please help me remove BankerFox.A, Win32/Nuqel.E


Solved please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 12:01 am

My computer keeps getting pop-up messages saying I have the viruses BankerFox.A and Win32/Nuqel.E, and no pictures come up on any sites I go to. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:13 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\rdl9.tmp
C:\WINDOWS\TEMP\winlognn.exe
C:\WINDOWS\TEMP\rdl12.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\sysguard.exe
C:\WINDOWS\TEMP\rdl20.tmp
C:\Documents and Settings\Tom\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Uciyoviloxeg] rundll32.exe "C:\WINDOWS\Ynebupise.dll",e
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKLM\..\Run: [Xmutibebax] rundll32.exe "C:\WINDOWS\efufeyuz.dll",e
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6615 bytes

SoulStalker
Novice

Posts : 16
Joined : 2009-02-10
OS : windows xp
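A helper reading the HijackThis log above flags a handful of things by eye: modules running out of C:\WINDOWS\TEMP, Run entries that launch a DLL dropped straight into the Windows directory through rundll32, a hosts-file line pinning a microsoft.com hostname to a remote IP, a BHO registered under a bare file path instead of a product name, a DisableRegedit policy, and a SharedTaskScheduler hook sharing the BHO's CLSID. The script below applies those same checks mechanically. It is an added example, not code from this thread or from HijackThis; the sample log is a constructed excerpt modelled on the log quoted above, and the allowlist of binaries that legitimately live in the Windows root, the vendor-domain list and the policy-name list are my own assumptions rather than anything the tool defines.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the HijackThis log quoted earlier in this thread;
# a few benign lines are included so the checks have something to ignore.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\winlognn.exe
C:\WINDOWS\sysguard.exe
C:\WINDOWS\Explorer.EXE

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Uciyoviloxeg] rundll32.exe "C:\WINDOWS\Ynebupise.dll",e
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
"""

TEMP_DIR = re.compile(r"\\(temp|local settings\\temp)\\", re.I)
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)$", re.I)
# Assumed allowlist: binaries that legitimately sit directly in %windir% on XP.
ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "twain_32.dll"}
# Assumed list of domains a hosts file has no business redirecting to a remote IP.
VENDOR_DOMAINS = ("microsoft.com", "windowsupdate.com", "avira.com",
                  "symantec.com", "mcafee.com", "kaspersky.com")
# Assumed list of policies that lock the user out of repair tools.
LOCKDOWN_POLICIES = {"DisableRegedit", "DisableRegistryTools", "DisableTaskMgr",
                     "NoFolderOptions", "NoRun"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
POLICY_RE = re.compile(r"^O7 - (.*?),\s*(\w+)=(\S+)$")
STS_RE = re.compile(r"^O22 - SharedTaskScheduler: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def path_reason(path: str) -> Optional[str]:
    """Return why a module path is suspicious, or None if it looks ordinary."""
    if TEMP_DIR.search(path):
        return "loaded from a TEMP directory"
    basename = path.rsplit("\\", 1)[-1].lower()
    if WINDOWS_ROOT.match(path) and basename not in ROOT_ALLOWLIST:
        return "sits directly in the Windows directory, not in a subfolder"
    return None


def command_path(command: str) -> str:
    """Pull the file actually loaded out of an O4 command line."""
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)', command, re.I)
    if m:                       # rundll32.exe "x.dll",export -> the DLL is what matters
        return m.group(1)
    m = re.match(r'^"([^"]+)"', command)
    if m:                       # quoted path with arguments after it
        return m.group(1)
    return command.split()[0] if command.strip() else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and collect the lines a helper would question."""
    findings: List[Dict[str, str]] = []
    flagged_clsids = set()
    in_processes = False

    def flag(kind: str, detail: str, line: str) -> None:
        findings.append({"kind": kind, "detail": detail, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                      # section ends at the first blank line
            if not line:
                in_processes = False
                continue
            reason = path_reason(line)
            if reason:
                flag("process", reason, line)
            continue
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            loopback = ip.startswith("127.") or ip in ("0.0.0.0", "::1")
            if host.lower().endswith(VENDOR_DOMAINS) and not loopback:
                flag("hosts_redirect", f"{host} pinned to {ip} in the hosts file", line)
        elif m := BHO_RE.match(line):
            name, clsid, _path = m.groups()
            if "\\" in name or name.strip() in ("", "(no name)"):
                flagged_clsids.add(clsid.upper())
                flag("bho", "BHO registered under a file path instead of a product name", line)
        elif m := RUN_RE.match(line):
            hive, name, command = m.groups()
            reason = path_reason(command_path(command))
            if reason:
                flag("autorun", f"{hive} Run entry [{name}] {reason}", line)
        elif m := POLICY_RE.match(line):
            _key, policy, value = m.groups()
            if policy in LOCKDOWN_POLICIES and value != "0":
                flag("policy", f"{policy}={value} locks the user out of a repair tool", line)
        elif m := STS_RE.match(line):
            _name, clsid, path = m.groups()
            if clsid.upper() in flagged_clsids or path_reason(path):
                flag("shared_task", "SharedTaskScheduler hook tied to a flagged CLSID or path", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}\n    {f['line']}")
```

Run against a real log the script reads the whole file rather than the embedded sample; the checks are deliberately conservative path and policy heuristics, so a clean result is not proof of a clean machine, only that none of the patterns this thread's log exhibits are present.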

Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 12:03 am

Hello.
Before we even start, I need to check something.

This infection is carrying a virus called Virut. Virut cannot be fixed.
Right now, your machine has a 50/50 chance of surviving this.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 12:33 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tom at 19:31:20.64 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.187 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\rdl9.tmp
C:\WINDOWS\TEMP\winlognn.exe
C:\WINDOWS\TEMP\rdl12.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\sysguard.exe
C:\WINDOWS\TEMP\rdl20.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by MySpace
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: c:\windows\system32\rah3b8ffdnd.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rah3b8ffdnd.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sysguard] c:\windows\sysguard.exe
uRun: [lrijh8s73jhbfgfd] c:\windows\temp\winlognn.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Uciyoviloxeg] rundll32.exe "c:\windows\Ynebupise.dll",e
mRun: [lrijh8s73jhbfgfd] c:\windows\temp\winlognn.exe
mRun: [Xmutibebax] rundll32.exe "c:\windows\efufeyuz.dll",e
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll
STS: c:\windows\system32\rah3b8ffdnd.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rah3b8ffdnd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\l7szotge.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {A231DEC6-4D7F-4533-B282-B606EAB2192E} - c:\documents and settings\tom\local settings\application data\{a231dec6-4d7f-4533-b282-b606eab2192e}\

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-24 24652]

=============== Created Last 30 ================

2009-02-10 18:27 133,632 a------- c:\windows\efufeyuz.dll
2009-02-10 18:16 15,000 a------- c:\windows\system32\rah3b8ffdnd.dll
2009-02-10 18:16 9,216 a------- c:\windows\system32\iehelper.dll
2009-02-10 18:16 363,016 a------- c:\windows\sysguard.exe
2009-02-10 18:15 43,008 a------- c:\windows\Ynebupise.dll
2009-02-10 18:14 --d----- c:\program files\Microsoft Common
2009-02-08 10:57 --d----- c:\documents and settings\Tom
2009-02-01 16:39 --d----- c:\program files\ValuSoft
2009-01-30 12:44 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-30 12:44 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-30 12:43 --d----- c:\program files\iPod
2009-01-30 12:43 --d----- c:\program files\iTunes
2009-01-30 12:43 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 12:43 --d----- c:\program files\Bonjour
2009-01-30 12:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-19 11:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 11:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-19 11:48 --d----- c:\windows\system32\CatRoot_bak
2009-01-19 11:48 --d----- c:\program files\LimeWire
2009-01-19 11:47 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-19 11:47 272,128 -------- c:\windows\system32\drivers\bthport.sys

==================== Find3M ====================


============= FINISH: 19:31:36.35 ===============


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 12:38 am

Hello.
Good news and bad news.

Good news is I don't think Virut has gotten in, meaning you might not have to format, but we have only just started.

The bad news is your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.



Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 12:57 am

Hi,
it's scanning now. I'll post the report after I reboot.
Thank you so much for helping me, I really appreciate it.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 1:44 am

If you knew the cause, would it be easier to fix? Because this started after I deleted a folder from my mp3 player. Could deleting an infected file infect a computer?


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 1:50 am

Not sure.

I have another post written ready once Avira is done.



Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 1:58 am

Alright, here's the Avira report.

Avira AntiVir Personal
Report file date: Tuesday, February 10, 2009 19:51

Scanning for 1329361 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: USER-2D1F74419F

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 00:49:23
ANTIVIR2.VDF : 7.1.1.240 1659904 Bytes 2/7/2009 00:49:32
ANTIVIR3.VDF : 7.1.2.5 83456 Bytes 2/10/2009 00:49:34
Engineversion : 8.2.0.76
AEVDF.DLL : 8.1.1.0 106868 Bytes 2/11/2009 00:49:51
AEscript.DLL : 8.1.1.43 344442 Bytes 2/11/2009 00:49:49
AESCN.DLL : 8.1.1.6 127348 Bytes 2/11/2009 00:49:47
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 2/11/2009 00:49:46
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 2/11/2009 00:49:45
AEHEUR.DLL : 8.1.0.90 1573237 Bytes 2/11/2009 00:49:44
AEHELP.DLL : 8.1.2.0 119159 Bytes 2/11/2009 00:49:39
AEGEN.DLL : 8.1.1.14 332148 Bytes 2/11/2009 00:49:38
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.6.4 176501 Bytes 2/11/2009 00:49:36
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, February 10, 2009 19:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rdl24.tmp' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\rdl24.tmp'
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'rdl20.tmp' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\rdl20.tmp'
Scan process 'sysguard.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\sysguard.exe'
Scan process 'csrssc.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\csrssc.exe'
Scan process 'rdl12.tmp' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\rdl12.tmp'
Scan process 'winlognn.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\winlognn.exe'
Scan process 'rdl9.tmp' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\rdl9.tmp'
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'aimtbServer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'scardsvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'rdl24.tmp' has been terminated
Process 'rdl20.tmp' has been terminated
Process 'sysguard.exe' has been terminated
Process 'csrssc.exe' has been terminated
Process 'rdl12.tmp' has been terminated
Process 'winlognn.exe' has been terminated
Process 'rdl9.tmp' has been terminated
C:\WINDOWS\TEMP\rdl24.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\TEMP\rdl20.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\sysguard.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\TEMP\csrssc.exe
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\WINDOWS\TEMP\rdl12.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\TEMP\winlognn.exe
[DETECTION] Is the TR/Pakes.mxd Trojan
[NOTE] TR/Pakes.mxd:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:=sz:winlognn.exe
[NOTE] The file was deleted!
C:\WINDOWS\TEMP\rdl9.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!

58 processes with 51 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\Program Files\Microsoft Common\svchost.exe
[DETECTION] Is the TR/Inject.ond Trojan
[NOTE] The file was deleted!

The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Tom\Local Settings\Temp\csrssc.exe
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\Z3SMUJR1\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\Z3SMUJR1\cd[1].htm
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\yo\My Documents\LimeWire\Saved\sportcenter.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.N.2 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{C4D8CA04-99D4-4682-BA5B-83C2E5B7B252}\RP74\A0110895.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{C4D8CA04-99D4-4682-BA5B-83C2E5B7B252}\RP74\A0110896.exe
[DETECTION] Is the TR/Inject.ond Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{C4D8CA04-99D4-4682-BA5B-83C2E5B7B252}\RP74\A0110897.exe
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\iehelper.dll
[DETECTION] Is the TR/BHO.9216 Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SLCXOV4Z\18416[1].exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\Temp\rdl8.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\20HT8OOR\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\20HT8OOR\cd[1].htm
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\HBI88ERV\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\HBI88ERV\cd[1].htm
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QCUG0N4E\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QCUG0N4E\cd[1].htm
[DETECTION] Is the TR/Dldr.Suurch.IV Trojan
[NOTE] The file was deleted!


End of the scan: Tuesday, February 10, 2009 20:41
Used time: 50:08 Minute(s)

The scan has been done completely.

6562 Scanning directories
570634 Files were scanned
27 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
20 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
570606 Files not concerned
1209 Archives were scanned
2 Warnings
20 Notes


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 1:58 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:05 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tom\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Uciyoviloxeg] rundll32.exe "C:\WINDOWS\Ynebupise.dll",e
O4 - HKLM\..\Run: [Xmutibebax] rundll32.exe "C:\WINDOWS\efufeyuz.dll",e
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6994 bytes


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 2:10 am

Hello.
I'm going to bed now, but there are a few things to do here, so it should keep you busy while I sleep.

I'm sure you have already noticed a difference here. Let's carry on.

I see you have Viewpoint Manager. This is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.]

Additional info: [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
    O4 - HKLM\..\Run: [Uciyoviloxeg] rundll32.exe "C:\WINDOWS\Ynebupise.dll",e
    O4 - HKLM\..\Run: [Xmutibebax] rundll32.exe "C:\WINDOWS\efufeyuz.dll",e
    O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
    O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
    O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Please post the following logs. (use more than one post here)

GooredFix log
MBAM log
New DDS log


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down
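The fix list above applies a few rules of thumb to the HijackThis output: a hosts-file entry that redirects a vendor domain, autostarts launched from TEMP or from the bare Windows root, a policy that disables regedit, a BHO registered under its own file path, and an orphaned service. The script below, added here as an example and not a tool from this thread or from HijackThis, encodes those checks and runs them over lines copied from the log posted above; the PROTECTED_SUFFIXES list is an assumption of the example.

```python
import re

# Constructed sample input: entries copied from the HijackThis log posted in this thread,
# plus a few benign lines from the same log so the triage has something to leave alone.
SAMPLE_HJT = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Uciyoviloxeg] rundll32.exe "C:\WINDOWS\Ynebupise.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                # "O4 - <body>"
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)", re.I)   # drive-letter path ending in .dll/.exe
TEMP_RE = re.compile(r"\\temp\\", re.I)
WINROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.I)
POLICY_RE = re.compile(r"Disable(?:Regedit|TaskMgr)=1", re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed for this example: domains a hosts-file entry should never point away from loopback.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avira.com", "malwarebytes.org")


def parse_entries(text):
    """Split HijackThis output into (section, body) pairs; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_path(path):
    """Reason string if an executable's location is suspicious, otherwise None."""
    if TEMP_RE.search(path):
        return "autostart target lives in a TEMP folder"
    if WINROOT_RE.match(path):
        return "executable sits directly in the Windows root rather than a subfolder"
    return None


def triage(text):
    """Return [(section, reason, body), ...] for entries worth a closer look."""
    findings = []
    bad_paths = set()  # modules flagged once, so related entries (O22) can be tied to them
    entries = parse_entries(text)

    for section, body in entries:
        if section == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3:
                ip, host = parts[1], parts[2].lower()
                if ip not in LOOPBACK and host.endswith(PROTECTED_SUFFIXES):
                    findings.append((section, "hosts file redirects a protected domain to " + ip, body))
        elif section == "O2":
            parts = body.split(" - ")
            name, path = parts[0][len("BHO: "):], parts[-1]
            reason = check_path(path)
            if name.lower() == path.lower():
                reason = "BHO has no display name, only its own file path"
            if reason:
                bad_paths.add(path.lower())
                findings.append((section, reason, body))
        elif section == "O4":
            for path in PATH_RE.findall(body):
                reason = check_path(path)
                if reason:
                    bad_paths.add(path.lower())
                    findings.append((section, reason, body))
                    break
        elif section == "O7" and POLICY_RE.search(body):
            findings.append((section, "policy disables a built-in administrative tool", body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points at a file that no longer exists (orphan)", body))

    # Second pass: anything that loads a module already flagged above.
    for section, body in entries:
        if section == "O22":
            path = body.split(" - ")[-1]
            if path.lower() in bad_paths:
                findings.append((section, "SharedTaskScheduler loads a DLL flagged above", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_HJT):
        print(f"[{section}] {reason}\n      {body}")
```

The heuristics are deliberately narrow; they reproduce the reasoning behind this particular fix list rather than a general malware classifier, and anything they flag still needs a human to confirm it.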

Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 3:15 am

Goodnight. And yes, I have already noticed the difference. Thank you very much. I don't know what the new DDS log is, but here are the other 2.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 3:15 am

GooredFix v1.9 by jpshortstuff
Log created at 21:17 on 10/02/2009 running Option #2 (Tom)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A231DEC6-4D7F-4533-B282-B606EAB2192E}"="C:\Documents and Settings\Tom\Local Settings\Application Data\{A231DEC6-4D7F-4533-B282-B606EAB2192E}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Tom\Local Settings\Application Data\{A231DEC6-4D7F-4533-B282-B606EAB2192E}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 3:16 am

Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 2

2/10/2009 10:07:39 PM
mbam-log-2009-02-10 (22-07-39).txt

Scan type: Quick Scan
Objects scanned: 53728
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xmutibebax (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\rdl4.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl11.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl1F.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl23.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\efufeyuz.dll (Trojan.Agent) -> Delete on reboot.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 3:19 am

I found the DDS; here is the new log.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Tom at 22:17:45.96 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.309 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by MySpace
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\l7szotge.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {21222C22-ABB2-4504-AF39-6A7DB9A9E4DA} - c:\documents and settings\tom\local settings\application data\{21222c22-abb2-4504-af39-6a7db9a9e4da}\

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-10 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-10 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-10 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-10 52032]

=============== Created Last 30 ================

2009-02-10 21:51 --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-02-10 21:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 21:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 21:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 21:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 19:47 --d----- c:\program files\Avira
2009-02-10 19:47 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-10 18:16 15,000 a------- c:\windows\system32\rah3b8ffdnd.dll
2009-02-10 18:15 43,008 a------- c:\windows\Ynebupise.dll
2009-02-08 10:57 --d----- c:\documents and settings\Tom
2009-02-01 16:39 --d----- c:\program files\ValuSoft
2009-01-30 12:44 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-30 12:44 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-30 12:43 --d----- c:\program files\iPod
2009-01-30 12:43 --d----- c:\program files\iTunes
2009-01-30 12:43 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 12:43 --d----- c:\program files\Bonjour
2009-01-30 12:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-19 11:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 11:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-19 11:48 --d----- c:\windows\system32\CatRoot_bak
2009-01-19 11:48 --d----- c:\program files\LimeWire
2009-01-19 11:47 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-19 11:47 272,128 -------- c:\windows\system32\drivers\bthport.sys

==================== Find3M ====================


============= FINISH: 22:18:17.50 ===============


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 11:21 am

Well, I have to go to school, so I'll be back in about 8 hours. I don't know if we're done, but everything seems to be fine. Thank you for everything, you really saved my butt.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 2:40 pm

Hello.
This looks so much better.

I need you to run option 2 in GooredFix again; the Goored infection managed to sneak back in while we were removing it.

Refer to my other post if you need the GooredFix instructions.
[You must be registered and logged in to see this link.]

Once you have done that, there are a few more files to remove.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\rah3b8ffdnd.dll
    c:\windows\Ynebupise.dll
    c:\program files\LimeWire


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log, along with the NEW Gooredfix log.

I also need to see a new DDS log, you may have a new variant of Goored.



Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 8:04 pm

Alright, I'm back. So are we done, or is there something else I have to do? I just want to know because the computer is my friend's and I was just borrowing it for the night, so I want to make sure that everything is good.
Thanks again.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 8:05 pm

Oh, I didn't know there was another page, so never mind my last post.


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 8:16 pm

GooredFix v1.9 by jpshortstuff
Log created at 15:07 on 11/02/2009 running Option #2 (Tom)
Firefox version 3.0.5 (en-US)
(Subsequent Run)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{21222C22-ABB2-4504-AF39-6A7DB9A9E4DA}"="C:\Documents and Settings\Tom\Local Settings\Application Data\{21222C22-ABB2-4504-AF39-6A7DB9A9E4DA}\"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Tom\Local Settings\Application Data\{21222C22-ABB2-4504-AF39-6A7DB9A9E4DA}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"



========== FILES ==========
c:\windows\system32\rah3b8ffdnd.dll NOT unregistered.
c:\windows\system32\rah3b8ffdnd.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\Ynebupise.dll
c:\windows\Ynebupise.dll NOT unregistered.
c:\windows\Ynebupise.dll moved successfully.
c:\program files\LimeWire\root\magnet10 moved successfully.
c:\program files\LimeWire\root moved successfully.
c:\program files\LimeWire\lib moved successfully.
c:\program files\LimeWire\.NetworkShare moved successfully.
Folder move failed. c:\program files\LimeWire scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02112009_150922

Files moved on Reboot...
Folder move failed. c:\program files\LimeWire scheduled to be moved on reboot.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Tom at 15:15:42.78 on Wed 02/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.301 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by MySpace
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\l7szotge.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-10 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-10 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-10 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-10 52032]

=============== Created Last 30 ================

2009-02-11 15:09 --d----- C:\_OTMoveIt
2009-02-10 21:51 --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-02-10 21:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 21:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 21:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 21:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 19:47 --d----- c:\program files\Avira
2009-02-10 19:47 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-08 10:57 --d----- c:\documents and settings\Tom
2009-02-01 16:39 --d----- c:\program files\ValuSoft
2009-01-30 12:44 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-30 12:44 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-30 12:43 --d----- c:\program files\iPod
2009-01-30 12:43 --d----- c:\program files\iTunes
2009-01-30 12:43 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 12:43 --d----- c:\program files\Bonjour
2009-01-30 12:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-19 11:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 11:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-19 11:48 --d----- c:\windows\system32\CatRoot_bak
2009-01-19 11:48 --d----- c:\program files\LimeWire
2009-01-19 11:47 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-19 11:47 272,128 -------- c:\windows\system32\drivers\bthport.sys

==================== Find3M ====================


============= FINISH: 15:16:14.90 ===============

SoulStalker
Novice
Posts : 16
Joined : 2009-02-10
OS : windows xp
Points : 28540
# Likes : 0

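The "Created Last 30" section of a DDS log like the one above is where a helper looks first: anything created in the last month that loads into the kernel (a .sys driver) or lands in a temp or profile directory deserves a second look. The script below is an added example, not part of the thread or of DDS itself. It parses those entries in PowerShell and flags the ones worth checking. The first five sample lines are copied from the log above; the last one is constructed to show what a hit looks like. The watch-list directories and the flag rules are assumptions to adjust for your own environment.

```powershell
# Added example, not from the thread: triage the "Created Last 30" section of a DDS log.
# It parses each entry and flags new kernel drivers and binaries written outside the
# usual program directories. Flags are prompts for a human to check, not verdicts.
# The first five sample lines are copied from the log above; the last one is constructed.
$sample = @'
2009-02-11 15:09 --d----- C:\_OTMoveIt
2009-02-10 21:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 21:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 12:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-19 11:47 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-02-09 03:12 41,472 a------- c:\windows\temp\example_dropper.exe
'@

# Directory entries carry no size column, so the size group is optional.
$entryPattern = '^(?<date>\d{4}-\d{2}-\d{2}) (?<time>\d{2}:\d{2}) (?:(?<size>[\d,]+) )?(?<attr>[-a-z]{8}) (?<path>.+)$'

function ConvertFrom-DdsCreated {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $entryPattern) {
            # Read everything out of $Matches before any other -match could overwrite it.
            $size = if ($Matches['size']) { [int64]($Matches['size'] -replace ',', '') } else { $null }
            [pscustomobject]@{
                Created     = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])", 'yyyy-MM-dd HH:mm', [cultureinfo]::InvariantCulture)
                SizeBytes   = $size
                IsDirectory = ($Matches['attr'] -like '*d*')
                Path        = $Matches['path']
            }
        }
    }
}

function Get-SuspiciousCreated {
    param([Parameter(Mandatory)][string]$Text)
    # Drop locations worth a second look (assumed list; extend for your environment).
    $watchDirs = @('\windows\temp\', '\local settings\temp\', '\application data\')
    foreach ($entry in (ConvertFrom-DdsCreated -Text $Text)) {
        if ($entry.IsDirectory) { continue }
        $p = $entry.Path.ToLowerInvariant()
        $reasons = @()
        if ($p.EndsWith('.sys')) { $reasons += 'new kernel driver' }
        foreach ($dir in $watchDirs) {
            if ($p.Contains($dir)) { $reasons += "written under $dir"; break }
        }
        $inProgramDirs = $p.Contains('\program files\') -or $p.Contains('\windows\system32\')
        if (($p.EndsWith('.exe') -or $p.EndsWith('.dll')) -and -not $inProgramDirs) {
            $reasons += 'binary outside Program Files / system32'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Created   = $entry.Created
                SizeBytes = $entry.SizeBytes
                Path      = $entry.Path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# On the sample this lists the three drivers plus the constructed temp dropper.
Get-SuspiciousCreated -Text $sample | Format-Table Created, SizeBytes, Path, Reasons -AutoSize
```

On the sample the three .sys files are flagged, and that is the useful part: their creation times line up with the Malwarebytes (2009-02-10) and iTunes/Apple (2009-01-30) installs recorded in the same section, which is exactly how a helper clears them. The constructed entry under c:\windows\temp\ is the kind of hit that would get a closer look.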

Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 8:23 pm

Hello.
This looks so much better now.

Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
note the space between " and /
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.

  • Please double-click OTMoveIt3.exe to run it again one final time.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.

How is the machine now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 8:29 pm

hi, i pasted that into the run box and when i hit enter it just opens gooredfix
is there another way to uninstall it?

SoulStalker
Novice
Posts : 16
Joined : 2009-02-10
OS : windows xp
Points : 28540
# Likes : 0


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by SoulStalker on Wed Feb 11, 2009 8:30 pm

nvm it was just the security warning LOL Banner

SoulStalker
Novice
Posts : 16
Joined : 2009-02-10
OS : windows xp
Points : 28540
# Likes : 0


Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Belahzur on Wed Feb 11, 2009 8:33 pm

Hello.
Once you've done that, Gooredfix and OTMoveIt will be gone, but DDS hasn't been included in the CleanUp! routine, so delete it manually.

Please let me know how the machine is running now.

Note:
I see your start page is MySpace. Be careful around MySpace, there are a lot of malware writers that hang around sites like MySpace and Facebook.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

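The turn-off / turn-on System Restore steps in the post above exist to discard every old restore point (one of them may hold a copy of the infection) and then start from a clean baseline. The following is an added example, not from the thread: the same procedure as a script for Windows 7 and later, where the Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint cmdlets of Windows PowerShell replace the XP dialog. The drive letter and the restore point description are assumptions; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the thread: flush System Restore and take a clean baseline.
# Windows PowerShell (not PowerShell 7) on Windows 7 or later, run as Administrator.
# The drive letter is an assumption; use the drive(s) System Restore protects.
$drive = 'C:\'

# Stop on the first error so a failed step cannot leave System Restore silently disabled.
$ErrorActionPreference = 'Stop'

# Disabling System Restore discards every existing restore point on the drive,
# including any that captured the infection. This is the XP "Turn off" step.
Disable-ComputerRestore -Drive $drive

# Re-enable it so Windows resumes capturing restore points. This is the XP "Turn on" step.
Enable-ComputerRestore -Drive $drive

# Take an explicit clean baseline now that the machine has been cleaned.
# Windows 8 and later only create one checkpoint per 24 hours through this cmdlet,
# so a very recent automatic point can cause this call to be skipped.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'

# Verify: only the new point should be listed.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

If the final listing still shows older restore points, the disable step did not take effect (usually a permissions problem or a drive System Restore was not monitoring), and the old points have not been purged.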

Solved Re: please help me remove BankerFox.A, Win32/Nuqel.E

Post by Doctor Inferno on Mon Jul 06, 2009 3:22 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104584
# Likes : 0
