BankerFox.A and Win32/Nuquel.E

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

BankerFox.A and Win32/Nuquel.E11th April 2009, 9:59 pm

Hi. My computer has viruses! My Spyware alrert indicates 34 serious treats have been found while scanning my files and registry. Attack from: 142.172.175.190, port 9508, Attached port: 40344, Threat: Win32/Nuqel.E, also, Attack from: 212.225.37.111, port 31060, Attacked port: 27059, Threat: BankerFox.A, also, Attack from: 237.152.246.171, port 31060, attacked port: , Attack from: 158.177.241.218, port 7535, attacked port 59707, BankerFox.A The list goes on and on.

I purchased McAfee VirusScan Plus 2009. I tried to install it; however, it tells me to remove PC-Cillin 2003 first. I cannot find this program on my computer (it must be hidden).

Please help.

Thank you!!!

Re: BankerFox.A and Win32/Nuquel.E11th April 2009, 11:04 pm

Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
Link 1
Link 2
Double click DDS.scr to run
When complete, DDS.txt will open.
Save the report to your Desktop.
Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
BankerFox.A and Win32/Nuquel.E DXwU4

Re: BankerFox.A and Win32/Nuquel.E12th April 2009, 5:07 am

DDS (Ver_09-03-16.01) - FAT32x86
Run by Administrator at 21:57:38.98 on Sat 04/11/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_11
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.116 [GMT -7:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINNT\sysguard.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Search_URL = 00000003
mSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://www.earthlink.net/partner/more/msie/button/search.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\winnt\system32\iehelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [system tool] c:\winnt\sysguard.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [AtiPTA] atiptaxx.exe
mRun: [Microsoft IntelliType Pro] "c:\program files\microsoft hardware\keyboard\speedkey.exe"
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [Ideal] c:\winnt\system32\spool\drivers\w32x86\ideal.exe
mRun: [LoadQM] loadqm.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroCheck] c:\winnt\system32\NeroCheck.exe
mRun: [Lexmark X83 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X83.exe
mRun: [Lexmark X83 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X83.exe
mRun: [PrinTray] c:\winnt\system32\spool\drivers\w32x86\3\printray.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Propel Accelerator] "c:\program files\earthlink totalaccess\accelerator\PropelAC.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
uExplorerRun: [svcho] c:\winnt\svcho.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38263.5665509259
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ActiveSync - WcesWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6lykp5fb.default\

============= SERVICES / DRIVERS ===============

R2 BsUDF;BsUDF;c:\winnt\system32\drivers\bsudf.sys [2003-1-14 305961]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\winnt\system32\drivers\usbscan.sys [2002-3-6 12592]
S3 usbu2a;UsbU2A;c:\winnt\system32\drivers\usbu2a.sys [2001-8-30 5108]
S4 Racdicfafpq;Racdicfafpq; [x]

=============== Created Last 30 ================

2009-04-11 21:57 16,384 a------- c:\winnt\system32\Perflib_Perfdata_31c.dat
2009-04-11 21:38 10,752 a------- c:\winnt\system32\iehelper.dll
2009-04-11 21:37 16,384 a------- c:\winnt\system32\Perflib_Perfdata_4cc.dat
2009-04-11 21:37 16,384 a------- c:\winnt\system32\Perflib_Perfdata_260.dat
2009-04-11 16:00 65,128 a------- c:\winnt\system32\drivers\avgntflt.sys
2009-04-10 12:14 --d----- c:\program files\EsetOnlineScanner
2009-04-10 07:10 102,664 a------- c:\winnt\system32\drivers\tmcomm.sys
2009-04-10 07:09 --d----- c:\documents and settings\administrator\.housecall6.6
2009-04-09 21:01 16,384 a------- c:\winnt\system32\Perflib_Perfdata_270.dat
2009-04-09 17:27 14,336 a------- c:\winnt\syssvc.exe
2009-04-09 12:39 315,920 -------- c:\winnt\sysguard.exe
2009-04-01 22:38 --d----- c:\docume~1\admini~1\applic~1\Intuit
2009-04-01 22:36 --d----- c:\program files\common files\AnswerWorks 5.0
2009-04-01 22:26 --d----- c:\docume~1\alluse~1.win\applic~1\Intuit
2009-04-01 22:02 71,440 -------- c:\winnt\system32\dllcache\browser.dll
2009-04-01 22:02 442,640 a------- c:\winnt\system32\ipnathlp.dll
2009-04-01 22:02 442,640 -------- c:\winnt\system32\dllcache\ipnathlp.dll
2009-04-01 22:02 255,248 -------- c:\winnt\system32\dllcache\h323.tsp
2009-04-01 22:02 167,184 -------- c:\winnt\system32\dllcache\wintrust.dll
2009-04-01 22:00 --d-h--- c:\winnt\msdownld.tmp
2009-03-19 05:33 16,384 a------- c:\winnt\system32\Perflib_Perfdata_540.dat

==================== Find3M ====================

2009-02-08 08:16 1,644,784 a------- c:\winnt\system32\WIN32K.SYS
2009-02-08 08:16 1,644,784 -------- c:\winnt\system32\dllcache\win32k.sys
2009-01-29 07:07 16,384 a------- c:\winnt\system32\Perflib_Perfdata_5dc.dat
2009-01-28 15:47 16,384 a------- c:\winnt\system32\Perflib_Perfdata_520.dat
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2001-05-04 19:00 21,952 ----h--- c:\program files\folder.htt
2001-05-04 19:00 271 ----h--- c:\program files\desktop.ini
2000-07-26 12:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1998-12-08 19:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 19:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 19:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 19:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 19:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 19:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 21:58:12.46 ===============

Re: BankerFox.A and Win32/Nuquel.E12th April 2009, 2:41 pm

Hello.

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it.
Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:services
Racdicfafpq

:files
c:\winnt\system32\iehelper.dll
c:\winnt\syssvc.exe
c:\winnt\sysguard.exe

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd42510-9b22-41cd-9dcd-8182a2d07c63}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system tool"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svcho"=-
Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

BankerFox.A and Win32/Nuquel.E

descriptionBankerFox.A and Win32/Nuquel.E11th April 2009, 9:59 pm

descriptionRe: BankerFox.A and Win32/Nuquel.E11th April 2009, 11:04 pm

descriptionRe: BankerFox.A and Win32/Nuquel.E12th April 2009, 5:07 am

descriptionRe: BankerFox.A and Win32/Nuquel.E12th April 2009, 2:41 pm

descriptionRe: BankerFox.A and Win32/Nuquel.E