BankerFox.A and Win32/Nuqel.E Help Please!

Post by JohnCee on 19th March 2009, 4:00 am

Hello,

My Dell desktop has been infected with the BankerFox.A and Win32/Nuqel.E viruses. I have a feeling there's quite a bit more, though. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:35 PM, on 3/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svcnost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\svcho.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\a.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\winlognn.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\9.tmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Laurie\Desktop\HiJackThis.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\rph108vslu.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\vep3x33xtgbp.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\b8tayf1v.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\p7n4oh.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\dodwscusm.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\knvdfzbmiel.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\mtx8lscnhcug.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\wcdgz0nx20.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\ktrmk7.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\uyqvowasjvq.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\t3645b5.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\i4a7id18.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\oobcgak83xly.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\k0w189hmsco9.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\eoz2jo1x5.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\dpcyfh1nz.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\t7wxkifdpg.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\r278ag9czen22.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\rxvpuhx9.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\gg9kvbb4.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\rauej9.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\jeamrb.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\lzumzj6of1unl.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\mcn6nqkhgsect.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\evkmeypxi9yxx.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\dwee1whl4okg.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\z8i3cveztodm.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\j1hfpizk.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\l1714hwqp7g.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\kn6alwa.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\n2kx0tfzjj.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\y504by8kyqxqd.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\k5muhcfptg.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\yaj71fwyyqkk.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\elgojbd.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\kq7w7dtc6ftu.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\ili7xbn.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\ze9cqy.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\heoyiodtk0.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\ju8ktl69ygb.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\w9w3am.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\pr1rg7g34l0pr.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\yqhhxi.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\iozd0mg3z.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\kuo9txbw3hqrk.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\yug3ibdus42gd.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\mzxf0dd.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\njxgxaer8tcz.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\hzckdh2.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\xsilm2.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\yh6e34qtbbxdm.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\ymphth5c3qva.exe

JohnCee
Novice

Posts: 7
Joined: 2009-03-19
OS: Windows XP
Points: 28231
Likes: 0


Part 2 of HiJackThis Log

Post by JohnCee on 19th March 2009, 4:02 am

Part 2:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {166C15B6-5A6E-4F55-A740-0749E94BFB23} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: C:\WINDOWS\system32\gsdrgfdrrgnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [j2291436] rundll32 C:\WINDOWS\system32\j2291436.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\exhuhlfc.dll",realset
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\svcnost.exe
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Laurie\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [20074746] rundll32.exe "C:\WINDOWS\system32\rikojine.dll",b
O4 - HKLM\..\Run: [masatonine] Rundll32.exe "C:\WINDOWS\system32\sulejere.dll",s
O4 - HKLM\..\Run: [CPM233474da] Rundll32.exe "c:\windows\system32\diguweha.dll",a
O4 - HKCU\..\Run: [Etao] "C:\DOCUME~1\Laurie\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00F560A5D0.exe] C:\DOCUME~1\Laurie\LOCALS~1\Temp\_A00F560A5D0.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Laurie\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Laurie\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Laurie\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [A00F5B4DA8.exe] C:\DOCUME~1\Laurie\LOCALS~1\Temp\_A00F5B4DA8.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Laurie\LOCALS~1\Temp\9.tmp.exe
O4 - HKCU\..\Run: [yq5etfxpoafraq0oqfbsoz3ql84rn6dyd24] C:\DOCUME~1\Laurie\LOCALS~1\Temp\jujtln6.exe
O4 - HKCU\..\Run: [ap6s1nu7ntxnl] C:\DOCUME~1\Laurie\LOCALS~1\Temp\axygda.exe
O4 - HKCU\..\Run: [etwwlwwecw8y5q2qou1ot7gu2lmyzgxj92mgfgz65erj] C:\DOCUME~1\Laurie\LOCALS~1\Temp\fe6000ashsruo.exe
O4 - HKCU\..\Run: [aukbmbq8818lu9] C:\DOCUME~1\Laurie\LOCALS~1\Temp\vrtfs66t.exe
O4 - HKCU\..\Run: [ixvhocol44fejqozfr0e8l9u] C:\DOCUME~1\Laurie\LOCALS~1\Temp\tl3nqsdiq2rl.exe
O4 - HKCU\..\Run: [afo65pncteuzicsdmbgx05twsld] C:\DOCUME~1\Laurie\LOCALS~1\Temp\atelk6z1mq.exe
O4 - HKCU\..\Run: [vxgm1tbt4uoa4bypj1gcg1pc0nh] C:\DOCUME~1\Laurie\LOCALS~1\Temp\z9gjtbbfjs4e.exe
O4 - HKCU\..\Run: [rz95r2vfihg4gkcl1cwrf] C:\DOCUME~1\Laurie\LOCALS~1\Temp\l7d1lvjj.exe
O4 - HKCU\..\Run: [scn5fjflt8] C:\DOCUME~1\Laurie\LOCALS~1\Temp\lxet5rgdy.exe
O4 - HKCU\..\Run: [r2lujyi5ud3cx23kpv8fu] C:\DOCUME~1\Laurie\LOCALS~1\Temp\eu7pxkgi.exe
O4 - HKCU\..\Run: [yiuxt309uxqg1im2mm0z9e1q5] C:\DOCUME~1\Laurie\LOCALS~1\Temp\s7zzx59.exe
O4 - HKCU\..\Run: [ht4qj1ur61yf4gsq3rbnp0o63kbijp6tstmalt9unamlwc5] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ucrollu44.exe
O4 - HKCU\..\Run: [d4mcbzlak9z58puqv74msd5rqjlc38i9dxcthzpncsauz] C:\DOCUME~1\Laurie\LOCALS~1\Temp\hjmwse.exe
O4 - HKCU\..\Run: [q0syg28190idbhg5t76wp3ja5deefbw2ra6htfp47] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ucx5c2w3.exe
O4 - HKCU\..\Run: [mu300bl44lw3qrsl1jw] C:\DOCUME~1\Laurie\LOCALS~1\Temp\n4s7socj.exe
O4 - HKCU\..\Run: [rsvnmedjyeokjwgt7fw1yjk51nriv1vsw8qksbsemee9cn31] C:\DOCUME~1\Laurie\LOCALS~1\Temp\jpb9lpz584.exe
O4 - HKCU\..\Run: [eq3pl4qjyzu55qphywgz3ia5bxldltz] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ymq0biri254.exe
O4 - HKCU\..\Run: [fh5y994jc9omexazsqfhbmn406gemojwlx9mjnfeu9o4of] C:\DOCUME~1\Laurie\LOCALS~1\Temp\n6m3ba2qf1e.exe
O4 - HKCU\..\Run: [jlqi5whc7twwdi3r1huj5rtfd68b1q90] C:\DOCUME~1\Laurie\LOCALS~1\Temp\nrjx3buqk8r46.exe
O4 - HKCU\..\Run: [wa57t6swkq0gja2pchxdzhc7bk87] C:\DOCUME~1\Laurie\LOCALS~1\Temp\pdtonrtnbmxgp.exe
O4 - HKCU\..\Run: [q9vp4ltonqrkaz5bmux4lpuyz5f6um9y22] C:\DOCUME~1\Laurie\LOCALS~1\Temp\a3kfecui.exe
O4 - HKCU\..\Run: [o1s8pk8nbu6hh9awmmw6wsbg84hpcwehxpva8ojoxmgox] C:\DOCUME~1\Laurie\LOCALS~1\Temp\c6qg318q.exe
O4 - HKCU\..\Run: [fh3e5upo7qx] C:\DOCUME~1\Laurie\LOCALS~1\Temp\jvsdge.exe
O4 - HKCU\..\Run: [bvtvu0118ojdwc0m7fdj5fm10v9mb10xm9] C:\DOCUME~1\Laurie\LOCALS~1\Temp\w2d5xplnopf4.exe
O4 - HKCU\..\Run: [v8dowardd9znq3cq6mmo51u9xt1fxphuljg4lvc4c] C:\DOCUME~1\Laurie\LOCALS~1\Temp\fob9babvaa.exe
O4 - HKCU\..\Run: [lflozxt5f9zfaasecytklltr7uzc7ed01xucj03o6] C:\DOCUME~1\Laurie\LOCALS~1\Temp\p78hpim5.exe
O4 - HKCU\..\Run: [oyrr8efur] C:\DOCUME~1\Laurie\LOCALS~1\Temp\bkt5r4z1szce.exe
O4 - HKCU\..\Run: [llo7wnybv3ftcqeetywm16n7v6l5m6tpip] C:\DOCUME~1\Laurie\LOCALS~1\Temp\n8ijtsveoi9k.exe
O4 - HKCU\..\Run: [niamkcsypf2n47az37b] C:\DOCUME~1\Laurie\LOCALS~1\Temp\evowzt5.exe
O4 - HKCU\..\Run: [b7ai6efzi15eo8akwq687d5wc6unnjc0jq8oyl6pldf] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ibl1sns.exe
O4 - HKCU\..\Run: [im06qejx6sm9cxbf06vbha8nj2ph2juwko93m2] C:\DOCUME~1\Laurie\LOCALS~1\Temp\o568tzqztpi.exe
O4 - HKCU\..\Run: [t9a3cm0jwngfbc0mpqdcn] C:\DOCUME~1\Laurie\LOCALS~1\Temp\bdet474ry.exe
O4 - HKCU\..\Run: [blxmuhwnola8b29gfbjikna9w7ejyzf3r82] C:\DOCUME~1\Laurie\LOCALS~1\Temp\b54i37fm.exe
O4 - HKCU\..\Run: [o1f7bh05g1yxf] C:\DOCUME~1\Laurie\LOCALS~1\Temp\jkspv8br84q.exe
O4 - HKCU\..\Run: [d5k73b32dye4vmrkb3q3lkqsypbc] C:\DOCUME~1\Laurie\LOCALS~1\Temp\kljrgik.exe
O4 - HKCU\..\Run: [ptvs9pjvk] C:\DOCUME~1\Laurie\LOCALS~1\Temp\rjgn0h.exe
O4 - HKCU\..\Run: [pkeb1tjzk0p3xcf73b] C:\DOCUME~1\Laurie\LOCALS~1\Temp\u9ij370omt5u.exe
O4 - HKCU\..\Run: [unj0tcs2hbw7fii9x2uwrjka09uvst9tkvbgzgcg336smocbzu] C:\DOCUME~1\Laurie\LOCALS~1\Temp\r46jn8o.exe
O4 - HKCU\..\Run: [zznp0d4k7y38dp7ci2hsbnn] C:\DOCUME~1\Laurie\LOCALS~1\Temp\fnasoqu3.exe
O4 - HKCU\..\Run: [mvq8lt96bio] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ql3pv6x2bcyj.exe
O4 - HKCU\..\Run: [lfsvqospk0hccqrvm1qdq38cpmy9wtxsl13mjq9xza] C:\DOCUME~1\Laurie\LOCALS~1\Temp\u9d04o43.exe
O4 - HKCU\..\Run: [c66xdwuww5cmkviki3cuo4bragvkohnk5uhz5xnm2] C:\DOCUME~1\Laurie\LOCALS~1\Temp\erkj13866j4.exe
O4 - HKCU\..\Run: [fboiszacskkcavxwtlvk] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ibihl3ix4khns.exe
O4 - HKCU\..\Run: [vys0wu7fs0t6k] C:\DOCUME~1\Laurie\LOCALS~1\Temp\j6fsonits.exe
O4 - HKCU\..\Run: [yujk4y8jpk4ff6yrk0jflzc19bq] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ka3wirdm1rxm0.exe
O4 - HKCU\..\Run: [s1y0tqsio5ygle0ts4biuyjw] C:\DOCUME~1\Laurie\LOCALS~1\Temp\xm0oy1bp.exe
O4 - HKCU\..\Run: [x3h67rf58itfsc9] C:\DOCUME~1\Laurie\LOCALS~1\Temp\u68xtv0b0h0.exe
O4 - HKCU\..\Run: [zi2hap6p2k0w92kx2a5nrkpdrl8m66y8] C:\DOCUME~1\Laurie\LOCALS~1\Temp\infjlke78bv9l.exe
O4 - HKCU\..\Run: [ktd1mui0gmqdk230et66aiiw8dcwf3nmmp2kuawzdtm] C:\DOCUME~1\Laurie\LOCALS~1\Temp\o8lulum.exe
O4 - HKCU\..\Run: [qbxlcc6sedoualsq8n76] C:\DOCUME~1\Laurie\LOCALS~1\Temp\zrbg13hizo.exe
O4 - HKCU\..\Run: [px0y6i5bdoy3wzy5wyl2t87gfsoug] C:\DOCUME~1\Laurie\LOCALS~1\Temp\xh3o1k.exe
O4 - HKCU\..\Run: [emd7b8281vqzpnt928r8dcjrq0c0lwk0tyeghhmp] C:\DOCUME~1\Laurie\LOCALS~1\Temp\ccyr1up8x6fk.exe
O4 - HKCU\..\Run: [uzr4zzea7uq6s9u86af] C:\DOCUME~1\Laurie\LOCALS~1\Temp\h6zna4wnud274.exe
O4 - HKCU\..\Run: [lneugo1a0xvzpruje] C:\DOCUME~1\Laurie\LOCALS~1\Temp\zcpb87x6w75.exe
O4 - HKCU\..\Run: [z09lkx4it7kgfmw3ac9hzco3n3r1ah11b0b] C:\DOCUME~1\Laurie\LOCALS~1\Temp\b30kmlnn7jtx.exe
O4 - HKCU\..\Run: [yna4z7v77ga81bx610du85wzybz9d3gm2r1] C:\DOCUME~1\Laurie\LOCALS~1\Temp\es9r7y9zcef.exe
O4 - HKCU\..\Run: [l88502ra4l1y2doarl4jtwe] C:\DOCUME~1\Laurie\LOCALS~1\Temp\azix2y.exe
O4 - HKCU\..\Run: [gzr4u3aoua33y686wbtlnjsxbpnvkz37u6v] C:\DOCUME~1\Laurie\LOCALS~1\Temp\gt7uhidx32r.exe
O4 - HKCU\..\Run: [ai7c3abslouzf5j5pnq2bsgok] C:\DOCUME~1\Laurie\LOCALS~1\Temp\z0fat59pbrs.exe
O4 - HKCU\..\Run: [mjdn805nzjstn3kac2mnpz1mohy9zyl1m] C:\DOCUME~1\Laurie\LOCALS~1\Temp\fvgoicywl.

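As an added example (not code from this thread and not part of HijackThis), here is a small Python triage script that parses the line shapes in the log above and flags the entries a helper would look at first: processes and Run keys launching from the user's Temp folder, the hosts entry that points a microsoft.com hostname at a remote address, and names that are one typo away from a Windows system binary (svcnost.exe, winlognn.exe, csrssc.exe) or a system binary name sitting outside C:\WINDOWS. The sample lines are excerpted from the posted log; the SYSTEM_BINARIES and PROTECTED_DOMAINS lists are my own assumptions.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's code).
Flags executables launched from a user's Temp folder, hosts-file hijacks of
well-known domains, and names that imitate or relocate Windows binaries."""
import re
from dataclasses import dataclass, field

# Assumed list: Windows binaries whose names malware commonly imitates or relocates.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "wuauclt.exe"}
# Assumed list: domains that must never be pointed at a remote address via hosts.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com")
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+?\.(?:exe|dll))', re.I)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or
    deletion, e.g. svcnost.exe vs svchost.exe or csrssc.exe vs csrss.exe."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def check_path(path: str, reasons: list) -> None:
    """Apply the path heuristics to one executable or DLL path."""
    name = path.rsplit("\\", 1)[-1].lower()
    if TEMP_RE.search(path):
        reasons.append("launched from user Temp folder")
    if name in SYSTEM_BINARIES:
        if not path.lower().startswith("c:\\windows\\"):
            reasons.append(f"system binary name {name} outside C:\\WINDOWS")
    else:
        for ref in sorted(SYSTEM_BINARIES):
            if one_edit_away(name, ref):
                reasons.append(f"name imitates system binary {ref}")
                break

def triage_line(line: str) -> Finding:
    """Classify one HJT line and collect the reasons it looks suspicious."""
    finding = Finding(line.strip())
    if m := O1_RE.match(finding.line):
        ip, host = m.groups()
        if ip not in ("127.0.0.1", "0.0.0.0") and host.endswith(PROTECTED_DOMAINS):
            finding.reasons.append(f"hosts file redirects {host} to {ip}")
    elif m := O4_RE.match(finding.line):
        for quoted, bare in PATH_RE.findall(m.group(1)):
            check_path(quoted or bare, finding.reasons)
    elif PROC_RE.match(finding.line):
        check_path(finding.line, finding.reasons)
    return finding

def triage(log_text: str) -> list:
    """Return only the lines that triggered at least one heuristic."""
    findings = (triage_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f.reasons]

# Constructed sample: lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svcnost.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Laurie\LOCALS~1\Temp\winlognn.exe
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\svcnost.exe
O4 - HKCU\..\Run: [Etao] "C:\DOCUME~1\Laurie\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Laurie\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"""
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample lines; the genuine svchost.exe and the Adobe Reader launcher pass clean.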

Part 3

Post by JohnCee on 19th March 2009, 4:04 am

Should I just upload the rest of the file to Mediafire? It's pretty big.

This will be easier: [You must be registered and logged in to see this link.]


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by Belahzur on 19th March 2009, 9:33 am

Omg wow.
How have you let this happen? The log is so huge I can't tell what else is lurking, but I'd be willing to bet you have Virut (Virut is a file infector and CANNOT be fixed; formatting is the only way out of Virut).


Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense to clean this up manually when no antivirus scan is present, which should be able to deal with most of it and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by JohnCee on 19th March 2009, 10:29 am

Actually, I have Spybot and Ad-Aware installed on the computer, which is my friend's, as I am doing her a very painful favor. Especially now that I have installed the antivirus software that you suggested and now I have millions of beeping windows popping up. Once I deal with this I will post the log. Thanks


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by JohnCee on 19th March 2009, 10:41 am

After rebooting, I can't open anything now.


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by Belahzur on 19th March 2009, 11:28 am

As I've already told you, there is an incredible amount of damage done and I don't think we can fix this, I'm willing to bet Virut is present.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
    Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]



Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by JohnCee on 19th March 2009, 11:50 am

Oh, I understand, thanks. And the elitist attitude helps matters... Thanks anyway.


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by mokshamike on 26th March 2009, 5:31 pm

This guy seems to be a real jerk... Elitist attitude... Hmph... I found nothing wrong with your reply or your attempt to help, and thought your honesty in being able to deal with the situation was exemplary...

mokshamike
Beginner

Posts: 2
Joined: 2009-03-26
OS: windows xp pro sp3
Points: 28152
Likes: 0


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by Belahzur on 26th March 2009, 5:48 pm

[You must be registered and logged in to see this link.] wrote: This guy seems to be a real jerk... Elitist attitude... Hmph... I found nothing wrong with your reply or your attempt to help, and thought your honesty in being able to deal with the situation was exemplary...

Meh, I'm not offended that easily.

Anyhow, is there a reason for posting here mokshamike? Just wondering if you had malware issues or just sticking up for me. LMBO or ROFL



Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by mokshamike on 26th March 2009, 6:24 pm

Actually, our office girl is having issues with our computer; "Spyware Protect 2009" keeps opening windows. I'm trying to help her remotely. She ran a virus scan and came up with win32/nuqel.e... So I was just snooping around... Don't want to get my hands too dirty with the situation... Not my problem and don't want it to be... Just was looking for an easy fix. She is trying Windows Malicious Software Removal right now... Don't have access to any reports or anything. She's pretty computer illiterate, and I'm no pro.


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by Belahzur on 26th March 2009, 6:29 pm

Okay, I won't ask you to do anything.
Looking for an easy fix might not be as easy as you think; we ask that people do not run tools I have posted for other users. Special fixes are made for certain people only.

If she wants me to help, ask her to register here and we'll see what we can do.



Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by reeko on 29th March 2009, 2:18 am

I first got hit with BankerFox.A yesterday, but it quickly "learned", apparently, that I was after it. It then disabled my internet connection and began turning off my system (abruptly, with a loud audible pop), going to a black screen, then a blue error screen. Now the machine can only be turned on in safe mode and cannot connect to the internet. It also somehow disabled the CD driver, as no CD is readable and I can't reinstall anything. I try to run a very clean system (XP with IE7 and paid McAfee antivirus and firewalled), so I'm not sure how this got through, and I think it is a clone of BankerFox.A, or else why would it turn off the internet and then do further damage?

This week started badly, because on Monday I was hit with the click-jack trojan Lando. After quickly assessing that, I downloaded Malwarebytes and took care of that one fairly easily. I cussed out McAfee for letting it through anyway... Until last night's hit with this, I thought it was a fluke. This is more than a fluke. I think this was deliberate and it trashed my computer.

Still, I have no way to download anything to fix it. I tried from this computer to download several fixes onto an external thumb drive and transport that to the infected computer. In safe mode, it will read and copy files externally, but it won't install or run them, unless I'm doing it wrong. Is there a way to download a fix to a thumb drive and then install from there? It's the only way I have to clean it up; otherwise it will become a doorstop. I run a business and a website on it, and it will take me weeks to recover that loss since I hadn't backed anything up this month. I know... bad practice. So, can it be fixed from the thumb drive?

reeko
Novice

Posts: 25
Joined: 2009-03-29
Gender: Male
OS: Win7 Home, 64-bit
Protection: MBAM, AVG, CCleaner, HijackThis
Points: 28149
Likes: 0


Re: BankerFox.A and Win32/Nuqel.E Help Please!

Post by Doctor Inferno on 29th March 2009, 2:21 am

Hello reeko, welcome to GeekPolice.

Please post your problem in a new topic here:

[You must be registered and logged in to see this link.]

Thank you.

Please be a GeekPolice fan on [You must be registered and logged in to see this link.]
Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts: 11976
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104630
Likes: 0
