spybot,adware,hijack????

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
We are running XP Prof.

son did homework, now the homepage and browser have changed. spy I assume. found lycos ieagent in program files, won't delete. can't seem to find anything in remove programs. IE directs to freeeesearch. can't seem to go to spybot, adware, hijack or such due to it giving me a "can't display page" and then redirects to freeesearch. also, not sure if related.....when I start up the PC, a system32 window is popped up and open with a file highlighted (I think I remember it to be 1052 ??)
 
Joined
Oct 9, 2001
Messages
9,396
Yes... it's related.
If you email me HERE
with an outline of the problem I'll send you the programs you need.
;)
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
Logfile of HijackThis v1.97.7
Scan saved at 2:35:29 PM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\okgpncsk.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38070.8152662037
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

(y) (n) :confused:
 
Joined
Jul 26, 2002
Messages
46,353
Hi Rondi

Welcome to TSG! :)

I have merged your new thread with your original thread. Please make all posts regarding this matter in this thread.
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
GOT IT!
just keep replying .........
new problem...new thread!

OOO she's catching on :p (y)
 
Joined
Jul 26, 2002
Messages
46,353
First please do this:

Navigate to the C:\Windows\system32 folder and locate the skymdve.exe file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder.

Now please do the same with the C:\WINDOWS\okgpncsk.exe file.

Attach copies of those zipped folders and send them to me here. Please include a link to this thread so I'll remember where they came from.

These files may be hidden, so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"

O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe


Restart to safe mode.

How to start your computer in safe mode

Now find and delete:

The C:\WINDOWS\okgpncsk.exe file
The C:\WINDOWS\System32\skymdve.exe file
The C:\WINDOWS\System32\f~a folder

I can't say what the exact name of this last folder is, but it will contain this file: ra32.exe. Probably the easiest way to find the folder is to go to Start > Search and, under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders". In the "Look in" box choose "Drive C:".
In the "All or part of the file name" box type:

ra32.exe

Click Search. Whatever folder that file is found in, delete the folder. (Not the System32 folder, but the f~a sub-folder.)

This is a password stealing trojan, so if I were you I'd change all my critical passwords, particularly the financial ones.

See here:

http://vil.nai.com/vil/content/v_101037.htm
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
so far so good......... what are these two applications? I've noticed they are both created on dates the PC was worked on, just curious. also, I'm zipping and sending a copy but should I keep my copy 'til you check it out or just dump it?

while zipping it asked if I want compressed files handled by zip or something like that. I said no. Is that okay?

also, now that I see a zip copy as well as the orig., will I be dumping both of my copies or keeping which one?
 
Joined
Jul 26, 2002
Messages
46,353
Go ahead and dump the original and keep the zips for now, just in case. I'm not sure exactly what they are, but I'm about 99.99% sure they are some kind of malware.
 
Joined
Jul 26, 2002
Messages
46,353
Also I notice that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

http://forums.techguy.org/t110854/s.html
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
just realized what I have zipped is the icons that say: skymdve and okgpncsk. there is no .exe

is this right?
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
no wonder my computer guy went back to argentina.....took McAfee and gave me malware.
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
Please.....could you look at log.....please.

1. went in safe mode, looked under C:\windows\system32... can't find a folder that might match f~a. Then manually (4 1/2 hrs) looked through everything, can't find any ra32.exe. I did "search" before this, it found it but then a note popped up, saying something about time running has ended, contact admin of application for more info. "search" can no longer find it. HJT finds it!

Logfile of HijackThis v1.97.7
Scan saved at 8:15:24 PM, on 4/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38070.8152662037
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
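Added example, not code from this thread or from HijackThis: a small Python triage script that parses the "Running processes" and O4 lines of a HijackThis v1.97 log in the format shown above, flags launch paths that sit where legitimate software rarely does (a bare filename found through PATH, an executable directly under C:\WINDOWS, a sub-folder of System32 such as f~a), and diffs two scans to show which O4 entries survived a cleanup. The log excerpts embedded in it are constructed from lines in this thread; the location heuristic is my own, not a rule from the forum, and it will also match some legitimate entries (the Matrox PDesk entry above).

```python
"""Added example (not from the thread): triage HijackThis v1.97 logs, flag
autostart targets in odd locations, diff two scans. Excerpts are constructed."""
import re
WIN_ROOT, SYS32 = "c:\\windows\\", "c:\\windows\\system32\\"
LOG_BEFORE = r"""
C:\WINDOWS\okgpncsk.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
"""

def o4_target(line):
    """Launched path from '[Name] "path" args', '[Name] path' or 'X.lnk = path'."""
    rest = re.sub(r"^\[[^\]]*\]\s*", "", line.split(": ", 1)[1])
    if " = " in rest:                       # Global Startup: 'X.lnk = path'
        return rest.split(" = ", 1)[1]
    m = re.match(r'"([^"]+)"|(\S+)', rest)
    return m.group(1) or m.group(2)

def entries(text):
    """{log line: path it launches} for process-list lines and O4 lines."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if re.match(r"[a-z]:\\", line, re.I):   # 'Running processes' entry
            found[line] = line
        elif line.startswith("O4 - "):
            found[line] = o4_target(line)
    return found

def odd_location(path):
    """Heuristic reason a launch path deserves a closer look, or None."""
    p = path.lower()
    if "\\" not in p:
        return "bare filename, resolved through PATH"
    if p.startswith(WIN_ROOT) and p.count("\\") == 2 and not p.endswith("explorer.exe"):
        return "executable directly under the Windows root"
    if p.startswith(SYS32) and "\\" in p[len(SYS32):]:
        return "sub-folder of System32 (legit ones like PDesk also match)"
    return None

def triage(text):  # {suspicious process or O4 line: reason}
    return {k: odd_location(v) for k, v in entries(text).items() if odd_location(v)}

def diff_o4(before, after):  # O4 lines that vanished, appeared, persisted
    b = {k for k in entries(before) if k.startswith("O4")}
    a = {k for k in entries(after) if k.startswith("O4")}
    return sorted(b - a), sorted(a - b), sorted(a & b)
```

Run `triage(LOG_BEFORE)` to see the three entries the thread singles out, and `diff_o4(LOG_BEFORE, LOG_AFTER)` to confirm that skymdve is gone while the f~a entry persists, as in the second log above.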
 
Joined
Jul 26, 2002
Messages
46,353
Download TheKillbox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip the files to your desktop.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\f~a\ra32.exe

Don't click any of the buttons though; instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The C:\WINDOWS\System32\f~a\ra32.exe listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to restart. Don't restart yet.

First Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe

Then restart.
 

Rondi

Thread Starter
Joined
Apr 23, 2004
Messages
36
flrman1,
It's still there.......I printed directions just like last time and went step by step. could it be I deleted something it needed (like uninstall) to delete?

I love your step by step instructions! You're the bomb!
 