Win32/Nuqel.E and Banker A virus hijacked my laptop


Post by Momsy on Tue 14 Sep 2010, 2:15 pm

I have a laptop that is on loan through a public school administration center in another state so I do not have administrator privileges like most people. The school provides the security but that was hijacked when the virus was downloaded. I have tried following instructions to other people but have had no success as either I have no privileges or the virus won't allow me to open the program. Is there ANY help out there for getting rid of these things?

Momsy

Newbie Surfer

Posts : 15
Joined : 2010-09-14
Operating System : XP


Post by DragonMaster Jay on Tue 14 Sep 2010, 4:05 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.




Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



~DMJ
GeekPolice Academy Manager



DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate


Post by Momsy on Tue 14 Sep 2010, 4:16 pm

When I double click on RKill it tells me the application cannot be executed and asks if I would like to activate the antivirus software (which is actually the virus I'm trying to get rid of - Security Suite).


Post by Momsy on Tue 14 Sep 2010, 4:38 pm

OK, I got it to run for a few seconds before being hijacked again. It said that it was terminating known malware processes and to please be patient. Then a warning pops up saying it cannot find C:\rkill.log and to run a search for it.


Post by Momsy on Tue 14 Sep 2010, 4:43 pm



Rkill by Lawrence Abrams (Grinler)
BleepingComputer.com

Terminating known malware processes.
Please be patient.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
pevFind by Billy Robert O'Neal III
Version: 509
Distributed under the Boost Software License, Version 1.0.
(See accompanying file LICENSE_1_0.txt or copy at
[You must be registered and logged in to see this link.]

pevFind contains some code from Info-ZIP, used with permission.
In accordance with Info-ZIP's License, it can be found at
[You must be registered and logged in to see this link.]
Special thanks to Lucian Wischik's for Zip Utils

Filename regular expressions library is
Copyright (C)1997-1998 by David R. Tribble, all rights reserved.

Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.


Post by Momsy on Tue 14 Sep 2010, 4:44 pm

I had to repeatedly click on the log file until it would let me select all and copy before closing the window. But that's what I got. Any advice?


Post by Momsy on Wed 15 Sep 2010, 7:34 pm

OK. I was able to trick the virus and terminate the process itself immediately upon loading Windows. I used my installed anti-virus program (Microsoft Forefront) to perform a scan and quarantine the intruder. It doesn't allow me to delete, so I have to use this process every time I sign onto the laptop for the time being. I tried the ComboFix but it just tells me I don't have administrative rights. I'm not going to be able to fix this myself, am I?

Blasted coffee shop servers!


Post by DragonMaster Jay on Thu 16 Sep 2010, 2:03 pm

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then try again.



Post by Momsy on Fri 17 Sep 2010, 4:01 am

Sadly, I fear there is no solution other than returning the computer to the school and paying for repairs.

I tried rebooting in Safe Networking mode, but when I reach the blue Windows screen to load Windows there is no account name available to click on (weird, I know). It says "click on a name to open account" but there is nothing.

So unless you have further advice thank you for your help up to this point.


Post by DragonMaster Jay on Fri 17 Sep 2010, 8:04 pm

  • Kaspersky RescueDisk
    If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum.
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.

