WiredWX Christian Hobby Weather Tools

Infected with Win32/Nugel.E and Bankfox a - Page 2

Re: Infected with Win32/Nugel.E and Bankfox a
A pop-up window occurs, similar to when trying to open Windows documents, music, etc.

It states:
application cannot be executed. the file mbam.exe is infected do you want to activate your antivirus software now?

Re: Infected with Win32/Nugel.E and Bankfox a
Hi,

Try this first.

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3



  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.


Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed further to do so.

After RKill runs, please immediately do the following: Try running MBAM

Re: Infected with Win32/Nugel.E and Bankfox a
I was able to run MBAM without RKill.
Here is the log.
I did run and restart my computer, still seem to have problems with Internet Explorer, text size, connection, etc., when Mozilla seems to still be OK.
Thanks for all your continued help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 5:11:36 PM
mbam-log-2010-06-30 (17-11-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 244174
Time elapsed: 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pctuhnio (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melissa\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
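
The log above contains two findings worth triaging first: a value under the per-user Run key and a file named svchost.exe in a Temp directory. The following is an added example, not part of the thread and not Malwarebytes code, that parses this log layout and flags both patterns; the function names, flag labels and the short list of system binary names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the MBAM 1.46 log posted above, plus one summary line to show it is skipped.
SAMPLE_LOG = r"""Registry Keys Infected: 1
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pctuhnio (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melissa\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+) Infected:$")  # detail header, not the "...: 1" summary
ITEM = re.compile(r"^(?P<target>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
RUN_KEY = r"\microsoft\windows\currentversion\run"  # also matches RunOnce
# Assumed short list of Windows binaries that normally live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def parse_mbam(text):
    """Return one dict per detection: section, target, name, action."""
    section, items = None, []
    for line in map(str.strip, text.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM.match(line)
        if item and section:
            items.append({"section": section, **item.groupdict()})
    return items

def triage(item):
    """Flag autostart persistence and system-binary names outside System32."""
    flags, target = [], item["target"].lower()
    if item["section"].startswith("Registry") and RUN_KEY in target:
        flags.append("autostart")
    if item["section"] == "Files":
        name = PureWindowsPath(target).name
        if name in SYSTEM_NAMES and r"\windows\system32" not in target:
            flags.append("masquerade")
    return flags

if __name__ == "__main__":
    for entry in parse_mbam(SAMPLE_LOG):
        print(entry["name"], entry["target"], triage(entry))
```
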

Re: Infected with Win32/Nugel.E and Bankfox a
Ok. How are things running now?

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Infected with Win32/Nugel.E and Bankfox a
I can't run the online ESET scanner. Something pops up about proxy settings not being configured. I am not sure what this means, and not sure about how to fix or reset them.

Re: Infected with Win32/Nugel.E and Bankfox a
McLeonardRN,

Try this:

Remove the proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy"

Click the Apply button and restart that computer in normal mode.

Re: Infected with Win32/Nugel.E and Bankfox a
OK here is the log, things definitely running better.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 5:11:36 PM
mbam-log-2010-06-30 (17-11-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 244174
Time elapsed: 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pctuhnio (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melissa\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Infected with Win32/Nugel.E and Bankfox a

That looks like the Malwarebytes log. I need the log from ESET please.

Re: Infected with Win32/Nugel.E and Bankfox a

Oh, sorry, and never mind what I said before, as now it seems to be Baacckkk.

Re: Infected with Win32/Nugel.E and Bankfox a
Argh! Alright, let's see what the ESET says and we'll go from there.

Re: Infected with Win32/Nugel.E and Bankfox a
OK here is the right log this time! I will also say I ran the ESET scanner once before, everything was supposedly quarantined, I couldn't find the log to post, and then my computer was back to the same old tricks 1 day later.


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac78e3800069154e9c01256e6267aacc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-05 11:51:16
# local_time=2010-07-05 07:51:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=118607
# found=1
# cleaned=1
# scan_time=5522
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\85CUYG56\ormey[1].jar a variant of Java/TrojanDownloader.Agent.NAL trojan (deleted - quarantined) 00000000000000000000000000000000 C

Re: Infected with Win32/Nugel.E and Bankfox a
Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Re: Infected with Win32/Nugel.E and Bankfox a

Ok, ran it and it automatically rebooted. Nothing to post though, right???? Anything else I should be doing???

Thanks again

Re: Infected with Win32/Nugel.E and Bankfox a
How are things running now? Any more issues?

Re: Infected with Win32/Nugel.E and Bankfox a

Hi Crush, I gave it a few days, and it's back. I have already run Malwarebytes. When I scan with Norton AntiVirus, it seems to run on the Internet Explorer history scan forever and I have to shut it down via Task Manager, so that is not running correctly either.
Is there a way to remove this manually? I see some posts online about this. It is driving me crazy.
Thanks for all your help

Re: Infected with Win32/Nugel.E and Bankfox a

Hi,

Crush is having some computer issues and will be back ASAP to assist you.

Sorry for the inconvenience,
Sneakyone

Re: Infected with Win32/Nugel.E and Bankfox a
Hi,

Sorry for the delay. Can you post the most recent log from Malwarebytes please?
