BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic


BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic7.BSO

Post by blueeyesfl1 on 6th April 2009, 2:29 pm

Hi, here is what I have seen on my AVG virus scan. Here is the HijackThis log. Can anyone help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:00 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\DOCUME~1\Jennifer\LOCALS~1\Temp\clclean.0001
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jennifer\My Documents\Hijack(GP)This.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {06CC4EF7-9280-42F4-83DF-534CD9B78791} - c:\windows\system32\oplywrw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: bsmtawav - C:\WINDOWS\SYSTEM32\oplywrw.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe

--
End of file - 12681 bytes

blueeyesfl1 (Novice) - Posts: 37, Joined: 2009-04-06, OS: XP
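As an added example (editor's code, not something posted in this thread or shipped with HijackThis): a small triage script over HijackThis log lines of the kind pasted above. It flags the patterns a helper looks at first: a process running from a Temp directory or with an odd extension (the clclean.0001 entry), a BHO listed with no name, any O20 Winlogon Notify hook, and the same DLL (oplywrw.dll) appearing in both the O2 and O20 sections. The watch-list of product names is an assumption taken from what the helper later asks to remove, not an authoritative list, and the sample log is a constructed excerpt of lines from the log above.

```python
"""Triage a HijackThis 2.0.2 log for entries that deserve a closer look.

Rules (defender/helper perspective):
  * a running process located under a Temp directory, or whose file name
    has no normal executable extension (e.g. clclean.0001)
  * O2 BHO entries reported as "(no name)"
  * O20 Winlogon Notify entries (a DLL loaded into winlogon.exe at logon)
  * O4 autorun entries that point into a Temp directory
  * the same module registered both as a BHO (O2) and as a Winlogon Notify
    handler (O20)
  * names on a watch-list (assumption: the products the helper asked to remove)
"""
import re
from dataclasses import dataclass

# Section-code prefix of an HJT entry: "O2 - BHO: ...", "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Lines in the "Running processes:" block are bare absolute paths.
PROC_RE = re.compile(r"^[A-Za-z]:\\")
# First absolute Windows path in a line. Non-greedy up to an extension that is
# followed by a quote, whitespace or end of line, so paths containing spaces or
# " - " (e.g. "Spybot - Search & Destroy") are kept whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.[A-Za-z0-9]{1,4}(?=["\s]|$)')
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\|\\Temp\\", re.IGNORECASE)
NORMAL_EXT = {".exe", ".dll", ".scr", ".cpl", ".com", ".lnk"}
# Assumption: watch-list built from the products the thread's helper asked to remove.
WATCHLIST = ("gamevance", "viewpoint media player", "wildtangent")

# Constructed excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\DOCUME~1\Jennifer\LOCALS~1\Temp\clclean.0001
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: (no name) - {06CC4EF7-9280-42F4-83DF-534CD9B78791} - c:\windows\system32\oplywrw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O20 - Winlogon Notify: bsmtawav - C:\WINDOWS\SYSTEM32\oplywrw.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the list of Findings for an HJT log given as one string."""
    findings = []
    refs = {}  # module basename -> set of section codes that reference it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.group(1), m.group(2)
        elif PROC_RE.match(line):
            code, body = "PROC", line
        else:
            continue  # headers and other non-entry lines
        path = first_path(body)
        if path:
            refs.setdefault(basename(path), set()).add(code)
        low = line.lower()
        if code == "PROC" and path:
            ext = "." + basename(path).rsplit(".", 1)[-1]
            if TEMP_RE.search(path) or ext not in NORMAL_EXT:
                findings.append(Finding("process from Temp dir or with unusual extension", line))
        elif code == "O2" and "(no name)" in low:
            findings.append(Finding("BHO with no name", line))
        elif code == "O20":
            findings.append(Finding("Winlogon Notify hook", line))
        elif code == "O4" and path and TEMP_RE.search(path):
            findings.append(Finding("autorun entry pointing into a Temp dir", line))
        if any(w in low for w in WATCHLIST):
            findings.append(Finding("on removal watch-list", line))
    # Cross-reference: one DLL registered both as a BHO and as a Winlogon Notify handler.
    for name, codes in refs.items():
        if {"O2", "O20"} <= codes:
            findings.append(Finding("same module used as BHO and Winlogon Notify handler", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The cross-reference rule is the one that matters most here: a randomly named DLL in system32 that is both a BHO and a Winlogon Notify handler has two independent ways to get loaded, which is why the helper moves on to a deeper scan rather than fixing single HJT lines.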

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 2:35 pm

Hello.

Before we begin, I want to see what's installed.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34916, Joined: 2008-08-03, Gender: Male, OS: XP SP3 Media Centre

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 3:56 pm

I had to uninstall the Spybot program for now. I was unable to open it (which is one of the effects of this virus).

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Groove Playback Engine
Abundante (remove only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 6.0
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.3
Amelie's Cafe
AOLIcon
Apple Software Update
AVG 7.5
Banctec Service Agreement
Beetle Bug 3
Big Fish Games Client
Boggle
Brain Challenge
Brainiversity (remove only)
Broadcom Management Programs
Bubble Town
Burger Island (remove only)
Cake Mania 2 (remove only)
Can You See What I See?
Canon PIXMA iP6000D
Canon PIXMA iP6000D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Chocolatier: Decadence by Design
C-K Kids
Color Trail (remove only)
Conexant HDA D110 MDC V.92 Modem
Conga Bugs
Cooking Academy
County Fair
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
DellSupport
Digital Content Portal
Digital Line Detect
Digital Photo Navigator 1.5
Documentation & Support Launcher
Dynex All-in-1 Card Reader
Easy-WebPrint
EducateU
ELIcon
Farm Craft
FishCo
Games, Music, & Photos Launcher
Gamevance
GemMaster Mystic
Google Gears
Google Talk (remove only)
Google Updater
Hexalot (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Internet Service Offers Launcher
Java(TM) 6 Update 11
Jigsaw World
Liong: The Lost Amulets
Lottso! Deluxe (remove only)
Magic Farm
Malwarebytes' Anti-Malware
Megastore Madness
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Monster Mash
Move Networks Player for Internet Explorer
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Parking Dash
Penguins` Journey
Perfect Sudoku
Photo Viewer
PowerCinema NE for Everio
PowerProducer
Puzzle Park
QBeez 2 (remove only)
QBeez(TM) 2
QuickSet
QuickTime
Ranch Rush
RealPlayer
Secret Agent(tm) Barbie(tm)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spa Mania
Sparkle (remove only)
SpywareBlaster 4.1
Supermarket Mania
Sweep!
Synaptics Pointing Device Driver
Turbo Fiesta
Turbo Pizza (remove only)
Turbo Subs (remove only)
Update for Office 2007 (KB946691)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
Viewpoint Media Player
Wal-Mart Music Downloads Store
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WordPerfect Office 12
Youda Farmer


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 4:04 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Gamevance
  • Java(TM) 6 Update 11
  • Viewpoint Media Player
  • WildTangent Web Driver

We have to go deeper because there's a malicious driver running and we have to find it before we can kill it.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.





Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 4:13 pm

I hope this is what you were looking for? Please let me know if I did something wrong.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/7/2007 9:04:58 PM
System Uptime: 4/6/2009 11:47:08 AM (1 hours ago)

Motherboard: Dell Inc. | | 0FF049
Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1664/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 5.246 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Groove Playback Engine
Abundante (remove only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 6.0
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.3
Amelie's Cafe
AOLIcon
Apple Software Update
AVG 7.5
Banctec Service Agreement
Beetle Bug 3
Big Fish Games Client
Boggle
Brain Challenge
Brainiversity (remove only)
Broadcom Management Programs
Bubble Town
Burger Island (remove only)
C-K Kids
Cake Mania 2 (remove only)
Can You See What I See?
Canon PIXMA iP6000D
Canon PIXMA iP6000D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Chocolatier: Decadence by Design
Color Trail (remove only)
Conexant HDA D110 MDC V.92 Modem
Conga Bugs
Cooking Academy
County Fair
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Digital Photo Navigator 1.5
Documentation & Support Launcher
Dynex All-in-1 Card Reader
Easy-WebPrint
EducateU
ELIcon
Farm Craft
FishCo
Games, Music, & Photos Launcher
GemMaster Mystic
Google Gears
Google Talk (remove only)
Google Updater
Hexalot (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Internet Service Offers Launcher
Jigsaw World
KODAK EASYSHARE Gallery Upload ActiveX Control
Liong: The Lost Amulets
Lottso! Deluxe (remove only)
Magic Farm
Malwarebytes' Anti-Malware
Megastore Madness
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Monster Mash
Move Networks Player for Internet Explorer
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Parking Dash
Penguins` Journey
Perfect Sudoku
Photo Viewer
PowerCinema NE for Everio
PowerProducer
Puzzle Park
QBeez 2 (remove only)
QBeez(TM) 2
QuickSet
QuickTime
Ranch Rush
RealPlayer
Secret Agent(tm) Barbie(tm)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spa Mania
Sparkle (remove only)
SpywareBlaster 4.1
Supermarket Mania
Sweep!
Synaptics Pointing Device Driver
Turbo Fiesta
Turbo Pizza (remove only)
Turbo Subs (remove only)
Update for Office 2007 (KB946691)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
Wal-Mart Music Downloads Store
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WordPerfect Office 12
Youda Farmer

==== Event Viewer Messages From Past Week ========

4/3/2009 10:53:25 PM, error: Service Control Manager [7000] - The NICCONFIGSVC service failed to start due to the following error: The system cannot find the file specified.
4/3/2009 10:35:52 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DENNIS-6E4416A5 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E207371B-37D. The master browser is stopping or an election is being forced.
4/3/2009 10:30:14 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
4/3/2009 10:29:43 PM, error: SRService [104] - The System Restore initialization process failed.
4/3/2009 10:15:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/3/2009 10:08:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Avg7Core Avg7RsW Avg7RsXP Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
4/3/2009 10:08:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/3/2009 10:08:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/3/2009 10:08:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/3/2009 10:08:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/3/2009 10:08:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/3/2009 7:41:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic volume' (STORAGE\RemovableMedia\7&317c34e0&0&RM) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic volume' (STORAGE\RemovableMedia\7&e5064d2&0&RM) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic volume' (STORAGE\RemovableMedia\7&22e71b95&0&RM) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic volume' (STORAGE\RemovableMedia\7&1e0e28fd&0&RM) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic USB MS Reader USB Device' (USBSTOR\Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03\058F312D81B1&3) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic USB SM Reader USB Device' (USBSTOR\Disk&Ven_Generic&Prod_USB_SM_Reader&Rev_1.02\058F312D81B1&2) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic USB CF Reader USB Device' (USBSTOR\Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01\058F312D81B1&1) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Generic USB SD Reader USB Device' (USBSTOR\Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00\058F312D81B1&0) disappeared from the system without first being prepared for removal.
4/1/2009 9:23:13 PM, error: PlugPlayManager [12] - The device 'Multimedia Card Reader' (USB\Vid_058f&Pid_6362\058F312D81B1) disappeared from the system without first being prepared for removal.
3/30/2009 10:40:43 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Conga Bugs\CrashReport.exe. Reference error message: The operation completed successfully. .
3/30/2009 10:40:43 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
3/30/2009 10:40:43 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
4/6/2009 12:07:55 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

blueeyesfl1
Novice
Posts: 37
Joined: 2009-04-06
OS: XP
Points: 28068
Likes: 0

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 4:14 pm

Hello.
Wrong log, that is attach.txt. I need to see DDS.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 4:16 pm

sorry, is this the one?


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jennifer at 12:10:48.95 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.242 [GMT -4:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\DOCUME~1\Jennifer\LOCALS~1\Temp\clclean.0001
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Jennifer\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jennifer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: : {06cc4ef7-9280-42f4-83df-534cd9b78791} - c:\windows\system32\oplywrw.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\jennifer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDUiP6000DMon] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DMon.exe
mRun: [PDUiP6000DTskbr] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DTskbr.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRunOnce: [gvu] cmd.exe /c rd /s /q "c:\program files\Gamevance"
mRunOnce: [gvu2] cmd.exe /c reg delete HKCU\Software\gvtl /f
mRunOnce: [gvu3] cmd.exe /c reg delete HKCU\Software\AppDataLow\gvtl /f
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\jennifer\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - [You must be registered and logged in to see this link.]
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: bsmtawav - oplywrw.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\8p6mu8yb.default\
FF - plugin: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\8p6mu8yb.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\jennifer\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-7-23 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-7-23 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-7-23 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-7-23 10760]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-7-23 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-7-23 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-7-23 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-7-23 4960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 oswybpad;SFF Storage Protocol for SDBusSupport;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
S3 fsbl;F-Secure BlackLight Engine Driver;c:\program files\embarq online security\anti-virus\fsbl2800.sys [2007-5-30 18944]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-6 33176]

=============== Created Last 30 ================

2009-04-06 11:38 --d----- c:\docume~1\jennifer\applic~1\cwtrjgju
2009-04-05 23:30 --d----- c:\program files\Wonderburg
2009-04-03 22:37 --d----- c:\program files\SpywareBlaster
2009-04-03 22:05 --d----- c:\windows\Mozilla
2009-04-03 22:03 --d----- c:\program files\Spybot - Search & Destroy
2009-04-03 22:03 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-03 21:46 --d----- c:\docume~1\jennifer\applic~1\Uniblue
2009-04-03 20:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 20:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 20:36 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:36 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-03 15:23 16,896 a------- c:\windows\syssvc.exe
2009-04-03 15:23 16,896 a------- c:\windows\svcho.exe
2009-04-03 13:47 10,752 a------- c:\windows\system32\iehelper.dll
2009-04-03 13:37 354,320 a------- c:\windows\sysguard.exe
2009-04-02 22:30 --d----- c:\docume~1\jennifer\applic~1\Shape games
2009-04-01 21:13 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-01 21:13 1,409 a------- c:\windows\QTFont.for
2009-03-31 22:24 --d----- c:\docume~1\alluse~1\applic~1\Black Blob Studios
2009-03-31 22:20 --d----- c:\program files\Puzzle Park
2009-03-30 21:37 --d----- c:\docume~1\jennifer\applic~1\monkey money
2009-03-29 21:58 --d----- c:\program files\Spa Mania
2009-03-22 20:53 --d----- c:\docume~1\alluse~1\applic~1\FarmFrenzy-PizzaParty
2009-03-12 22:38 --d----- c:\docume~1\jennifer\applic~1\Boolat Games
2009-03-12 22:26 --d----- c:\program files\Amelie's Cafe

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 00:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-02-27 10:48 0 a------- c:\program files\temp01
2007-01-27 18:38 104 ---shr-- c:\windows\system32\88F13563D7.sys
2007-02-22 18:33 88 ---shr-- c:\windows\system32\D76335F188.sys
2007-02-22 18:33 7,518 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-26 13:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 12:12:04.17 ===============


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 4:22 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Before doing anything, we need to rename Combofix as seen below.

    1. If you are using Firefox, make sure that your download settings are as follows:

  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. During the download, rename Combofix to Combo-Fix as follows:

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG7)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 5:02 pm

ok, I did all that. I *think* it said it was finished and that it was rebooting the computer. Then I got a blue screen that said Windows shut down the computer to prevent further damage. I then restarted and here I am. I looked for the C:\combofix.txt and this is what I found? Is this what you need?

ComboFix 09-04-04.01 - Jennifer 2009-04-06 12:46:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.638 [GMT -4:00]
Running from: C:\Documents and Settings\Jennifer\Desktop\Combo-Fix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 5:09 pm

Is that all there was?

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 5:10 pm

yes, should I re-run it?


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 5:18 pm

Yes please.

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 5:40 pm

crossing fingers this is what I should have?

ComboFix 09-04-04.01 - Jennifer 2009-04-06 13:20:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.306 [GMT -4:00]
Running from: c:\documents and settings\Jennifer\Desktop\Combo-Fix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oplywrw.dll
.
---- Previous Run -------
.
c:\windows\svcho.exe
c:\windows\sysguard.exe
c:\windows\syssvc.exe
c:\windows\system32\drivers\UACehdpaftd.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\oplywrw.dll
c:\windows\system32\UACdfcssjtc.log
c:\windows\system32\UACfdnsargp.dll
c:\windows\system32\UACgxtjntxs.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACivubgaoo.dll
c:\windows\system32\UAClfbivhyo.log
c:\windows\system32\UACmnomsxqe.dat
c:\windows\system32\UACoeuwemia.log
c:\windows\system32\UACtqmmndos.dll
c:\windows\system32\UACyodqcnkm.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_OSWYBPAD
-------\Service_oswybpad
-------\Legacy_OSWYBPAD
-------\Service_oswybpad


((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 12:11 . 2009-04-06 12:11 d--h----- c:\windows\PIF
2009-04-06 11:38 . 2009-04-06 11:38 d-------- c:\documents and settings\Jennifer\Application Data\cwtrjgju
2009-04-06 10:22 . 2009-04-06 10:22 d-------- c:\program files\NOS
2009-04-06 10:22 . 2009-04-06 10:22 d-------- c:\documents and settings\All Users\Application Data\NOS
2009-04-05 23:30 . 2009-04-05 23:30 d-------- c:\program files\Wonderburg
2009-04-05 21:33 . 2009-04-05 21:33 d-------- c:\documents and settings\NetworkService\Application Data\cwtrjgju
2009-04-03 22:37 . 2009-04-03 22:37 d-------- c:\program files\SpywareBlaster
2009-04-03 22:09 . 2009-04-03 22:09 d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2009-04-03 22:05 . 2009-04-03 22:05 d-------- c:\windows\Mozilla
2009-04-03 22:03 . 2009-04-06 11:45 d-------- c:\program files\Spybot - Search & Destroy
2009-04-03 22:03 . 2009-04-06 11:43 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-03 21:46 . 2009-04-03 21:46 d-------- c:\documents and settings\Jennifer\Application Data\Uniblue
2009-04-03 20:36 . 2009-04-03 20:36 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:36 . 2009-04-03 20:36 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 20:36 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 20:36 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\documents and settings\Jennifer\Application Data\Shape games
2009-04-01 21:13 . 2009-04-01 21:13 54,156 --ah----- c:\windows\QTFont.qfn
2009-04-01 21:13 . 2009-04-01 21:13 1,409 --a------ c:\windows\QTFont.for
2009-03-31 22:24 . 2009-03-31 22:24 d-------- c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-03-31 22:20 . 2009-03-31 22:20 d-------- c:\program files\Puzzle Park
2009-03-30 21:37 . 2009-03-30 21:37 d-------- c:\documents and settings\Jennifer\Application Data\monkey money
2009-03-29 21:58 . 2009-03-29 21:58 d-------- c:\program files\Spa Mania
2009-03-22 20:53 . 2009-03-22 21:04 d-------- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-03-12 22:38 . 2009-03-12 22:38 d-------- c:\documents and settings\Jennifer\Application Data\Boolat Games
2009-03-12 22:26 . 2009-03-12 22:26 d-------- c:\program files\Amelie's Cafe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 16:09 --------- d-----w c:\program files\WildTangent
2009-04-06 16:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-06 14:08 --------- d-----w c:\program files\Java
2009-04-06 12:52 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-04-06 03:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-06 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-04 01:48 --------- d-----w c:\program files\MySpace
2009-04-03 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-31 01:36 --------- d-----w c:\documents and settings\Jennifer\Application Data\PlayFirst
2009-03-31 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-12 14:38 --------- d--h--w c:\documents and settings\Jennifer\Application Data\Move Networks
2009-03-05 18:13 --------- d-----w c:\program files\Chocolatier - Decadence by Design
2009-02-27 02:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-27 02:44 --------- d-----w c:\program files\CyberLink
2009-02-27 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\Cyberlink
2009-02-27 02:40 --------- d-----w c:\program files\Digital Photo Navigator 1.5
2009-02-26 12:49 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 03:57 --------- d-----w c:\documents and settings\Jennifer\Application Data\Dreamsdwell Stories
2009-02-13 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\GameTantra
2009-02-12 17:08 --------- d-----w c:\program files\Conga Bugs
2009-02-09 11:36 --------- d-----w c:\documents and settings\Jennifer\Application Data\AVG7
2008-02-27 14:48 0 ----a-w c:\program files\temp01
2007-01-27 22:38 104 --sh--r c:\windows\system32\88F13563D7.sys
2007-02-22 22:33 88 --sh--r c:\windows\system32\D76335F188.sys
2007-02-22 22:33 7,518 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-26 17:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Google Update"="c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-21 133104]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"PDUiP6000DMon"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 57344]
"PDUiP6000DTskbr"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-03-03 c:\windows\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
PowerReg Scheduler.exe [2008-03-17 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-05-01 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
S3 fsbl;F-Secure BlackLight Engine Driver;c:\program files\EMBARQ Online Security\Anti-Virus\fsbl2800.sys [2007-05-30 18944]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-04-06 33176]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:37]

2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1921419468-1673391390-1562102967-1005.job
- c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-21 15:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{06CC4EF7-9280-42F4-83DF-534CD9B78791} - c:\windows\system32\oplywrw.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\8p6mu8yb.default\
FF - plugin: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\8p6mu8yb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-06 13:31:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\Jennifer\LOCALS~1\temp\clclean.0001
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-04-06 13:37:59 - machine was rebooted [Jennifer]
ComboFix-quarantined-files.txt 2009-04-06 17:36:40

Pre-Run: 22,579,703,808 bytes free
Post-Run: 22,522,023,936 bytes free

217 --- E O F --- 2009-04-01 02:16:05

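The log above was triaged by eye in this thread. What follows is an added example, not part of the original post and not a ComboFix feature, showing the mechanical first pass a responder can run over such output before deciding what to put in a CFScript: it pulls the file paths out of the Run keys, the orphan list, the running-process list and any DirLook directory listing, and applies a few fixed rules (image running from a temp directory, running image without a .exe extension, artifacts under a service account's profile, an AutoRun command on a mount point, an autostart entry living inside a user profile). The rule names, severities and the selection of log lines embedded as sample input are my own assumptions; a hit is a lead for review, not a verdict, which is why the legitimate Google Update entry only earns a "review" mark.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the ComboFix output
# posted above, chosen so that every rule below fires at least once.
SAMPLE_LOG = r'''
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-21 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
- - - - ORPHANS REMOVED - - - -
BHO-{06CC4EF7-9280-42F4-83DF-534CD9B78791} - c:\windows\system32\oplywrw.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
------------------------ Other Running Processes ------------------------
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\docume~1\Jennifer\LOCALS~1\temp\clclean.0001
---- Directory of c:\documents and settings\NetworkService\Application Data\cwtrjgju ----
2009-04-05 21:33 111 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\profiles.ini
'''

# Section headers as ComboFix prints them, mapped to a short name (assumption:
# only these four sections are interpreted; others fall through as "None").
SECTION_MARKERS = [
    ("Reg Loading Points", "autostart"),
    ("ORPHANS REMOVED", "orphans"),
    ("Other Running Processes", "processes"),
    ("---- Directory of", "dirlook"),
]

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*')          # first drive-letter path on a line
PROFILE_RE = re.compile(r"^c:\\(documents and settings|docume~1)\\([^\\]+)\\")
SERVICE_ACCOUNTS = {"networkservice", "localservice"}
SEVERITY_RANK = {"info": 0, "review": 1, "medium": 2, "high": 3}


def classify(section, path):
    """Return (severity, rule, note) tuples for one extracted path."""
    low = path.lower()
    hits = []
    if section == "orphans":
        hits.append(("info", "orphan_removed",
                     "load point whose target ComboFix already removed; keep for the quarantine record"))
    if "\\temp\\" in low:
        hits.append(("high", "runs_from_temp",
                     "code living in a temp directory is rarely legitimate at startup"))
    m = PROFILE_RE.match(low)
    if m and m.group(2) in SERVICE_ACCOUNTS:
        hits.append(("high", "service_account_profile",
                     "interactive-style artifacts under a service account's profile"))
    elif m and section == "autostart":
        hits.append(("review", "autostart_in_user_profile",
                     "autostart from a user-writable location; legitimate for some updaters"))
    if section == "processes" and not low.endswith(".exe"):
        hits.append(("high", "non_exe_process",
                     "running image without a .exe extension"))
    return hits


def triage(log_text):
    """Walk a ComboFix log line by line and return a list of finding dicts."""
    section = None
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for marker, name in SECTION_MARKERS:
            if marker in line:
                section = name
        if "\\shell\\autorun\\command" in line.lower():
            command = line.split(" - ", 1)[-1]     # text after "\Shell\AutoRun\command - "
            findings.append({"severity": "medium", "rule": "removable_autorun",
                             "section": section, "target": command,
                             "note": "AutoRun command Explorer may run when the volume is opened"})
            continue
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(0).rstrip(" -")         # strip the trailing " ----" of DirLook headers
        for severity, rule, note in classify(section, path):
            findings.append({"severity": severity, "rule": rule,
                             "section": section, "target": path, "note": note})
    return findings


def rules_for(findings, target):
    """Set of rule names that fired for one target path (case-insensitive)."""
    return {f["rule"] for f in findings if f["target"].lower() == target.lower()}


def summarize(findings):
    """Count findings per severity and return (counts, worst severity or None)."""
    counts = Counter(f["severity"] for f in findings)
    worst = max(counts, key=SEVERITY_RANK.get) if counts else None
    return dict(counts), worst


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        print(f"[{f['severity']:6}] {f['rule']:26} {f['target']}")
    print(summarize(results))
```

On the sample the two "high" leads are exactly the ones the helper acted on in this thread: the image running out of the user's temp directory and the cwtrjgju folder under the NetworkService profile, which should never hold a browser-style profile. The Run-key and process paths under c:\windows and c:\progra~1 produce nothing, so the output stays short enough to read.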

Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 5:47 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

DirLook::
c:\documents and settings\Jennifer\Application Data\cwtrjgju
c:\documents and settings\NetworkService\Application Data\cwtrjgju

Folder::
c:\program files\WildTangent
c:\documents and settings\All Users\Application Data\Viewpoint

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 6:05 pm

hi, here is the log.

ComboFix 09-04-04.01 - Jennifer 2009-04-06 13:52:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.325 [GMT -4:00]
Running from: c:\documents and settings\Jennifer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jennifer\Desktop\CFscript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\WildTangent
c:\program files\WildTangent\Apps\GameChannel\Games\6293BC00-4EB8-4C65-8548-53E2FC3BF937\def.dat
c:\program files\WildTangent\LicenseStores\WT\60C5C02A-D223-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\wt.sto

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 12:11 . 2009-04-06 12:11 d--h----- c:\windows\PIF
2009-04-06 11:38 . 2009-04-06 11:38 d-------- c:\documents and settings\Jennifer\Application Data\cwtrjgju
2009-04-06 10:22 . 2009-04-06 10:22 d-------- c:\program files\NOS
2009-04-06 10:22 . 2009-04-06 10:22 d-------- c:\documents and settings\All Users\Application Data\NOS
2009-04-05 23:30 . 2009-04-05 23:30 d-------- c:\program files\Wonderburg
2009-04-05 21:33 . 2009-04-05 21:33 d-------- c:\documents and settings\NetworkService\Application Data\cwtrjgju
2009-04-03 22:37 . 2009-04-03 22:37 d-------- c:\program files\SpywareBlaster
2009-04-03 22:09 . 2009-04-03 22:09 d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2009-04-03 22:05 . 2009-04-03 22:05 d-------- c:\windows\Mozilla
2009-04-03 22:03 . 2009-04-06 11:45 d-------- c:\program files\Spybot - Search & Destroy
2009-04-03 22:03 . 2009-04-06 11:43 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-03 21:46 . 2009-04-03 21:46 d-------- c:\documents and settings\Jennifer\Application Data\Uniblue
2009-04-03 20:36 . 2009-04-03 20:36 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:36 . 2009-04-03 20:36 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 20:36 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 20:36 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\documents and settings\Jennifer\Application Data\Shape games
2009-04-01 21:13 . 2009-04-01 21:13 54,156 --ah----- c:\windows\QTFont.qfn
2009-04-01 21:13 . 2009-04-01 21:13 1,409 --a------ c:\windows\QTFont.for
2009-03-31 22:24 . 2009-03-31 22:24 d-------- c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-03-31 22:20 . 2009-03-31 22:20 d-------- c:\program files\Puzzle Park
2009-03-30 21:37 . 2009-03-30 21:37 d-------- c:\documents and settings\Jennifer\Application Data\monkey money
2009-03-29 21:58 . 2009-03-29 21:58 d-------- c:\program files\Spa Mania
2009-03-22 20:53 . 2009-03-22 21:04 d-------- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-03-12 22:38 . 2009-03-12 22:38 d-------- c:\documents and settings\Jennifer\Application Data\Boolat Games
2009-03-12 22:26 . 2009-03-12 22:26 d-------- c:\program files\Amelie's Cafe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 14:08 --------- d-----w c:\program files\Java
2009-04-06 12:52 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-04-06 03:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-06 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-04 01:48 --------- d-----w c:\program files\MySpace
2009-04-03 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-31 01:36 --------- d-----w c:\documents and settings\Jennifer\Application Data\PlayFirst
2009-03-31 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-12 14:38 --------- d--h--w c:\documents and settings\Jennifer\Application Data\Move Networks
2009-03-05 18:13 --------- d-----w c:\program files\Chocolatier - Decadence by Design
2009-02-27 02:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-27 02:44 --------- d-----w c:\program files\CyberLink
2009-02-27 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\Cyberlink
2009-02-27 02:40 --------- d-----w c:\program files\Digital Photo Navigator 1.5
2009-02-26 12:49 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 03:57 --------- d-----w c:\documents and settings\Jennifer\Application Data\Dreamsdwell Stories
2009-02-13 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\GameTantra
2009-02-12 17:08 --------- d-----w c:\program files\Conga Bugs
2009-02-09 11:36 --------- d-----w c:\documents and settings\Jennifer\Application Data\AVG7
2008-02-27 14:48 0 ----a-w c:\program files\temp01
2007-01-27 22:38 104 --sh--r c:\windows\system32\88F13563D7.sys
2007-02-22 22:33 88 --sh--r c:\windows\system32\D76335F188.sys
2007-02-22 22:33 7,518 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-26 17:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Jennifer\Application Data\cwtrjgju ----

2009-04-06 11:39 65536 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\cert8.db
2009-04-06 11:39 2048 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\cookies.sqlite
2009-04-06 11:38 96243 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\xpti.dat
2009-04-06 11:38 8058 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\pluginreg.dat
2009-04-06 11:38 569 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\localstore.rdf
2009-04-06 11:38 4096 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\formhistory.sqlite
2009-04-06 11:38 367 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\prefs.js
2009-04-06 11:38 207 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\compatibility.ini
2009-04-06 11:38 2048 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\webappsstore.sqlite
2009-04-06 11:38 2048 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\permissions.sqlite
2009-04-06 11:38 16384 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\secmod.db
2009-04-06 11:38 16384 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\key3.db
2009-04-06 11:38 131072 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\places.sqlite
2009-04-06 11:38 127820 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\compreg.dat
2009-04-06 11:38 111 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\profiles.ini
2009-04-06 11:38 0 --a------ c:\documents and settings\Jennifer\Application Data\cwtrjgju\Profiles\gtjwiiqj.default\places.sqlite-journal

---- Directory of c:\documents and settings\NetworkService\Application Data\cwtrjgju ----

2009-04-05 22:58 2048 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\cookies.sqlite
2009-04-05 22:56 2048 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\webappsstore.sqlite
2009-04-05 22:51 96173 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\xpti.dat
2009-04-05 22:51 8600 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\pluginreg.dat
2009-04-05 22:51 367 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\prefs.js
2009-04-05 22:51 207 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\compatibility.ini
2009-04-05 22:51 131072 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\places.sqlite
2009-04-05 22:51 127885 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\compreg.dat
2009-04-05 22:51 0 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\places.sqlite-journal
2009-04-05 21:34 65536 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\cert8.db
2009-04-05 21:33 569 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\localstore.rdf
2009-04-05 21:33 4096 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\formhistory.sqlite
2009-04-05 21:33 2048 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\permissions.sqlite
2009-04-05 21:33 16384 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\secmod.db
2009-04-05 21:33 16384 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\Profiles\pu16spy2.default\key3.db
2009-04-05 21:33 111 --a------ c:\documents and settings\NetworkService\Application Data\cwtrjgju\profiles.ini


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 6:06 pm

the rest

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Google Update"="c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-21 133104]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"PDUiP6000DMon"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 57344]
"PDUiP6000DTskbr"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-03-03 c:\windows\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
PowerReg Scheduler.exe [2008-03-17 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-05-01 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
S3 fsbl;F-Secure BlackLight Engine Driver;c:\program files\EMBARQ Online Security\Anti-Virus\fsbl2800.sys [2007-05-30 18944]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-04-06 33176]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:37]

2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1921419468-1673391390-1562102967-1005.job
- c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-21 15:19]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\8p6mu8yb.default\
FF - plugin: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\8p6mu8yb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-06 13:56:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Jennifer\LOCALS~1\temp\clclean.0001
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-06 14:02:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 18:01:21
ComboFix2.txt 2009-04-06 17:38:00

Pre-Run: 22,496,227,328 bytes free
Post-Run: 22,500,974,592 bytes free

228 --- E O F --- 2009-04-01 02:16:05


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 6:07 pm

Hello.
This looks fine now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.
Let me know how the machine is running now.



Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by blueeyesfl1 on 6th April 2009, 6:10 pm

Oh Thank you so much!!

It seems to be back to normal now. Is AVG the best "free" virus protection out there? Should I re-install Spybot?


Re: BankerFox.A Win32/Nuqel.E virus and Trojan horse PSW.Generic

Post by Belahzur on 6th April 2009, 6:12 pm

Their rep isn't the best, but it will keep most of the really bad malware off your machine.

You can re-install Spybot.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

