WiredWX Christian Hobby Weather Tools
bankerfox.a and win32/nugel.e viruses - Page 2

Re: bankerfox.a and win32/nugel.e viruses
Actually, leave booting from disc for now, I've still got some old(er) tricks to use.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: bankerfox.a and win32/nugel.e viruses
I copied the file to my desktop from a flash drive. I right-clicked on the icon and selected "Extract all files". It brought up the extraction wizard window, in which I selected "Next" twice, and I get an error message of "no files to extract."

I double-clicked on the icon and it gives me an error message of "The compressed (zipped) folder is invalid or corrupted."

Re: bankerfox.a and win32/nugel.e viruses
What's the next trick up your sleeve?

Re: bankerfox.a and win32/nugel.e viruses
Hi, Smile...

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try OTL.

............................................................................................

I'm livin' life in the fast lane.

Re: bankerfox.a and win32/nugel.e viruses
exeHelper by Raktor
Build 20100414
Run at 15:47:50 on 07/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Is this what you are looking for?

I tried to run OTL but got the same error message, "otl.exe is not a valid Win32 application."
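The exeHelper log above lists what the tool resets: the .exe and .com open-command associations and the Winlogon Userinit and Shell values. These are the usual places a loader hooks itself so that every program launch passes through the malware first, and a hijacked HKCR\exefile\shell\open\command is a common reason an unknown .exe refuses to start on an infected machine. The script below is an added example, not part of this thread and not exeHelper's own code: it parses saved `reg query` output for those keys and reports any value that differs from the stock Windows XP defaults. The sample output is constructed; its hijacked exefile value is a hypothetical loader path in the user's Temp directory, and the other values are stock. It assumes an English XP install with %SystemRoot% = C:\WINDOWS.

```python
"""Compare the registry values that exeHelper resets against their Windows XP
defaults, working from saved `reg query` output.

Added example for this thread; not part of exeHelper or ComboFix."""
import re

# Assumption: English Windows XP, %SystemRoot% = C:\WINDOWS.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values: (key, value name) -> data. The trailing comma on Userinit is
# part of the default; malware appends its own path after it.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "(Default)"): '"%1" %*',
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
}

# One value line of `reg query` output: name, REG_* type, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Return {(key.lower(), value_name.lower()): data} from `reg query` text.
    Handles both the XP '<NO NAME>' and the newer '(Default)' spelling."""
    values, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            name = m.group("name").strip()
            if name.upper() in ("<NO NAME>", "(DEFAULT)"):
                name = "(Default)"
            values[(key, name.lower())] = m.group("data").strip()
    return values


def _norm(s):
    # Collapse whitespace and case so cosmetic differences do not raise findings.
    return " ".join(s.split()).lower()


def audit(text):
    """Return (key, name, actual, expected) for every value missing or changed."""
    values = parse_reg_query(text)
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None or _norm(actual) != _norm(expected):
            findings.append((key, name, actual, expected))
    return findings


# Constructed sample: the exefile association redirected through a loader in
# the user's Temp directory (hypothetical path); the other values are stock.
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>    REG_SZ    "C:\DOCUME~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe" "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command
    <NO NAME>    REG_SZ    "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

if __name__ == "__main__":
    for key, name, actual, expected in audit(SAMPLE):
        print(f"{key}\\{name}\n  found:    {actual!r}\n  expected: {expected!r}")
```

On the infected machine the input is produced with `reg query "HKCR\exefile\shell\open\command"` and the other three keys, redirected to a file and carried over on the flash drive; if reg.exe itself will not start because the association is hijacked, run it from the Recovery Console or a boot disc with the hive loaded.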

Re: bankerfox.a and win32/nugel.e viruses
ETA: You know, all this started when I purchased a Belkin wireless router N-150 to replace my Linksys that I thought was broken. The Belkin router would not work correctly with my Dell Inspiron laptop (now the infected computer). After about four calls to their customer service and many changes to the laptop to accommodate the router, I plugged in my old Linksys and the router was working. So I took the Belkin back to Walmart, and about a day later I was infected.

Re: bankerfox.a and win32/nugel.e viruses
Although I did get the error message from trying to start OTL... my desktop is now blank with the OT helper box... I selected "Start OTL" but haven't noticed anything occurring yet.

How long should it take OTL to run, if it is running?

Re: bankerfox.a and win32/nugel.e viruses
Hi, Smile...

Please hold CTRL+ALT+DEL and go to Task Manager.

Once in task manager please hit 'New Task' and type 'Explorer.exe' then your desktop should pop back up.

If so, please do this:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Re: bankerfox.a and win32/nugel.e viruses
Error message for the name I'm typing in the Run box.

Re: bankerfox.a and win32/nugel.e viruses
Hi, Smile...

Try typing %windir%\explorer.exe


Re: bankerfox.a and win32/nugel.e viruses
That worked, but it brought me to the My Documents window. Is that right?

When do I run commy.exe?

Re: bankerfox.a and win32/nugel.e viruses
Hi, Smile...

Please run it now.


Re: bankerfox.a and win32/nugel.e viruses
Ok here it is.....


ComboFix 10-07-16.02 - Bubba Clemons 07/18/2010 20:39:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.191 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-07-18 21:13:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 02:13

Pre-Run: 2,367,614,976 bytes free
Post-Run: 5,424,795,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0824F890580C347C2DDA7ACC7C34DA51
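Several indicators in the ComboFix log above are worth pulling out explicitly: a file named svchost.exe deleted from the user's Temp directory rather than from System32, a randomly named folder under Local Settings\Application Data with matching HKCU and HKLM Run entries (pvgxhhpi / kfyuxwytssd.exe), lmhosts removed from drivers\etc, and a browser ProxyServer of 127.0.0.1:5577, which routes Internet Explorer traffic through a listener on the machine itself, a pattern banking trojans use to read and alter sessions. The script below is an added example, not ComboFix's or this forum's own tooling, that applies those checks to a ComboFix log; its sample input is a constructed excerpt of lines taken from the log above. The rules are heuristics: legitimate software (ClickOnce deployments, some per-user installers) also lives under Local Settings\Application Data, so a hit is a lead to verify, not a verdict.

```python
"""Flag banker-style indicators in a ComboFix log.

Added example for this thread; not ComboFix's or the forum's own tooling.
Every rule is a heuristic: a hit is a lead to verify, not a verdict."""
import re

# Windows binaries that should only ever run from under %SystemRoot%.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
# Per-user, user-writable locations; nothing should autostart from here on a
# clean XP box (legitimate exceptions exist, e.g. ClickOnce 'Deployment').
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\",
                 "\\locals~1\\temp\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")

_PROXY = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)
# A Windows path running to the end of the line, minus ComboFix's trailing
# "[date size]" annotation; the lookbehind stops matches inside a longer path.
_PATH = re.compile(r'(?<![\w\\])([a-z]:\\.+?)(?:\s+\[[^\]]*\])?$', re.I)


def extract_path(line):
    """Return the path on a ComboFix log line (deletion, Run entry, orphan), or None."""
    m = _PATH.search(line)
    return m.group(1).strip().strip('"') if m else None


def triage(log_text):
    """Return (rule, line) pairs for every log line matching a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROXY.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
            findings.append(("localhost_proxy", line))
        path = extract_path(line)
        if not path:
            continue
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and "\\windows\\" not in low:
            findings.append(("system_binary_outside_windows", line))
        if name.endswith(EXEC_EXT) and any(w in low for w in USER_WRITABLE):
            findings.append(("executable_in_user_writable_dir", line))
        if name in ("hosts", "lmhosts") and "\\drivers\\etc\\" in low:
            findings.append(("name_resolution_file_touched", line))
    return findings


# Constructed excerpt: lines copied from the ComboFix log in this thread,
# plus one benign AVG entry and the start page as negative cases.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\docume~1\BUBBAC~1\LOCALS~1\Temp\svchost.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
HKLM-Run-pvgxhhpi - c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo\kfyuxwytssd.exe
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run it as `python triage.py` against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file contents. The localhost proxy is the finding to act on first: until it is cleared, anything typed into a browser on that machine should be assumed readable by the malware, which is also why the folder and the ProxyServer line are the two items the CFScript in the next reply targets.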

Re: bankerfox.a and win32/nugel.e viruses
Hi, Smile...

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==========

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Re: bankerfox.a and win32/nugel.e viruses
On the malware site, the link said "page not found"... Will this download fit on a 1 GB flash drive?

Re: bankerfox.a and win32/nugel.e viruses
Here is #2....


ComboFix 10-07-18.03 - Bubba Clemons 07/19/2010 10:19:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.164 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-19 10:37:43
ComboFix-quarantined-files.txt 2010-07-19 15:37
ComboFix2.txt 2010-07-19 02:13

Pre-Run: 5,435,686,912 bytes free
Post-Run: 5,414,174,720 bytes free

- - End Of File - - 42DD658FFFF0FBCA54D4287B6BE62E3F

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

That CFScript didn't work right; could you please do it again?

As for Malwarebytes, yes it will fit on a flash drive.

Here is the updated set of instructions:

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

............................................................................................

I'm livin' life in the fast lane.

Re: bankerfox.a and win32/nugel.e viruses

Here are the results from the ComboFix log. I have downloaded the malware from the site suggested but will be away from the computer for a few days. When I get back I will load and run the malware and post those results.

CRC

ComboFix 10-07-19.01 - Bubba Clemons 07/19/2010 15:04:09.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.120 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-07 11:26 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-19_15.30.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 19:50 . 2010-07-19 19:50 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-19 15:27:43
ComboFix-quarantined-files.txt 2010-07-19 20:27
ComboFix2.txt 2010-07-19 15:37
ComboFix3.txt 2010-07-19 02:13

Pre-Run: 5,421,723,648 bytes free
Post-Run: 5,401,247,744 bytes free

- - End Of File - - CFE517975B75356BEB2D8692DCF68A5C

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: E:\CFscript.txt


The reason the CFScript isn't working is that it is not in the same place as ComboFix.

Please save the CFScript to C:\documents and settings\Bubba Clemons\Desktop\CFScript.txt


............................................................................................

I'm livin' life in the fast lane.

Re: bankerfox.a and win32/nugel.e viruses

Ok... I am back and I ran ComboFix again, here are the results...

ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 12:36:58.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.107 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFscript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 13:04:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 18:04
ComboFix2.txt 2010-07-24 17:29
ComboFix3.txt 2010-07-19 20:27
ComboFix4.txt 2010-07-19 15:37
ComboFix5.txt 2010-07-24 17:35

Pre-Run: 5,333,143,552 bytes free
Post-Run: 5,340,016,640 bytes free

- - End Of File - - D24B6BAB24A909E770E3813699984279
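A small triage script, added here as an example (it is not ComboFix's code and not something either poster ran), that reads the three parts of these logs the thread turns on: the Run entries under "Reg Loading Points", the key = value lines of the "Supplementary Scan" section, and the paths under "Other Deletions". It applies three defender checks a log reviewer would make by hand: a user-scope IE ProxyServer routed through loopback, autostart entries whose target ComboFix could not find on disk ([X]), and autostart targets living under a per-user Local Settings\Application Data folder. The sample log text is constructed from lines quoted above: the 19 July run still shows uInternet Settings,ProxyServer = http=127.0.0.1:5577, and the 24 July run made with the CFScript shows the uytxiyaxo folder under "Other Deletions" and no ProxyServer line. The [X] on the WLTRAY entry only means the path as written did not resolve (the 24 July log lists c:\windows\system32\WLTRAY.exe among running processes), so the script reports it as something to verify, not as a verdict.

```python
"""Triage helper for ComboFix-style logs.

Added example (not ComboFix's own code). Parses Run entries under
'Reg Loading Points', the 'Supplementary Scan' settings and the paths
under 'Other Deletions', then applies three defender heuristics.
The LOG_BEFORE / LOG_AFTER text is constructed from lines quoted in
the thread (a 19 July run and the 24 July run made with the CFScript).
"""
import re
from dataclasses import dataclass, field

# "Name"="target" [date size]   or   "Name"="target" [X]  (target not found)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# Supplementary Scan lines such as:  uInternet Settings,ProxyServer = http=127.0.0.1:5577
SETTING_LINE = re.compile(r'^(?P<key>[A-Za-z][^=]*?)\s*=\s*(?P<value>.*)$')
BANNER = re.compile(r'^\({5,}.*\){5,}$')          # ((((( Section name )))))
LOOPBACK = re.compile(r'127\.0\.0\.1|localhost', re.I)
PER_USER_APPDATA = re.compile(r'\\local settings\\application data\\', re.I)


@dataclass
class ComboFixLog:
    run_entries: list = field(default_factory=list)  # (hive, name, target, info)
    settings: dict = field(default_factory=dict)     # Supplementary Scan key -> value
    deletions: list = field(default_factory=list)    # paths under Other Deletions


def parse_combofix(text):
    """Walk the log line by line, tracking which section/registry key we are in."""
    log = ComboFixLog()
    section = None   # 'deletions' | 'supplementary' | None
    hive = None      # registry key of the [HKEY_...] block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if BANNER.match(line):
            section = 'deletions' if 'Other Deletions' in line else None
            continue
        if line.startswith('------- Supplementary Scan'):
            section = 'supplementary'
            continue
        if line.startswith('***') or line.startswith('-----'):
            section = None
            continue
        if line.startswith('[HK'):
            hive = line.strip('[]')
            section = None
            continue
        if section == 'deletions':
            log.deletions.append(line)
        elif section == 'supplementary':
            m = SETTING_LINE.match(line)
            if m:
                log.settings[m.group('key').strip()] = m.group('value').strip()
        elif hive and hive.lower().endswith('\\run'):
            m = RUN_LINE.match(line)
            if m:
                log.run_entries.append(
                    (hive, m.group('name'), m.group('target'), m.group('info').strip()))
    return log


def triage(log):
    """Findings a reviewer should verify by hand; none of them is a verdict on its own."""
    findings = []
    proxy = log.settings.get('uInternet Settings,ProxyServer', '')
    if LOOPBACK.search(proxy):
        findings.append(f'user-scope IE proxy routed through loopback: {proxy}')
    for hive, name, target, info in log.run_entries:
        if info == 'X':   # ComboFix could not resolve the target path as written
            findings.append(f'autostart "{name}" target not found on disk: {target}')
        if PER_USER_APPDATA.search(target):
            findings.append(f'autostart "{name}" runs from per-user app data: {target}')
    return findings


def settings_removed(before, after):
    """Supplementary Scan keys present in an earlier run but gone in a later one."""
    return sorted(set(before.settings) - set(after.settings))


# Constructed sample: the 19 July run (proxy still present).
LOG_BEFORE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
.
"""

# Constructed sample: the 24 July run made with the CFScript.
LOG_AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Bubba Clemons\Local Settings\Application Data\uytxiyaxo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
.
"""

if __name__ == '__main__':
    before, after = parse_combofix(LOG_BEFORE), parse_combofix(LOG_AFTER)
    for finding in triage(before):
        print('before:', finding)
    print('deleted by CFScript:', after.deletions)
    print('settings gone after fix:', settings_removed(before, after))
```

Run against the two real logs, the one setting that disappears between the runs is the loopback ProxyServer; the WLTRAY [X] line is reported both times and is the kind of item you confirm against the "Other Running Processes" list before acting on it.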

Re: bankerfox.a and win32/nugel.e viruses

Results from the Malwarebytes scan...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 1:44:10 PM
mbam-log-2010-07-24 (13-44-10).txt

Scan type: Quick scan
Objects scanned: 150709
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

............................................................................................

I'm livin' life in the fast lane.

Re: bankerfox.a and win32/nugel.e viruses

I get an error message saying,

"An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest)"

Re: bankerfox.a and win32/nugel.e viruses

Hi,

Could you please re-run ComboFix. Smile...


Re: bankerfox.a and win32/nugel.e viruses

Here you go...


ComboFix 10-07-23.04 - Bubba Clemons 07/24/2010 14:49:40.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.221 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-25 12:56 . 2010-06-25 12:54 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:17 . 2010-04-26 02:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-26 02:07 . 2010-04-26 02:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-19_15.30.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 17:50 . 2010-07-24 17:50 16384 c:\windows\temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-07-24 15:06:49
ComboFix-quarantined-files.txt 2010-07-24 20:06
ComboFix2.txt 2010-07-24 18:04
ComboFix3.txt 2010-07-24 17:29
ComboFix4.txt 2010-07-19 20:27
ComboFix5.txt 2010-07-24 19:48

Pre-Run: 5,347,381,248 bytes free
Post-Run: 5,330,059,264 bytes free

- - End Of File - - 470B5C9B84867F103110FD68B620028C

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    KillAll::

    File::
    c:\documents and settings\All Users\SPL*.tmp

    DDS::
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

    [picture: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt.
  7. Please post the contents of the log in your next reply.


Re: bankerfox.a and win32/nugel.e viruses

OK.....


ComboFix 10-07-24.01 - Bubba Clemons 07/24/2010 20:42:03.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.175 [GMT -5:00]
Running from: c:\documents and settings\Bubba Clemons\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Bubba Clemons\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\Bubba Clemons\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 18:29 . 2010-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 18:29 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 16:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 19:54 . 2010-07-10 19:54 -------- d--h--w- c:\windows\PIF
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\MSBuild
2010-07-06 14:19 . 2010-07-06 14:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-06 14:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-06 14:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 14:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-06 14:16 . 2010-07-06 14:18 -------- d-----w- C:\afa241a5b34af12c39432e9dd1765d2d
2010-07-06 05:02 . 2010-07-06 05:22 -------- d-----w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\Deployment
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-sh--w- c:\documents and settings\Bubba Clemons\IECompatCache
2010-06-25 12:54 . 2010-06-25 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:53 . 2007-11-24 23:16 -------- d-----w- c:\program files\lx_cats
2010-07-08 01:46 . 2010-05-23 20:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 14:41 . 2006-01-05 12:39 45408 ----a-w- c:\documents and settings\Bubba Clemons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 05:26 . 2006-04-05 23:10 56 --sh--r- c:\windows\system32\130AF31ACE.sys
2010-07-06 05:26 . 2006-04-05 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-30 21:58 . 2008-07-01 16:39 46 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences.dat
2010-06-30 21:58 . 2009-09-02 20:40 99 ----a-w- c:\documents and settings\Bubba Clemons\jagex_runescape_preferences2.dat
2010-06-24 21:17 . 2010-06-24 21:17 -------- d-----w- c:\program files\Belkin
2010-06-22 21:38 . 2010-06-22 21:38 303443 ----a-w- c:\documents and settings\All Users\SPLB.tmp
2010-06-04 01:59 . 2010-06-04 01:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 01:29 . 2010-06-04 01:29 324140 ----a-w- c:\documents and settings\All Users\SPL1D.tmp
2010-05-07 20:50 . 2010-05-07 20:50 0 ----a-w- c:\documents and settings\Bubba Clemons\jagex__preferences3.dat
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 02:09 . 2010-04-26 02:09 44872 ---ha-w- c:\windows\system32\mlfcache.dat
2006-12-24 21:00 . 2006-12-24 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 20:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Lexmark 3400 Series\\lxcymon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcypswx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 2:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/11/2008 2:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/11/2008 2:19 PM 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/23/2007 6:58 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Bubba Clemons\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 21:13:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 02:12
ComboFix2.txt 2010-07-24 20:06
ComboFix3.txt 2010-07-24 18:04
ComboFix4.txt 2010-07-24 17:29
ComboFix5.txt 2010-07-25 01:38

Pre-Run: 5,336,645,632 bytes free
Post-Run: 5,315,829,760 bytes free

- - End Of File - - 98737A240EACF766858CBADF0E41138B

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to the Actions tab >> under the Objects section, change the settings to the below:
      Infected objects - Cure
      Incurable objects - Report
      Suspicious objects - Report
    o Don't change any other settings.
  • Start the scan again. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Report incurable (meaning take no action: don't "move", "rename" or "delete").
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.


Re: bankerfox.a and win32/nugel.e viruses

Help me understand what all these steps are doing. Are they working?

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Yes, they provide the diagnostics and the removal power to ensure that you become malware-free.


Re: bankerfox.a and win32/nugel.e viruses

It's almost through scanning... Which programs of all these we tried will I be deleting, and which will I need to keep, including the logs?

Re: bankerfox.a and win32/nugel.e viruses

I will give you instructions on cleaning the tools up at the end. Smile...


Re: bankerfox.a and win32/nugel.e viruses

Let me correct myself... the complete scan has started and it looks like it will be a while... We'll continue this tomorrow.

Re: bankerfox.a and win32/nugel.e viruses

Alright, I await your logs. Smile...


Re: bankerfox.a and win32/nugel.e viruses

OK, believe it or not, it just now finished the complete scan, but when I select "cure" the only further choices it gives are delete, rename or move in a small box. What should I do?

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

Please choose delete. Right On!


Re: bankerfox.a and win32/nugel.e viruses

OK, when I'm finished and have saved the report to the desktop... how do I exit out of the enhanced protection mode and access the file on the desktop?

Re: bankerfox.a and win32/nugel.e viruses

Figured it out...


3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
popcaploader.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Deleted.;
A0772954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807;Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;
A0775077.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP811;Trojan.Click.1487;Deleted.;



Getting closer?
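As an added example (not from the thread and not Dr.Web's own tooling), a small Python triage script for the DrWeb.csv lines posted above: it parses the semicolon-separated fields as they appear in the post (file name, directory, threat, action) and sorts each hit into a live location, ComboFix's C:\Qoobox quarantine, or a System Restore point, which is what answers "Getting closer?" from the report itself. The field layout, the reading of the action column and the location labels are this example's assumptions.

```python
"""Triage helper for a Dr.Web CureIt report (DrWeb.csv).

Added example; not part of the thread and not Dr.Web's own tooling.
Assumed field layout, inferred from the four lines posted in the thread:
    <file name>;<directory>;<threat name>;<action taken>;
The location labels (LIVE, QUARANTINE, RESTORE_POINT) are this script's own.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the four result lines the user posted.
SAMPLE_REPORT = (
    "3 Months Free NetZero.exe;C:\\Documents and Settings\\All Users\\Start Menu;"
    "Trojan.Click.1487;Deleted.;\n"
    "popcaploader.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\Downloaded Program Files;"
    "Program.PopcapLoader;Incurable.Deleted.;\n"
    "A0772954.exe;C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP807;"
    "Trojan.Fakealert.17268;Incurable.Incurable.Deleted.;\n"
    "A0775077.exe;C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP811;"
    "Trojan.Click.1487;Deleted.;\n"
)


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def location(self) -> str:
        """Classify where the hit lives; the labels are this example's own."""
        d = self.directory.lower()
        if "\\qoobox\\quarantine\\" in d:
            return "QUARANTINE"      # inert copy already moved aside by ComboFix
        if "\\system volume information\\" in d:
            return "RESTORE_POINT"   # XP System Restore snapshot, not running code
        return "LIVE"

    @property
    def removed(self) -> bool:
        """Assumed from the posted lines: the final verdict is the last token,
        e.g. 'Incurable.Deleted.' -> Deleted."""
        return self.action.rstrip(".").split(".")[-1] == "Deleted"


def parse_report(text: str) -> List[Detection]:
    """Parse DrWeb.csv text. Raises ValueError on a line that does not fit."""
    detections: List[Detection] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}: {raw!r}")
        detections.append(Detection(*fields))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count hits per location class."""
    return dict(Counter(d.location for d in detections))


def outstanding(detections: List[Detection]) -> List[Detection]:
    """Hits that still matter: in a live location and not deleted."""
    return [d for d in detections if d.location == "LIVE" and not d.removed]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in found:
        state = "removed" if d.removed else "PRESENT"
        print(f"{d.location:13} {state:8} {d.threat:25} {d.directory}\\{d.name}")
    print("per location:", summarize(found))
    print("still present in a live location:", len(outstanding(found)))
```

On the posted report the only live hit (the Start Menu shortcut) is marked deleted and the other three are quarantine or restore-point copies, so nothing remains outstanding.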

Re: bankerfox.a and win32/nugel.e viruses

Hi, Smile...

One last check. Right On!

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Re: bankerfox.a and win32/nugel.e viruses

Internet Explorer closes the page because of the ActiveX... it sees it as a malicious add-on.

Re: bankerfox.a and win32/nugel.e viruses

Hi.

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
       • Spyware, Adware, Dialers, and other potentially dangerous programs
       • Archives
       • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As...
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


    Re: bankerfox.a and win32/nugel.e viruses
    Here it is....



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, July 27, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, July 27, 2010 00:40:46
    Records in database: 4199703
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 121912
    Threats found: 1
    Infected objects found: 3
    Suspicious objects found: 0
    Scan duration: 06:38:38


    File name / Threat / Threats count
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d Infected: Trojan.Java.ClassLoader.as 3

    Selected area has been scanned.
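The report above is regular enough to parse mechanically: one line per detection, in the form "path Infected: threat count". As an added example (not part of Kaspersky's or OTL's own tooling), the script below pulls those lines out of a report and emits an OTL ":Files" section for the flagged paths, which is the same transformation the helper does by hand in the next reply. The report text embedded here is a constructed excerpt that keeps the one real detection from the log above and adds a placeholder archive entry; the assumption that Kaspersky separates an archive member from its container with "/" is noted in the code.

```python
"""Turn Kaspersky Online Scanner 7.0 detection lines into an OTL ':Files' fix.

Added example for this thread, not code from Kaspersky or OTL.
"""
import re
from typing import Dict, List

# Detection lines: "<drive path> Infected: <threat> <count>" (or "Suspicious:").
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Constructed excerpt: the Java cache hit is the one from the log above; the
# archive line is a placeholder added to exercise the container-path logic.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 121912
Threats found: 1
Infected objects found: 3

File name / Threat / Threats count
C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d Infected: Trojan.Java.ClassLoader.as 3
C:\sample\archive.zip/payload.exe Suspicious: Example.Test.Name 1

Selected area has been scanned.
"""


def parse_report(text: str) -> List[Dict[str, object]]:
    """One record per detection line; header and statistics lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({
                "path": m.group("path"),
                "verdict": m.group("verdict"),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
            })
    return found


def container_path(path: str) -> str:
    """Assumption: Kaspersky writes archive members as '<container>/<member>'.
    OTL moves whole files, so the container is what belongs in the fix."""
    return path.split("/", 1)[0]


def build_otl_fix(detections: List[Dict[str, object]],
                  reset_hosts: bool = True, reboot: bool = True) -> str:
    """Build the ':Files' / ':commands' text in the layout OTL expects."""
    paths: List[str] = []
    for d in detections:
        p = container_path(str(d["path"]))
        if p not in paths:          # de-duplicate, keep report order
            paths.append(p)
    lines = [":Files"] + paths + ["", ":commands", "[emptytemp]"]
    if reset_hosts:
        lines.append("[resethosts]")
    if reboot:
        lines.append("[reboot]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_otl_fix(parse_report(SAMPLE_REPORT)))
```

Review the generated list before pasting it into OTL: the scanner reports what it found, not whether the file is safe to move, and a hit inside a system folder deserves a second look rather than an automatic move.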

    Re: bankerfox.a and win32/nugel.e viruses
    Hi.

    Please run OTL.exe.

    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


      :Files
      C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d

      :commands
      [emptytemp]
      [resethosts]
      [reboot]


    • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

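The [resethosts] command in the fix above replaces the hosts file wholesale. Before doing that it is worth seeing what is in it, because a hijacked hosts file is a common way for malware to stop antivirus and update sites from resolving, and the entries themselves tell you what the infection was protecting. The audit below is an added example, not OTL's code: it parses hosts-file text, separates entries sinkholed to loopback from entries redirected to some other address, and reports whether a reset is warranted. The hosts content embedded here is constructed (the hostnames use the reserved .test domain and are not from this thread).

```python
"""Audit a Windows hosts file before resetting it.

Added example for this thread, not code from OTL or any tool used here.
"""
import ipaddress
from typing import Dict, List, Tuple

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: the stock XP file plus two entries of the kind a hijack
# leaves behind. Hostnames are illustrative; .test is a reserved TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-av.test
10.0.0.9        www.example-bank.test   # constructed: site sent to another host
"""

Entry = Tuple[str, str, int]   # (address, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Yield (ip, hostname, line_no) per mapping; comments and blanks are skipped.
    A line whose first token is not an address is kept as '<invalid>'."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            entries.append(("<invalid>", line, n))
            continue
        for name in names:
            entries.append((ip, name.lower(), n))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every mapping:
    ok         - localhost pointing at loopback
    sinkholed  - any other name pointing at loopback/0.0.0.0 (site blocked)
    redirected - a name pointing anywhere else (site silently sent elsewhere)
    invalid    - unparsable address"""
    report: Dict[str, List[Entry]] = {"ok": [], "sinkholed": [], "redirected": [], "invalid": []}
    for ip, name, n in parse_hosts(text):
        if ip == "<invalid>":
            report["invalid"].append((ip, name, n))
        elif name in LOCAL_NAMES and ip in BLACKHOLE:
            report["ok"].append((ip, name, n))
        elif ip in BLACKHOLE:
            report["sinkholed"].append((ip, name, n))
        else:
            report["redirected"].append((ip, name, n))
    return report


def needs_reset(text: str) -> bool:
    """True when anything other than the localhost mapping is present."""
    r = audit_hosts(text)
    return bool(r["sinkholed"] or r["redirected"] or r["invalid"])


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name, n in entries:
            print(f"{category:10} line {n}: {ip} -> {name}")
    print("reset recommended:", needs_reset(SAMPLE_HOSTS))
```

A long list of sinkholed names is not automatically malicious (ad-blocking hosts lists look the same), so read the hostnames: security vendors and update servers in the sinkholed set, or a bank in the redirected set, is the pattern that justifies the reset.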

    Re: bankerfox.a and win32/nugel.e viruses
    I'm not sure if I followed your directions correctly... I double-clicked on OTL and got the same error message as before: "not a win32 application".
    Is this the same OTL that I tried downloading early on in this removal process?

    ETA: Is the .exe referring to the file name? I'm confused!

    Re: bankerfox.a and win32/nugel.e viruses
    Hi.

    Odd, could you please download a fresh copy from here: http://oldtimer.geekstogo.com/OTL.exe

    And run this first:

    Please download exeHelper from one of the two links.
    Link 1
    Link 2

    • Double-click on exeHelper.com or exeHelper.scr to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    After you run exeHelper, please run the fix.

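The "not a win32 application" error when launching a freshly downloaded OTL.exe is the symptom exeHelper is aimed at: the program resets the .exe and .com file associations and the Winlogon Userinit and Shell values, which rogue antivirus software rewrites so that its own binary runs instead of (or before) every program you start. The checker below is an added example, not exeHelper's code. It compares those four values against the stock Windows XP defaults (assumption: an English install with Windows in C:\WINDOWS) and can either read them from the live registry on Windows or run over a dumped set of values, which is what the constructed sample does; the hijacker path in that sample is a placeholder.

```python
"""Check the Windows XP values that exeHelper resets, against stock defaults.

Added example for this thread; not exeHelper's code. EXPECTED holds the XP
defaults (assumption: stock English install, Windows in C:\\WINDOWS).
"""
import sys
from typing import Dict, List

EXPECTED: Dict[str, str] = {
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\comfile\shell\open\command": '"%1" %*',
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
}

# Constructed sample: the .exe association pointed at a hypothetical file under a
# profile, the rewrite that makes every .exe launch the hijacker first or fail
# with "not a valid Win32 application". The path is a placeholder.
SAMPLE_HIJACKED = dict(EXPECTED)
SAMPLE_HIJACKED[r"HKCR\exefile\shell\open\command"] = (
    r'"C:\Documents and Settings\user\Local Settings\Application Data\hypothetical.exe" "%1" %*'
)


def normalize(value: str) -> str:
    """Case and spacing vary between installs; compare on a canonical form."""
    return " ".join(value.split()).lower()


def check_values(values: Dict[str, str]) -> List[str]:
    """Return one finding per value that is missing or differs from the default.
    An empty list means every checked value is at its default."""
    findings: List[str] = []
    for key, expected in EXPECTED.items():
        actual = values.get(key)
        if actual is None:
            findings.append(f"MISSING {key} (expected {expected!r})")
        elif normalize(actual) != normalize(expected):
            findings.append(f"MODIFIED {key}: {actual!r} (expected {expected!r})")
    return findings


def read_live_values() -> Dict[str, str]:
    """Read the four values from the local registry. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read needs Windows")
    import winreg
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out: Dict[str, str] = {}
    for key in EXPECTED:
        root_name, rest = key.split("\\", 1)
        if root_name == "HKCR":
            subkey, value_name = rest, ""            # "" reads the (Default) value
        else:
            subkey, value_name = rest.rsplit("\\", 1)
        try:
            with winreg.OpenKey(roots[root_name], subkey) as h:
                out[key], _ = winreg.QueryValueEx(h, value_name)
        except OSError:
            pass                                     # reported as MISSING by check_values
    return out


if __name__ == "__main__":
    try:
        live = read_live_values()
    except RuntimeError:
        live = SAMPLE_HIJACKED                       # off Windows, show the sample
    for line in check_values(live) or ["all checked values are at their defaults"]:
        print(line)
```

Run it after exeHelper to confirm the reset took, and again after a reboot: a malware process that is still resident will often rewrite the association within seconds, which is the case where the helper's advice to run exeHelper first and OTL immediately afterwards matters.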

    Re: bankerfox.a and win32/nugel.e viruses
    Log results from exehelper....

    exeHelper by Raktor
    Build 20100414
    Run at 15:47:50 on 07/18/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 13:37:58 on 07/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Re: bankerfox.a and win32/nugel.e viruses
    Results from otl...

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\27\4e1c045b-65bd777d moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 169917 bytes

    User: All Users

    User: Bubba Clemons
    ->Temp folder emptied: 107303430 bytes
    ->Temporary Internet Files folder emptied: 21206981 bytes
    ->Java cache emptied: 78134516 bytes
    ->Google Chrome cache emptied: 7991238 bytes
    ->Apple Safari cache emptied: 2369536 bytes
    ->Flash cache emptied: 2708801 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Johanna
    ->Temp folder emptied: 54022 bytes
    ->Temporary Internet Files folder emptied: 36868195 bytes
    ->Flash cache emptied: 853 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Maddie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 16185 bytes
    ->Flash cache emptied: 38804 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Will
    ->Temp folder emptied: 31107434 bytes
    ->Temporary Internet Files folder emptied: 418898 bytes
    ->Java cache emptied: 6101551 bytes
    ->Flash cache emptied: 62746 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 380738 bytes

    Total Files Cleaned = 281.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.9.1 log created on 07282010_134245

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24D0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF24DD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2571.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF257E.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25B0.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF25BD.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2628.tmp not found!
    File\Folder C:\Documents and Settings\Bubba Clemons\Local Settings\Temp\~DF2635.tmp not found!
    C:\Documents and Settings\Bubba Clemons\Local Settings\Temporary Internet Files\Content.IE5\04QOHGWJ\bankerfoxa-and-win32-nugele-viruses-t22587-60[1].htm moved successfully.
    File move failed. C:\Documents and Settings\Will\Local Settings\Temp\hsperfdata_Will\3332 scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    Re: bankerfox.a and win32/nugel.e viruses
    Hi.

    How is your computer running now?


    Re: bankerfox.a and win32/nugel.e viruses
    It seems to be running fine...

    I do have a wireless connection problem; I have been using the Ethernet cable for connection during the last stages of our problem solving. This was an issue that began before the virus attacks. I will go to the appropriate forum to work that issue out.

    Otherwise what is next?

    Re: bankerfox.a and win32/nugel.e viruses
    Hi.

    Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

    Updating System Restore
    Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE.


    You now have a clean restore point.

    To get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The System will do a calculation of temporary/old files, and then display a dialogue box.
    • Select the More Options Tab.
    • At the bottom will be a System Restore box with a CLEANUP button click this
    • Accept the Warning and select OK again, the program will close and you are done.


    ========

    Removing the tools
    Now, to remove all of the tools we used and the files and folders they created, please do the following:

    Download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    ============

    Service Pack upgrade
    Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

    More info about SP3: Here

    =====

    Update Programs
    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.



    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    =========

    Here are some prevention tips I have provided:

    1. Don't download files from untrusted websites or websites that seem suspicious.

    2. Don't use torrents; they are a good way to get lots of malware.

    3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

    4. Disable autorun XP or Vista/7

    5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

    6. Don't ever click on the links inside of a popup.

    7. Make sure you know what you install; you can check that it is not known for being a virus by simply searching for it on Google.

    8. Use a Site Advisor so you don't go to sites that will infect you. McAfee SiteAdvisor

    9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

    10. Always keep your Java and Adobe updated.

    11. Don't fall for scareware. What is scareware? It is a website made to download a rogue antivirus onto your system that will scare you into buying their fake software due to false detections.

    12. Always have a firewall and an antivirus.

    Thanks for choosing GeekPolice; see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

    For more information please visit Here

