Win32/Nuqel.E and Bankerfox.A

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:23 am

rebooting made it come back so i ran rkill again and here is the log. I will try to run combofix again and see what happens.

This log file is located at C:\rkill.log.
Processes terminated by Rkill or while it was running:
Otherwise you can close this log when you wish.
Please post this only if requested to by the person helping you.

Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Please post this only if requested to by the person helping you.
Please post this only if requested to by the person helping you.
Ran as Ian on 07/20/2010 at 23:20:54.

Otherwise you can close this log when you wish.

Otherwise you can close this log when you wish.
Ran as Ian on 07/20/2010 at 23:20:54.
Otherwise you can close this log when you wish.
Otherwise you can close this log when you wish.
Ran as Ian on 07/20/2010 at 23:20:54.

Ran as Ian on 07/20/2010 at 23:20:54.
Processes terminated by Rkill or while it was running:

Ran as Ian on 07/20/2010 at 23:20:54.

Ran as Ian on 07/20/2010 at 23:20:54.

Processes terminated by Rkill or while it was running:
Processes terminated by Rkill or while it was running:
Processes terminated by Rkill or while it was running:

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:34 am

combofix started to run and gave me the disclamer, i clicked yes then it closed and gave me the same error from before.

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 5:41 am

Win32/Nuqel.E and Bankerfox.A - Page 1 Bf_new

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Copy and paste the entire report in your next reply.

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 6:47 am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/21/2010 1:37:23 AM
mbam-log-2010-07-21 (01-37-23).txt

Scan type: Quick scan
Objects scanned: 161876
Time elapsed: 26 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bopnxhgs (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bopnxhgs (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0a2fb12-45b7-4c87-9128-197ef0c0112d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0a2fb12-45b7-4c87-9128-197ef0c0112d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af723207-ce0c-46f4-be51-91ad4d3a2a7a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c4c4e819-fdf3-4b2a-bae1-1518d70316e4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c4c4e819-fdf3-4b2a-bae1-1518d70316e4}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\ian\Local Settings\Temp\wz6247\IK.Multimedia.AmpliTube.Fender.v1.1.VST.RTAS.Incl.KeyGen-DYNAMiCS\KeyGen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\ian\Local Settings\Application Data\bpjuvqknk\bgmbpivtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 8:53 am

Flush DNS Cache

You have DNS Cache Poisoning, which is a form of attack that causes your Internet browsing to be redirected to a rogue DNS server. Read more here

Click Start > Run, type in cmd and hit OK.
Enter in this exactly: ipconfig /flushdns
Exit Command Prompt.

Now, please try ComboFix, and see if it works.

Re: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 2:25 am

flushed dns but combofix still will not run.

Re: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 7:02 am

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try it again.

Re: Win32/Nuqel.E and Bankerfox.A23rd July 2010, 9:21 pm

ok i will try that.

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 1:50 am

ComboFix 10-07-23.02 - Ian 07/23/2010 20:37:18.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.317 [GMT -5:00]
Running from: c:\documents and settings\ian\My Documents\Downloads\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\system32\bootetup.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bbarsis\g2mdlhlpx.exe
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome.manifest
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome\content\_cfg.js
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\chrome\content\overlay.xul
c:\documents and settings\ian\Local Settings\Application Data\{08F594CB-D41B-4B10-91B2-65FDEA23FC01}\install.rdf
c:\windows\aheyivoq.dll
c:\windows\ajemejesuxitoke.dll
c:\windows\axuxilexexexivu.dll
c:\windows\ofabavuk.dll
c:\windows\system32\ernel32.dll
c:\windows\system32\msvcsv60.dll
c:\windows\uqoyucuc.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-20 14:39 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll
2010-07-20 14:28 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll
2010-07-20 04:03 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll
2010-07-20 02:18 . 2010-07-20 04:22 2811 ----a-w- c:\windows\Isifobubobo.dat
2010-07-20 02:18 . 2010-07-20 02:18 0 ----a-w- c:\windows\Dvemanesu.bin
2010-07-20 02:17 . 2010-07-21 06:37 -------- d-----w- c:\documents and settings\ian\Local Settings\Application Data\bpjuvqknk
2010-07-20 02:17 . 2010-07-24 01:42 767488 ----a-w- c:\windows\system32\drivers\xfdkcrk.sys
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 21:08 . 2010-07-21 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 11:35 . 2010-07-22 11:35 47616 ----a-w- c:\windows\system32\bootetup.dll.vir
2010-07-20 13:55 . 2010-06-21 00:38 -------- d-----w- c:\documents and settings\ian\Application Data\uTorrent
2010-07-04 02:45 . 2010-05-30 03:25 -------- d-----w- c:\program files\SopCast
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-21 01:19 . 2010-06-21 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ARPPRODUCTICON.exe
2010-05-30 05:51 . 2010-05-30 05:51 40960 ----a-w- c:\windows\charkrnl.dll.vir
2010-05-30 05:51 . 2010-05-30 05:51 4 ----a-w- c:\documents and settings\LocalService\Application Data\czyiwa.dat
2010-05-30 05:49 . 2008-07-09 14:39 -------- d-----w- c:\program files\Google
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Microsoft
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\MSN Toolbar
2010-05-30 03:11 . 2010-05-30 03:11 40960 ---ha-w- c:\windows\system32\charkrnl.dll
2010-05-30 02:48 . 2010-05-30 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-28 05:00 . 2010-05-28 05:00 503808 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcp71.dll
2010-05-28 05:00 . 2010-05-28 05:00 348160 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcr71.dll
2010-05-28 05:00 . 2010-05-28 05:00 499712 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\jmc.dll
2010-05-07 22:22 . 2009-12-25 21:04 68648 ----a-w- c:\documents and settings\ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:39 . 2010-07-21 05:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-07-21 05:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 04:18 . 2009-10-04 03:44 32 ----a-w- c:\windows\msocreg32.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 149280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-06-13 525592]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-08-27 124184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-2-1 6144]
WinZip Quick Pick.lnk - c:\program files\Winzip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [10/10/2007 9:58 AM 43640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 8:23 PM 135664]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 11:59 AM 1047880]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 11:07 PM 113152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/20/2010 8:22 PM 14424]
S3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 3:18 PM 20352]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 3:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 3:36 PM 142976]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 11:18 AM 10064]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - xfdkcrk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-24 c:\windows\Tasks\f00fa74b.job
- c:\documents and settings\ian\Application Data\f00fa74b.exe [2010-06-23 02:39]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009Core.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009UA.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {7D12A6AE-8F73-4FFF-824B-41EEE98AB37B} - hxxp://10.102.72.66/hrs/download/Setup.cab
DPF: {D7967FA2-F1F9-420D-A49E-9249309056A2} - hxxps://216.163.10.130/hrs/download/Setup.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://nstr.triadhospitalsinc.com/vpns/scripts/nsload.ocx
FF - ProfilePath - c:\documents and settings\ian\Application Data\Mozilla\Firefox\Profiles\w5z8jv77.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\ian\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sta - lkvkp.dll
HKLM-Run-Nqawoqoziyi - c:\windows\axuxilexexexivu.dll
HKU-Default-RunOnce-3014026 - c:\documents and settings\NetworkService\Local Settings\Application Data\30286208.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xfdkcrk]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-07-23 20:45:42
ComboFix-quarantined-files.txt 2010-07-24 01:45

Pre-Run: 6,333,202,432 bytes free
Post-Run: 8,091,729,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14A68B26E7ABD5FDD980B42585A2E8BF

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 3:01 am

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Download the CFScript from the attachment below. Save it to your Desktop.
Drag the downloaded CFScript.txt in to ComboFix
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 4:19 am

ComboFix 10-07-23.02 - Ian 07/23/2010 22:58:52.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.263 [GMT -5:00]
Running from: c:\documents and settings\ian\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\ian\My Documents\Downloads\CFscript.txt

FILE ::
"c:\windows\Dvemanesu.bin"
"c:\windows\Isifobubobo.dat"
"c:\windows\system32\charkrnl.dll"
"c:\windows\system32\drivers\xfdkcrk.sys"
"c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ian\Local Settings\Application Data\bpjuvqknk
c:\windows\Dvemanesu.bin
c:\windows\Isifobubobo.dat
c:\windows\system32\charkrnl.dll
c:\windows\system32\drivers\xfdkcrk.sys
c:\windows\system32\Spool\prtprocs\w32x86\C79u1m.dll
c:\windows\system32\Spool\prtprocs\w32x86\o31m93w7u.dll
c:\windows\system32\Spool\prtprocs\w32x86\uOCE93kU9.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_xfdkcrk
-------\Service_xfdkcrk

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 04:06 . 2010-07-24 04:06 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-07-24 04:06 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c9sKUO3.dll
2010-07-24 02:00 . 2010-07-24 02:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-22 11:35 . 2010-07-22 11:35 47616 ----a-w- c:\windows\system32\bootetup.dll
2010-07-21 06:41 . 2010-06-23 02:39 50176 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\yW5uO.dll
2010-07-21 05:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 05:45 . 2010-07-23 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 05:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-20 02:15 . 2010-07-20 02:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 13:55 . 2010-06-21 00:38 -------- d-----w- c:\documents and settings\ian\Application Data\uTorrent
2010-07-04 02:45 . 2010-05-30 03:25 -------- d-----w- c:\program files\SopCast
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-23 02:39 . 2010-06-23 02:39 50176 ----a-w- c:\documents and settings\ian\Application Data\f00fa74b.exe
2010-06-21 01:19 . 2010-06-21 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-06-21 01:11 . 2010-06-21 01:11 25214 ----a-r- c:\documents and settings\ian\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ARPPRODUCTICON.exe
2010-05-30 05:51 . 2010-05-30 05:51 40960 ----a-w- c:\windows\charkrnl.dll
2010-05-30 05:51 . 2010-05-30 05:51 4 ----a-w- c:\documents and settings\LocalService\Application Data\czyiwa.dat
2010-05-30 05:49 . 2008-07-09 14:39 -------- d-----w- c:\program files\Google
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\Microsoft
2010-05-30 05:46 . 2010-05-30 05:46 -------- d-----w- c:\program files\MSN Toolbar
2010-05-30 02:48 . 2010-05-30 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-28 05:00 . 2010-05-28 05:00 503808 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcp71.dll
2010-05-28 05:00 . 2010-05-28 05:00 348160 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\msvcr71.dll
2010-05-28 05:00 . 2010-05-28 05:00 499712 ----a-w- c:\documents and settings\ian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-396609c6-n\jmc.dll
2010-05-07 22:22 . 2009-12-25 21:04 68648 ----a-w- c:\documents and settings\ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 04:18 . 2009-10-04 03:44 32 ----a-w- c:\windows\msocreg32.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-07-24_01.42.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 04:05 . 2010-07-24 04:05 16384 c:\windows\temp\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 149280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-06-13 525592]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-08-27 124184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-2-1 6144]
WinZip Quick Pick.lnk - c:\program files\Winzip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 11:59 AM 1047880]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [10/10/2007 9:58 AM 43640]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 3:18 PM 20352]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 11:18 AM 10064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 8:23 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 11:07 PM 113152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/20/2010 8:22 PM 14424]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 3:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 3:36 PM 142976]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-24 c:\windows\Tasks\f00fa74b.job
- c:\documents and settings\ian\Application Data\f00fa74b.exe [2010-06-23 02:39]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 01:23]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009Core.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090899367-2975912428-2353060782-1009UA.job
- c:\documents and settings\ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {7D12A6AE-8F73-4FFF-824B-41EEE98AB37B} - hxxp://10.102.72.66/hrs/download/Setup.cab
DPF: {D7967FA2-F1F9-420D-A49E-9249309056A2} - hxxps://216.163.10.130/hrs/download/Setup.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://nstr.triadhospitalsinc.com/vpns/scripts/nsload.ocx
FF - ProfilePath - c:\documents and settings\ian\Application Data\Mozilla\Firefox\Profiles\w5z8jv77.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\ian\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x820C5EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8513f28
\Driver\ACPI -> ACPI.sys @ 0xf8386cb8
\Driver\atapi -> atapi.sys @ 0xf8238852
\Driver\iaStor -> iaStor.sys @ 0xf816eb58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf806ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf807ba21
SendHandler -> NDIS.sys @ 0xf805987b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1420)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(1024)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\AGRSMMSG.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-23 23:16:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 04:16
ComboFix2.txt 2010-07-24 01:45

Pre-Run: 8,075,800,576 bytes free
Post-Run: 7,963,373,568 bytes free

- - End Of File - - 48F5193B742BA92FB5742B1D37C2A42E

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 2:24 am

so what should i do now?

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:16 am

Download Bootkit Remover to your Desktop.

You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
It will show a Black screen with some data on it.
Right click on the screen and click Select All.
Press Enter
Open a Notepad and press CTRL V
Post the output back here.

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:37 pm

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 8:15 am

Looks like the MBR is slightly damaged. We'll fix it, just in case.

Please open Notepad and enter in the following:

@echo off
start remover.exe fix \.\PhysicalDrive0
exit

Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:44 pm

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

CreateFile() ERROR 2
ERROR: Can't open physical disk device.

Done;
Press any key to quit...

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:48 pm

.\debug.cpp(238) : Debug log started at 26.07.2010 - 17:43:49
.\boot_cleaner.cpp(675) : Bootkit Remover
.\boot_cleaner.cpp(676) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(677) : www.esagelab.com
.\boot_cleaner.cpp(681) : Program version: 1.1.0.0
.\boot_cleaner.cpp(688) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x0020d000 "\WINDOWS\system32\ntkrnlpa.exe"
.\debug.cpp(256) : 0x806e4000 0x00020d00 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xf8972000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xf8882000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xf8343000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xf8974000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
.\debug.cpp(256) : 0xf8332000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xf8472000 0x0000a000 "isapnp.sys"
.\debug.cpp(256) : 0xf8482000 0x00010000 "ohci1394.sys"
.\debug.cpp(256) : 0xf8492000 0x0000e000 "\WINDOWS\system32\DRIVERS\1394BUS.SYS"
.\debug.cpp(256) : 0xf8886000 0x00003000 "compbatt.sys"
.\debug.cpp(256) : 0xf888a000 0x00004000 "\WINDOWS\system32\DRIVERS\BATTC.SYS"
.\debug.cpp(256) : 0xf8a3a000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xf86f2000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xf8314000 0x0001e000 "pcmcia.sys"
.\debug.cpp(256) : 0xf84a2000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xf82f5000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xf8976000 0x00002000 "dmload.sys"
.\debug.cpp(256) : 0xf82cf000 0x00026000 "dmio.sys"
.\debug.cpp(256) : 0xf86fa000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xf888e000 0x00003000 "ACPIEC.sys"
.\debug.cpp(256) : 0xf8a3b000 0x00001000 "\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS"
.\debug.cpp(256) : 0xf84b2000 0x0000d000 "VolSnap.sys"
.\debug.cpp(256) : 0xf82b7000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xf81e1000 0x000d6000 "iaStor.sys"
.\debug.cpp(256) : 0xf84c2000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xf84d2000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xf81c1000 0x00020000 "fltmgr.sys"
.\debug.cpp(256) : 0xf81af000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xf8198000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xf810b000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xf80de000 0x0002d000 "NDIS.sys"
.\debug.cpp(256) : 0xf80c4000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xf8572000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xf7acc000 0x0011e000 "\SystemRoot\system32\DRIVERS\ialmnt5.sys"
.\debug.cpp(256) : 0xf7ab8000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xf7a90000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
.\debug.cpp(256) : 0xf78ef000 0x001a1000 "\SystemRoot\system32\DRIVERS\NETw3x32.sys"
.\debug.cpp(256) : 0xf8802000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xf78cb000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xf880a000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0xf8562000 0x0000c000 "\SystemRoot\system32\DRIVERS\bcm4sbxp.sys"
.\debug.cpp(256) : 0xf78b7000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xf8582000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0xf8812000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xf881a000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xf8592000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xf85a2000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xf85b2000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xf7894000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xf8822000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
.\debug.cpp(256) : 0xf8034000 0x00003000 "\SystemRoot\system32\DRIVERS\cpqbttn.sys"
.\debug.cpp(256) : 0xf7c7a000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
.\debug.cpp(256) : 0xf882a000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
.\debug.cpp(256) : 0xf8030000 0x00004000 "\SystemRoot\system32\DRIVERS\CmBatt.sys"
.\debug.cpp(256) : 0xf802c000 0x00003000 "\SystemRoot\system32\DRIVERS\wmiacpi.sys"
.\debug.cpp(256) : 0xf7876000 0x0001e000 "\SystemRoot\system32\DRIVERS\dne2000.sys"
.\debug.cpp(256) : 0xf7c6a000 0x0000a000 "\SystemRoot\system32\DRIVERS\dsNcAdpt.sys"
.\debug.cpp(256) : 0xf89f2000 0x00002000 "\SystemRoot\system32\DRIVERS\serscan.sys"
.\debug.cpp(256) : 0xf8baf000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xf89f4000 0x00002000 "\SystemRoot\System32\Drivers\RootMdm.sys"
.\debug.cpp(256) : 0xf8832000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
.\debug.cpp(256) : 0xf7c5a000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xf8024000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xf785f000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xf7c4a000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xf7c3a000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xf883a000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xf784e000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xf85d2000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xf87d2000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xf87da000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xf7245000 0x0000a000 "\SystemRoot\system32\DRIVERS\net6im51.sys"
.\debug.cpp(256) : 0xf87e2000 0x00007000 "\SystemRoot\system32\DRIVERS\RimSerial.sys"
.\debug.cpp(256) : 0xf87ea000 0x00005000 "\SystemRoot\system32\DRIVERS\swivspnt.sys"
.\debug.cpp(256) : 0xf371e000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
.\debug.cpp(256) : 0xf7235000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xf897c000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xf3698000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xf6684000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xf6680000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
.\debug.cpp(256) : 0xf7225000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xa9225000 0x0002f000 "\SystemRoot\system32\drivers\ADIHdAud.sys"
.\debug.cpp(256) : 0xa9201000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0xf46f4000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0xa91db000 0x00026000 "\SystemRoot\system32\drivers\AEAudio.sys"
.\debug.cpp(256) : 0xa90c9000 0x00112000 "\SystemRoot\system32\DRIVERS\AGRSM.sys"
.\debug.cpp(256) : 0xf89b0000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xa5cdb000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xa4c60000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xa5c2f000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xa4c5e000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xf686f000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xa4c5c000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xa4c5a000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xf6867000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xf685f000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xa5d39000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xa4b82000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xa4b29000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xf4802000 0x00005000 "\SystemRoot\System32\Drivers\tcpipBM.SYS"
.\debug.cpp(256) : 0xa4b03000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xa4adb000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xa5d25000 0x00003000 "\SystemRoot\System32\drivers\ws2ifsl.sys"
.\debug.cpp(256) : 0xa4ab9000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xa5ccb000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xa4c58000 0x00002000 "\SystemRoot\system32\DRIVERS\eabfiltr.sys"
.\debug.cpp(256) : 0xa4a8e000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xa4a1e000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xa5cbb000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xa49be000 0x00060000 "\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"
.\debug.cpp(256) : 0xa5c5b000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xa48e8000 0x000d6000 "\SystemRoot\System32\Drivers\dump_iaStor.sys"
.\debug.cpp(256) : 0xbf800000 0x001c4000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xa5208000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xa5704000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xbf9c4000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xf8ad5000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xf46b4000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xbf9e5000 0x00022000 "\SystemRoot\System32\ialmdnt5.dll"
.\debug.cpp(256) : 0xbf9d6000 0x0000f000 "\SystemRoot\System32\ialmrnt5.dll"
.\debug.cpp(256) : 0xbfa07000 0x0003b000 "\SystemRoot\System32\ialmdev5.DLL"
.\debug.cpp(256) : 0xbfa42000 0x000f0000 "\SystemRoot\System32\ialmdd5.DLL"
.\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xf4601000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
.\debug.cpp(256) : 0xa4790000 0x00090000 "\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys"
.\debug.cpp(256) : 0xa46c1000 0x00057000 "\SystemRoot\system32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xa4660000 0x00011000 "\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS"
.\debug.cpp(256) : 0xa4537000 0x00011000 "\??\C:\Program Files\Symantec\SYMEVENT.SYS"
.\debug.cpp(256) : 0xf8ad1000 0x00001000 "\??\C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys"
.\debug.cpp(256) : 0xa44f9000 0x0003e000 "\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys"
.\debug.cpp(256) : 0xa43b7000 0x00142000 "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091129.002\NAVEX15.sys"
.\debug.cpp(256) : 0xa43a3000 0x00014000 "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091129.002\NAVENG.sys"
.\debug.cpp(256) : 0xa40e6000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
.\debug.cpp(256) : 0xa417b000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
.\debug.cpp(256) : 0xa3746000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xa35b3000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:49 pm

\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination="\Device\CdRom0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination="\Device\Ndis"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination="\Device\Video0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004e"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0001#{953ad796-1f97-4aac-b0c3-24ea46dfc091}"
.\debug.cpp(400) : Destination="\Device\00000059"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM12"
.\debug.cpp(400) : Destination="\Device\swivspser3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\EABFiltr"
.\debug.cpp(400) : Destination="\Device\EABFiltr"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomTSSTcorp_CD#DVDW_TS-L632D_______________HH15____#5&14c67f6c&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\Ide\IdeDeviceP0T0L0-3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&fe74385&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination="\Device\Video1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0000#{953ad796-1f97-4aac-b0c3-24ea46dfc091}"
.\debug.cpp(400) : Destination="\Device\00000058"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000048"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000046"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
.\debug.cpp(400) : Destination="\Device\DmControl\DmIoDaemon"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination="\Device\Ip"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymEvent"
.\debug.cpp(400) : Destination="\Device\SymEvent"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination="\Device\Video2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0002#{ba9afdaa-aa82-45be-be4b-348ba04f1a92}"
.\debug.cpp(400) : Destination="\Device\0000005a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Net6IM"
.\debug.cpp(400) : Destination="\Device\Net6IM"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CVPNDRVA"
.\debug.cpp(400) : Destination="\Device\CVPNDRVA"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{57708EE9-A291-4F90-B078-B8CFCAC38AE2}"
.\debug.cpp(400) : Destination="\Device\{57708EE9-A291-4F90-B078-B8CFCAC38AE2}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination="\Device\IPSEC"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004d"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination="\Device\Video3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0004#{ba9afdaa-aa82-45be-be4b-348ba04f1a92}"
.\debug.cpp(400) : Destination="\Device\0000005c"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000047"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0D#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\0000006f"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A0A2FB12-45B7-4C87-9128-197EF0C0112D}"
.\debug.cpp(400) : Destination="\Device\{A0A2FB12-45B7-4C87-9128-197EF0C0112D}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8D69AA1B-B3C5-44D5-9668-B80FA3C517D0}"
.\debug.cpp(400) : Destination="\Device\{8D69AA1B-B3C5-44D5-9668-B80FA3C517D0}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{FA648130-05A9-45C6-8F8F-7E4CE5333000}"
.\debug.cpp(400) : Destination="\Device\{FA648130-05A9-45C6-8F8F-7E4CE5333000}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination="\Device\NDProxy"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY5"
.\debug.cpp(400) : Destination="\Device\Video4"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#5&1e8dc1e5&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
.\debug.cpp(400) : Destination="\Device\0000009a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000055"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DSNCADP"
.\debug.cpp(400) : Destination="\Device\DSNCADP"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#IMAGE#0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination="\Device\0000000c"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DNI_DNEMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000006"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MODEM#0000#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination="\Device\00000043"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
.\debug.cpp(400) : Destination="\Device\RdpDrDvMgr"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8F6787C5-CDE4-4100-BE0C-1B3D26FFA0FD}"
.\debug.cpp(400) : Destination="\Device\{8F6787C5-CDE4-4100-BE0C-1B3D26FFA0FD}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CC&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0011"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#1#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
.\debug.cpp(400) : Destination="\Device\0000006b"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CompositeBattery"
.\debug.cpp(400) : Destination="\Device\CompositeBattery"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ0_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000075"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination="\Device\WMIDataDevice"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CED8A540-52D9-4A0B-A91E-EA9ED77942A6}"
.\debug.cpp(400) : Destination="\Device\{CED8A540-52D9-4A0B-A91E-EA9ED77942A6}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000053"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_104C&DEV_803A&SUBSYS_30A2103C&REV_00#4&2ec23395&0&31F0#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0017"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination="\Device\NamedPipe"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM3"
.\debug.cpp(400) : Destination="\Device\AgereModem5"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVEX15"
.\debug.cpp(400) : Destination="\Device\NAVEX15"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination="\Device\PSched"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&28738126&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\00000096"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination="\Device\Mup"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination="\Device\IPNAT"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Sierra Wireless AirCard HSDPA Modem"
.\debug.cpp(400) : Destination="\Device\00000044"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
.\debug.cpp(400) : Destination="\Device\GEARAspiWDMDevice"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ1_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000076"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination="\Device\USBFDO-0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\bmksa"
.\debug.cpp(400) : Destination="\Device\bmksa"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination="\Device\Tcp"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000054"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination="\FileSystem\Filters\FltMgrMsg"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{20c982f3-743b-11db-9c5d-806d6172696f}"
.\debug.cpp(400) : Destination="\Device\CdRom0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{524FEB52-47DB-4E3E-BEB8-3115E520F541}"
.\debug.cpp(400) : Destination="\Device\{524FEB52-47DB-4E3E-BEB8-3115E520F541}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination="\Device\USBFDO-1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Agere Systems HDA Modem"
.\debug.cpp(400) : Destination="\Device\000000b8"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination="\Device\VideoPdo0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000050"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser0"
.\debug.cpp(400) : Destination="\Device\swivspser0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination="\DosDevices\LPT1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserCtrlDrv"
.\debug.cpp(400) : Destination="\Device\EraserCtrlDrv"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination="\Device\USBFDO-2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C8&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0007"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004b"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser1"
.\debug.cpp(400) : Destination="\Device\swivspser1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM7"
.\debug.cpp(400) : Destination="\??\Root#PORTS#0000#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination="\Device\Harddisk0\DR0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination="\Device\sysaudio"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination="\Device\FsWrap"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination="\Device\USBFDO-3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CA&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0009"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000052"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser2"
.\debug.cpp(400) : Destination="\Device\swivspser2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM8"
.\debug.cpp(400) : Destination="\??\Root#PORTS#0001#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination="\Device\CdRom0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureC40DC40DOffset7E00LengthDF96EA200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\HarddiskVolume1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVAP"
.\debug.cpp(400) : Destination="\Device\NAVAP"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
.\debug.cpp(400) : Destination="\Device\USBFDO-4"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser3"
.\debug.cpp(400) : Destination="\Device\swivspser3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM9"
.\debug.cpp(400) : Destination="\Device\swivspser0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ2_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000077"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&28738126&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000096"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#2#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
.\debug.cpp(400) : Destination="\Device\0000006c"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\0000007b"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination="\GLOBAL??"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{AF723207-CE0C-46F4-BE51-91AD4D3A2A7A}"
.\debug.cpp(400) : Destination="\Device\{AF723207-CE0C-46F4-BE51-91AD4D3A2A7A}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{29318163-FB0C-4245-9E91-E517431E70E6}"
.\debug.cpp(400) : Destination="\Device\{29318163-FB0C-4245-9E91-E517431E70E6}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVENG"
.\debug.cpp(400) : Destination="\Device\NAVENG"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskST96812AS_______________________________7.24____#4&240338f0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\Ide\IAAStorageDevice-0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&21716c3c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MODEM#0001#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination="\Device\00000044"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Pcmcia0"
.\debug.cpp(400) : Destination="\Device\Pcmcia0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DE02DE63-9920-4B39-921E-61AC7690252F}"
.\debug.cpp(400) : Destination="\Device\{DE02DE63-9920-4B39-921E-61AC7690252F}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVAPEL"
.\debug.cpp(400) : Destination="\Device\NAVAPEL"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\bmknet"
.\debug.cpp(400) : Destination="\Device\bmknet"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#6&2ed097c1&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination="\Device\Parallel0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3a248226&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{52FB8A8E-33CC-4D85-89A3-C85B5C7C99B1}"
.\debug.cpp(400) : Destination="\Device\{52FB8A8E-33CC-4D85-89A3-C85B5C7C99B1}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_02&VEN_11C1&DEV_3026&SUBSYS_103C30A2&REV_1007#4&599da60&0&0101#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination="\Device\000000b8"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{56907941-3afe-11d4-ae2c-00a0cc242d2c}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{20c982f2-743b-11db-9c5d-806d6172696f}"
.\debug.cpp(400) : Destination="\Device\HarddiskVolume1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{77497CE0-A0E1-4D74-8731-BB129D536D3C}"
.\debug.cpp(400) : Destination="\Device\{77497CE0-A0E1-4D74-8731-BB129D536D3C}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#HPQ0006&Col02#3&563a312&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination="\Device\000000b5"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{06736BFF-A0E1-4F40-8542-40230ABE5988}"
.\debug.cpp(400) : Destination="\Device\{06736BFF-A0E1-4F40-8542-40230ABE5988}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A6AA9A40-A968-47B7-A5EE-0011DF405E8B}"
.\debug.cpp(400) : Destination="\Device\{A6AA9A40-A968-47B7-A5EE-0011DF405E8B}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DsdaFilter"
.\debug.cpp(400) : Destination="\Device\DsdaFilter"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27A6&SUBSYS_30A2103C&REV_03#3&b1bfb68&0&11#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{673F78BE-2C02-4DA1-89D3-22E4623AE0AB}"
.\debug.cpp(400) : Destination="\Device\{673F78BE-2C02-4DA1-89D3-22E4623AE0AB}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DNI_DNEMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000005"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DSNCADPT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000000a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ3_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000078"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CB&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0010"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DNI_DNEMP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000008"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000045"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_14#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) :

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:51 pm

Destination="\Device\00000053"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_104C&DEV_803A&SUBSYS_30A2103C&REV_00#4&2ec23395&0&31F0#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0017"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination="\Device\NamedPipe"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM3"
.\debug.cpp(400) : Destination="\Device\AgereModem5"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVEX15"
.\debug.cpp(400) : Destination="\Device\NAVEX15"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination="\Device\PSched"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&28738126&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\00000096"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination="\Device\Mup"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination="\Device\IPNAT"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Sierra Wireless AirCard HSDPA Modem"
.\debug.cpp(400) : Destination="\Device\00000044"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
.\debug.cpp(400) : Destination="\Device\GEARAspiWDMDevice"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ1_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000076"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination="\Device\USBFDO-0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\bmksa"
.\debug.cpp(400) : Destination="\Device\bmksa"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination="\Device\Tcp"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000054"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination="\FileSystem\Filters\FltMgrMsg"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{20c982f3-743b-11db-9c5d-806d6172696f}"
.\debug.cpp(400) : Destination="\Device\CdRom0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{524FEB52-47DB-4E3E-BEB8-3115E520F541}"
.\debug.cpp(400) : Destination="\Device\{524FEB52-47DB-4E3E-BEB8-3115E520F541}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination="\Device\USBFDO-1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Agere Systems HDA Modem"
.\debug.cpp(400) : Destination="\Device\000000b8"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination="\Device\VideoPdo0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000050"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser0"
.\debug.cpp(400) : Destination="\Device\swivspser0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination="\DosDevices\LPT1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserCtrlDrv"
.\debug.cpp(400) : Destination="\Device\EraserCtrlDrv"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination="\Device\USBFDO-2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C8&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0007"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004b"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser1"
.\debug.cpp(400) : Destination="\Device\swivspser1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM7"
.\debug.cpp(400) : Destination="\??\Root#PORTS#0000#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination="\Device\Harddisk0\DR0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination="\Device\sysaudio"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination="\Device\FsWrap"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination="\Device\USBFDO-3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CA&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0009"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000004a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET6_FILTERMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000052"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser2"
.\debug.cpp(400) : Destination="\Device\swivspser2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM8"
.\debug.cpp(400) : Destination="\??\Root#PORTS#0001#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination="\Device\CdRom0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureC40DC40DOffset7E00LengthDF96EA200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\HarddiskVolume1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVAP"
.\debug.cpp(400) : Destination="\Device\NAVAP"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
.\debug.cpp(400) : Destination="\Device\USBFDO-4"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\swivspser3"
.\debug.cpp(400) : Destination="\Device\swivspser3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM9"
.\debug.cpp(400) : Destination="\Device\swivspser0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ2_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000077"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&28738126&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000096"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#2#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
.\debug.cpp(400) : Destination="\Device\0000006c"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\0000007b"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination="\GLOBAL??"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{AF723207-CE0C-46F4-BE51-91AD4D3A2A7A}"
.\debug.cpp(400) : Destination="\Device\{AF723207-CE0C-46F4-BE51-91AD4D3A2A7A}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{29318163-FB0C-4245-9E91-E517431E70E6}"
.\debug.cpp(400) : Destination="\Device\{29318163-FB0C-4245-9E91-E517431E70E6}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVENG"
.\debug.cpp(400) : Destination="\Device\NAVENG"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskST96812AS_______________________________7.24____#4&240338f0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\Ide\IAAStorageDevice-0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&21716c3c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MODEM#0001#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination="\Device\00000044"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Pcmcia0"
.\debug.cpp(400) : Destination="\Device\Pcmcia0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DE02DE63-9920-4B39-921E-61AC7690252F}"
.\debug.cpp(400) : Destination="\Device\{DE02DE63-9920-4B39-921E-61AC7690252F}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVAPEL"
.\debug.cpp(400) : Destination="\Device\NAVAPEL"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\bmknet"
.\debug.cpp(400) : Destination="\Device\bmknet"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#6&2ed097c1&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination="\Device\Parallel0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3a248226&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{52FB8A8E-33CC-4D85-89A3-C85B5C7C99B1}"
.\debug.cpp(400) : Destination="\Device\{52FB8A8E-33CC-4D85-89A3-C85B5C7C99B1}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_02&VEN_11C1&DEV_3026&SUBSYS_103C30A2&REV_1007#4&599da60&0&0101#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination="\Device\000000b8"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{56907941-3afe-11d4-ae2c-00a0cc242d2c}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{20c982f2-743b-11db-9c5d-806d6172696f}"
.\debug.cpp(400) : Destination="\Device\HarddiskVolume1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{77497CE0-A0E1-4D74-8731-BB129D536D3C}"
.\debug.cpp(400) : Destination="\Device\{77497CE0-A0E1-4D74-8731-BB129D536D3C}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#HPQ0006&Col02#3&563a312&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination="\Device\000000b5"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
.\debug.cpp(400) : Destination="\Device\00000061"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{06736BFF-A0E1-4F40-8542-40230ABE5988}"
.\debug.cpp(400) : Destination="\Device\{06736BFF-A0E1-4F40-8542-40230ABE5988}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A6AA9A40-A968-47B7-A5EE-0011DF405E8B}"
.\debug.cpp(400) : Destination="\Device\{A6AA9A40-A968-47B7-A5EE-0011DF405E8B}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DsdaFilter"
.\debug.cpp(400) : Destination="\Device\DsdaFilter"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27A6&SUBSYS_30A2103C&REV_03#3&b1bfb68&0&11#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{673F78BE-2C02-4DA1-89D3-22E4623AE0AB}"
.\debug.cpp(400) : Destination="\Device\{673F78BE-2C02-4DA1-89D3-22E4623AE0AB}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_11D4&DEV_1981&SUBSYS_103C30A2&REV_1002#4&599da60&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination="\Device\000000b7"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DNI_DNEMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000005"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DSNCADPT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\0000000a"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ3_#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination="\Device\00000078"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination="\Device\KSENUM#00000002"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CB&SUBSYS_30A2103C&REV_01#3&b1bfb68&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0010"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DNI_DNEMP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000008"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\00000045"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_14#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) :

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:56 pm

Destination="\Device\ParTechInc1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
.\debug.cpp(400) : Destination="\Device\DmLoader"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&289a596f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination="\Device\USBPDO-0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_14#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination="\Device\00000067"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination="\Device\ParTechInc2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination="\Device\LanmanRedirector"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination="\FileSystem\Filters\FltMgr"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination="\Device\FtControl"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination="\Device\HarddiskVolume1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination="\Device\MailSlot"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_4222&SUBSYS_135B103C&REV_02#4&4878531&0&00E1#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0019"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_170C&SUBSYS_30A2103C&REV_02#4&2ec23395&0&70F0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0018"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination="\DosDevices\COM1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0005#{ba9afdaa-aa82-45be-be4b-348ba04f1a92}"
.\debug.cpp(400) : Destination="\Device\0000005d"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination=""

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#HPQ0006&Col01#3&563a312&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination="\Device\000000b4"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
.\debug.cpp(400) : Destination="\Device\Ndisuio"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#SYN010D#4&28738126&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\00000097"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\00000060"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
.\debug.cpp(400) : Destination="\Device\Ide\iaStor0"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination="\Device\Null"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AGRSM_xface"
.\debug.cpp(400) : Destination="\Device\AGRSM_xface"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0001#{34699dc2-f125-4490-ae54-e7db91946f9e}"
.\debug.cpp(400) : Destination="\Device\00000059"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Standard Modem"
.\debug.cpp(400) : Destination="\Device\00000043"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E7B8305E-179E-47E4-BA6F-7E966CD930AC}"
.\debug.cpp(400) : Destination="\Device\{E7B8305E-179E-47E4-BA6F-7E966CD930AC}"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#HPQ0006&Col02#3&563a312&0&0001#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\000000b5"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination="\Device\0000005f"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_02&VEN_11C1&DEV_3026&SUBSYS_103C30A2&REV_1007#4&599da60&0&0101#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination="\Device\000000b8"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27A2&SUBSYS_30A2103C&REV_03#3&b1bfb68&0&10#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination="\Device\NTPNP_PCI0001"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#PORTS#0000#{34699dc2-f125-4490-ae54-e7db91946f9e}"
.\debug.cpp(400) : Destination="\Device\00000058"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM10"
.\debug.cpp(400) : Destination="\Device\swivspser1"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomTSSTcorp_CD#DVDW_TS-L632D_______________HH15____#5&14c67f6c&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination="\Device\Ide\IdeDeviceP0T0L0-3"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM11"
.\debug.cpp(400) : Destination="\Device\swivspser2"

.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
.\debug.cpp(400) : Destination="\Device\DmControl\DmInfo"

.\debug.cpp(451) : **********************************************
.\boot_cleaner.cpp(1077) : System volume is \\.\C:
.\boot_cleaner.cpp(1113) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\boot_cleaner.cpp(424) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1151) :
.\boot_cleaner.cpp(1152) : Size Device Name MBR Status
.\boot_cleaner.cpp(1153) : --------------------------------------------
.\boot_cleaner.cpp(1197) : 55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
.\boot_cleaner.cpp(1203) :
.\boot_cleaner.cpp(1242) : Done;

Re: Win32/Nuqel.E and Bankerfox.A27th July 2010, 4:45 am

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Re: Win32/Nuqel.E and Bankerfox.A29th July 2010, 8:31 am

i cant get the eset log because the virus came back. should i run rkill again?

Re: Win32/Nuqel.E and Bankerfox.A29th July 2010, 6:50 pm

Sure.

Re: Win32/Nuqel.E and Bankerfox.A30th July 2010, 2:33 am

i did but it dident find anything. it only found the rkill proses

Re: Win32/Nuqel.E and Bankerfox.A30th July 2010, 5:08 am

Did ESET online scan find anything?

Re: Win32/Nuqel.E and Bankerfox.A5th August 2010, 3:01 am

it dident find anything and the virus came back after running this program. sorry on the late reply as i was away for a few days.

Re: Win32/Nuqel.E and Bankerfox.A5th August 2010, 11:03 pm

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
Once inside the interface, do not fix anything. Click on the Report tab.
Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

Re: Win32/Nuqel.E and Bankerfox.A10th August 2010, 7:23 pm

Are you still with us?

Please reply and let us know the progress!

Re: Win32/Nuqel.E and Bankerfox.A15th August 2010, 2:03 am

i am back my computers power suplu took a dive bit i have a new one i will download the programs and post the results.

Re: Win32/Nuqel.E and Bankerfox.A15th August 2010, 8:35 pm

Re: Win32/Nuqel.E and Bankerfox.A18th August 2010, 6:08 am

Still with us? Please let me know how things are going!

Win32/Nuqel.E and Bankerfox.A

descriptionRe: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:23 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:34 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A21st July 2010, 5:41 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A21st July 2010, 6:47 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A21st July 2010, 8:53 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 2:25 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 7:02 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A23rd July 2010, 9:21 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A24th July 2010, 1:50 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A24th July 2010, 3:01 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A24th July 2010, 4:19 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A25th July 2010, 2:24 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:16 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:37 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 8:15 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:44 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:48 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:49 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:51 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:56 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A27th July 2010, 4:45 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A29th July 2010, 8:31 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A29th July 2010, 6:50 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A30th July 2010, 2:33 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A30th July 2010, 5:08 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A5th August 2010, 3:01 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A5th August 2010, 11:03 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A10th August 2010, 7:23 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A15th August 2010, 2:03 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A15th August 2010, 8:35 pm

descriptionRe: Win32/Nuqel.E and Bankerfox.A18th August 2010, 6:08 am

descriptionRe: Win32/Nuqel.E and Bankerfox.A

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:23 am

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 4:34 am

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 5:41 am

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 6:47 am

Re: Win32/Nuqel.E and Bankerfox.A21st July 2010, 8:53 am

Re: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 2:25 am

Re: Win32/Nuqel.E and Bankerfox.A22nd July 2010, 7:02 am

Re: Win32/Nuqel.E and Bankerfox.A23rd July 2010, 9:21 pm

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 1:50 am

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 3:01 am

Re: Win32/Nuqel.E and Bankerfox.A24th July 2010, 4:19 am

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 2:24 am

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:16 am

Re: Win32/Nuqel.E and Bankerfox.A25th July 2010, 10:37 pm

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 8:15 am

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:44 pm

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:48 pm

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:49 pm

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:51 pm

Re: Win32/Nuqel.E and Bankerfox.A26th July 2010, 5:56 pm

Re: Win32/Nuqel.E and Bankerfox.A27th July 2010, 4:45 am

Re: Win32/Nuqel.E and Bankerfox.A29th July 2010, 8:31 am

Re: Win32/Nuqel.E and Bankerfox.A29th July 2010, 6:50 pm

Re: Win32/Nuqel.E and Bankerfox.A30th July 2010, 2:33 am

Re: Win32/Nuqel.E and Bankerfox.A30th July 2010, 5:08 am

Re: Win32/Nuqel.E and Bankerfox.A5th August 2010, 3:01 am

Re: Win32/Nuqel.E and Bankerfox.A5th August 2010, 11:03 pm

Re: Win32/Nuqel.E and Bankerfox.A10th August 2010, 7:23 pm

Re: Win32/Nuqel.E and Bankerfox.A15th August 2010, 2:03 am

Re: Win32/Nuqel.E and Bankerfox.A15th August 2010, 8:35 pm

Re: Win32/Nuqel.E and Bankerfox.A18th August 2010, 6:08 am

Re: Win32/Nuqel.E and Bankerfox.A