Win32/Nuqel.E How to get rid of this.

Box popped up and says INFILTRATION ALERT: your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

DETAILS:
Attack from: 234.150.41.4, port 14622
Attacked port: 14969
Threat: Win32/Nuqel.E

I need help resolving this. The laptop has Avast Internet Security on it and I also have SuperAntiSpyware and Malwarebytes installed. It was saying everything was infected and I couldn't run anything, but now I can for some reason. All these security warnings were popping up wanting me to purchase antivirus software. But they're not popping up anymore for some reason and I don't know why. It's running Win XP Pro with SP3.

Is there anything to download and run that will remove this virus? Thanks for any help.

Hi Honda2010,

The URL is in many blacklists:


If you have sufficient expertise in dealing with program files, system processes, .dll files and registry entries, follow the instructions here:
http://deletemalware.blogspot.com/2010/04/remove-infiltration-alert-win32nuqele.html
and here:
http://deletemalware.blogspot.com/2010/04/how-to-remove-antivirus-suite-fake.html

The associated files to be deleted are listed below:

* %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string].exe
* %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]tssd.exe
* %WINDOWS%\sysguard.exe
* %WINDOWS%\system32\iehelper.dll

The related registry entries to be removed are as follows:

* HKEY_CURRENT_USER\Software\AvSuite
* HKEY_LOCAL_MACHINE\Software\AvSuite
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random string]"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random string]"
* HKEY_CURRENT_USER\Software\AvScan
* HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

polonus
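As an added example (not part of polonus's post or of any tool he links), here is a read-only PowerShell check for the files and registry indicators listed above, so the presence of this rogue can be confirmed before anything is deleted by hand. It assumes PowerShell 2.0 or later is available on the machine; the paths and values are exactly those in the list above.

```powershell
# Added example, not from the forum post: read-only check for the file and
# registry indicators listed above. Nothing is deleted or changed.
# Assumes PowerShell 2.0 or later (an assumption; the thread does not say).
$findings = @()

# Files named in the post
foreach ($f in @("$env:WINDIR\sysguard.exe", "$env:WINDIR\system32\iehelper.dll")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Whole keys the rogue creates
$keys = @(
    'HKCU:\Software\AvSuite', 'HKLM:\Software\AvSuite', 'HKCU:\Software\AvScan',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Key present: $k" }
}

# Values the rogue sets; Bad = $null means any value under that name is reported
$values = @(
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='RunInvalidSignatures'; Bad='1' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name='ProxyServer'; Bad='http=127.0.0.1:5555' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name='LowRiskFileTypes'; Bad='.exe' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name='SaveZoneInformation'; Bad='1' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='system tool'; Bad=$null }
)
foreach ($v in $values) {
    if (-not (Test-Path -LiteralPath $v.Key)) { continue }
    $actual = (Get-Item -LiteralPath $v.Key).GetValue($v.Name)
    if ($actual -ne $null -and ($v.Bad -eq $null -or [string]$actual -eq $v.Bad)) {
        $findings += "Value present: $($v.Key)\$($v.Name) = '$actual'"
    }
}

# The Run entries use random names, so list every entry for manual review
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $rk = Get-Item -LiteralPath $runKey
    foreach ($name in $rk.GetValueNames()) {
        $findings += "Run entry for review: $runKey\$name = $($rk.GetValue($name))"
    }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

The proxy value is the one worth checking first: with "ProxyServer" pointing at 127.0.0.1:5555, all of Internet Explorer's traffic is routed through the rogue's own local listener, which is how it blocks real download sites and injects its own warnings. Note also that the "attack from" address in the alert, 234.150.41.4, lies in the IPv4 multicast range (224.0.0.0/4), which cannot be a unicast source, so the alert is consistent with being generated locally by the rogue rather than by a real network attack.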

Stupid question, but did you update Malwarebytes and run it?

No I didn't. Would this remove it? It was saying everything was infected that you click on, but now it's letting me get into stuff. Should I try this? I don't know about your first post as I'm no expert with computers. Thanks!

No I didn't. Would this remove it?
There is a very good chance it will, so try...

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run Update before you scan so you have the latest database.
Click the Remove Selected button to quarantine anything found.
You may post the scan log here.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4546

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/5/2010 1:50:10 AM
mbam-log-2010-09-05 (01-50-10).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 276893
Time elapsed: 1 hour(s), 32 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\itankxjb (Trojan.FakeAlert.Gen) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My Avast Internet Security found this.

C:/System Volume Information_restore then a bunch of numbers and letters.exe Severity is High. Status Threat:Win32:FakeAlert-PH [Trj] It was moved to chest successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2010 at 02:26 AM

Application Version : 4.34.1000

Core Rules Database Version : 5457
Trace Rules Database Version: 3269

Scan type : Quick Scan
Total Scan Time : 00:12:02

Memory items scanned : 646
Memory threats detected : 0
Registry items scanned : 441
Registry threats detected : 0
File items scanned : 7522
File threats detected : 0

Is there something I can scan with to post a log so someone can verify that my wife's laptop is clean now? I have a DDS log but it won't let me save a GMER log for some reason. We use this for banking and her college and I need it so it's safe to use. It's been down since last Thursday and I need to get it going. It's all working fine now as normal but I need to verify it's clean. Any help is appreciated. Thanks!

Is there something I can scan with to post a log so someone can verify that my wife's laptop is clean now?

Follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4567

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/8/2010 1:40:50 AM
mbam-log-2010-09-08 (01-40-50).txt

Scan type: Quick scan
Objects scanned: 152546
Time elapsed: 9 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I did the OTL the first time and I deleted it all and re-enabled my disc drive that I previously disabled to run the DDS logs, so I redownloaded OTL and ran it again, and it's not giving me the Extras.Txt but gave me the other OTL.Txt.

Hi, there are no indications of a keylogger on your system, and I can see no apparent malware activity. If you wish I can run another programme to give you peace of mind.

That's fine, I will run whatever to make sure it's clean. Just let me know what to run and I will do my best to run it and post it. It seems to be fine now but I'd just like to make sure. Thanks!

Just an FYI. I did a full scan with my AIS and it found nothing. Then I did a Boot Scan with my AIS and it found this and deleted it successfully.

File C:\hp\bin\endprocess.exe infected by win32:killapp-w [PUP]

C:\System Volume Information\restore[A80475B6-CF6D-4B3A-BD21-B167DB5304]\RP60\A0022234.exe Infected by win32:killapp-w [PUP]

It deleted them successfully.

More on win32:killapp:

http://forum.avast.com/index.php?topic=63687.0
http://forum.avast.com/index.php?topic=60681.0

IE8 is much better than IE7:
Stay Safer Online
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx

[b]Increased performance[/b] Internet Explorer 8 includes many performance improvements that contribute to a faster, more responsive web browsing experience in the areas that matter most. Internet Explorer 8 starts quickly, loads pages fast and instantly gets you started on what you want to do next by using a powerful new tab page.
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx
[b]Enhanced tabbed browsing[/b] Have you ever opened a large number of tabs only to find yourself overwhelmed when you go back to review them? Internet Explorer 8 introduces Tab Groups, which make tabbed browsing easier. When one tab is opened from another, the new tab is placed next to the originating tab and color coded, so that you can quickly see which tabs have related content.
http://www.microsoft.com/windows/internet-explorer/features/easier.aspx

OK, let's use the big hammer to ensure nothing is lurking.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is my ComboFix log. Please tell me how to delete ComboFix off my laptop if we're finished with it. I know there is a tool that totally removes it and all its components but I can't remember what it is from the last time I used it on another PC. Thank you very much for all your help.

Please tell me how to delete ComboFix off my laptop if we're finished with it.
I recommend that you wait with doing it until Essexboy says you can remove it....

Click START then RUN.
Now type combofix /u in the Run box and click OK.
Note the space between the X and the /U; it must be there.

Thanks for the info. I will wait till Essexboy gives the OK to uninstall. Thank you guys for all the help.

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 21.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

OK, I did all that you asked in your last post. It's all cleaned up and running better than when it was new. It's very fast. I didn't update Internet Explorer because it doesn't seem to work right with IE8; none of my PCs do. There are always errors, and Yahoo Messenger and all don't seem to work right; that's why 7 is installed. I use Firefox on mine and it's on my wife's, the one you just cleaned for me. I just have to get her to use it all the time.

I installed SpywareBlaster on her laptop and mine as well. Will this program interfere with my Avast Internet Security or any of my other programs? I have Malwarebytes and SuperAntiSpyware also; both are the free version, so I have to update and scan manually myself on both.

The reason my wife got this horrible virus is that when we were at work her nephew got on her laptop and visited about 48 different porn sites. I was going to beat him to death but she wouldn't let me.

I again thank you for all your help and the time you've spent on this. I wish I could learn how to do all this myself someday. THANKS A MILLION!!!