nucleardiscover network shield message

Hi all

I hope you can help - we are using Avast free version and are receiving a network shield malicious URL blocked, w.nucleardiscover.com:888:888 related to process C:\Users\olvic\AppData\Roaming\cnqsm.exe

We have run a quick scan (found nothing) and a full scan which also found nothing except around 50 files relating to Mozilla Firefox that were apparently “error: archive is password protected”.

Can anyone help?

Thanks

C:\Users\olvic\AppData\Roaming\cnqsm.exe
Can you upload that file to www.virustotal.com and test with 43 malware scanners? When you have the result, copy the URL in the address bar and post it here for us to see.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when he arrives here… usually around 08:00pm - 11:59pm UK time

Thanks Pondus - that’s the thing, I can’t even find this file in Explorer, as attached.

It’s probably me not displaying certain files/folders but I can’t find the option in Windows 7.

Sorry if it’s something easy… :frowning:

How to show hidden files in Windows 7
http://www.bleepingcomputer.com/tutorials/tutorial151.html

Thanks again - ok have found file, and will upload log once I have it from virustotal (getting connection reset message on that site at the moment…)

Many thanks for your help Pondus - couldn’t get onto VirusTotal but I did download MalwareBytes and it found the trojan and has quarantined it and deleted it successfully (along with 34 other files, a memory process, a memory module and a couple of registry keys) as per attached log.

Problem solved, many thanks again. :slight_smile:

Alternative to VirusTotal

Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

I still recommend you run OTL and post the log so Essexboy can check if everything is okay when he arrives here tomorrow.

Thanks - yes Jotti seems to have no problems for me. And I have OTL and ASWMBR on my desktop ready for next time.

Sorry, proper newb. Consider me evangelised… just running OTL now, will post the log as you suggest for completeness.

OTL Logs attached as suggested.

There is probably lots of traffic at VirusTotal tonight as I can’t get the website to load also.

Anyway, check back late tomorrow for Essexboy’s verdict… don’t delete the file in Malwarebytes quarantine, Essexboy may want to have it.

Not a lot there. Do you still get alerts?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2011/08/22 20:21:10 | 000,000,146 | ---- | C] () -- C:\Users\olvic\AppData\Roaming\3v92w6d11.bat

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks Essexboy - no, I’m all good now, no more alerts, but Pondus suggested I post my logs anyway (in case of any residual damage I guess)

No problem, run OTL and hit the cleanup button ;D