WiredWX Christian Hobby Weather Tools
Infected with Win32/Nugel.E and Bankfox a

Running on Windows XP. Please help. Can't open anything in Internet Explorer; Mozilla seems to be OK. Have porn sites popping up every other minute!
Thank you in advance.

Re: Infected with Win32/Nugel.E and Bankfox a
Hi McLeonardRN,

Welcome to GeekPolice Forums! I'm Crush, but you can call me Chris too... and I will be helping you with your malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal, but rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.


IMPORTANT: Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that you have to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly...

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this, click your Profile button, then click Preferences. Make sure Always notify me of replies is set to Yes.


With that out of the way:

Download OTL to your Desktop


  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    Code:

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    nvstor32.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    ws2_32.dll
    proquota.exe
    imm32.dll
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    nvrd32.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles



  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time.


Re: Infected with Win32/Nugel.E and Bankfox a
I was able to download OTL; found it in Applications, could not save it to my desktop. When I can open it, it will blink for one second and then either shut down or be blocked???

Re: Infected with Win32/Nugel.E and Bankfox a
Ok. Let's try this:

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3



  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.


Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

After RKill runs, please immediately do the following:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming that the Recovery Console was installed successfully.



  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Infected with Win32/Nugel.E and Bankfox a
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Melissa on 06/25/2010 at 22:09:45.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Melissa\Local Settings\Application Data\ptrfrnbdc\mdsafeptssd.exe


Rkill completed on 06/25/2010 at 22:09:49.

Re: Infected with Win32/Nugel.E and Bankfox a
Perfect. That should allow you to run Combofix now.

combo fix text log
Things seem better. Here is the ComboFix log. I thank you again in advance. This will (most likely) be the second time GeekPolice saved me. Please let me know how I can support your website... maybe a donation of some sort????


ComboFix 10-06-25.02 - Melissa 06/25/2010 22:37:04.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2912 [GMT -4:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Melissa\Application Data\Google\T-Scan
c:\documents and settings\Melissa\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Melissa\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Melissa\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Melissa\Local Settings\Application Data\ptrfrnbdc
c:\documents and settings\Melissa\Local Settings\Application Data\ptrfrnbdc\mdsafeptssd.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-14 11:26 . 2010-06-14 11:26 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\program files\iPod
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-13 13:05 . 2010-06-13 13:05 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-13 13:04 . 2010-06-13 13:04 -------- d-----w- c:\program files\Bonjour
2010-06-13 12:52 . 2010-06-13 12:52 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-10 04:27 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 02:47 . 2008-07-12 02:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-26 02:46 . 2009-08-19 16:00 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 13:19 . 2008-07-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-22 22:54 . 2009-12-28 01:33 -------- d-----w- c:\documents and settings\Melissa\Application Data\ZoomBrowser EX
2010-06-22 20:49 . 2009-12-28 01:32 -------- d-----w- c:\documents and settings\Melissa\Application Data\CameraWindowDC
2010-06-18 11:37 . 2008-09-04 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-14 01:00 . 2009-12-04 03:01 82408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-13 13:15 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\Melissa\Application Data\Apple Computer
2010-06-13 13:13 . 2009-12-04 00:57 -------- d-----w- c:\program files\iTunes
2010-06-13 13:13 . 2009-12-05 01:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-13 13:10 . 2009-12-04 00:56 -------- d-----w- c:\program files\QuickTime
2010-06-13 12:54 . 2010-04-01 18:09 -------- d-----w- c:\program files\Safari
2010-06-13 12:51 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-10 13:29 . 2010-01-23 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 03:14 . 2009-03-15 12:19 -------- d-----w- c:\program files\Roxio Creator 2009
2010-05-19 03:11 . 2008-04-02 13:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-19 03:11 . 2008-07-12 02:10 -------- d-----w- c:\program files\Windows Sidebar
2010-05-19 03:11 . 2009-03-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-15 11:17 . 2010-04-29 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\Melissa\Application Data\Office Genuine Advantage
2010-05-08 12:05 . 2008-04-19 23:40 -------- d-----w- c:\documents and settings\Melissa\Application Data\gtk-2.0
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 12:33 . 2009-12-05 01:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33 . 2009-12-05 01:52 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-14 21:24 . 2009-11-25 21:43 79488 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 17:39 . 2010-04-29 00:05 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 18:08 . 2010-04-01 18:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-01 02:47 . 2008-12-13 02:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDAV appUpdater"="c:\program files\PDA Verticals Corp\appUpdater\appUpdater.exe" [2008-09-30 274432]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-02 1838592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Melissa\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-4-11 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2051:UDP"= 2051:UDP:Windows Media Format SDK (iexplore.exe)
"2050:UDP"= 2050:UDP:Windows Media Format SDK (iexplore.exe)

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 6:13 AM 102448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.newyorklife.com/eRoomSetup/client.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\qojqdfgn.default\
FF - plugin: c:\documents and settings\Melissa\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-svhgxnul - c:\documents and settings\Melissa\Local Settings\Application Data\ptrfrnbdc\mdsafeptssd.exe
HKLM-Run-svhgxnul - c:\documents and settings\Melissa\Local Settings\Application Data\ptrfrnbdc\mdsafeptssd.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dfshim.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Picaboo\Picaboo\PicabooMain.exe
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-25 22:51:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 02:51
ComboFix2.txt 2008-12-07 15:34
ComboFix3.txt 2008-12-07 15:29

Pre-Run: 189,222,105,088 bytes free
Post-Run: 189,282,131,968 bytes free

- - End Of File - - 9982D90760708780D710340BC7A6961C

Re: Infected with Win32/Nugel.E and Bankfox a

Hi again...

Re-running ComboFix to remove infections:



  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the Code box below into it:

Code:


DDS::
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f


  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript.txt onto ComboFix.exe
    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please post the contents of the log in your next reply.
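The CFScript above removes a per-user WinINet proxy pointing at 127.0.0.1:5577 and resets the hex-encoded search settings; a proxy set in the per-user Internet Settings affects WinINet clients such as Internet Explorer, which is consistent with the original symptom (IE cannot load anything while Firefox still works). As an added example that is not part of this thread and not ComboFix's own code, the Python script below triages the log sections the helper acted on: it decodes the hex search URLs, flags a loopback proxy, flags Run entries that launch from a user's Local Settings directories (the persistence that RKill could only suspend until the next reboot), notes Security Center monitoring being switched off, and emits the DDS:: section in the format used in the post above. The sample log is constructed from the shapes seen in this thread (the Run line's date/size stamp is invented), and the suspect-directory list and the expected default search URL are assumptions. A DisableMonitoring entry can also be set legitimately by a security suite, which is why it is rated only medium.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example, not GeekPolice's or ComboFix's own code. It flags:
  * Run entries that launch from a user's Local Settings directories,
  * a WinINet ProxyServer that points at loopback,
  * hex-encoded search settings that do not decode to the expected default,
  * Security Center monitoring switched off (medium: security suites set this too),
and emits the 'DDS::' CFScript section in the format used in the thread.
"""
import re

# Constructed sample in the shape of the ComboFix excerpts above. The Run line is modelled
# on the orphan entry ComboFix removed; its "[date size]" stamp is invented.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"svhgxnul"="c:\documents and settings\Melissa\Local Settings\Application Data\ptrfrnbdc\mdsafeptssd.exe" [2010-06-25 47104]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

------- Supplementary Scan -------
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')  # "name"="path" [date size]
HEX_ONLY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
SUPP_LINE = re.compile(r"^([mu])(Search[\w ]*?|Start Page|Internet Settings,\w+)\s*=\s*(.*)$")
# Assumed heuristic: per-user scratch locations that legitimate autostarts rarely launch from.
SUSPECT_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\")


def decode_hex_value(value):
    """Decode a hex string such as ComboFix prints for search URLs; non-hex passes through."""
    v = value.strip()
    if HEX_ONLY.match(v):
        try:
            return bytes.fromhex(v).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    return value


def parse_proxy_server(value):
    """'host:port' -> {'all': 'host:port'}; 'http=a:1;https=b:2' -> per-scheme dict."""
    proxies = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        scheme, sep, target = entry.partition("=")
        proxies[scheme.lower() if sep else "all"] = target if sep else scheme
    return proxies


def is_loopback(target):
    """True when a 'host:port' proxy target points back at the local machine."""
    host = target.rsplit(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def triage(log_text, expected_search=("http://www.google.com/",)):
    """Walk the log once and return finding dicts (kind, severity, where, raw, ...)."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VALUE.match(line)
        if v and key.lower().endswith("\\run"):
            if any(d in v.group(2).lower() for d in SUSPECT_DIRS):
                findings.append(dict(kind="run_entry_in_profile_data", severity="high",
                                     where=key + "\\" + v.group(1), raw=line, path=v.group(2)))
            continue
        if "security center" in key.lower() and line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(dict(kind="security_center_monitoring_disabled", severity="medium",
                                 where=key, raw=line))
            continue
        m = SUPP_LINE.match(line)
        if not m:
            continue
        scope, name, value = m.groups()
        where = scope + name
        if name.startswith("Internet Settings,"):
            if name.endswith("ProxyServer") and value:
                proxies = parse_proxy_server(value)
                bad = any(is_loopback(t) for t in proxies.values())
                findings.append(dict(kind="loopback_proxy" if bad else "proxy_set",
                                     severity="high" if bad else "info",
                                     where=where, raw=line, proxies=proxies))
            else:
                findings.append(dict(kind="internet_setting", severity="info", where=where, raw=line))
        else:
            decoded = decode_hex_value(value)
            hijacked = decoded not in expected_search
            findings.append(dict(kind="search_hijack" if hijacked else "search_default",
                                 severity="high" if hijacked else "info",
                                 where=where, raw=line, decoded=decoded))
    return findings


def cfscript_dds_block(findings):
    """Build the 'DDS::' CFScript section from the Supplementary Scan lines, verbatim,
    as in the post above (the empty ProxyOverride goes together with its ProxyServer)."""
    lines = [f["raw"] for f in findings if f["where"][:1] in ("m", "u")]
    return ("DDS::\n" + "\n".join(lines) + "\n") if lines else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["kind"], f["where"])
    print(cfscript_dds_block(found))
```

Run it as-is to see the findings for the constructed sample; point it at a real ComboFix.txt by reading the file into `triage()`. The DDS:: block it prints is a starting point for a helper to review, not something to feed to ComboFix unread, and the Run-entry heuristic is deliberately narrow so that it does not sweep up legitimate autostarts.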

combo fix with the notepad script
OK, here it is:


ComboFix 10-06-25.02 - Melissa 06/26/2010 8:33.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2874 [GMT -4:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Melissa\LOCALS~1\Temp\svchost.exe
c:\documents and settings\Melissa\Local Settings\Application Data\xwvtiiyja
c:\documents and settings\Melissa\Local Settings\Application Data\xwvtiiyja\icsxpkhtssd.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-14 11:26 . 2010-06-14 11:26 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\program files\iPod
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-13 13:05 . 2010-06-13 13:05 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-13 13:04 . 2010-06-13 13:04 -------- d-----w- c:\program files\Bonjour
2010-06-13 12:52 . 2010-06-13 12:52 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-10 04:27 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 12:31 . 2008-07-12 02:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-26 11:14 . 2009-08-19 16:00 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 13:19 . 2008-07-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-22 22:54 . 2009-12-28 01:33 -------- d-----w- c:\documents and settings\Melissa\Application Data\ZoomBrowser EX
2010-06-22 20:49 . 2009-12-28 01:32 -------- d-----w- c:\documents and settings\Melissa\Application Data\CameraWindowDC
2010-06-18 11:37 . 2008-09-04 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-14 01:00 . 2009-12-04 03:01 82408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-13 13:15 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\Melissa\Application Data\Apple Computer
2010-06-13 13:13 . 2009-12-04 00:57 -------- d-----w- c:\program files\iTunes
2010-06-13 13:13 . 2009-12-05 01:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-13 13:10 . 2009-12-04 00:56 -------- d-----w- c:\program files\QuickTime
2010-06-13 12:54 . 2010-04-01 18:09 -------- d-----w- c:\program files\Safari
2010-06-13 12:51 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-10 13:29 . 2010-01-23 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 03:14 . 2009-03-15 12:19 -------- d-----w- c:\program files\Roxio Creator 2009
2010-05-19 03:11 . 2008-04-02 13:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-19 03:11 . 2008-07-12 02:10 -------- d-----w- c:\program files\Windows Sidebar
2010-05-19 03:11 . 2009-03-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-15 11:17 . 2010-04-29 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\Melissa\Application Data\Office Genuine Advantage
2010-05-08 12:05 . 2008-04-19 23:40 -------- d-----w- c:\documents and settings\Melissa\Application Data\gtk-2.0
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 12:33 . 2009-12-05 01:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33 . 2009-12-05 01:52 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-14 21:24 . 2009-11-25 21:43 79488 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 17:39 . 2010-04-29 00:05 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 18:08 . 2010-04-01 18:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-01 02:47 . 2008-12-13 02:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDAV appUpdater"="c:\program files\PDA Verticals Corp\appUpdater\appUpdater.exe" [2008-09-30 274432]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-02 1838592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Melissa\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-4-11 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2051:UDP"= 2051:UDP:Windows Media Format SDK (iexplore.exe)
"2050:UDP"= 2050:UDP:Windows Media Format SDK (iexplore.exe)

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 6:13 AM 102448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.newyorklife.com/eRoomSetup/client.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\qojqdfgn.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Melissa\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-carkcqgr - c:\documents and settings\Melissa\Local Settings\Application Data\xwvtiiyja\icsxpkhtssd.exe
HKLM-Run-carkcqgr - c:\documents and settings\Melissa\Local Settings\Application Data\xwvtiiyja\icsxpkhtssd.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-06-26 08:41:16
ComboFix-quarantined-files.txt 2010-06-26 12:41
ComboFix2.txt 2010-06-26 02:51
ComboFix3.txt 2008-12-07 15:34
ComboFix4.txt 2008-12-07 15:29

Pre-Run: 189,272,649,728 bytes free
Post-Run: 189,277,499,392 bytes free

- - End Of File - - E92B525F3B5E24DEDF530D4AA70E919C

Re: Infected with Win32/Nugel.E and Bankfox a

How are things running now?

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

ESET scanner

Things seem to be running much better since the second ComboFix run. Here is the ESET scanner log. I cannot even begin to thank you enough for your help so far.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac78e3800069154e9c01256e6267aacc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-26 06:16:54
# local_time=2010-06-26 02:16:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=107586
# found=0
# cleaned=0
# scan_time=3599

Re: Infected with Win32/Nugel.E and Bankfox a

Hi again,

You're most welcome. I'm glad to help. Are you currently logged in as the Administrator of the machine? Looking back at the ComboFix log, it shows as a limited user.

Other than that, I don't see any more malware. I'd just like to get a fresh ComboFix log as Administrator to confirm.

Re: Infected with Win32/Nugel.E and Bankfox a

I am the administrator, but I am having problems again. Should I run ComboFix again (which I was having trouble opening, by the way), or should I do something else first?

Thanks.

Re: Infected with Win32/Nugel.E and Bankfox a

I tried to download another version of ComboFix and can't run it; it comes up as infected with a pop-up window.

Very, very frustrating.

Re: Infected with Win32/Nugel.E and Bankfox a

I was finally able to run ComboFix; here it is again.

ComboFix 10-06-25.02 - Melissa 06/27/2010 21:51:19.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2913 [GMT -4:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Melissa\LOCALS~1\Temp\svchost.exe
c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle
c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle\gjbdxuotssd.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-26 17:14 . 2010-06-26 17:14 -------- d-----w- c:\program files\ESET
2010-06-14 11:26 . 2010-06-14 11:26 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\program files\iPod
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-13 13:05 . 2010-06-13 13:05 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-13 13:04 . 2010-06-13 13:04 -------- d-----w- c:\program files\Bonjour
2010-06-13 12:52 . 2010-06-13 12:52 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-10 04:27 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 01:50 . 2008-07-12 02:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-28 01:46 . 2009-08-19 16:00 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 13:19 . 2008-07-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-22 22:54 . 2009-12-28 01:33 -------- d-----w- c:\documents and settings\Melissa\Application Data\ZoomBrowser EX
2010-06-22 20:49 . 2009-12-28 01:32 -------- d-----w- c:\documents and settings\Melissa\Application Data\CameraWindowDC
2010-06-18 11:37 . 2008-09-04 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-14 01:00 . 2009-12-04 03:01 82408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-13 13:15 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\Melissa\Application Data\Apple Computer
2010-06-13 13:13 . 2009-12-04 00:57 -------- d-----w- c:\program files\iTunes
2010-06-13 13:13 . 2009-12-05 01:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-13 13:10 . 2009-12-04 00:56 -------- d-----w- c:\program files\QuickTime
2010-06-13 12:54 . 2010-04-01 18:09 -------- d-----w- c:\program files\Safari
2010-06-13 12:51 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-10 13:29 . 2010-01-23 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 03:14 . 2009-03-15 12:19 -------- d-----w- c:\program files\Roxio Creator 2009
2010-05-19 03:11 . 2008-04-02 13:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-19 03:11 . 2008-07-12 02:10 -------- d-----w- c:\program files\Windows Sidebar
2010-05-19 03:11 . 2009-03-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-15 11:17 . 2010-04-29 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\Melissa\Application Data\Office Genuine Advantage
2010-05-08 12:05 . 2008-04-19 23:40 -------- d-----w- c:\documents and settings\Melissa\Application Data\gtk-2.0
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 12:33 . 2009-12-05 01:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33 . 2009-12-05 01:52 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-14 21:24 . 2009-11-25 21:43 79488 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 17:39 . 2010-04-29 00:05 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 18:08 . 2010-04-01 18:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-01 02:47 . 2008-12-13 02:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-26_12.40.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-28 01:50 . 2010-06-28 01:50 16384 c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2010-06-28 01:50 . 2010-06-28 01:50 16384 c:\windows\Temp\Perflib_Perfdata_338.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDAV appUpdater"="c:\program files\PDA Verticals Corp\appUpdater\appUpdater.exe" [2008-09-30 274432]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-02 1838592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Melissa\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-4-11 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2051:UDP"= 2051:UDP:Windows Media Format SDK (iexplore.exe)
"2050:UDP"= 2050:UDP:Windows Media Format SDK (iexplore.exe)

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 6:13 AM 102448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.newyorklife.com/eRoomSetup/client.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\qojqdfgn.default\
FF - plugin: c:\documents and settings\Melissa\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-xpeujyeh - c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle\gjbdxuotssd.exe
HKLM-Run-xpeujyeh - c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle\gjbdxuotssd.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-06-27 21:59:44
ComboFix-quarantined-files.txt 2010-06-28 01:59
ComboFix2.txt 2010-06-26 12:41
ComboFix3.txt 2010-06-26 02:51
ComboFix4.txt 2008-12-07 15:34
ComboFix5.txt 2010-06-28 01:47

Pre-Run: 189,077,397,504 bytes free
Post-Run: 189,150,150,656 bytes free

- - End Of File - - 0F4C8D780B6D6CC12D45F73A12E72CAB
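
The two ComboFix logs above carry the same handful of indicators that explain the symptoms: Run values (the "orphans") pointing at a randomly named .exe under the user's Local Settings\Application Data, a svchost.exe in the user's Temp folder, Security Center monitoring switched off, Norton reporting on-access scanning disabled, and, in the second log, Internet Explorer's proxy pointed at 127.0.0.1:5577. As an added triage example (not part of the original thread and not ComboFix's own tooling), the Python script below pulls exactly those indicators out of ComboFix-style log lines. The sample input is a constructed excerpt modelled on the posted logs, not the complete log; the function names, severity labels and the SYSTEM32_ONLY list are the example's own assumptions.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
# It is a hand-picked sample for the example, not the complete log.
SAMPLE_LOG = r"""
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\docume~1\Melissa\LOCALS~1\Temp\svchost.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =

- - - - ORPHANS REMOVED - - - -

HKCU-Run-xpeujyeh - c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle\gjbdxuotssd.exe
HKLM-Run-xpeujyeh - c:\documents and settings\Melissa\Local Settings\Application Data\trrtgbxle\gjbdxuotssd.exe
"""

# A Run value as ComboFix prints it:  "name"="path" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# An orphaned Run value:  HKCU-Run-name - path
ORPHAN = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$')
PROXY = re.compile(r'ProxyServer\s*=\s*(?P<value>\S.*)$')
PATH_LINE = re.compile(r'^[a-z]:\\.+\\(?P<file>[^\\]+\.exe)$', re.I)
MONITOR_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1$')
AV_OFF = re.compile(r'^AV: .*\*On-access scanning disabled\*')
PROFILE_DIR = re.compile(r'\\(documents and settings|docume~1)\\', re.I)
# Assumption for this example: names that only belong in \windows\system32 on XP.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def is_local_proxy(value: str) -> bool:
    """True if any entry of a WinINet ProxyServer value (e.g. 'http=host:port;https=...')
    points at the local host, i.e. a process on the machine relays the browser's traffic."""
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1].strip()   # drop an 'http=' style prefix
        host = target.rsplit(":", 1)[0].lower()     # drop the port
        if host in ("127.0.0.1", "localhost") or host.startswith("127."):
            return True
    return False


def find_indicators(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return findings as {severity, indicator, line} dicts."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, indicator: str, line: str) -> None:
        findings.append({"severity": severity, "indicator": indicator, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m and PROFILE_DIR.search(m.group("path")):
            add("high", "autostart entry runs from a user profile directory", line)
            continue
        m = PATH_LINE.match(line)
        if m and m.group("file").lower() in SYSTEM32_ONLY \
                and "\\windows\\system32\\" not in line.lower():
            add("high", "system binary name outside \\windows\\system32 (masquerade)", line)
            continue
        m = PROXY.search(line)
        if m:
            if is_local_proxy(m.group("value")):
                add("high", "browser proxy points at the local host (traffic interception)", line)
            else:
                add("medium", "browser proxy configured; confirm it is expected", line)
            continue
        if MONITOR_OFF.match(line):
            add("info", "Security Center monitoring disabled; normal for a third-party suite, "
                        "so confirm the suite itself is active", line)
            continue
        if AV_OFF.match(line):
            add("high", "installed AV reports on-access scanning disabled", line)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_indicators(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:<6}] {f['indicator']}\n         {f['line']}")
    print(summarize(results))
```

The DisableMonitoring values are reported as informational on purpose: a third-party suite such as Norton registers its own monitoring with Security Center and sets them, so on their own they prove nothing. The findings that explain the thread's symptoms are the proxy and the orphaned Run values. A ProxyServer of 127.0.0.1:5577 means a process on this machine sits between Internet Explorer and the network and can block, redirect or inject into every page, which is why the CFscript later in the thread clears exactly those two Internet Settings values.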

Re: Infected with Win32/Nugel.E and Bankfox a

Hi,

That's given me what I need. Awesome.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride =

  4. Save this as CFscript.txt, in the same location as ComboFix.exe

    [screenshot: CFscript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFscript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

ComboFix log

Is there a reason this is not visible?



ComboFix 10-06-25.02 - Melissa 06/28/2010 5:39.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2912 [GMT -4]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melissa\Desktop\CFscript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-26 17:14 . 2010-06-26 17:14 -------- d-----w- c:\program files\ESET
2010-06-14 11:26 . 2010-06-14 11:26 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\program files\iPod
2010-06-13 13:13 . 2010-06-13 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-13 13:05 . 2010-06-13 13:05 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-13 13:04 . 2010-06-13 13:04 -------- d-----w- c:\program files\Bonjour
2010-06-13 12:52 . 2010-06-13 12:52 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-10 04:27 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 09:38 . 2008-07-12 02:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-28 01:46 . 2009-08-19 16:00 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 13:19 . 2008-07-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-22 22:54 . 2009-12-28 01:33 -------- d-----w- c:\documents and settings\Melissa\Application Data\ZoomBrowser EX
2010-06-22 20:49 . 2009-12-28 01:32 -------- d-----w- c:\documents and settings\Melissa\Application Data\CameraWindowDC
2010-06-18 11:37 . 2008-09-04 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-14 01:00 . 2009-12-04 03:01 82408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-13 13:15 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\Melissa\Application Data\Apple Computer
2010-06-13 13:13 . 2009-12-04 00:57 -------- d-----w- c:\program files\iTunes
2010-06-13 13:13 . 2009-12-05 01:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-13 13:10 . 2009-12-04 00:56 -------- d-----w- c:\program files\QuickTime
2010-06-13 12:54 . 2010-04-01 18:09 -------- d-----w- c:\program files\Safari
2010-06-13 12:51 . 2008-04-07 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-10 13:29 . 2010-01-23 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 03:14 . 2009-03-15 12:19 -------- d-----w- c:\program files\Roxio Creator 2009
2010-05-19 03:11 . 2008-04-02 13:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-19 03:11 . 2008-07-12 02:10 -------- d-----w- c:\program files\Windows Sidebar
2010-05-19 03:11 . 2009-03-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-15 11:17 . 2010-04-29 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-13 23:18 . 2010-05-13 23:18 -------- d-----w- c:\documents and settings\Melissa\Application Data\Office Genuine Advantage
2010-05-08 12:05 . 2008-04-19 23:40 -------- d-----w- c:\documents and settings\Melissa\Application Data\gtk-2.0
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 12:33 . 2009-12-05 01:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33 . 2009-12-05 01:52 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-14 21:24 . 2009-11-25 21:43 79488 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 17:39 . 2010-04-29 00:05 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 18:08 . 2010-04-01 18:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-01 02:47 . 2008-12-13 02:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-26_12.40.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-28 09:38 . 2010-06-28 09:38 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2010-06-28 09:39 . 2010-06-28 09:39 16384 c:\windows\Temp\Perflib_Perfdata_360.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDAV appUpdater"="c:\program files\PDA Verticals Corp\appUpdater\appUpdater.exe" [2008-09-30 274432]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-02 1838592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Melissa\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-4-11 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2051:UDP"= 2051:UDP:Windows Media Format SDK (iexplore.exe)
"2050:UDP"= 2050:UDP:Windows Media Format SDK (iexplore.exe)

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 6:13 AM 102448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.newyorklife.com/eRoomSetup/client.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\qojqdfgn.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Melissa\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-06-28 05:47:32
ComboFix-quarantined-files.txt 2010-06-28 09:47
ComboFix2.txt 2010-06-28 01:59
ComboFix3.txt 2010-06-26 12:41
ComboFix4.txt 2010-06-26 02:51
ComboFix5.txt 2010-06-28 09:36

Pre-Run: 189,127,458,816 bytes free
Post-Run: 189,116,764,160 bytes free

- - End Of File - - 950C9141733657330A088401467A7A92


Last edited by MLeonardRN on 28th June 2010, 9:56 am; edited 2 times in total

Re: Infected with Win32/Nugel.E and Bankfox a


Re: Infected with Win32/Nugel.E and Bankfox a

Both those posts are blank. Are you trying to send logs?

Re: Infected with Win32/Nugel.E and Bankfox a

They did not post initially for whatever reason, here they are up above your post.

Re: Infected with Win32/Nugel.E and Bankfox a

Ok. How are things running now?

Re: Infected with Win32/Nugel.E and Bankfox a

Still having problems. When I opened Internet Explorer, the text was really small and wouldn't adjust. Getting popups saying that applications are infected.

thanks

Re: Infected with Win32/Nugel.E and Bankfox a

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

Re: Infected with Win32/Nugel.E and Bankfox a

I am not able to run the Malwarebytes program.

Re: Infected with Win32/Nugel.E and Bankfox a

Do you get an error? What happens?

Re: Infected with Win32/Nugel.E and Bankfox a

A pop-up window occurs, similar to when trying to open Windows documents, music, etc.

It states:
"application cannot be executed. the file mbam.exe is infected do you want to activate your antivirus software now?"

Re: Infected with Win32/Nugel.E and Bankfox a

Hi,

Try this first.

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.


Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed further to do so.

After RKill runs, please immediately do the following: try running MBAM.

Re: Infected with Win32/Nugel.E and Bankfox a

I was able to run MBAM without RKill.
Here is the log.
I did run it and restarted my computer; I still seem to have problems with Internet Explorer (text size, connection, etc.), while Mozilla still seems to be OK.
Thanks for all your continued help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 5:11:36 PM
mbam-log-2010-06-30 (17-11-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 244174
Time elapsed: 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pctuhnio (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melissa\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Infected with Win32/Nugel.E and Bankfox a

Ok. How are things running now?

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Infected with Win32/Nugel.E and Bankfox a

I can't run the online ESET scanner. Something pops up about proxy settings not being configured. I am not sure what this means, and not sure how to fix or reset them.

Re: Infected with Win32/Nugel.E and Bankfox a

McLeonardRN,

Try this:

Remove the proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection -> choose "No Proxy".

Click the Apply button and restart the computer in normal mode.
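The same IE change done from a PowerShell prompt, as an added example that is not part of the thread or of any tool used in it: it reads the current user's WinINET proxy values (the registry location behind IE's LAN Settings dialog), reports anything that is set, and clears it. It assumes the unwanted proxy was written to the per-user key, and the choice of what to flag (any enabled proxy or PAC script, with a loopback proxy called out) is the example's own.

```powershell
# Added example, not from the thread: inspect and reset the current user's
# WinINET proxy values, which is what IE's "LAN Settings" dialog edits.
# Assumption: the unwanted proxy lives in this per-user key (the usual case
# when it was planted while the affected user was logged on).
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    $p = Get-ItemProperty -Path $ProxyKey
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable      # 1 = "Use a proxy server" ticked
        ProxyServer   = $p.ProxyServer      # e.g. "http=127.0.0.1:8080" (constructed sample)
        ProxyOverride = $p.ProxyOverride    # bypass list
        AutoConfigURL = $p.AutoConfigURL    # PAC script URL, if any
    }
}

function Test-UnexpectedProxy {
    param($Settings)
    # Assumption (not from the thread): this user never configured a proxy,
    # so any enabled proxy or PAC script is unexpected. A loopback proxy is
    # called out separately because it routes every browser request through
    # a program running on the PC itself.
    $flags = @()
    if ($Settings.ProxyEnable -eq 1) { $flags += "proxy enabled: $($Settings.ProxyServer)" }
    if ($Settings.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost)') {
        $flags += 'proxy points at loopback'
    }
    if ($Settings.AutoConfigURL) { $flags += "PAC script: $($Settings.AutoConfigURL)" }
    return $flags
}

function Reset-WinInetProxy {
    # Same end state as unticking "Use a proxy server" in the GUI.
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $ProxyKey -Name $name -ErrorAction SilentlyContinue
    }
}

$before   = Get-WinInetProxy
$findings = @(Test-UnexpectedProxy -Settings $before)   # @() keeps it an array on PS 2.0
if ($findings.Count -eq 0) {
    Write-Host 'No proxy or PAC script is configured for this user.'
} else {
    $findings | ForEach-Object { Write-Host "Found: $_" }
    Reset-WinInetProxy
    Write-Host 'Proxy settings cleared; restart the browser (or the PC, as advised above).'
}
```

Firefox keeps its own setting (network.proxy.type in the profile's prefs.js), so the Firefox steps above still have to be done by hand.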

Re: Infected with Win32/Nugel.E and Bankfox a

OK, here is the log; things are definitely running better.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 5:11:36 PM
mbam-log-2010-06-30 (17-11-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 244174
Time elapsed: 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pctuhnio (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melissa\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Infected with Win32/Nugel.E and Bankfox a

That looks like the Malwarebytes log. I need the log from ESET please :)

Re: Infected with Win32/Nugel.E and Bankfox a

Oh, sorry, and never mind what I said before, as now it seems to be Baacckkk.

Re: Infected with Win32/Nugel.E and Bankfox a

Argh! Alright, let's see what the ESET says and we'll go from there.

Re: Infected with Win32/Nugel.E and Bankfox a

OK, here is the right log this time! I will also say I ran the ESET scanner once before; everything was supposedly quarantined, I couldn't find the log to post, and then my computer was back to the same old tricks 1 day later.


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac78e3800069154e9c01256e6267aacc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-05 11:51:16
# local_time=2010-07-05 07:51:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=118607
# found=1
# cleaned=1
# scan_time=5522
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\85CUYG56\ormey[1].jar a variant of Java/TrojanDownloader.Agent.NAL trojan (deleted - quarantined) 00000000000000000000000000000000 C

Re: Infected with Win32/Nugel.E and Bankfox a

Please download TFC by OldTimer to your desktop.
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Re: Infected with Win32/Nugel.E and Bankfox a

OK, ran it and it automatically rebooted. Nothing to post though, right? Anything else I should be doing?

thanks again

Re: Infected with Win32/Nugel.E and Bankfox a

How are things running now? Any more issues?

Re: Infected with Win32/Nugel.E and Bankfox a

Hi Crush, I gave it a few days, and it's back. I have already run Malwarebytes. When I scan with Norton Antivirus, it seems to run on the Internet Explorer history scan forever and I have to shut it down via Task Manager, so that is not running correctly either.
Is there a way to remove this manually? I see some posts online about this. It is driving me crazy.
Thanks for all your help.

Re: Infected with Win32/Nugel.E and Bankfox a

Hi, :)

Crush is having some computer issues and will be back ASAP to assist you.

Sorry for the inconvenience,
Sneakyone

Re: Infected with Win32/Nugel.E and Bankfox a

Hi,

Sorry for the delay. Can you post the most recent log from Malwarebytes please?
