDD980B42585A2E8BF

ipaultexas
Newbie Surfer
Posts : 25
Joined : 2010-07-20
Operating System : Windows Xp

Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Sat 24 Jul 2010, 2:01 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Download the CFScript from the attachment below. Save it to your Desktop.
  • Drag the downloaded CFScript.txt into ComboFix


  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


~DMJ
GeekPolice Academy Manager

DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Sat 24 Jul 2010, 3:19 pm

ComboFix 10-07-23.02 - Ian 07/23/2010 22:58:52.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.263 [GMT -5:00]
Running from: c:\documents and settings\ian\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\ian\My Documents\Downloads\CFscript.txt

FILE ::
"c:\windows\Dvemanesu.bin"
"c:\windows\Isifobubobo.dat"
"c:\windows\system32\charkrnl.dll"
"c:\windows\system32\drivers\xfdkcrk.sys"
"c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ian\Local Settings\Application Data\bpjuvqknk
c:\windows\Dvemanesu.bin
c:\windows\Isifobubobo.dat
c:\windows\system32\charkrnl.dll
c:\windows\system32\drivers\xfdkcrk.sys
c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll
c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll
c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_xfdkcrk
-------\Service_xfdkcrk


((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 04:06 . 2010-07-24 04:06 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-07-24 04:06 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c9sKUO3.dll
2010-07-24 02:00 . 2010-07-24 02:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-22 11:35 . 2010-07-22 11:35 47616 ----a-w- c:\windows\system32\bootetup.dll
2010-07-21 06:41 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\yW5uO.dll
2010-07-21 05:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 05:45 . 2010-07-23 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 05:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 13:55 . 2010-06-21 00:38 -------- d-----w- c:\documents and settings\ian\Application Data\uTorrent
2010-07-04 02:45 . 2010-05-30 03:25 -------- d-----w- c:\program files\SopCast
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-21 01:19 . 2010-06-21 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ARPPRODUCTICON.exe
2010-05-30 05:51 . 2010-05-30 05:51 40960 ----a-w- c:\windows\charkrnl.dll
2010-05-30 05:51 . 2010-05-30 05:51 4 ----a-w- c:\documents and settings\LocalService\Application Data\czyiwa.dat
2010-05-30 05:49 . 2008-07-09 14:39 -------- d-----w- c:\program files\Google
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Microsoft
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\MSN Toolbar
2010-05-30 02:48 . 2010-05-30 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-28 05:00 . 2010-05-28 05:00 503808 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcp71.dll
2010-05-28 05:00 . 2010-05-28 05:00 348160 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcr71.dll
2010-05-28 05:00 . 2010-05-28 05:00 499712 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\jmc.dll
2010-05-07 22:22 . 2009-12-25 21:04 68648 ----a-w- c:\documents and settings\ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 04:18 . 2009-10-04 03:44 32 ----a-w- c:\windows\msocreg32.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 04:05 . 2010-07-24 04:05 16384 c:\windows\temp\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 149280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-06-13 525592]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-08-27 124184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-2-1 6144]
WinZip Quick Pick.lnk - c:\program files\Winzip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 11:59 AM 1047880]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [10/10/2007 9:58 AM 43640]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 3:18 PM 20352]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 11:18 AM 10064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 8:23 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 11:07 PM 113152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/20/2010 8:22 PM 14424]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 3:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 3:36 PM 142976]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-24 c:\windows\Tasks\f00fa74b.job
- c:\documents and settings\ian\Application Data\f00fa74b.exe [2010-06-23 02:39]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009Core.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009UA.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {7D12A6AE-8F73-4FFF-824B-41EEE98AB37B} - [You must be registered and logged in to see this link.]
DPF: {D7967FA2-F1F9-420D-A49E-9249309056A2} - [You must be registered and logged in to see this link.]
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\ian\Application Data\Mozilla\Firefox\Profiles\w5z8jv77.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\ian\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-23 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x820C5EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8513f28
\Driver\ACPI -> ACPI.sys @ 0xf8386cb8
\Driver\atapi -> atapi.sys @ 0xf8238852
\Driver\iaStor -> iaStor.sys @ 0xf816eb58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf806ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf807ba21
SendHandler -> NDIS.sys @ 0xf805987b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1420)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(1024)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\AGRSMMSG.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-23 23:16:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 04:16
ComboFix2.txt 2010-07-24 01:45

Pre-Run: 8,075,800,576 bytes free
Post-Run: 7,963,373,568 bytes free

- - End Of File - - 48F5193B742BA92FB5742B1D37C2A42E

ipaultexas
Newbie Surfer
Posts : 25
Joined : 2010-07-20
Operating System : Windows Xp

Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Sun 25 Jul 2010, 1:24 pm

So what should I do now?

ipaultexas
Newbie Surfer
Posts : 25
Joined : 2010-07-20
Operating System : Windows Xp

Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Sun 25 Jul 2010, 9:16 pm

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press Enter
  • Open a Notepad and press CTRL V
  • Post the output back here.


~DMJ
GeekPolice Academy Manager

DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

Re: Win32/Nuqel.E and Bankerfox.A

Post by ipaultexas on Mon 26 Jul 2010, 9:37 am

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


ipaultexas
Newbie Surfer
Posts : 25
Joined : 2010-07-20
Operating System : Windows Xp

Re: Win32/Nuqel.E and Bankerfox.A

Post by DragonMaster Jay on Mon 26 Jul 2010, 7:15 pm

Looks like the MBR is slightly damaged. We'll fix it, just in case.

Please open Notepad and enter in the following:
@echo off
start remover.exe fix \\.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.


~DMJ
GeekPolice Academy Manager

DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate
