[Solved] Bankerfox A/win32 nuqel/Spyware protector 2009/error 1068

Post by screamer on Tue Feb 03, 2009 5:46 pm

Hey! I really hope you can help! My PC started to not open Spybot around a week ago (though I think it was still running in the background). I got infected with Spyware Protector 2009/Bankerfox A/Win32 Nuqel. I then couldn't get on the internet and couldn't open my hard drive (C:) with this error: "Windows cannot find RECYCLER\S-6-4-23-100025934-100004717-100006476-9345.com. Make sure you typed the file name correctly, and then try again. To search for a file, click the Start button and then click Search." And then it wouldn't load any virus/spyware software I have (AVG 8, and would open Spybot still).

I then thought I would check out the problem using another PC I have (not connected to the net) to run Webroot Spy Sweeper (I connect the hard drive of the ill PC to the healthy PC using one of those things that plugs into the hard drive and lets you connect it to another PC via USB). It found a rootkit and I removed it, and it prompted me to restart. During start-up all this code came on. Now on my healthy PC I get the same message as the ill one when I try to get into my hard drive (even after disconnecting from USB). Now I think the healthy PC is messed up!

Connecting the ill one back up, I then ran Malwarebytes and it found a load of stuff, like loads of trojans. I quarantined them.

SPYWARE PROTECTOR/BANKERFOX A/WIN32 NUQEL seems to be gone.

I still can't get into my hard drive. And I notice that network adapters, along with loads of other services, seem to be gone. Tried the Winsock reset trick, no luck.

Then tried System Restore and nothing happened. Downloaded "helpsvc" from somewhere and put it back in, but it still won't load Help and Support.

I ran services.msc and it says most of the services have stopped. When I try to turn them back on it says error 1068, or sometimes error 2.

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:05, on 03/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltaIITray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\PixArt\PAC7311\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Mr Ellaway\Desktop\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [PAC7311_Monitor] C:\WINDOWS\PixArt\PAC7311\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\MRELLA~1\LOCALS~1\Temp\IXP002.TMP\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-1004\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H (User '?')
O4 - HKUS\S-1-5-21-1659004503-789336058-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-21-1659004503-789336058-725345543-1004 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: avg8emc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: avg8wd - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: BITS - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Browser - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Dhcp - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Dot3svc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: EapHost - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: ERSvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Eventlog - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: gusvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: HidServ - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: hkmsvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: idsvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: iPod Service - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: KService - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: lanmanworkstation - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: MSIServer - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: napagent - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: NetDDEdsdm - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Netlogon - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Netman - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Nla - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: NtLmSsp - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: NtmsSvc - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: ose - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: PlugPlay - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: PolicyAgent - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: ProtectedStorage - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: RasAuto - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11190 bytes

screamer | Novice | Posts: 11 | Joined: 2009-02-03 | OS: Windows XP SP3
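The O23 section of the log above is the part a responder would look at first: almost every service, including core ones such as DcomLaunch, Eventlog, PlugPlay and CryptSvc, now points at the same non-existent file under C:\WINDOWS\TEMP. The script below is an added example, not part of the original thread and not a HijackThis feature, that parses O23 lines and flags that pattern. Its thresholds (a binary under a temp directory, a .tmp extension, "(file missing)", and three or more services sharing one path) are this script's own heuristics. The sample lines are excerpted from the log above, except the Webroot line, which is a constructed, simplified version of the garbled one in the log.

```python
"""Flag a mass service ImagePath hijack in HijackThis O23 lines.

Added example; it is not part of the original thread and not a HijackThis
feature. The thresholds and heuristics are this script's own assumptions.
"""
import re
from collections import defaultdict

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\", "\\tmp\\")
SHARED_PATH_THRESHOLD = 3   # assumption: >= 3 unrelated services on one binary is a hijack

SAMPLE_O23 = [
    r"O23 - Service: Adobe LM Service - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)",
    r"O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe",
    r"O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)",
    r"O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)",
    r"O23 - Service: Eventlog - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)",
    r"O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\VRT31.tmp (file missing)",
    # constructed: simplified from the garbled Webroot line in the log above
    r"O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe",
]


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path").strip(),
        "missing": m.group("missing") is not None,
    }


def score_service(svc):
    """Per-service reasons that do not depend on the other services."""
    reasons = []
    low = svc["path"].lower()
    if any(d in low for d in TEMP_DIRS):
        reasons.append("binary lives in a temp directory")
    if low.endswith(".tmp"):
        reasons.append("service binary has a .tmp extension")
    if svc["missing"]:
        reasons.append("file missing")
    return reasons


def triage_services(lines):
    """Parse O23 lines, flag suspicious services and find the dominant binary path."""
    services = [s for s in (parse_o23(line) for line in lines) if s]
    by_path = defaultdict(list)
    for s in services:
        by_path[s["path"].lower()].append(s["name"])

    flagged = {}
    for s in services:
        reasons = score_service(s)
        shared = by_path[s["path"].lower()]
        if len(shared) >= SHARED_PATH_THRESHOLD:
            reasons.append(f"path shared by {len(shared)} services")
        if reasons:
            flagged[s["name"]] = reasons

    # A *mass* rewrite shows up as one path owning most of the service table.
    dominant_path, dominant_names = max(by_path.items(), key=lambda kv: len(kv[1]))
    return {
        "services": services,
        "flagged": flagged,
        "dominant_path": dominant_path,
        "dominant_count": len(dominant_names),
    }


if __name__ == "__main__":
    result = triage_services(SAMPLE_O23)
    print(f"{result['dominant_count']} of {len(result['services'])} services point at "
          f"{result['dominant_path']}")
    for name, reasons in result["flagged"].items():
        print(f"  {name}: {'; '.join(reasons)}")
```

On a live XP box the same check is done against HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath rather than a HijackThis export. The two error codes the poster saw follow directly from this pattern: a service whose ImagePath does not exist fails with error 2 (ERROR_FILE_NOT_FOUND), and anything that depends on such a service fails with error 1068 (ERROR_SERVICE_DEPENDENCY_FAIL). Because the log no longer shows the original ImagePath values, restoring dozens of core services by hand is a rebuild in all but name, which is why the helper below recommends a format.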


Post by Belahzur on Tue Feb 03, 2009 5:49 pm

Moved to malware removal zone.
Post coming up, hang on.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur | Administrator | Posts: 34916 | Joined: 2008-08-03 | OS: XP SP3 Media Centre


Post by Belahzur on Tue Feb 03, 2009 5:53 pm

Hello.
Sorry, but there is no way of fixing this.
See here:
[You must be registered and logged in to see this link.]

A format is the only option.




Post by screamer on Tue Feb 03, 2009 6:22 pm

Thank you so much for your time - do you think this is solvable without a re-format? MBAM scan was clean.
Here is the DDS as requested.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Mr Ellaway at 18:16:14.48 on 03/02/2009
Internet Explorer: 7.0.5730.13
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [BJCFD] "c:\program files\broadjump\client foundation\CFD.exe"
mRun: [Easy-PrintToolBox] "c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE" /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [PAC7311_Monitor] c:\windows\pixart\pac7311\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [wextract_cleanup1] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\mrella~1\locals~1\temp\ixp002.tmp\"
StartupFolder: c:\docume~1\mrella~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-03 13:38 268 a---h--- C:\sqmdata06.sqm
2009-02-03 13:38 244 a---h--- C:\sqmnoopt06.sqm
2009-02-03 13:25 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX
2009-02-03 12:29 268 a---h--- C:\sqmdata05.sqm
2009-02-03 12:29 244 a---h--- C:\sqmnoopt05.sqm
2009-02-03 11:02 268 a---h--- C:\sqmdata04.sqm
2009-02-03 11:02 244 a---h--- C:\sqmnoopt04.sqm
2009-02-02 23:27 --d----- c:\docume~1\mrella~1\applic~1\Malwarebytes
2009-02-02 23:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 23:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 23:27 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 23:27 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-01 23:14 133,254 a------- c:\windows\Promo3-Is_it_safe.png
2009-02-01 23:14 289,840 a------- c:\windows\Promo2-Petri.png
2009-02-01 23:14 298,242 a------- c:\windows\Promo1-map.png
2009-02-01 23:12 103,424 a------- C:\byptemd.exe
2009-02-01 23:11 40,448 a------- C:\txxsv.exe
2009-02-01 23:11 2 a------- C:\81138942
2009-02-01 23:11 --d----- c:\docume~1\mrella~1\applic~1\cogad
2009-02-01 23:11 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-02-01 23:11 184,322 a------- c:\windows\system32\Updater.exe
2009-01-06 15:20 --d----- c:\program files\Smilebox
2009-01-06 15:19 --d----- c:\docume~1\mrella~1\applic~1\Smilebox

==================== Find3M ====================

2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-08-13 20:00 938 a------- c:\program files\test.htm
2008-10-04 02:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 18:16:41.35 ===============

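The "Created Last 30" section of the DDS log above shows what the O23 lines only imply: a burst of files landing between 23:11 and 23:14 on 2009-02-01, including two executables and an extensionless marker file dropped straight into the root of C:. The script below is an added example, not part of the original thread and not a DDS feature; it parses those timestamped lines, groups them into creation bursts, and flags any burst that drops executables (or extensionless files) in a drive root. The five-minute window and the root-drop rule are this script's own heuristics. The sample lines are excerpted from the DDS log above.

```python
"""Cluster the DDS "Created Last 30" listing into bursts and flag root-level drops.

Added example; not part of the original thread and not a DDS feature. The
window size and the root-drop heuristic are this script's own assumptions.
"""
import re
from datetime import datetime, timedelta

# "YYYY-MM-DD HH:MM [size] <8-char attribute flags> <path>"
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attr>[a-z-]{8})\s+(?P<path>.+)$"
)
ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)      # e.g. C:\txxsv.exe
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".dll", ".sys", ".bat", ".cmd")

# Excerpted from the DDS log above (order as posted: newest first).
SAMPLE_DDS = r"""
2009-02-03 13:38 268 a---h--- C:\sqmdata06.sqm
2009-02-03 13:38 244 a---h--- C:\sqmnoopt06.sqm
2009-02-02 23:27 --d----- c:\docume~1\mrella~1\applic~1\Malwarebytes
2009-02-02 23:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 23:27 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 23:14 133,254 a------- c:\windows\Promo3-Is_it_safe.png
2009-02-01 23:14 289,840 a------- c:\windows\Promo2-Petri.png
2009-02-01 23:14 298,242 a------- c:\windows\Promo1-map.png
2009-02-01 23:12 103,424 a------- C:\byptemd.exe
2009-02-01 23:11 40,448 a------- C:\txxsv.exe
2009-02-01 23:11 2 a------- C:\81138942
2009-02-01 23:11 --d----- c:\docume~1\mrella~1\applic~1\cogad
2009-02-01 23:11 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-02-01 23:11 184,322 a------- c:\windows\system32\Updater.exe
2009-01-06 15:20 --d----- c:\program files\Smilebox
""".strip().splitlines()


def parse_dds(lines):
    """Parse DDS file-listing lines into dicts sorted oldest-first."""
    entries = []
    for line in lines:
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M"),
            "is_dir": "d" in m["attr"],
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "path": m["path"].strip(),
        })
    return sorted(entries, key=lambda e: e["when"])


def cluster_bursts(entries, window_minutes=5):
    """Group consecutive entries whose creation times are within the window."""
    gap = timedelta(minutes=window_minutes)
    clusters = []
    for e in entries:
        if clusters and e["when"] - clusters[-1][-1]["when"] <= gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def suspicious_drops(cluster):
    """Files created directly in a drive root that are executable or have no extension."""
    hits = []
    for e in cluster:
        if e["is_dir"] or not ROOT_FILE.match(e["path"]):
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if name.endswith(EXEC_EXT) or "." not in name:
            hits.append(e["path"])
    return hits


def triage_created(lines, window_minutes=5):
    """One summary dict per burst: start time, entry count and flagged root drops."""
    return [
        {"start": c[0]["when"], "count": len(c), "drops": suspicious_drops(c)}
        for c in cluster_bursts(parse_dds(lines), window_minutes)
    ]


if __name__ == "__main__":
    for burst in triage_created(SAMPLE_DDS):
        flag = "  <-- root-level drops: " + ", ".join(burst["drops"]) if burst["drops"] else ""
        print(f"{burst['start']:%Y-%m-%d %H:%M}  {burst['count']:2d} files{flag}")
```

The Malwarebytes burst on 2009-02-02 is a useful negative case: five files in one minute, but all under Program Files, Application Data and system32\drivers, and none flagged. The 2009-02-01 burst is the infection window, and its timestamp is the pivot for any further timeline work (prefetch, event logs, browser history).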


Post by Belahzur on Tue Feb 03, 2009 6:24 pm

Hello.
Nope, no way of fixing it.
If we fix the malicious services, it will wreck your machine.
If we don't fix the services, the malware will remain.

Either way, we can't do anything.
I edited my first post, see there, I have included a link to a topic with your infection someone else had.




Post by screamer on Tue Feb 03, 2009 6:41 pm

oh dear...thank you so much for your help anyway.



Post by Belahzur on Tue Feb 03, 2009 6:50 pm

See these links on info for backing up and formatting.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]




Post by screamer on Tue Feb 03, 2009 7:20 pm

Reading my first post, is there a probability that the other PC (the one I used to get rid of a rootkit off the ill PC) is infected? Because it gives me the RECYCLER message that the dead one gives. And if so, how can I back up my files onto an external hard drive without the infection spreading there? Do these infections really just get passed from machine to machine simply by connecting via USB? I hope not; the other PC is my main working one, which is why I never connect it to the net...



Post by Belahzur on Tue Feb 03, 2009 7:27 pm

Yep, it's called a flash drive infection.
We need to clean the stick.
Plug it into the infected machine, this one that is pretty much useless right now.

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now open my computer again, right click the stick drive > Explore
If there's an autorun.inf file on the stick, delete it.
Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


The stick should be protected now.


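The mechanism behind the "Windows cannot find RECYCLER\S-6-4-23-...com" message from the first post is an autorun.inf in the drive's root whose open/shell entries point at a payload hidden under RECYCLER; once a scanner deletes the payload, opening the drive still runs the autorun entry and Explorer complains that the file is missing. The script below is an added example, not the Flash_Disinfector tool named in the post and not part of the original thread. It parses an autorun.inf, reports what would run when the drive is opened, and applies the same protection the post describes (replace the file with a directory of the same name). SAMPLE_AUTORUN is constructed around the path quoted in the first post; the real file from that machine is not on the page. The suspicious-folder list and the SID plausibility check are this script's own heuristics.

```python
"""Inspect a drive-root autorun.inf and replace it with a protective directory.

Added example; not the Flash_Disinfector tool from the post and not part of
the original thread. Heuristics here are this script's own assumptions.
"""
import os
import re
import subprocess
import sys
import tempfile

# Keys that make Explorer execute something when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
SUSPICIOUS_DIR = re.compile(
    r"(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Genuine RECYCLER\<SID> folders are named after a local/domain user SID.
SID_RE = re.compile(r"S-1-5-21(-\d+){4}")

# Constructed sample, built around the path quoted in the first post.
SAMPLE_AUTORUN = r"""
[autorun]
open=RECYCLER\S-6-4-23-100025934-100004717-100006476-9345.com
shell\open=Open
shell\open\command=RECYCLER\S-6-4-23-100025934-100004717-100006476-9345.com
shell\explore\command=RECYCLER\S-6-4-23-100025934-100004717-100006476-9345.com
shell=open
"""


def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section; worm-written files often carry junk."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return (entries, findings): what the file launches and why it is suspicious."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if not target:
            continue
        if SUSPICIOUS_DIR.search(target):
            findings.append(f"{key}: payload hidden under a recycle-bin/system folder ({target})")
        elif target.lower().endswith(EXEC_EXT):
            findings.append(f"{key}: runs an executable ({target})")
    default_verb = entries.get("shell", "").lower()
    if default_verb and f"shell\\{default_verb}\\command" in entries:
        findings.append(f"default verb '{default_verb}' is redirected, "
                        "so double-clicking the drive runs the payload")
    return entries, findings


def recycler_subfolder_is_plausible(path):
    """False when a RECYCLER subfolder is not named like a user SID (S-1-5-21-...)."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if "recycler" not in lowered:
        return True          # heuristic does not apply outside RECYCLER
    i = lowered.index("recycler")
    return i + 1 < len(parts) and SID_RE.fullmatch(parts[i + 1]) is not None


def protect_root(root):
    """Delete autorun.inf under root and create a directory of that name instead.

    Explorer does not parse a directory as an autorun file, and a plain file
    write cannot silently overwrite a directory. On Windows the attributes are
    cleared before deletion and set (+r +s +h) on the new directory.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        if sys.platform == "win32":
            subprocess.run(["attrib", "-r", "-s", "-h", path], check=False)
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
        if sys.platform == "win32":
            subprocess.run(["attrib", "+r", "+s", "+h", path], check=False)
    return os.path.isdir(path)


def protect_root_demo():
    """Exercise protect_root on a throwaway directory seeded with SAMPLE_AUTORUN."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        ok = protect_root(root)
        return ok and not os.path.isfile(os.path.join(root, "autorun.inf"))


if __name__ == "__main__":
    _, findings = autorun_findings(SAMPLE_AUTORUN)
    for f in findings:
        print("-", f)
    print("protection demo:", protect_root_demo())
```

Two caveats a practitioner would add to the post above. First, the folder name in the error is itself a tell: real RECYCLER subfolders are named after the owning user's SID, and the log shows this machine's SID as S-1-5-21-1659004503-789336058-725345543-1004, so "S-6-4-23-..." is not a recycle bin of any user on the box. Second, the dummy directory only blocks the autorun.inf file; on XP the underlying behaviour can be disabled outright with the NoDriveTypeAutoRun value (0xFF) under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is the setting to apply on the "healthy" machine before any more drives are plugged into it.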


Post by screamer on Tue Feb 03, 2009 7:42 pm

Oh no! OK... I'll do that with my stick. Sorry to be a pain... But if my other PC is infected and it's not connected to the internet, then is there still any risk of the system crashing/messing up etc.? I have zero experience with this kind of thing. Mind if I post a HijackThis log for the other one?



Post by Belahzur on Tue Feb 03, 2009 8:11 pm

Yes, sure.
Do the F_D on the infected stick in the infected machine first, then post a log from the other machine in a new topic.




Post by Doctor Inferno on Sat May 09, 2009 10:12 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno | Administrator | Posts: 12017 | Joined: 2007-12-26 | OS: Windows 7 Home Premium and Ultimate x64
