Win32/Nuqel/Bankerfox

View previous topic View next topic Go down

Win32/Nuqel/Bankerfox

Post by AQCC4 on 31st March 2009, 10:58 pm

Hello,
I am in need of some assistance with removing a virus off my daughter's laptop. The virus is one that I've seen you assist others with in forums and I am hopeful that you will be able to aid me as well. My daughter seems to have downloaded a virus that the anitvirus program is calling Win32\Nuqel or Bankerfox. I do have a DDS log and Attach Text if that is needed...

Thank you

AQCC4
Beginner
Beginner

Posts Posts : 4
Joined Joined : 2009-03-31
OS OS : Windows XP
Points Points : 28106
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by Belahzur on 31st March 2009, 11:15 pm

Post DDS please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by AQCC4 on 31st March 2009, 11:18 pm

Thanks...here it is


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jean at 17:23:06.59 on Tue 03/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.509.125 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
D:\iTunesHelper.exe
C:\WINDOWS\svcho.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Jean\Application Data\U3\000015793C6112EB\LaunchPad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
J:\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - No File
BHO: : {1f1118bf-1560-49b6-b518-fccfe53a1f08} - c:\windows\system32\gurczxv.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {F02FABCB-92DD-475A-98AF-14217BD50746} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SigmaTel StacMon] c:\program files\sigmatel\c-major audio\stacmon.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "D:\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\2wirew~1.lnk - c:\program files\2wire wireless\client manager\CMTWO.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerp~1.lnk - c:\program files\powerpanel\program\PcfMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: LMIinit - LMIinit.dll
Notify: ykpmdohs - gurczxv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-10 201320]
R2 axsahahx;CD-ROM Monitor;c:\windows\system32\svchost.exe -k netsvcs [2003-8-12 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2005-2-10 258146]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-16 46112]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2003-8-12 156288]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40488]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-8-12 71961]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2005-2-10 108400]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-25 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 33832]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2006-5-23 14924]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-8-20 1174664]
S3 wltwo48b;2Wire Wireless PC Card Driver;c:\windows\system32\drivers\wltwo48b.sys [2004-11-29 170496]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-28 15:21 --d----- c:\docume~1\jean\applic~1\pbllabim
2009-03-26 23:53 19,456 a------- c:\windows\svcho.exe
2009-03-26 23:53 19,456 a------- c:\windows\syssvc.exe
2009-03-26 23:23 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-26 23:13 353,808 a------- c:\windows\sysguard.exe
2009-03-06 21:47 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-03-02 01:55 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-02 01:55 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-02 01:54 --d----- c:\program files\iPod
2009-03-02 01:54 -cd----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-02 01:44 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-23 12:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 17:24:25.43 ===============

AQCC4
Beginner
Beginner

Posts Posts : 4
Joined Joined : 2009-03-31
OS OS : Windows XP
Points Points : 28106
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by Belahzur on 31st March 2009, 11:20 pm

Hello.
DDS shows the infection hiding in your registry, we'll have to go something more powerful out to deal with this one.

But first, I want to see what's installed.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by AQCC4 on 31st March 2009, 11:54 pm

Becuase it is my daughter's computer I've been doing everything via USB...I've got the program files saved to the desktop as her laptop will not connect to the internet.

I've tried several times to get the Hijack software to install, it begins to run then stops...please advise.

AQCC4
Beginner
Beginner

Posts Posts : 4
Joined Joined : 2009-03-31
OS OS : Windows XP
Points Points : 28106
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by Belahzur on 31st March 2009, 11:56 pm

Hello.
It might be a rootkit blocking us, but I'll have to confirm with you.

Are you able to open Mcafee/update it?

If not, then there's a deeper problem.

Let me know.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by AQCC4 on 1st April 2009, 2:31 am

It took awhile for the update to begin...once it did it stopped in the middle of the update. The machine froze and needed to be restarted.

AQCC4
Beginner
Beginner

Posts Posts : 4
Joined Joined : 2009-03-31
OS OS : Windows XP
Points Points : 28106
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel/Bankerfox

Post by Belahzur on 1st April 2009, 2:00 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum