
spybot,adware,hijack????

Discussion in 'Virus & Other Malware Removal' started by Rondi, Apr 23, 2004.

  1. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    We are running xp prof.

    son did homework, now the homepage and browser have changed. spy I assume. found lycos ieagent in program files, won't delete. can't seem to find anything in remove programs. ie directs to freeeesearch. can't seem to go to spybot, adware, hijack or such due to it giving me a "can't display page" and then redirects to freeesearch. also, not sure if related..... when i start up pc, system32 window is popped up and open with a file highlighted (i think i remember it to be 1052 ??)
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Yes... it's related.
    If you email me HERE
    with an outline of the problem I'll send you the programs you need.
    ;)
     
  3. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    Logfile of HijackThis v1.97.7
    Scan saved at 2:35:29 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\okgpncsk.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38070.8152662037
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    (y) (n) :confused:
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Rondi

    Welcome to TSG! :)

    I have merged your new thread with your original thread. Please make all posts regarding this matter in this thread.
     
  5. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    GOT IT!
    just keep replying .........
    new problem...new thread!

    OOO she's catching on :p (y)
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First please do this:

    Navigate to the C:\Windows\system32 folder and locate the skymdve.exe file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder.

    Now please do the same with the C:\WINDOWS\okgpncsk.exe file.

    Attach copies of those zipped folders and send them to me here. Please include a link to this thread so I'll remember where they came from.

    These files may be hidden so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".


    Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"

    O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe


    Restart to safe mode.

    How to start your computer in safe mode

    Now find and delete:

    The C:\WINDOWS\okgpncsk.exe file
    The C:\WINDOWS\System32\skymdve.exe file
    The C:\WINDOWS\System32\f~a folder

    I can't say what the exact name of this last folder is, but it will contain this file: ra32.exe. Probably the easiest way to find the folder is to go to Start > Search and under "More advanced search options",
    make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders". In the "Look in" box choose "Drive C:".
    In the "All or part of the file name" box type:

    ra32.exe

    Click Search. Whatever folder that file is found in, delete the folder. (Not the System32 folder, but the f~a sub-folder.)

    This is a password stealing trojan so if I were you I'd change all my critical passwords, particularly the financial ones.

    See here:

    http://vil.nai.com/vil/content/v_101037.htm
     
  7. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    so far so good......... what are these two applications? I've noticed they are both created on dates pc was worked on, just curious. also, i'm zipping and sending copy but should i keep my copy till you check it out or just dump it?

    while zipping it asked if i want compressed files handled by zip or something like that I said no. Is that okay?

    also, now that i see a zip copy as well as orig. will i be dumping both of my copies or keeping which one.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go ahead and dump the original and keep the zips for now, just in case. I'm not sure exactly what they are, but I'm about 99.99% sure they are some kind of malware.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Also I notice that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

    http://forums.techguy.org/t110854/s.html
     
  10. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    just realized what i have zipped is the icons that say: skymdve and okgpncsk there is no .exe

    is this right?
     
  11. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    OMG! you're right who took my McAfee???? give it back!
     
  12. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    no wonder my computer guy went back to argentina..... took McAfee and gave me malware.
     
  13. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    Please.....could you look at log.....please.

    1. went in safe mode looked under C:\windows\system32... can't find folder that might match f~a. Then manually (4 1/2 hrs) looked through everything can't find any ra32.exe. I did "search" before this, it found but then note popped up, saying something about time running has ended contact admin of application for more info. "search" can no longer find. HJT finds it!

    Logfile of HijackThis v1.97.7
    Scan saved at 8:15:24 PM, on 4/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38070.8152662037
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
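The two HijackThis logs in this thread differ in exactly the way the cleanup was meant to produce, except for one entry. As an added example (not part of the thread and not HijackThis code), this Python script parses the O4 Run-key lines, diffs the two logs, and reports which of the three entries Flrman1 asked to "Fix checked" in post 6 are still there; the `LOG_BEFORE` and `LOG_AFTER` excerpts are constructed from the O4 lines of the logs above.

```python
import re

# Constructed excerpts: the O4 (Run key) lines of the two HijackThis logs in
# this thread, 4/23/2004 (before "Fix checked") and 4/24/2004 (after).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [skymdve] "C:\WINDOWS\System32\skymdve.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
"""
# Line shape: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')

def parse_o4(log):
    """Map (hive, value name) -> launched executable for every O4 line."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            # Quoted command: the path is inside the quotes; else the first token.
            path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            entries[(hive, name)] = path
    return entries

def diff_runs(before, after):
    """(removed, added) sets of (hive, name) between two logs."""
    b, a = parse_o4(before), parse_o4(after)
    return set(b) - set(a), set(a) - set(b)

def still_present(log, names):
    """Which of the value names a helper asked to fix are still in the log."""
    return set(names) & {name for _, name in parse_o4(log)}

if __name__ == "__main__":
    removed, added = diff_runs(LOG_BEFORE, LOG_AFTER)
    print("removed:", sorted(removed), "added:", sorted(added))
    print("survived:", still_present(LOG_AFTER, ["KernelFaultCheck", "skymdve", "f~a"]))
```

The survivor is the HKCU f~a entry, whose ra32.exe the normal delete could not reach, which is why the next step in the thread moves to a delete-on-reboot tool.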
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Download TheKillbox from here:

    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip the files to your desktop.

    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\f~a\ra32.exe

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The C:\WINDOWS\System32\f~a\ra32.exe listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to restart. Don't restart yet.

    First Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe

    Then restart.
     
  15. Rondi

    Rondi Thread Starter

    Joined:
    Apr 23, 2004
    Messages:
    36
    flrman1,
    It's still there.......I printed directions just like last time and went step by step. could it be i deleted something it needed, (like uninstall) to delete?

    i love your step by step instructions! You're the bomb!
     
Short URL to this thread: https://techguy.org/223280
