Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

All sorts of crazy stuff is happening!

Started by xnarg , Mar 26 2005 09:47 PM

  • Please log in to reply

#1
xnarg
Posted 26 March 2005 - 09:47 PM

xnarg

    Member

  • Member
  • PipPip
  • 13 posts
I had a coolWWWsearch and other spyware problems yesterday. I tried to remove them and succeeded in removing most but couldn't get some of the more stubborn programs removed. Things eventually became worse and I lost my internet connection and my computer just froze up.
I figured there was nothing I could do, so I reformatted my whole computer, and reinstalled windows XP. Just as windows was fully installed and everything was setup, all the spyware came back and my computer began to freeze up and crash again. I reformatted it once more and now I think i've removed all of the major spyware programs, but weird things are still happening.

Current problems:
When I hit CTRL+ALT+DEL the task manager won't stay open for more than a split second, I can't dowload CA's EZ Armor(was using it before the reformat), and HijackThis will open for a split second and then close, also.

I've used Ad-Aware, Spybot S&D, and have the free AVG up right now along with SpyBlaster. i would have posted a HijackThis Log, but I can't get it to even stay opened.

Thanks in Advance
  • 0

Advertisements

#2
xnarg
Posted 27 March 2005 - 12:19 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I just got HJT to work. Someone please tell me what to delete, i don't want to delete anything i'm not suppose to! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:57 PM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\userinit32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\winupdate32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Grant Kirkland\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Update] winupdate32.exe
O4 - HKLM\..\Run: [bheeCUc7E] C:\WINDOWS\qdcflgb.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\Run: [bh$æÆõö/ØG%)ßfÏNb½C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qdcflgb.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winupdate32.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [Microsoft Update] winupdate32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunServices: [Microsoft Update] winupdate32.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivrs] copq.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111887185039
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
  • 0

#3
xnarg
Posted 28 March 2005 - 02:41 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I just reformatted my computer again. I think I have removed all of the spyware, but I have a trojan which is causing regedit, msconfig and task manager to close. I can't find it's name, but it adds a file called "msdirectx.sys" in my documents. Here is my new HJT log. Someone please help....

Logfile of HijackThis v1.99.1
Scan saved at 2:36:48 PM, on 3/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nokiaay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\smrrs.exe
C:\WINDOWS\System32\copq.exe
C:\WINDOWS\System32\winmap.exe
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\copq.exe
C:\HJT\HijackThis2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Ethernet Drivers] smrrs.exe
O4 - HKLM\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\Run: [xteamf0r] nokiaay.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] winmap.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Ethernet Drivers] smrrs.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\RunServices: [xteamf0r] nokiaay.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winmap.exe
O4 - HKLM\..\RunOnce: [xteamf0r] nokiaay.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] winmap.exe
O4 - HKCU\..\Run: [xteamf0r] nokiaay.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\RunOnce: [xteamf0r] nokiaay.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#4
xnarg
Posted 28 March 2005 - 03:30 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I did some research on the msdirects.sys file that was showing up in my documents.
Turns out is called Trojan.Win2K.Rootkit. I don't even know where to start to remove something like this... Any :tazz: would be great. ;)
  • 0

#5
aparis99
Posted 29 March 2005 - 03:51 PM

aparis99

    New Member

  • Member
  • Pip
  • 2 posts
For two days, a few of us here at work have been dealing with a factories PC's, They have a crazy insane virus... its COPQ.exe, and u have it, this is the only thing that i found on the internet about it so...

Compaq Service Drivrs - copq.exe is a virus, spreads thru networks quick

msconfig entries, registry entries, alt ctrl del disabled, regedit disabled etc etc...

We are having a hard time removing this but we are making progress...
  • 0

#6
xnarg
Posted 29 March 2005 - 07:17 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I did a total reformat last night and got rid of the msdirectx.exe thing.
Now I have something showing up in my task manager called "hwclock.exe".
It seems to be shutting off IE control panel, task manager, and reg. edit.
I have firefox and eTrust CA firewall right now so I can stil access everything but I'm not sure for how much longer I iwll be able to...
Anyone know anything about this?

It seems I'm just going from one problem to another.....
  • 0

#7
aparis99
Posted 30 March 2005 - 08:29 AM

aparis99

    New Member

  • Member
  • Pip
  • 2 posts
how do i edit my posts?
  • 0

#8
noble-pc.com
Posted 30 March 2005 - 10:45 AM

noble-pc.com

    New Member

  • Member
  • Pip
  • 2 posts
I had a computer come in yesturday with this copq.exe virus and yes it appears to be a difficult one... so far I have deleted every instance of it in the registry before doing this i changed the name of the folder it was located in so when i deleted it it wouldnt refer right back to it... I also deleted the exe before I put the hard drive back in the computer i did a scan from a different computer first... I turned off system restore almost themost important step always!! I also deleted it from msconfig and I also used HJT to delete any instance of it.. along with almost all other things HJT found... Right now I am doing a virus scan with the machine running to see if there are any traces left of this virus... hopefully it comes up negative then I will reboot and as long as one of the folders i changed them name doesnt give me heck Iw ill be able to boot in change the folders names back.. and the virus should be gone... hopefully.. I also ran cwshredder i isntall ccleaner and ran it also... the more removal tools you use the better your chances of sucess... then once you think its gone... reboot 5 or 6 times with system restore off then... check for the virus using virus program and HJT also search the registry one more time.. if it does not show up I think your golden :tazz:
  • 0

#9
noble-pc.com
Posted 30 March 2005 - 01:21 PM

noble-pc.com

    New Member

  • Member
  • Pip
  • 2 posts
oh yeah make sure you write down all folder names you change and where they are located so you can change them back once you delete the copq.exe file from each one... if you do not you will get an error at start up...
  • 0

#10
xnarg
Posted 30 March 2005 - 03:56 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

how do i edit my posts?

View Post


I don't know....

And thanks for the advice, but I got tired of dealing with it and just reformatted again...for the 8th time lol. Anyway, I found a free firewall from CA and so far I haven't been infected with anymore viruses(sp?) or trojans.
I don't know much about firewalls, so can someone name a few good ones so I'll know what to look for after this free trial is up?

-Thanks
  • 0

#11
insipid
Posted 03 April 2005 - 06:20 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
xnarg, I just came across your post at Spywareinfo, and found this post in the process of giving it the once-over. It's unfortunate, but there are so many victims that the limited number of qualified helpers can't keep up with demand, though we do try. I see you've reformatted, which is also unfortunate, because I would have responded to your log today and we could have gotten you cleaned up. I will post at SWI that this is resolved, so no other helpers spend time on it.

About all I can do now is give you some advice to help prevent these sort of problems. Please note that this advice accurately describes my own security strategy. It works.

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupd...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one . Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall
For ease of use, I recommend Zonealarm.

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.
  • 0

#12
xnarg
Posted 06 April 2005 - 03:12 PM

xnarg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

xnarg, I just came across your post at Spywareinfo, and found this post in the process of  giving it the once-over.  It's unfortunate, but there are so many victims that the limited number of qualified helpers can't keep up with demand, though we do try.  I see you've reformatted, which is also unfortunate, because I would have responded to your log today and we could have gotten you cleaned up.  I will post at SWI that this is resolved, so no other helpers spend time on it.

About all I can do now is give you some advice to help prevent these sort of problems.  Please note that this advice accurately describes my own security strategy.  It works.

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is  extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupd...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one .  Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall
For ease of use, I recommend Zonealarm.

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D  regularly to scan your system.  Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser.  Firefox is a free fully functional browser.  It's much safer than Internet Explorer.

View Post


Thanks for the offer to help, but I had nothing on my computer to lose so I just figured I might as well just reformat to save time.
I'm using a free anti-virus and firewall from CA which seems to be working well. I've downloaded and installed all updates for windows and IE. I've got Spyblaster going and run Ad-aware and Spybot S&D each night. I use firefox browser now also.

I've had this computer for 5 years and this is the first spyware infection I wasn't able to solve myself, so I guess it was just bound to happen sometime.

-Thanks :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP