Win32/Nuqel/Bankerfox

Hello,
I am in need of some assistance with removing a virus off my daughter's laptop. The virus is one that I've seen you assist others with in forums and I am hopeful that you will be able to aid me as well. My daughter seems to have downloaded a virus that the anitvirus program is calling Win32\Nuqel or Bankerfox. I do have a DDS log and Attach Text if that is needed...

Thank you

Post DDS please.

Thanks...here it is


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jean at 17:23:06.59 on Tue 03/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.509.125 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
D:\iTunesHelper.exe
C:\WINDOWS\svcho.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Jean\Application Data\U3\000015793C6112EB\LaunchPad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
J:\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - No File
BHO: : {1f1118bf-1560-49b6-b518-fccfe53a1f08} - c:\windows\system32\gurczxv.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {F02FABCB-92DD-475A-98AF-14217BD50746} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SigmaTel StacMon] c:\program files\sigmatel\c-major audio\stacmon.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "D:\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\2wirew~1.lnk - c:\program files\2wire wireless\client manager\CMTWO.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerp~1.lnk - c:\program files\powerpanel\program\PcfMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: LMIinit - LMIinit.dll
Notify: ykpmdohs - gurczxv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-10 201320]
R2 axsahahx;CD-ROM Monitor;c:\windows\system32\svchost.exe -k netsvcs [2003-8-12 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2005-2-10 258146]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-16 46112]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2003-8-12 156288]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40488]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-8-12 71961]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2005-2-10 108400]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-25 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 33832]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2006-5-23 14924]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-8-20 1174664]
S3 wltwo48b;2Wire Wireless PC Card Driver;c:\windows\system32\drivers\wltwo48b.sys [2004-11-29 170496]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-28 15:21 --d----- c:\docume~1\jean\applic~1\pbllabim
2009-03-26 23:53 19,456 a------- c:\windows\svcho.exe
2009-03-26 23:53 19,456 a------- c:\windows\syssvc.exe
2009-03-26 23:23 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-26 23:13 353,808 a------- c:\windows\sysguard.exe
2009-03-06 21:47 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-03-02 01:55 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-02 01:55 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-02 01:54 --d----- c:\program files\iPod
2009-03-02 01:54 -cd----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-02 01:44 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-23 12:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 17:24:25.43 ===============

Hello.
DDS shows the infection hiding in your registry, we'll have to go something more powerful out to deal with this one.

But first, I want to see what's installed.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Becuase it is my daughter's computer I've been doing everything via USB...I've got the program files saved to the desktop as her laptop will not connect to the internet.

I've tried several times to get the Hijack software to install, it begins to run then stops...please advise.

Hello.
It might be a rootkit blocking us, but I'll have to confirm with you.

Are you able to open Mcafee/update it?

If not, then there's a deeper problem.

Let me know.

It took awhile for the update to begin...once it did it stopped in the middle of the update. The machine froze and needed to be restarted.

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Leave the script box empty.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.