w32.spybot.worm or codq.exe Survived format twice

Status
Not open for further replies.

Eddie_42

Hello,

First post


I got the w32.spybot.worm according to my Norton. I decided that it would be best just to re-format my computer and not worry about fixing it. (I need the re-format anyway...good timing). The virus somehow survived. Now, I can only open task manager or msconfig for about 2 seconds before they close. Other things, like media player and mozilla, run just fine.

I do have a brief minute or two from a fresh boot that will allow me into the task manager. Everything appears normal. Proc sits at 2% use until the worm activates. MSconfig has a process called codq.exe that shows up, I don't know what this is but everywhere I've looked says it's bad.

This thing is taxing my proc. at 100% all the time. I've tried several removal methods and cannot seem to get this fixed.

I also cannot get Norton, or any program for that matter, to install. I did the format off a recovery CD provided by my computer manufacturer. XP home.

Any help would be greatly appreciated.
Eddie
 
Hello and welcome to Techspot.

Go HERE and follow the instructions in the order they are given.

Post a fresh HJT log, only after doing the above.

Regards Howard :wave: :wave:
 
My HJT

Hello,

I followed all the steps above.

Here are my results from Panda:

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@as-us.falkag[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@mediaplex[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@tribalfusion[1].txt
Hacktool:Rootkit/FU.A Not disinfected C:\Documents and Settings\Eddie\msdirectx.sys
Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\msndn.exe
Virus:W32/Gaobot.FED.worm Disinfected C:\WINDOWS\system32\codq.exe
Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\system32\fdhbe_83711.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\system32\i_51507.exe
Hacktool:Rootkit/FU.A Not disinfected C:\WINDOWS\system32\msdirectx.sys


Trend Micro found stuff and deleted most of it, however it could not delete file: TROJ-ROOTKIT.H


There was no detection of Smitfraud, look2me, or vundo.

Attached is my HJT.
 
According to HJT, you haven't properly followed the instructions. As such, even if you got the entries below fixed, I still wouldn't say you were clean because I wouldn't be sure enough. The only thing your HJT log says you have done is a scan with panda. (not everything in the instructions shows up in the log, but we know what does.)

Furthermore, you are not even using XPSP1!!, let alone SP2, and so your computer is just asking for trouble to come and find it. As such, I will identify the entries, but I'm not telling you what to do with them, because there's no point - you'd be back here soon enough with more problems, perhaps even the same ones.

Logfile of HijackThis v1.99.1
Scan saved at 11:35:17 PM, on 5/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\Windows-Anti.exe
O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\Run: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\RunServices: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)

If you would like further help, please update windows and follow the instructions in Howard's post properly.
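
A triage pass over the autorun (O4) and service (O23) lines of the HijackThis log quoted in the post above, as an added example that is not part of the original thread. The function names and the two heuristics (bare file name, same command in several autorun keys) are assumptions chosen for illustration, and the `ExampleApp` line is a constructed benign entry.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log quoted above; the last O4 line is a
# constructed benign entry added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\Run: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\RunServices: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((\w+)\) - (.+?) - (.+?)( \(file missing\))?$")

def parse_autoruns(log):
    """Map each O4 command to the set of registry locations that start it."""
    locations = defaultdict(set)
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, _value_name, command = m.groups()
            locations[command].add(f"{hive}\\{key}")
    return dict(locations)

def triage(log):
    """Return {item: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for command, keys in parse_autoruns(log).items():
        reasons = []
        if "\\" not in command:  # heuristic: resolved via the search path
            reasons.append("bare file name, no full path")
        if len(keys) > 1:        # heuristic: redundant persistence
            reasons.append(f"started from {len(keys)} autorun keys")
        if reasons:
            findings[command] = reasons
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group(5):     # HijackThis appended "(file missing)"
            findings[f"service {m.group(2)}"] = ["service binary missing on disk"]
    return findings

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG).items():
        print(f"{item}: {'; '.join(reasons)}")
```

A flagged entry is a candidate for review, not a verdict: a missing service binary can also be the leftover of an uninstalled product.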
 
There are special instructions for removing TROJ-ROOTKIT.H. Go HERE and follow the instructions.

Then, go HERE and follow the instructions. Once done, follow the rest of the instructions below.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Windows-Anti.exe
codq.exe
msndn.exe

Close task manager.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok.

Compd Service Drivrs
Windows Anti Verifier
msndn

Close the services window.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\Run: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\RunServices: [Windows Anti Verifier] Windows-Anti.exe
O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe

O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\WINDOWS\msndn.exe
C:\WINDOWS\System32\Windows-Anti.exe
codq.exe You will need to search your system for this.

Reboot into normal mode and turn system restore back on.

Update your windows to at least service pack 1 (sp1) and preferably service pack 2 (sp2).

Regards Howard :)
 
fixed some stuff

hello again,

I have updated to SP2. I still can't get my copy of NAV 2005 to install but I did get NAV 2002 installed, updated and run (no viruses).

I booted in safe mode and ran HJT and fixed the codq.exe problems. The windows anti verifier didn't show up this time.

I attached my new HJT.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msndn.exe

Close task manager.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following service (if there) and select stop if it's running. Set the startup type to disabled. Click apply/ok.

Microsoft Networks DN (msndn)

Close the services window.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\WINDOWS\msndn.exe

Reboot into normal mode and turn system restore back on.

Your system should now be clean.


Regards Howard :)
 
Versions of NAV before 2003 are no longer supported by Symantec. You need to uninstall it I'm afraid.

It's probably just as well because NAV/NIS is an awful piece of software anyway. Download and install AVG, which is free.

If you need a firewall, use Zone Alarm, or Sunbelt Kerio. :)
 
I shut off msndn through services.msc.

HJT didn't find it when I did the scan, and it was not in the c:/windows/ folder.

Here's my latest HJT.
 
I also forgot to ask....I am also not a huge fan of NAV. I don't mind paying for a decent piece of software, so is AVG the best choice or should I pay for panda or pc-cillin or some such other program?
 
AVG free and either of the free firewalls Spike recommended are fine. They are much better than any of that Symantec/Norton crapware.

Regards Howard :)
 
If you wanted to pay though, I'd say Kaspersky Antivirus is your best bet, but AVG free is perfectly sufficient, decent, and doesn't cost a penny.

If you go for Kaspersky, download and install the free trial first, just to make sure you aren't buying a product that's somehow incompatible with something else on your system. (Such things do happen with most software from time to time, even good software.)

The same goes for the free firewalls, but if you really wanted one of the best commercial products out there, go for Agnitum outpost Pro.

There's no point in wasting money though, so I'd go with what I mentioned in my first post.
 