Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Hi,

I have a computer infected by Win32/Nuqel.E and BankerFox.A, and I see unlimited pop-ups; my browsing is interrupted by alert windows...

I can download programs, but they cannot be run or installed (I've tried).

I can't open My Computer or execute any program without reading "The file wscntfy.exe is infected" and other similar messages.

I can't find any of the virus files I'm supposedly infected with (I searched the internet for a solution before discovering GeekPolice).

It seems nothing runs :sad:

What can I do? Thanks a lot.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Hello.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Belahzur wrote:
Hello.

3. Will IceSword open?


Yes, I could open it :) ...

What do I have to do now?

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Anything else will be tomorrow (it's 02h and I'm going to bed). I'll come back ready to follow the next instructions.

Thanks.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Hello.

  • Now, on the left-hand side, hit the Process button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Next, hit the Startup on the left side list.
  • Press the log button again.
  • Post the two logs in your next reply.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Process:

System Idle Process
System
C:\Archivos de programa\DellTPad\ApntEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\stacsv.exe
C:\Archivos de programa\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Sigmatel\C-Major Audio\WDM\stsystra.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Archivos de programa\DellTPad\ApMsgFwd.exe
C:\Archivos de programa\Intel\Wireless\Bin\iFrmewrk.exe
C:\Archivos de programa\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\WINDOWS\system32\smss.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\Archivos de programa\Launchy\Launchy.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.bin
C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\DellTPad\hidfind.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Archivos de programa\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Archivos de programa\Intel\Wireless\Bin\WLKEEPER.exe
C:\Archivos de programa\Canon\CAL\CALMAIN.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Unique\Escritorio\IceSword122en\IceSword.exe

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
C:\Archivos de programa\DellTPad\Apoint.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /installquiet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVHotkey
rundll32.exe nvHotkey.dll,Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SigmatelSysTrayApp
%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelZeroConfig
"C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
"C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WavXMgr
C:\Archivos de programa\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecureUpgrade
C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KADxMain
C:\WINDOWS\system32\KADxMain.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISUSScheduler
"C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RoxioDragToDisc
"C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PDVDDXSrv
"C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ECenter
C:\Dell\E-Center\EULALauncher.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acrobat Assistant 7.0
"C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
"C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast5
C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
amva
C:\WINDOWS\system32\amvo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
C:\DOCUME~1\Unique\CONFIG~1\Temp\herss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
"C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acelerador de inicio de AutoCAD.lnk
C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe (Remark: Acelera el inicio de AutoCAD rellenando la caché de disco)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Adobe Acrobat Speed Launcher.lnk
C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Adobe Gamma.lnk
C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Bluetooth Manager.lnk
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
desktop.ini


C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Digital Line Detect.lnk
C:\Archivos de programa\Digital Line Detect\DLG.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Launchy.lnk
C:\Archivos de programa\Launchy\Launchy.exe (Remark:)

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
desktop.ini


C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
OpenOffice.org 2.3.lnk
C:\Archivos de programa\OpenOffice.org 2.3\program\quickstart.exe (Remark:)

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
Stardock ObjectDock.lnk
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe (Remark: Stardock ObjectDock)
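Reading a startup log like the one above by eye is what the helper does in this thread. As an added example (not code from the thread, from IceSword, or from GeekPolice), here is a small Python script that parses the three-line entry format IceSword emits (location, name, command) and flags entries using two checks a responder would apply by hand: the file runs from a user-profile data or temp directory, or the same file is registered under both the HKLM and HKCU Run keys. The sample log is a subset of the entries posted above with the `Remark:` trailer; that the format is always location, name and an optional command line is an assumption taken from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Subset of the IceSword startup log posted in this thread (same entry format).
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
C:\Archivos de programa\DellTPad\Apoint.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /installquiet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
"C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
amva
C:\WINDOWS\system32\amvo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
C:\DOCUME~1\Unique\CONFIG~1\Temp\herss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
"C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
desktop.ini

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
Stardock ObjectDock.lnk
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe (Remark: Stardock ObjectDock)
"""


@dataclass
class StartupEntry:
    location: str  # registry key or startup folder
    name: str      # value name or .lnk file name
    command: str   # command line, empty when the log shows none


def parse_icesword_startup(text: str) -> List[StartupEntry]:
    """Split the log into blank-line-separated blocks of location / name / command."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        if len(lines) < 2:
            continue  # a key with no value at all, as appears once in the posted log
        command = lines[2] if len(lines) > 2 else ""
        entries.append(StartupEntry(lines[0], lines[1], command))
    return entries


def target_path(command: str) -> str:
    """Return the file a startup command actually loads.

    Handles quoted paths, unquoted paths containing spaces, trailing arguments
    and the "(Remark: ...)" trailer; for rundll32 entries the DLL is returned,
    since that is where the code lives."""
    m = re.match(r'\s*"([^"]+)"|\s*(.*?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:[\s,]|$)',
                 command, re.I)
    if not m:
        return command.strip()
    path = (m.group(1) or m.group(2)).strip()
    if path.lower().endswith("rundll32.exe"):
        dm = re.match(r'\s*"?([^",]+\.dll)', command[m.end():], re.I)
        if dm:
            return dm.group(1).strip()
    return path


# Localized (Spanish XP) and English names for user-profile data and temp directories.
USER_PROFILE = re.compile(r"\\(documents and settings|docume~1|users)\\", re.I)
USER_DATA_DIRS = re.compile(
    r"\\(datos de programa|application data|appdata|config~1|locals~1|temp|tmp)\\", re.I)


def flag_startup_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, target, reasons) for every entry that trips a heuristic."""
    entries = parse_icesword_startup(text)
    hives_by_target = defaultdict(set)
    for e in entries:
        t = target_path(e.command)
        if t:
            hives_by_target[t.lower()].add(e.location.split("\\")[0].upper())
    flagged = []
    for e in entries:
        t = target_path(e.command)
        if not t:
            continue
        reasons = []
        if USER_PROFILE.search(t) and USER_DATA_DIRS.search(t):
            reasons.append("runs from a user-profile data or temp directory")
        if {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"} <= hives_by_target[t.lower()]:
            reasons.append("same file registered under both HKLM and HKCU Run keys")
        if reasons:
            flagged.append((e.name, t, reasons))
    return flagged


if __name__ == "__main__":
    for name, target, reasons in flag_startup_log(SAMPLE_LOG):
        print(f"{name:12} {target}\n    -> {'; '.join(reasons)}")
```

Run against the sample, the script flags the two `baqbwgmb` entries (bmwosftav.exe, both heuristics) and `cdoosoft` (herss.exe in Temp). It does not flag `amva`, whose file sits in system32 and was only identified later by the MBAM scan, which is exactly why location heuristics are a triage aid and the helper still asks for a scanner log.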

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Hi again.

Those were my two logs created by IceSword.

I have a notice I think can be helpful. My Windows Defender automatically started and did its daily scan about 20 minutes ago. It detected a "TrojanDownloader:Win32Renos.KQ" with a Severe alert level. The action taken was to remove it.

The pop-up madness stopped!

I think that's important in case it has changed anything in the two logs above.

Anyway, it would be fantastic to continue following instructions to be sure the computer is really clean and running normally.

Thanks a lot!

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Hello.


  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    bmwosftav.exe

  • Select Terminate Process.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Belahzur wrote:
Hello.


  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    bmwosftav.exe

  • Select Terminate Process.



I can't find this process (bmwosftav.exe) running right now on the computer.

Should I paste a new log from IceSword? Or download Malwarebytes' Anti-Malware and do what you wrote? Or...? Let me think

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Run MBAM, see if it will run now.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Clicking Finish


Belahzur wrote:

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


An error occurred >> Error code: 732 (12029, 0)

Anyway, MBAM was automatically launched after clicking Accept and I'm doing the Quick Scan... and being patient.

The next post will be the log, I hope :p

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
The MBAM log:



Malwarebytes' Anti-Malware 1.44
Versión de la Base de Datos: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

20/02/2010 1:34:28
mbam-log-2010-02-20 (01-34-28).txt

Tipo de examen : Examen Rápido
Objetos examinados: 128958
Tiempo transcurrido: 9 minute(s), 28 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 1
Valores del Registro Infectados: 2
Elementos de Datos del Registro Infectados: 1
Carpetas Infectadas: 0
Ficheros Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\6phx.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.


If there's any difficulty with the language, I can change the MBAM language to English. I didn't think of it before.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
No problem with the language, I can read almost any log in any language - mainly because the filenames stay the same and are in the same location, so it doesn't matter what the language is.

You may have a flash drive infection.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups
Belahzur wrote:
No problem with the language, I can read almost any log in any language - mainly because the filenames stay the same and are in the same location, so it doesn't matter what the language is.


That's what I thought. It's not English or Spanish or... it's computing language :D

Scanning. Next, the two logs.
