Win32/Nuqel.E & Bankerfox

I'm fairly sure I've got nuqel.e and bankerfox. The fake Antivirus Systme Pro alert pop ups are occuring all the time.

Windows says the system is infected and won't let me run any programs. I have Malwarebytes but I can't run it because it gets a windows security alert bubble and a security warming pop up that says "file mbam.exe is infected. Do you want to activate your antivirucs softwear now?". If I say "yes" to this pop up it takes me to the Win-Guard 2009 website to purchase softwear.

I also have something called Antivirus System Pro coming up when the Windows security bubble is clicked. It is also bringing up the IE browser for the sites like adult.org. and viagra.com

Adobe and Java should have all been up to date. I'm running windows XP. I can run HijackThis but I can not get the log file because the same security pop up warning of an infected file won't allow wordpad to open. I tried screen capping but the same problem happened.

I've currently disconnected the computer from the internet by unplugging the cable.

Please help.

Last edited by Glacon on 6th November 2009, 6:42 am; edited 2 times in total (Reason for editing : more information added)

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Sorry for the tardy response. I tried to follow the instructions but I couldn't.

I downloaded combofix and renamed it to commy.exe when the save to screen came up. I then stopped avast, pasted the above line into the run box and hit enter. When I did this a security balloon came up saying commy.exe was infected. There were also pop up boxes that said n.pif, rundll32.exe and pev.cfxxe were infected.

I tried double clicking on the icon but that did nothing. Trying to go through the run box again after a reboot I got a screen with an agreement for comboxfix which I accepted but the security balloons and pop up boxes came up again and the combofix stopped working. Also my computer made a high pitched beeping noise. I tried downloading it again after a reboot but the same thing happened.

Your computer is infected with a dangerous infection:
http://www.helpmyos.com/malware-threat-removal-f6/virut-information-t879.htm

We have hit a dead end. Please tell me when you have completed a reformat and reinstall.

I am sorry for the bad news. I do not understand why these mean people make such harsh viruses, and I wish there was a way to clean your system without everything being damaged. But, the problem is, cleaning the system, most files will be damaged. It is like trying to clean up a city that just had a tornado or hurricane run through it. Takes rebuilding, and time to set back up.

That is really bad news indeed but thank you for trying to help. I assume this means it's pointless to try and save any files on that computer or create any of the back ups in the beginning of the reformat tutorial? Also my other problem is that when I got this computer it did not come with an OS disk or any motherboard driver disks.

We can try to cure it, can't be sure it will work, but it is worth a try:

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

• Double-click on drweb-cureit.exe to start the program.
  An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now, Click OK to start the scan.
  This is a short scan that will scan the files currently running in memory.
  If something is found, click the Yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis
  
• Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  
• Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  
• When finished, a message will be displayed at the bottom advising if any viruses were found.
  
• Click Yes to all if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can see the icon next to the files found.
  If so, click it, then click the next icon right below and select Move incurable.
  (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit when you have finished.
  
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
  

Thank you for suggesting a cure. I understand that it's risky but I'd rather try it than just give up.

Just one question:
Would it be better to download DrWeb-CureIt on a different machine, then burn it to CD and move it from the CD to the desktop of the infected machine then run it?

If you would like to try that, feel free to.

I tried downloading directly onto the infected machine first. I couldn't get it to run - the security pop up box came up with the file infected warning. I rebooted and tried it again. This time it did work. I did the express scan. It said the host files needed fȋxed. I said yes. At the end of the scan it said no virus had been found. I then did the driver scan and it also came with the message that there were no virus on the machine. On the menu it would not give me the option to generate a report.

I got a pop up offering me a free trial version of professional edition DrWeb-CureIt as well as one saying that no suspicious or infected files had been found on the computer. I am still getting the Antivirus System Pro pop ups warning that attacks using nuquel.e and bankerfox.a are occuring. I also get the spywear pop up, Internet Explore opening to porno.org, viagra.com, etc., and Windows Security balloons saying that files are infected and can not be run.

At this point it's upsetting that I can't get my doc, pdf, and jpeg files off the machine without them being infected but I think this is probably the time to accept that they are lost and there is nothing left but to do the reformat and reinstall as per the other instructions you linked to.

My concern now is can I plug the monitor, keyboard (microsoft DIN6 connection), mouse (microsoft - usb connection), speakers (jack connector), and printer (HP 1000 usb connection) that are on the infected machine into a clean system without fear of spreading the infection?

Thank you very much to taking the time to try and help me. I really appreciate it.

Those devices are fine to transfer. It is just your hard drive (or flash drive or external drive) that are vulnerable.

Are you saying you will go with the reformat and reinstall?

I'm glad those are fine.

I will do the reformat and reinstall as soon as I can. I never got any disks with it. All the information for the OS and motherboard drivers is on the G drive (this is supposed to be a seperate partition but I don't know if it's a physically seprate drive) according to the specs that came with the computer. I am wondering if this is going to cause enough problems that I'll end up writing this tower off as an expensive lesson.

I had an external drive and a flash drive on the infected machine. The external drive was unplugged minutes before it became apparent I had problem but I don't know if it was infected or not. I tried moving a clean copy of malwarebytes over on the flashdrive so I suspect it's almost certain that it's infected. Can you recommend any way to safely check them?

I know this is very strange but before I began the reformate/reinstal I thought I'd try everything once more just in case. I got Malwarebytes to run and it's currently doing a quick scan. If I can get a log I will post it. The trick seemed to be opening Malwarebytes during the start up sequence so whatever is causing the infection hadn't activated itself yet. When it did come up it didn't seem to cause any problems with Malwarebytes.

Last edited by Glacon on 9th November 2009, 4:59 am; edited 2 times in total (Reason for editing : more information added)

I'm not sure if it's relevant but to get at the log I had to double click the file icon where I'd saved in multiple times because the file would open then disappear very quickly. It was only after about six attempts that the file would stay open long enough for me to copy the text. I also can't open malwarebytes now that I've closed it. I tried rebooting and opening it quickly like the first time but it didn't work. I also still can't run HijackThis. Maybe this is a sign that the reformat and reinstall is still the fastest way to deal with the problem.



Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

08/11/2009 10:50:08 PM
mbam-log-2009-11-08 (22-50-08).txt

Scan type: Quick Scan
Objects scanned: 103315
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edit: Apologies for not following the instructions asap but I have to be away for a few days but will follow the instructions once I am back with the infected machine. Thanks.

Last edited by Glacon on 11th November 2009, 5:56 am; edited 3 times in total (Reason for editing : note)

Please delete any copies of ComboFix on your system, download the new copy, then attach external/flash drives back on to the computer. Then, run ComboFix.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to blackpudding.bat before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Navigate to Start --> Run, and enter the following command exactly as shown:
  
  "%userprofile%\desktop\blackpudding.bat" /killall
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Sorry for the slow response. I've been away for a few days. When I booted the machine up it froze and I had to reboot it three times before it would finish. Once it had successfully booted up the usual antivirus system pro warnings and security pop ups did not come up as they have been which was unexpected.

ComboFix 09-11-14.01 - Laura 13/11/2009 22:17..2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1001 [GMT -6]
Running from: c:\documents and settings\Laura\desktop\blackpudding.bat
Command switches used :: c:\documents and settings\Laura\desktop\blackpudding.bat /killall
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 23:53 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-13 23:53 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-13 23:53 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-13 23:53 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-13 23:53 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-13 23:48 . 2009-08-29 01:24 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2009-11-13 23:48 . 2009-08-30 00:16 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2009-11-13 23:48 . 2009-11-13 23:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-13 23:48 . 2009-11-13 23:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-13 23:48 . 2009-11-13 23:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-13 23:48 . 2009-11-13 23:48 -------- d-----w- c:\program files\Symantec
2009-11-13 23:47 . 2009-08-26 22:13 900464 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\OCS\hsplayer.dll
2009-11-13 23:47 . 2009-09-01 08:27 892272 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CLT\cltLMSx.dll
2009-11-13 23:47 . 2009-11-13 23:47 -------- d-----w- c:\windows\system32\drivers\NIS
2009-11-13 23:47 . 2009-11-13 23:47 -------- d-----w- c:\program files\Windows Sidebar
2009-11-13 23:47 . 2009-11-13 23:47 -------- d-----w- c:\program files\Norton Internet Security
2009-11-13 23:47 . 2009-11-13 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-13 23:44 . 2009-11-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-13 23:44 . 2009-11-13 23:44 -------- d-----w- c:\program files\NortonInstaller
2009-11-08 02:29 . 2009-11-08 02:47 -------- d-----w- c:\documents and settings\Laura\DoctorWeb
2009-11-06 06:08 . 2009-11-06 06:08 -------- d-----w- c:\documents and settings\Laura\Application Data\Malwarebytes
2009-11-06 05:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 05:59 . 2009-11-06 06:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 05:59 . 2009-11-06 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 05:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 02:09 . 2009-11-14 00:08 -------- d-----w- c:\documents and settings\Laura\Local Settings\Application Data\jhfwpj
2009-11-03 16:05 . 2009-11-03 16:05 -------- d-----w- c:\program files\Common Files\Apple
2009-11-03 16:04 . 2009-11-03 16:05 -------- d-----w- c:\program files\QuickTime
2009-10-31 00:15 . 2009-10-31 00:15 -------- d-----w- c:\documents and settings\Laura\Application Data\Leadertech
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 17:42 . 2009-03-18 07:18 281008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-20 16:15 . 2007-10-02 19:22 -------- d-----w- c:\program files\Common Files\Real
2009-09-20 16:14 . 2009-09-20 16:14 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-20 16:14 . 2007-10-02 19:23 -------- d-----w- c:\program files\Real
2009-09-17 05:55 . 2006-08-13 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-17 05:54 . 2009-09-17 05:23 -------- d-----w- c:\program files\Maxtor
2009-09-17 05:29 . 2009-09-17 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Maxtor
2009-09-11 14:18 . 1980-01-01 07:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:00 . 2009-11-13 23:52 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\NAVENG.SYS
2009-08-29 09:00 . 2009-11-13 23:52 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\NAVENG32.DLL
2009-08-29 09:00 . 2009-11-13 23:52 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\NAVEX32A.DLL
2009-08-29 09:00 . 2009-11-13 23:52 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\NAVEX15.SYS
2009-08-29 09:00 . 2009-11-13 23:52 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\ERASER.SYS
2009-08-29 09:00 . 2009-11-13 23:52 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091113.003\EECTRL.SYS
2009-08-29 08:08 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 1980-01-01 07:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-10-03 15:24 . 2007-10-03 15:24 28 -c--a-w- c:\program files\deviceinfo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1202869041\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1202869041\\ee\\aim6.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.088\SymDS.sys [13/11/2009 5:47 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.088\SymEFA.sys [13/11/2009 5:47 PM 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091013.001\BHDrvx86.sys [13/11/2009 5:52 PM 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.088\ccHPx86.sys [13/11/2009 5:47 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1100000.088\Ironx86.sys [13/11/2009 5:47 PM 114736]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [13/11/2009 5:47 PM 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [14/02/2008 9:09 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13/11/2009 5:52 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [13/11/2009 5:53 PM 329592]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [30/03/2009 11:39 PM 17432]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [20/06/2009 1:06 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-11-14 c:\windows\Tasks\User_Feed_Synchronization-{E8F84106-5EAC-4AFB-AD14-31AFCBD99018}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.sylvanlake.com/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
AddRemove-HijackThis - c:\documents and settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\Y7JXUB4U\HijackThis.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(568)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
.
**************************************************************************
.
Completion time: 2009-11-13 22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 04:31

Pre-Run: 15,520,403,456 bytes free
Post-Run: 16,114,020,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - BCAB83B21C1A18FCBD3296385AC08098

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes' Anti-Malware 1.41
Database version: 3171
Windows 5.1.2600 Service Pack 3

14/11/2009 12:42:33 PM
mbam-log-2009-11-14 (12-42-33).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 258828
Time elapsed: 1 hour(s), 38 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please run Panda ActiveScan online scan.

• Click the big green Scan now button
  
• If it wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• Once the scan is completed, please hit the notepad icon next to the text Export to:
  
• Save it to a convenient location such as your Desktop
  
• Post the contents of the ActiveScan.txt in your next reply

I'm glad of the note on the run time otherwise I would have been a lot more worried when it took hours to do the scan. Thanks for keeping going with this.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-11-15 01:12:37
PROTECTIONS: 0
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\laura\cookies\laura@atdmt[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{5d527826-05bd-4a83-8416-28acdda14001}\rp562\a0119678.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

When I tried to run this the first time Norton's Sonar protection setting caught it as a virus and removed it so I had to download it again and disable Norton before running it. I hope this isn't a problem. Here's the log.

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Norton Internet Security
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

I'm sorry I just realized that it was probably stupid to run it with Norton completely disabled. I reran it with just the Sonar protection setting turned off. Here's that log just in case it makes a different. Sorry about that.

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Norton Internet Security
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

No big deal. Norton always detects that tool. It is not a bad tool, I trained with the author of it.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

I figured I should probably ignore Norton since you wouldn't want to make more work for youself. *g* I almost feel like I'll be jinxing it to say I'm grateful it's fȋxed. Thank you very much for the help. I'm happy to donate. I assume that I should run one of the antispyware programs in conjunction with Norton? On the subject of Norton what do you think of its internet security suite? Last question, should I remove Combox Fix, DrWeb-CureIt, and Security Check?

Norton seems to be ok. Sometimes it has its problems, but it will help prevent malware and remove it. It is not bad, but not everyone likes it.

You can safely ignore the antispyware message up there.

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.