Go Back   Tech Support Forums - TechIMO.com > PC Hardware and Tech > Security and Privacy Issues
Cannot remove spyware (I think it is spyware)

#1 - January 20th, 2005, 07:53 PM
Member (Join Date: Sep 2002, Location: Cumberland MD, Posts: 154)
Cannot remove spyware (I think it is spyware)

On Windows 2000 Server, I have a process called rqyokv.exe. Whenever I stop the process it restarts. I have even deleted the file from the system32 directory and all references to it in the registry, but it keeps coming back. References will reappear in the registry, the file will reappear in the system32 directory and it will reappear as a process in Task Manager. Google is no help. Has anyone seen this? I cannot determine the process that spawns it; I have used Process Explorer from sysinternals.com and it is no help. Under Properties, Process Explorer listed C:\Program Files\Common Files\SYSTEM\Mapi\1033\ as the current directory.

In the registry under the Run folder there is an object called Narrator that has this file as its application. I delete the key and it reappears.

What gives?

Any help would be greatly appreciated.
-- herura
#2 - January 21st, 2005, 09:59 AM
Ultimate Member (Join Date: May 2002, Location: Stow, Ohio, Sol III, Posts: 1,199)
Have you run the basic anti-spyware programs, Ad-Aware and Spybot S&D?

Maybe even try the Microsoft beta Anti-spyware.

If you have, then d/l HijackThis and post your log.
-- nomaxim
#3 - January 21st, 2005, 12:44 PM
Member (Join Date: Sep 2002, Location: Cumberland MD, Posts: 154)
HiJackThis Log

I took your suggestion and here is the log:
Logfile of HijackThis v1.99.0
Scan saved at 11:39:12 AM, on 1/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\WIN2K\System32\termsrv.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\spoolsv.exe
C:\WIN2K\System32\msdtc.exe
C:\WIN2K\System32\svchost.exe
C:\WIN2K\system32\hidserv.exe
C:\WIN2K\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\MSTask.exe
C:\WIN2K\System32\svchost.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\System32\inetsrv\inetinfo.exe
C:\WIN2K\system32\Dfssvc.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WIN2K\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WIN2K\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WIN2K\system32\rqyokv.exe
C:\Data\Install\Old Hard Drive\Ra95\Downloads\Kiss Viewer\PLAYFKISS.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WIN2K\System32\sol.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WIN2K\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\norine.HOME.001\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.straightdope.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {DC5FBA19-7EA3-0909-879A-7BA2DBF73C9B} - C:\WIN2K\system32\ixtaovhq.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\norine.HOME.001\Local Settings\Temp\D.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WIN2K\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2K\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WIN2K\DOWNLO~1\search3.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WIN2K\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Uabrkxe] C:\WIN2K\system32\??chost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NovaNet-WEB Backup Tray Control.lnk = C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/016ee6e3...p/RdxIE601.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5205D90-DAEB-4F39-B74A-622110F83E84}: NameServer = 24.159.0.13,141.157.136.19
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
-- herura
#4 - January 21st, 2005, 01:53 PM
Ultimate Member (Join Date: Oct 2001, Location: Holmen, Wisconsin US, Posts: 2,855)
Get rid of the following lines:

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {DC5FBA19-7EA3-0909-879A-7BA2DBF73C9B} - C:\WIN2K\system32\ixtaovhq.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\norine.HOME.001\Local Settings\Temp\D.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WIN2K\system32\msbe.dll

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WIN2K\DOWNLO~1\search3.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll

O4 - HKCU\..\Run: [Uabrkxe] C:\WIN2K\system32\??chost.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/016ee6e...ip/RdxIE601.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
-- Kuasimodem
#5 - January 22nd, 2005, 10:52 AM
Member (Join Date: Sep 2002, Location: Cumberland MD, Posts: 154)
Thanks for the help. I was able to remove all the items that Kuasimodem suggested, after much work, as HijackThis did not remove all the items for me, but once I removed them all, my system appears clean. It even boots faster!

Thanks Again!
-- herura
#6 - January 22nd, 2005, 11:11 AM
Training for Bankai (Join Date: Jan 2003, Location: Milwaukee, WI, Posts: 5,981)
So what exactly do you look for in these logs?
I would like to post mine as well to be perused, but I feel a bit guilty having someone else do something I should be able to...
-- JPMiller
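Kuasimodem's list in post #4 is, in practice, the answer to JPMiller's question: the entries worth a second look are BHO and toolbar registrations that point at "(no file)", components loaded from a user's Temp folder, Run entries whose target name cannot be read from the log, unknown Winsock LSP files, and ActiveX (O16 DPF) downloads from adware or dialer hosts. The script below is an added example, not code from this thread and not part of HijackThis; it applies those rules to a constructed log in the same format. The allowlist of stock system32 binaries, the file and host blocklists, and the sample log are all constructed from items that appear in this thread and would need to be replaced by a real baseline and a current feed before use.

```python
"""Triage helper for HijackThis-style log lines (Python 3.9+).

Added example, not code from this thread or from HijackThis. It encodes the
kinds of entries Kuasimodem singled out for removal, so the same rules can be
applied to a fresh log without reading it line by line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist: stock Windows 2000 system32 binaries that appear in the
# thread's own log. A real baseline would come from a known-clean reference host.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "termsrv.exe",
    "svchost.exe", "spoolsv.exe", "msdtc.exe", "hidserv.exe", "llssrv.exe",
    "regsvc.exe", "mstask.exe", "dfssvc.exe", "ctfmon.exe", "sol.exe", "notepad.exe",
}
# Constructed blocklists: files and download hosts Kuasimodem told the poster to delete.
BAD_FILES = {"istsvc.exe", "ysb.dll", "search3.dll", "msbe.dll", "calsp.dll", "ixtaovhq.dll"}
BAD_HOSTS = {"ysbweb.com", "advnt01.com"}

# Constructed sample in the shape of the log posted above (shortened).
SAMPLE_LOG = r"""Running processes:
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\rqyokv.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\user\Local Settings\Temp\D.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKCU\..\Run: [Uabrkxe] C:\WIN2K\system32\??chost.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\win2k\system32\calsp.dll
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name, e.g. "unknown-winsock-lsp"
    line: str   # the log line that triggered it


def _basename(path: str) -> str:
    """Last path component, unquoted and lower-cased, for allow/blocklist lookups."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's removal rules to a HijackThis-style log and return findings."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def flag(rule: str, line: str) -> None:
        key = (rule, line.lower())
        if key not in seen:          # O10 LSP lines repeat per protocol; report once
            seen.add(key)
            findings.append(Finding(rule, line))

    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                 # blank line ends the process list
            in_processes = False
            continue
        lower = line.lower()
        if in_processes:
            name = _basename(line)
            if "\\system32\\" in lower and name not in KNOWN_SYSTEM32:
                flag("unexpected-system32-binary", line)   # e.g. rqyokv.exe
            if name in BAD_FILES:
                flag("known-adware-file", line)
            continue
        m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section in ("O2", "O3") and body.endswith("(no file)"):
            flag("orphaned-bho-or-toolbar", line)      # registration with no backing DLL
        if "\\temp\\" in lower:
            flag("component-in-temp-folder", line)     # legitimate add-ins do not live in Temp
        if section == "O4" and "?" in body.split("]", 1)[-1]:
            flag("unreadable-run-target", line)        # '?' means the log hides the real name
        if section == "O10" and lower.startswith("o10 - unknown file in winsock lsp"):
            flag("unknown-winsock-lsp", line)
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if (urlparse(url).hostname or "") in BAD_HOSTS:
                flag("activex-from-blocklisted-host", line)
        if any(bad in lower for bad in BAD_FILES):
            flag("known-adware-file", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.line}")
```

The process-list check is deliberately an allowlist rather than a "random-looking name" heuristic: a name like rqyokv.exe is suspicious only because it is not in the baseline, and a baseline from a clean machine of the same build is the one input a heuristic cannot replace. The O10 lines are deduplicated because HijackThis lists the same LSP once per protocol it hooks.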
#7 - January 22nd, 2005, 01:56 PM
Member (Join Date: Sep 2002, Location: Cumberland MD, Posts: 154)
It's Back!

I think I spoke too soon. Another check revealed the process is back. My HijackThis log looks like this:

Logfile of HijackThis v1.99.0
Scan saved at 12:50:46 PM, on 1/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\WIN2K\System32\termsrv.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\spoolsv.exe
C:\WIN2K\System32\msdtc.exe
C:\WIN2K\System32\svchost.exe
C:\WIN2K\system32\hidserv.exe
C:\WIN2K\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\MSTask.exe
C:\WIN2K\System32\svchost.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\System32\inetsrv\inetinfo.exe
C:\WIN2K\system32\Dfssvc.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WIN2K\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WIN2K\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
C:\WIN2K\system32\rqyokv.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WIN2K\System32\sol.exe
C:\Documents and Settings\norine.HOME.001\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.straightdope.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2K\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WIN2K\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NovaNet-WEB Backup Tray Control.lnk = C:\Program Files\NovaNet-WEB Backup\TrayControl.exe
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
-- herura
#8 - January 22nd, 2005, 02:50 PM
Ultimate Member (Join Date: Jun 2002, Location: Ohio, Posts: 1,349)
One more line bothers me:
C:\WIN2K\System32\sol.exe
Here's the definition and removal proggy of this file.
That rqyokv.exe file sounds like a Trojan. Run your anti-virus program. What is it, by the way?

edit: link fixed
Last edited by cryptoguy: January 22nd, 2005 at 11:30 PM.
-- cryptoguy
#9 - January 22nd, 2005, 05:39 PM
Member (Join Date: Sep 2002, Location: Cumberland MD, Posts: 154)
The SOL.exe program is solitaire. As for antivirus I use Bitdefender. It found nothing.
-- herura
#10 - January 22nd, 2005, 06:37 PM
Ultimate Member (Join Date: Nov 2004, Location: Provo, UT, Posts: 1,337)
Try a different program. Many will find things that others do not (I used 3 spyware searchers).
-- dchw_dude
TechIMO Copyright 2009 All Enthusiast, Inc.