Author Topic: Win32/Nuqel.E How to get rid of this.  (Read 14251 times)


Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Win32/Nuqel.E How to get rid of this.
« on: September 04, 2010, 06:26:27 PM »
A box popped up and says: INFILTRATION ALERT: your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

DETAILS:
Attack from: 234.150.41.4, port 14622
Attacked port: 14969
Threat: Win32/Nuqel.E

I need help resolving this. The laptop has Avast Internet Security on it and I also have SuperAntiSpyware and Malwarebytes installed. It was saying everything was infected and I couldn't run anything, but now I can for some reason. All these security warnings were popping up wanting me to purchase antivirus software. But they're not popping up anymore for some reason and I dunno why. It's running Win XP Pro with SP3.

Is there anything to download and run that will remove this virus? Thanks for any help.
GIGABYTE GA-78LMT-S2P AMD 760 Motherboard ,  AMD FX-6100 Processor - Six Core, 8MB L3 Cache, 6MB L2 Cache, 3.30GHz (3.90GHz Max Turbo), Socket AM3+, 95W, Unlocked, OEM, Patriot Viper Xtreme 8GB Desktop Memory Module - DDR3, Samsung Evo SSD, Windows 10 Latest , Fire Fox Latest with ABP, Malwarebytes Pro.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33915
  • malware fighter
Re: Win32/Nuqel.E How to get rid of this.
« Reply #1 on: September 04, 2010, 06:48:21 PM »
Hi Honda2010,

The URL is in many blacklists:

In case you have sufficient expertise in dealing with program files, system processes, .dll files and registry entries, follow the instructions here:
http://deletemalware.blogspot.com/2010/04/remove-infiltration-alert-win32nuqele.html
and here:
http://deletemalware.blogspot.com/2010/04/how-to-remove-antivirus-suite-fake.html

The associated files to be deleted are listed below:

    * %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string].exe
    * %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]tssd.exe
    * %WINDOWS%\sysguard.exe
    * %WINDOWS%\system32\iehelper.dll

The related registry entries to be removed are as follows:

    * HKEY_CURRENT_USER\Software\AvSuite
    * HKEY_LOCAL_MACHINE\Software\AvSuite
    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random string]"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random string]"
    * HKEY_CURRENT_USER\Software\AvScan
    * HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

polonus
« Last Edit: September 04, 2010, 06:56:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
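An added read-only audit of the registry locations polonus lists in the reply above (this is not the thread's own tool or any program polonus names): it reports which of those keys and values are present on the machine and changes nothing, so the removal stays a separate, reviewed step. It assumes PowerShell on the affected Windows machine; every path, value name and the CLSID come from the post.

```powershell
# Added example, not from the thread: read-only check of the indicators in the
# reply above. Nothing is deleted; findings are printed for the reader to review.
$bhoClsid = '{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}'

# Keys whose mere presence points at the rogue's own configuration
$suspectKeys = @(
    'HKCU:\Software\AvSuite',
    'HKLM:\Software\AvSuite',
    'HKCU:\Software\AvScan',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)

# Values the rogue sets to weaken signature, proxy and attachment checks;
# Bad is the value the post says the infection writes.
$suspectValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';     Name = 'ProxyServer';          Bad = 'http=127.0.0.1:5555' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1' }
)

$findings = @()
foreach ($k in $suspectKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "KEY PRESENT: $k" }
}
foreach ($v in $suspectValues) {
    if (-not (Test-Path -LiteralPath $v.Key)) { continue }
    $cur = (Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue).($v.Name)
    if ($null -ne $cur -and "$cur" -eq $v.Bad) {
        $findings += "VALUE MATCH: $($v.Key)\$($v.Name) = $cur"
    }
}

# The Run entries are given only as "[random string]" and "system tool", so every
# autorun value is listed for review instead of guessing a name. The PS* members
# are PowerShell's own path metadata, not registry values.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $props = (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -notmatch '^PS') { $findings += "AUTORUN: $runKey\$($p.Name) = $($p.Value)" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' } else { $findings }
```

An autorun entry showing up in the list is not proof of infection by itself; compare each one against software you know is installed before acting on it.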

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32/Nuqel.E How to get rid of this.
« Reply #2 on: September 04, 2010, 08:13:40 PM »
Stupid question, but did you update Malwarebytes and run it?

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #3 on: September 04, 2010, 11:55:12 PM »
Quote
Stupid question, but did you update Malwarebytes and run it?

No, I didn't. Would this remove it? It was saying everything you click on was infected, but now it's letting me get into stuff. Should I try this? I don't know about your first post as I'm no expert with computers. Thanks!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32/Nuqel.E How to get rid of this.
« Reply #4 on: September 05, 2010, 12:22:55 AM »
Quote
No, I didn't. Would this remove it?
There is a very good chance it will, so try...

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run an update before you scan so you have the latest database.
Click the "Remove Selected" button to quarantine anything found.
You may post the scan log here.
« Last Edit: September 05, 2010, 12:36:23 AM by Pondus »

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #5 on: September 05, 2010, 09:02:56 AM »
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4546

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/5/2010 1:50:10 AM
mbam-log-2010-09-05 (01-50-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 276893
Time elapsed: 1 hour(s), 32 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\itankxjb (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My Avast Internet Security found this.

C:\System Volume Information\_restore then a bunch of numbers and letters.exe. Severity is High. Status: Threat: Win32:FakeAlert-PH [Trj]. It was moved to the chest successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2010 at 02:26 AM

Application Version : 4.34.1000

Core Rules Database Version : 5457
Trace Rules Database Version: 3269

Scan type       : Quick Scan
Total Scan Time : 00:12:02

Memory items scanned      : 646
Memory threats detected   : 0
Registry items scanned    : 441
Registry threats detected : 0
File items scanned        : 7522
File threats detected     : 0
« Last Edit: September 05, 2010, 09:29:29 AM by honda2010 »

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #6 on: September 08, 2010, 07:48:02 AM »
Is there something I can scan with to post a log so someone can verify that my wife's laptop is clean now? I have a DDS log but it won't let me save a GMER log for some reason. We use this for banking and her college and I need it so it's safe to use. It's been down since last Thursday and I need to get it going. It's all working fine now as normal, but I need to verify it's clean. Any help is appreciated. Thanks!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32/Nuqel.E How to get rid of this.
« Reply #7 on: September 08, 2010, 08:20:48 AM »
Quote
Is there something I can scan with to post a log so someone can verify that my wifes laptop is clean now?

Follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #8 on: September 08, 2010, 09:26:32 AM »
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4567

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/8/2010 1:40:50 AM
mbam-log-2010-09-08 (01-40-50).txt

Scan type: Quick scan
Objects scanned: 152546
Time elapsed: 9 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I did the OTL the first time and I deleted it all and re-enabled my disc drive that I previously disabled to run the DDS logs, so I redownloaded OTL and ran it again and it's not giving me the Extras.Txt but gave me the other OTL.Txt.
« Last Edit: September 08, 2010, 09:29:17 AM by honda2010 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Nuqel.E How to get rid of this.
« Reply #9 on: September 08, 2010, 09:00:12 PM »
Hi, there are no indications of a keylogger on your system, and I can see no apparent malware activity. If you wish, I can run another programme to give you peace of mind.

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #10 on: September 09, 2010, 04:07:00 AM »
That's fine, I will run whatever to make sure it's clean. Just let me know what to run and I will do my best to run it and post the result. It seems to be fine now but I'd just like to make sure. Thanks!

Offline honda2010

  • Full Member
  • ***
  • Posts: 141
Re: Win32/Nuqel.E How to get rid of this.
« Reply #11 on: September 09, 2010, 05:12:46 PM »
Just an FYI. I did a full scan with my AIS and it found nothing. Then I did a Boot Scan with my AIS and it found this and deleted it successfully.

File C:\hp\bin\endprocess.exe infected by win32:killapp-w [PUP]

C:\System Volume Information\restore[A80475B6-CF6D-4B3A-BD21-B167DB5304]\RP60\A0022234.exe Infected by win32:killapp-w [PUP]

It deleted them successfully.
YoKenny

  • Guest
Re: Win32/Nuqel.E How to get rid of this.
« Reply #13 on: September 09, 2010, 08:47:52 PM »
Quote
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

IE8 is much better than IE7:
Stay Safer Online
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
Quote
Increased performance
Internet Explorer 8 includes many performance improvements that contribute to a faster, more responsive web browsing experience in the areas that matter most. Internet Explorer 8 starts quickly, loads pages fast and instantly gets you started on what you want to do next by using a powerful new tab page.
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx

Quote
Enhanced tabbed browsing
Have you ever opened a large number of tabs only to find yourself overwhelmed when you go back to review them? Internet Explorer 8 introduces Tab Groups, which make tabbed browsing easier. When one tab is opened from another, the new tab is placed next to the originating tab and color coded, so that you can quickly see which tabs have related content.
http://www.microsoft.com/windows/internet-explorer/features/easier.aspx

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Nuqel.E How to get rid of this.
« Reply #14 on: September 09, 2010, 09:07:38 PM »
OK, let's use the big hammer to ensure nothing is lurking.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.