TechSpot

w32.spybot.worm or codq.exe Survived format twice

By Eddie_42
May 10, 2006
  1. Hello,

    First post


    I got the w32.spybot.worm according to my Norton. I decided that it would be best just to re-format my computer and not worry about fixing it. (I need the re-format anyway... good timing.) The virus somehow survived. Now, I can only open Task Manager or msconfig for about 2 seconds before they close. Other things, like Media Player and Mozilla, run just fine.

    I do have a brief minute or two from a fresh boot that will allow me into the Task Manager. Everything appears normal. Proc sits at 2% use until the worm activates. msconfig has a process called codq.exe that shows up; I don't know what this is, but everywhere I've looked says it's bad.

    This thing is taxing my proc. at 100% all the time. I've tried several removal methods and cannot seem to get this fixed.

    I also cannot get Norton, or any program for that matter, to install. I did the format off a recovery CD provided by my computer manufacturer. XP Home.

    Any help would be greatly appreciated.
    Eddie
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions in the order they are given.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. Eddie_42

    Eddie_42 TS Rookie Topic Starter Posts: 173

    My HJT

    Hello,

    I followed all the steps above.

    Here are my results from Panda:

    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@as-us.falkag[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@fastclick[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@media.fastclick[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@mediaplex[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Eddie\Cookies\eddie@tribalfusion[1].txt
    Hacktool:Rootkit/FU.A Not disinfected C:\Documents and Settings\Eddie\msdirectx.sys
    Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\msndn.exe
    Virus:W32/Gaobot.FED.worm Disinfected C:\WINDOWS\system32\codq.exe
    Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\system32\fdhbe_83711.exe
    Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
    Virus:W32/SdBot.HEQ.worm Disinfected C:\WINDOWS\system32\i_51507.exe
    Hacktool:Rootkit/FU.A Not disinfected C:\WINDOWS\system32\msdirectx.sys


    Trend Micro found stuff and deleted most of it; however, it could not delete file: TROJ-ROOTKIT.H

    There was no detection of SmitFraud, Look2Me, or Vundo.

    Attached is my HJT.
     
  4. Spike

    Spike TS Evangelist Posts: 2,168

    According to HJT, you haven't properly followed the instructions. As such, even if you got the entries below fixed, I still wouldn't say you were clean because I wouldn't be sure enough. The only thing your HJT log says you have done is a scan with panda. (not everything in the instructions shows up in the log, but we know what does.)

    Furthermore, you are not even using XP SP1!!, let alone SP2, and so your computer is just asking for trouble to come and find it. As such, I will identify the entries, but I'm not telling you what to do with them, because there's no point - you'd be back here soon enough with more problems, perhaps even the same ones.

    If you would like further help, please update Windows and follow the instructions in Howard's post properly.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There are special instructions for removing TROJ-ROOTKIT.H. Go HERE and follow the instructions.

    Then, go HERE and follow the instructions. Once done, follow the rest of the instructions below.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Windows-Anti.exe
    codq.exe
    msndn.exe

    Close task manager.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok.

    Compd Service Drivrs
    Windows Anti Verifier
    msndn

    Close the services window.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
    O4 - HKLM\..\Run: [Windows Anti Verifier] Windows-Anti.exe
    O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
    O4 - HKLM\..\RunServices: [Windows Anti Verifier] Windows-Anti.exe
    O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
    O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe

    O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\msndn.exe
    C:\WINDOWS\System32\Windows-Anti.exe
    codq.exe You will need to search your system for this.

    Reboot into normal mode and turn system restore back on.

    Update your Windows to at least Service Pack 1 (SP1) and preferably Service Pack 2 (SP2).

    Regards Howard :)
     
  6. Eddie_42

    Eddie_42 TS Rookie Topic Starter Posts: 173

    Fixed some stuff

    Hello again,

    I have updated to SP2. I still can't get my copy of NAV 2005 to install, but I did get NAV 2002 installed, updated and run (no viruses).

    I booted in safe mode and ran HJT and fixed the codq.exe problems. The Windows Anti Verifier didn't show up this time.

    I attached my new HJT.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    msndn.exe

    Close task manager.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following service (if there) and select stop if it's running. Set the startup type to disabled. Click apply/ok.

    Microsoft Networks DN (msndn)

    Close the services window.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\msndn.exe

    Reboot into normal mode and turn system restore back on.

    Your system should now be clean.


    Regards Howard :)
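A read-only check of the same persistence points that Howard's instructions in posts 5 and 7 walk through (the HKLM/HKCU Run and RunServices values, the msndn service, and the dropped files), as an added example that is not part of the thread. It assumes Windows PowerShell 3.0 or later on a current Windows system (Get-CimInstance did not exist on the XP box in the thread) and an elevated prompt; it only reports, so the findings can be compared with the HJT log before anything is removed.

```powershell
# Added example, not the thread's own instructions: audit the autorun values,
# service and files named in the thread. Reports only; deletes nothing.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

$autorunValueNames = @('Compd Service Drivrs', 'Windows Anti Verifier')
$droppedFileNames  = @('codq.exe', 'Windows-Anti.exe', 'msndn.exe')
$knownPaths        = @('C:\WINDOWS\msndn.exe', 'C:\WINDOWS\System32\Windows-Anti.exe')

# The four keys HJT abbreviates in its O4 lines as HKLM\..\Run, HKLM\..\RunServices, etc.
$autorunKeys = 'HKLM', 'HKCU' | ForEach-Object {
    "$($_):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$($_):\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
}

function Find-Autoruns {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }              # RunServices is often absent on NT systems
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }              # skip PowerShell's own metadata properties
            $byName = $autorunValueNames -contains $p.Name
            $byData = @($droppedFileNames | Where-Object { "$($p.Value)" -like "*$_*" }).Count -gt 0
            if ($byName -or $byData) {
                [pscustomobject]@{ Type = 'Autorun'; Location = $key; Detail = "$($p.Name) = $($p.Value)" }
            }
        }
    }
}

function Find-Services {
    # The O23 entry: service name msndn, image C:\WINDOWS\msndn.exe
    $svc = Get-CimInstance Win32_Service -Filter "Name='msndn'"
    if ($svc) { [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Detail = "$($svc.State), start=$($svc.StartMode), image=$($svc.PathName)" } }
}

function Find-Files {
    foreach ($path in $knownPaths) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$((Get-Item -LiteralPath $path -Force).Length) bytes" }
        }
    }
    # codq.exe has no fixed path in the thread ("search your system for this").
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'codq.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" } }
}

$findings = @(Find-Autoruns) + @(Find-Services) + @(Find-Files)
if ($findings.Count -eq 0) { 'None of the indicators from the thread were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once from normal mode and once from safe mode: a service or file that only shows up in safe mode is what the rootkit entries in the Panda results would hide while the system is running normally.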
     
  8. Spike

    Spike TS Evangelist Posts: 2,168

    Versions of NAV before 2003 are no longer supported by Symantec. You need to uninstall it I'm afraid.

    It's probably just as well because NAV/NIS is an awful piece of software anyway. Download and install AVG, which is free.

    If you need a firewall, use Zone Alarm, or Sunbelt Kerio. :)
     
  9. Eddie_42

    Eddie_42 TS Rookie Topic Starter Posts: 173

    I shut off msndn through services.msc.

    HJT didn't find it when I did the scan, and it was not in the c:/windows/ folder.

    Here's my latest HJT.
     
  10. Eddie_42

    Eddie_42 TS Rookie Topic Starter Posts: 173

    I also forgot to ask... I am also not a huge fan of NAV. I don't mind paying for a decent piece of software, so is AVG the best choice or should I pay for Panda or PC-cillin or some such other program?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Regards Howard :)
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    AVG free and either of the free firewalls Spike recommended are fine. They are much better than any of that Symantec/Norton crapware.

    Regards Howard :)
     
  13. Spike

    Spike TS Evangelist Posts: 2,168

    If you wanted to pay though, I'd say Kaspersky Antivirus is your best bet, but AVG free is perfectly sufficient, decent, and doesn't cost a penny.

    If you go for Kaspersky, download and install the free trial first, just to make sure you aren't buying a product that's somehow incompatible with something else on your system. (Such things do happen with most software from time to time. Even good software.)

    The same goes for the free firewalls, but if you really wanted one of the best commercial products out there, go for Agnitum Outpost Pro.

    There's no point in wasting money though, so I'd go with what I mentioned in my first post.
     