WiredWX Hobby Weather Tools

 


Nuqel.E bankerfox has disabled internet access and my anti spyware cant update


Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Don't use MBAM yet, we aren't done with the Avenger.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Drivers to delete:
    UACd.sys

    Files to delete:
    C:\WINDOWS\system32\drivers\UAClhdvpjyylkjbaor.sys
    c:\windows\system32\iehelper.dll
    c:\windows\sysguard.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found".
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Will follow last post in a moment, have just managed to get the bad machine online so dealing direct now instead of via USB stick.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

The infection (the rootkit) is what was blocking internet access, so now it's disabled, the net works.
We have to put a stop to it 100% before it can do anything else.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Forgot to tick "Disable any rootkits found", but this is the text file.
Should I run again? I'll happily wait for your reply on this one, you are amazing!!

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UAClhdvpjyylkjbaor.sys" deleted successfully.

Error: file "c:\windows\system32\iehelper.dll" not found!
Deletion of file "c:\windows\system32\iehelper.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\sysguard.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Update and run MBAM now, let that run and post the log when done.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Hi,
Ran MBAM, it came up with 11 infections, clicked on quarantine and the program hung, left it for around 40 mins, nothing. Also can't get on the internet again, it hangs while trying to get to the home page.
Sorry it's not great news.

Am running again to hopefully complete.

Last edited by vince on 27th April 2009, 10:52 pm; edited 1 time in total (Reason for editing : to save posting an extra)

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Ran again, hit remove and it says quarantining, but again seems to have locked up, how long should I wait?

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Okay, let's do another scan using this.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running ComboFix.
  • See HERE for how to disable your AV. (AVG8 and Ad-Watch)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    NOTE: It's strongly recommended to have the Recovery Console installed before doing any malware removal.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

ComboFix wants to go on the internet to download the Windows Recovery Console, but I can't get on again.

Managed to get on, am following instructions!!!

Last edited by vince on 27th April 2009, 11:45 pm; edited 1 time in total (Reason for editing : situation changed)

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Post 1, txt split to fit on message board.

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.213 [GMT 1:00]
Running from: c:\documents and settings\Vince Sharpe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\VINCES~1\LOCALS~1\Temp\~WS2.tmp
c:\docume~1\VINCES~1\LOCALS~1\Temp\~WS3.tmp
c:\docume~1\VINCES~1\LOCALS~1\Temp\~WS4.tmp
c:\documents and settings\Vince Sharpe\Local Settings\Temp\~WS2.tmp
c:\documents and settings\Vince Sharpe\Local Settings\Temp\~WS3.tmp
c:\documents and settings\Vince Sharpe\Local Settings\Temp\~WS4.tmp
c:\windows\rs.txt
c:\windows\system32\UACasoyltodgictjmq.dll
c:\windows\system32\UACcftpuyxiusjwkrm.dll
c:\windows\system32\UACdolxmkmlonmtnsb.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmeadxcnhrvrxehc.dll
c:\windows\system32\UACnfdqlaheyeorbql.log
c:\windows\system32\UACpjddcfrqhkxnmrs.dat
c:\windows\system32\UACyifvgdbhfnetpyk.dll

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 20:59 . 2009-04-27 20:59 -------- d-----w c:\documents and settings\Vince Sharpe\Application Data\Malwarebytes
2009-04-27 20:37 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 20:37 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 20:12 . 2009-04-27 20:12 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 14:07 . 2009-04-27 17:39 -------- d-----w c:\program files\Enigma Software Group
2009-04-26 22:08 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-26 21:45 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-26 21:44 . 2009-04-26 21:44 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-26 21:43 . 2009-04-26 21:43 -------- d-----w c:\program files\Lavasoft
2009-04-26 21:43 . 2009-04-26 21:43 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-26 17:36 . 2009-04-27 22:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 14:29 . 2009-04-27 20:57 -------- d--h--w C:\$AVG8.VAULT$
2009-04-26 14:13 . 2009-04-26 14:13 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:13 . 2009-04-26 14:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:13 . 2009-04-26 14:13 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:13 . 2009-04-26 14:13 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:13 . 2009-04-26 14:13 -------- d-----w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-04-26 14:13 . 2009-04-26 14:13 -------- d-----w c:\program files\AVG
2009-04-26 14:00 . 2009-04-26 17:20 -------- d-----w c:\documents and settings\Vince Sharpe\Application Data\AVGTOOLBAR
2009-04-26 13:59 . 2009-04-26 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-19 14:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 14:54 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-19 14:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-19 14:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 14:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-19 14:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 14:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 14:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 14:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 14:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 14:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-10 23:04 . 2006-08-29 14:56 32377 ----a-w c:\windows\system32\drivers\prodigy.sys
2009-04-10 23:03 . 2009-04-10 23:04 -------- d-----w c:\program files\NSS
2009-04-10 09:55 . 2008-04-13 18:45 26112 -c--a-w c:\windows\system32\dllcache\usbser.sys
2009-04-10 09:55 . 2008-04-13 18:45 26112 ----a-w c:\windows\system32\drivers\usbser.sys
2009-04-10 09:01 . 2009-04-10 09:54 -------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2009-04-10 09:00 . 2008-08-26 08:26 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-10 09:00 . 2009-04-10 09:00 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-10 08:41 . 2009-04-10 08:41 -------- d-----w c:\documents and settings\All Users\Application Data\Nokia
2009-04-10 08:22 . 2008-02-01 14:17 8320 ----a-w c:\windows\system32\drivers\nmwcdnsuc.sys
2009-04-10 08:22 . 2008-02-01 14:17 138112 ----a-w c:\windows\system32\drivers\nmwcdnsu.sys
2009-04-10 08:19 . 2009-04-10 23:17 -------- d-----w c:\documents and settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 05:57 . 2004-08-12 12:24 -------- d-----w c:\program files\Google
2009-04-25 17:12 . 2009-03-04 23:07 -------- d-----w c:\program files\SopCast
2009-04-10 09:53 . 2009-04-10 09:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-04-10 09:53 . 2009-04-10 09:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-10 09:02 . 2005-08-28 18:42 -------- d-----w c:\program files\Nokia
2009-04-10 09:00 . 2009-02-13 14:44 -------- d-----w c:\program files\DIFX
2009-04-10 08:59 . 2004-08-12 10:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 18:11 . 2004-08-12 11:28 42224 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 17:52 . 2009-03-27 17:52 -------- d-----w c:\program files\3Com
2009-03-26 12:36 . 2009-03-26 12:36 -------- d-----w c:\program files\MSBuild
2009-03-22 11:10 . 2009-03-22 11:09 -------- d-----w c:\program files\iTunes
2009-03-22 11:09 . 2009-03-22 11:09 -------- d-----w c:\program files\iPod
2009-03-22 11:09 . 2008-11-28 17:47 -------- d-----w c:\program files\Common Files\Apple
2009-03-22 11:06 . 2009-03-22 11:06 -------- d-----w c:\program files\Bonjour
2009-03-22 11:06 . 2008-11-28 17:49 -------- d-----w c:\program files\QuickTime
2009-03-14 20:47 . 2009-03-14 20:47 -------- d-----w c:\program files\Uniblue
2009-03-14 20:37 . 2009-03-14 20:37 -------- d-----w c:\program files\Reference Assemblies
2009-03-06 14:22 . 2004-08-11 18:09 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-11 18:09 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-12 11:17 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 18:09 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 18:09 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 18:09 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 18:08 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 18:09 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-11 18:09 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-11 18:09 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 18:09 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-11 18:09 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"SonyPowerCfg"="c:\program files\sony\vaio power management\SPMgr.exe" [2004-06-29 180224]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2006-04-04 147456]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 09:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-07-09 122880]
"DataLayer"="c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 819712]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"VAIO Update 2"="c:\program files\sony\vaio update 2\VAIOUpdt.exe" [2004-06-29 147456]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-6 113664]
Audio Filter.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2005-4-6 2707456]
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2008-9-24 110647]
web'n'walk Manager.lnk - c:\program files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe [2007-11-7 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:13 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= SSMSFltr.dll
"mixer1"= SSMSFltr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk
backup=c:\windows\pss\AOL Broadband Check-Up.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\sony\\sonicstage\\Omgjbox.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat Elements\\Acrobat Elements.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\sony\\vaio media 3.1\\Vc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161085292\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161085292\\ee\\aim6.exe"=
"c:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Post 2, rest of txt.

R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2007-07-09 95744]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2007-06-26 51968]
R3 GTPTSER;GT PT SER;c:\windows\system32\DRIVERS\gtptser.sys [2007-03-30 8064]
R3 hcw66xxx;WinTV HVR-900H;c:\windows\system32\Drivers\hcw66xxx.sys [2008-02-27 418304]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2001-08-17 8320]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2002-06-28 17251]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2001-07-24 7520]
R3 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-07-08 118877]
R3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-07-08 278528]
R3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);c:\windows\system32\DRIVERS\zd1211u.sys [2005-03-28 274432]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
S2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [2006-07-19 435200]
S2 GtDetectSc;GtDetectSc;c:\program files\T-Mobile\web'n'walk Manager\GtDetectSc.exe [2007-11-05 204915]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2002-08-20 71961]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f4d1b4-c231-11d9-8305-000e3589c2ae}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{338af8c2-eb13-11dd-863f-00038a000015}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a28d093-ab60-11d9-82bc-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de1f4ba0-25b4-11de-8684-00038a000015}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5968DB3-3160-4DA8-AF6D-019FE3ED863E} - c:\program files\IEToolbar\Cashback Guardian\CashbackGuardian.dll
HKCU-Run-NBJ - d:\programs-vince\Ahead\Nero BackItUp\NBJ.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-PDService.exe - c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
SSODL-UpdateCheck-{9B3074A1-D449-4209-8103-D14D03B90280} - c:\windows\system32\mstmdm.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://club.vaio.sony.co.uk/clubvaio/gb/en/home
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 00:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\SSMSFltr.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\system32\igfxext.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\sony\HotKey Utility\HKWnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\wanmpsvc.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Cyberlink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\Cyberlink\PowerCinema\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Completion time: 2009-04-27 1:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 00:08

Pre-Run: 6,653,755,392 bytes free
Post-Run: 7,850,221,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

321 --- E O F --- 2009-04-25 00:18

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f4d1b4-c231-11d9-8305-000e3589c2ae}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{338af8c2-eb13-11dd-863f-00038a000015}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de1f4ba0-25b4-11de-8684-00038a000015}]


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /u

This will also reset your restore points.

Please update AVG now and let me know how the machine is running.
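As an added example for this thread (not the helper's own tooling and not part of ComboFix or Avenger), the following Python pulls the MountPoints2 entries out of a ComboFix-style log, flags the keys whose command runs rundll32 against a DLL sitting on the removable drive (the pattern the helper deleted above; treating that pattern as the trigger is an assumption), and generates the same kind of fix.reg text. The sample log lines are constructed from the entries shown in this thread.

```python
"""Pull MountPoints2 entries out of a ComboFix-style log, flag the ones whose
command loads a DLL straight off the mounted drive, and build a fix.reg that
deletes those keys. Added example for this thread; it is not ComboFix, Avenger
or the helper's own tooling, and the "suspicious" heuristic is an assumption."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the MountPoints2 entries as they appear in the ComboFix
# log posted earlier in this thread (same key paths and commands).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f4d1b4-c231-11d9-8305-000e3589c2ae}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a28d093-ab60-11d9-82bc-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de1f4ba0-25b4-11de-8684-00038a000015}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
"""

# A MountPoints2 key line: [HKEY_CURRENT_USER\...\mountpoints2\{GUID}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.I)
# A command line under such a key: \Shell\<verb>\command - <command text>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.I)
# Heuristic (assumption, mirrors what the helper removed): rundll32 pointed at
# a DLL relative to the volume root, i.e. code executed from the removable
# drive itself. A bare "G:\" or a drive-rooted .exe is left for manual review.
SUSPICIOUS_RE = re.compile(r"rundll32(?:\.exe)?\s+\.\\[^,\s]+\.dll\s*,", re.I)


def parse_mountpoints(log: str) -> Dict[str, Dict[str, str]]:
    """Return {full key path: {verb: command}} for every MountPoints2 key."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return entries


def is_suspicious(commands: Dict[str, str]) -> bool:
    """True if any verb's command matches the load-DLL-from-drive pattern."""
    return any(SUSPICIOUS_RE.search(c) for c in commands.values())


def build_fix_reg(log: str) -> Tuple[str, List[str]]:
    """Build .reg text that deletes each flagged key ("[-KEY]" removes a key)
    and return it with the list of flagged keys. CRLF line endings, as Regedit
    writes them; open the output file with newline="" to keep them intact."""
    flagged = [k for k, cmds in parse_mountpoints(log).items()
               if is_suspicious(cmds)]
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[-{k}]" for k in flagged]
    return "\r\n".join(lines) + "\r\n", flagged


def write_fix_reg(log: str, path: str) -> List[str]:
    """Write fix.reg to `path` (e.g. the desktop) and return the flagged keys."""
    text, flagged = build_fix_reg(log)
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(text)
    return flagged


if __name__ == "__main__":
    reg_text, keys = build_fix_reg(SAMPLE_LOG)
    for key, cmds in parse_mountpoints(SAMPLE_LOG).items():
        mark = "DELETE" if key in keys else "keep  "
        print(mark, key.rsplit("\\", 1)[1], cmds)
    print(reg_text)
```

Run against the sample, the two keys carrying the rundll32 desktop.dll command are emitted as [-KEY] deletions and the setupSNK.exe entry is left for manual review, matching the three-line fix.reg above.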

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Hi, have updated AVG 8.5 and reactivated.
I am posting this using the previous bad machine, so yes it looks good and fixed.
It's a little slow to load up, I suppose that's due to all the rubbish that's been pulled, squashed and dumped on it over the last few days.
There are no restore points in System Restore, not sure whether they were supposed to come back or not. I did regularly create them but they are not there any more.
Machine is working though so I'm one happy guy.
Many many thanks Belahzur,
I will sing your praises to everyone I know.
It's quite odd that you have helped me so much yet I have no idea who you are. I suppose that's the anonymous world of the net.
Good luck in whatever you're doing.
Many many thanks again.
(if you're happy with the outcome that is)

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Hello.
The slowness could be due to the amount of stuff running at startup, because they run as processes too.
If you want, we can stop some of the unneeded junk from running.

Sadly, I will never show myself, or my real name. This is a public forum, we are fighting against the bad guys. I've seen the dark side of the internet, I know what they are capable of, it's very easy to track someone using the internet nowadays.

Re: Nuqel.E bankerfox has disabled internet access and my anti spyware cant update

Many thanks again,
Have done some unticking in msconfig to improve things a little.
Great work, thanks.
