Author Topic: Bankerfox.a and Win32/Nuqel.E virus


Thunder Bird

  • Guest
Bankerfox.a and Win32/Nuqel.E virus
« on: January 06, 2011, 11:43:51 PM »
A friend of mine has had her laptop infected with Bankerfox.a and Win32/Nuqel.E virus.

Unfortunately there was no anti virus program installed on her laptop.

I have managed to stop the repeated pop-ups, but only by putting XP into "safe mode" and using "system restore" to a date earlier than when the infection occurred.

Prior to using "safe mode" I was unable to run any programs, as it was reported on each occasion that the file was infected, and the pop-ups were occurring approximately every 5 seconds.

I have now reached a point where I can access some of the internet, but if I type Avast, AVG or PrevX, Internet Explorer disappears as soon as I press return.

I installed Firefox but the same thing occurred as with Internet Explorer.

I have tried installing "Malwarebytes", "Avast" and "HiJackThis" from the normal boot up screen and from the "Safe Mode" but have been prevented from doing so.

I then installed these programs on a USB memory stick (using another computer), but when I tried to run them on the infected laptop their install window disappeared from the screen as soon as it appeared.

I did manage to get Trend Micro HouseCall loaded and it reported finding TROJ GEN.R42C2LC and TROJ Generic.L03, both of which I have not removed because of warnings about removing other needed files.

Trend Micro also reported lastmon.dll (TROJ gEN.R2EE1HU) which I removed.

I have checked and there is no proxy allocated in Internet Explorer.

Thunder Bird.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #1 on: January 06, 2011, 11:57:48 PM »
Have you tried this? It can be run from USB, no install.

Hitman Pro 3 - Second Opinion Malware Scanner  http://www.surfright.nl/en/hitmanpro
Hitman Pro in Force Breach Mode  http://hitmanpro.wordpress.com/2010/03/16/hitman-pro-in-force-breach-mode/

SUPERAntiSpyware Portable Scanner  http://www.superantispyware.com/portablescanner.html

YoKenny

  • Guest
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #2 on: January 07, 2011, 12:12:27 AM »
Please go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.

In Account Related Settings select Hide email address from public? to prevent scammers and spammers harvesting your internode.on.net email address.

Thunder Bird

  • Guest
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #3 on: January 07, 2011, 05:03:41 AM »
Thank you Pondus
I loaded the two programs on a USB stick.

I then ran SUPERAntiSpyware Portable Scanner first, which found approximately 60-odd infections, 30 of which were tracking cookies. I quarantined the lot, but where do I find the quarantine file?

After this I ran Hitman Pro 3, which found 5 malware and two trojans.

I then installed Avast and ran a boot time scan, resulting in 11 items being placed in the chest.

Following this I ran Malwarebytes, which found 2 Rogue.Secure and 1 Trojan.Dropper.

The interesting thing (for me) was that, while Malwarebytes was scanning, Avast reported finding 4 viruses (which were relegated to the chest). Why would that happen, seeing that I had only just completed a boot time scan with Avast?

One that pops up 7 times is kqflcncmhl[1].exe

Note.

The KQFLCNCMHL[1].EXE was first seen on Dec 25 2010 in the following geographical regions of the Prevx community:

    * The United States on Dec 25 2010
    * The United Kingdom on Dec 25 2010
    * Australia on Dec 25 2010


Thunder Bird.
 
« Last Edit: January 07, 2011, 05:17:27 AM by Thunder Bird »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #4 on: January 07, 2011, 08:01:05 AM »
Quote
I quarantined the lot, but where do I find the quarantine file?
The log files should be found under settings


I now recommend that you let Essexboy have a look inside to see if there is more in there.

Follow this guide from our expert malware remover Essexboy and post the logs here in this thread:
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the Malwarebytes scan log)



Essexboy is usually in the forum from 8:00pm to 11:59pm UK time.


« Last Edit: January 07, 2011, 08:08:31 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #5 on: January 07, 2011, 03:07:47 PM »
@ Thunder Bird
Avast doesn't scan its chest, as it is a protected area: the files are encrypted and the file names are changed.

Whilst MBAM is running a scan, guess what: avast, as a resident on-access scanner, will be monitoring the MBAM activity. So when it tries to open a file for scanning, avast will scan it first, so it is entirely possible for this to happen.

What is strange is the detection on the files again, presumably in the same original location and with the same file names?

Though that too isn't impossible as there is likely to be an underlying hidden (rootkit) or undetected malware instance restoring/recreating the files. So that is why it is going to take more tools to hunt down these hidden elements.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Thunder Bird

  • Guest
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #6 on: January 07, 2011, 10:49:03 PM »
Thank you DavidR

Here are the steps I took.

1. I first ran SUPERAntiSpyware Portable Scanner, which found approximately 60-odd infections, 30 of which were tracking cookies.

2. I then ran Hitman Pro 3, which found 5 malware and two trojans.

3. Installed Avast and ran a boot time scan, resulting in 11 items being placed in the chest. (Note: kqflcncmhl[1].exe was not detected during the boot time scan.)

4. With no other programs running (except Avast) I then ran Malwarebytes, which found 2 Rogue.Secure and 1 Trojan.Dropper.

It was during this Malwarebytes scan that Avast reported finding FOUR more new viruses.

Prior to this the Avast chest contained 11 items; after the Malwarebytes scan the Avast chest contained 15 items.
 
See capture 3 attachment.

The four new items that were not found during the Avast boot time scan are:

A0044371
kqflcncmhl[1].exe (in two locations)
388223305.exe

Curious why these 4 items were not found by Avast during the boot time scan.

Since then I have run another Malwarebytes scan and both Malwarebytes and Avast reported finding zero threats.

Could it be that during the Malwarebytes scan it draws Avast's attention to these threats?

It does tend to point out that initially Avast does not detect kqflcncmhl[1].exe until the Malwarebytes scan is run ?

Thunder Bird.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #7 on: January 07, 2011, 11:19:09 PM »
You are pretty much repeating what you said in your previous post.

So the points in my post are essentially the same.

Something hidden/undetected is recreating files. The boot time scan won't find the recreated files as essentially they won't be created until windows restarts.

There is a possibility that MBAM has detected that hidden process which would stop the recreation of the files and that is all that I can think of.

I still think this needs further analysis using the tool that Pondus mentioned so that essexboy can check it out.
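The explanation in the replies above (an on-access scanner catching files as another scanner opens them, and a boot time scan missing files that only get recreated once Windows is running again) can be checked by comparing file hashes across quarantine and reboot. The following is an added Python example, not code from this thread or from any of the scanners mentioned; the directory layout and file contents are constructed, and only the file name is taken from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before: dict, after: dict) -> dict:
    """Paths that appeared, disappeared or changed content between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def recreated(quarantined: dict, after: dict) -> list:
    """Paths quarantined earlier that exist again: evidence something is dropping them back."""
    return sorted(p for p in quarantined if p in after)

def demo() -> dict:
    """Constructed scenario: a dropped file is quarantined, then reappears after 'reboot'."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Temp").mkdir()
        bad = root / "Temp" / "kqflcncmhl[1].exe"     # name from the thread, contents constructed
        bad.write_bytes(b"constructed sample A")
        (root / "notes.txt").write_text("harmless")
        before = snapshot(root)                        # taken before the scanner runs
        key = "Temp/kqflcncmhl[1].exe"
        quarantined = {key: before[key]}               # what the scanner moved to quarantine
        bad.unlink()
        after_clean = snapshot(root)                   # state right after quarantine
        bad.write_bytes(b"constructed sample B")       # a hidden process drops it again
        after_reboot = snapshot(root)                  # state after Windows is back up
        return {
            "after_quarantine": diff_snapshots(before, after_clean),
            "after_recreation": diff_snapshots(after_clean, after_reboot),
            "recreated": recreated(quarantined, after_reboot),
            "same_content": after_reboot[key] == quarantined[key],
        }
```

A recreated path with a different hash, as in the demo, points at a live dropper rather than a scanner miss, which is why the thread asks for an OTL log before declaring the machine clean.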

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #8 on: January 07, 2011, 11:26:31 PM »
Quote
It was during this Malwarebytes scan that Avast reported finding FOUR more new viruses.

It is possible that Malwarebytes was scanning an area not covered by the avast boot scan; then the avast file shield would detect it, since the avast file shield is watching every file move on the comp.

Thunder Bird

  • Guest
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #9 on: January 07, 2011, 11:38:26 PM »
Quote
Something hidden/undetected is recreating files. The boot time scan won't find the recreated files as essentially they won't be created until windows restarts.

If that is the case, why weren't these files recreated when I installed Avast (Windows needs to be running to install Avast)?

Also from memory I think Avast required a reboot after the installation.

This is obviously the case before the boot time scan was carried out.

Thunder Bird.
« Last Edit: January 07, 2011, 11:41:42 PM by Thunder Bird »

Thunder Bird

  • Guest
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #10 on: January 07, 2011, 11:53:24 PM »
Quote
It is possible that malwarebytes was scanning a area not covered by the avast boot scan, then avast file shield would detect it since avast file shield is watching every file move on the comp

Is it possible that this unscanned area could be a weakness for Avast, in so much that it could be exploited by virus writers?

Also something I did not mention before.

When I did the boot time scan I elected to put everything in the chest with no exceptions.

Thunder Bird.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Bankerfox.a and Win32/Nuqel.E virus
« Reply #11 on: January 08, 2011, 12:09:18 AM »
Quote
Is it possible that this unscanned area could be a weakness for Avast in so much that it could be exploited by virus writers ?
Nope... it is scanning all areas where malware that is running active would hide. The guys at avast know what they are doing; they work with malware 24/7.



Run OTL and post the logs and let Essexboy have a look inside...