BankerFox.A and Nugel Trojan-Dropper

We have a computer infected with BankerFox. A Trojan and Nugel.exe. Kept getting pop ups to purchase AV Suite which is a fake website.
It took over our Avast and most everything on the computer. We uninstalled Avast Security Suite and downloaded it again.
Booted in safe mode and cleaned the virus with Avast.

We have used Malwarebytes(updated)
Avast Security Suite(updated)(disabled while running Kapersky)
Kapersky free version
Smitfraudfix(registry cleaner)

They all say they find viruses/spyware and clean them except for the smitfraud found nothing.
What else can we do to guarantee our computer is totally clean?

Thank you,
Dan and Mary

So did the other scanners find something or not…??
If you are on a 32bit system run a boot time scan with avast…!
asyn

Boot scan is completed, all it found was the smitfraudfix which we downloaded and installed ourselves to clean our registry.

We did uninstall smitfraudfix before the boot scan and thought these may be left over remnants? Avast deleted the smitfraudfix files it found on the boot scan.

After the Avast boot scan deleted the files we performed a final quick scan with Avast which found no viruses.

Updated Malwarebytes again, scanned and it found no malware.

Does this mean we may be rid of the BankerFox.A and Nugel.exe? :slight_smile:

Any suggestions would be most appreciated, we have been working on this for 2 days now.

Thanks a million,
Dan and Mary

i think that did it but if you like an second opion try superantispyware and see it that finds anything else that might malwarebytes have missed.

http://filehippo.com/download_superantispyware/

Seems you successfully cleaned you system…! :slight_smile:
asyn

Thank you all very much, we will also try the superantispyware just to be sure!

Dan and Mary

You’re welcome…!
asyn

I just saw this forum. I also became infected with BankerFox this morning. I was protected by Avast freeware which has served me excellently for 3 years.

This AV Security trojan has blocked access to add/remove programs in my control panel and also nothing happens when I hit control/alt/delete.

I bought Avast 5.0, installed, registered it successfully, but I am blocked also from opening it to run scan of the system.

I contacted Avast Tech Support 4 hours ago and have a ticket number. I have yet to receive a reply.

Any ideas ?

  1. you should have started your own topic
  2. have you tried Malwarebytes ?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
run quick scan and click on the remove selected button to quarantine anything found
post the scan log here

Thanks, I’ll try it. I am new here and this was the first time I ever used these forums.

your wellcome… :wink:

Pondus

I have downloaded Anti-Malware 1.46, but I am blocked from opening or running it.

I see essexboy is online, he is the expert with this so just wait

Hi lets get the show on the road - If the OTH/OTL combo do not work then go to plan B

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

http://oldtimer.geekstogo.com/OTH/OTH_Main.gif

Then select Start OTL. OTL will now run

[*]Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
Select Scan.txt that you downloaded

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*]Click the Internet Explorer button, post these logs in your Virus Removal topic.

PLAN B

Please download RKill.com to your desktop
Double click the programme to run it
Please be patient while the program looks for various malware programs and ends them.
When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by rogue malware when it terminates programs that may potentially remove it.
If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate

Then run OTL

I tried Plan A & B. No luck - still blocked. When I try to open OTH, I get an immediate infected file notice. Same with RKill.

Ok there is more than one way to skin a cat

Do you have access to another computer with a cd burner ? You should be able to access the internet with the Reatogo system

Please print these instruction out so that you know what you are doing

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

[*]Download OTLPENet.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :slight_smile:

[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Drag and drop this attached scan.txt into the Custom scans and fixes box
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

Well… give them some time :slight_smile:

Which is your operational system?
There are some solutions posted here: http://www.softwaretipsandtricks.com/forum/windows-xp/13705-missing-add-remove-programs-option.html
Also http://www.kellys-korner-xp.com/xp_tweaks.htm and http://www.easydesksoftware.com/regtrick.htm

Essexboy & Tech

Thanks for your help. I had to bail out earlier to take care of a business emergency.

Anyway, a colleague of mine who also is a webmaster for several sites has agreed to fix this for me. His skills far exceed mine in this area. Also, his menu of remedies is very similar to yours and he is very familiar with the BankerFox.A problem since he has resolved this for many people.

Thanks again.

Good luck

Start computer in Safe Mode (pressing F8 key) and set an avast boot-time scan (if yoy havent tried this already). Restart computer and let scan run. Move to chest any files brought up in scan.

Then follow directions from Essexboy and see how plan will run

edit - sorry didn’t see second page. Good luck folks.