Scksexde.exe alert

By Mazrim
Jul 30, 2008
  1. This just popped up on my kids' computer. Seeing the 'sex' in the name lifted a few hairs on my head, so I checked browser history, etc, and found nothing strange.

    The 1st thing my son did this morning after powering the cpu on was to start the game Team Fortress through the Steam application, part of the Half Life Orange Box value pack. It is a legit retail copy.

    The only thing I can think of at this point is that either: a) Bad luck.


    b) Someone may be sending viruses to that specific ip address from a single central location, i.e., whoever sent the lanmanwrk virus we got a few days ago, and JUST cleaned off the system yesterday.

    I know "b' may be far fetched, but I cant think of anythign else really: Running through the directions on how to get rid of the lanmanwrk virus thoroughly cleaned out the system, so I thought.

    Could there be a trojan downloader hiding in the system still?
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I thought you were going to reinstall? would you like to clean the system instead?
  3. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Well, I would like to reinstall, but I still cant boot off the CD at all. The settings in BIOS are correct, and have the CD rom as the primary boot device, but the computer still wont boot off it.

    **edit** I CAN in fact access the CD rom from windows again now as well as the HD now that the lanman virus is gone.
  4. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Attaching HJT log, just ran a min ago after SuperAntiSpyware found another 10 threats.
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I posted instructions in your other thread. :grinthumb
  6. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Ok thanks! :)
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    no problem
  8. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Ok I followed every step, and will have the logs ready, but something wierd just happened a minute ago: After performing every step and cleaning out the computer again, I tried opening Mozilla firefox. Zonealarm detected it, so I granted access, but then it asked for internet explorer access, which I denied. Right when the home page for firefox came up (Google), the antivirus shows another attempted hijack by the lanman virus!!

    Is it lodged in firefox? Is there ANY WAY to get rid of this crap?!?!

    Or should I say to hell with it, and format/reinstall?
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    clean or format up to you - we can get it off there

    Good job denying access - often these things will continue to attempt attacks even after you remove them - you can watch your intrusion attemps blocked through zone alarm
  10. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    **Update** ran Malwarebyte again, and found 4 fakealert files in registry, as well as a copy of lanmanwrk in the systemrestore folder in WIN32.

    Does it ever end?
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am still waiting for the logs please attach them when you are done ;)
  12. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Attachments incoming. I gotta head to work for now but will check on this in a few hrs.
  13. adu123

    adu123 TS Maniac Posts: 278

    just curious, how did you manage to clean that infection, and get the access back?? Causes' I don't see Blind Dragon's cleaning instructions:confused:
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That log looks much better than the last I saw - did you update and run full scan with Avira and did it find anything?

    Remove HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    [​IMG]Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  15. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    There was a separate thread regarding removal of the lanmanwrk.exe virus, and I followed all 15 steps of that.
  16. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Hmm, since I had to deny IE access because of the virus, Im a bit leery on giveing it access again. There any other sure way to do this or....?
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You can install an IE tab to run from within Firefox - that will just use the IE rendering engine.

    Go to tools -> add-ons -> browse all add ons in top right corner -> search for IE tab

    it should be the top result, after that you can right click on the kaspersky link and select open in IE tab
  18. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    I dont see that at all. From firefox, I went into tools -> addons -> and the only two things I have are: Talkback, and Yahoo toolbar. Thats in extensions. There are no other options in the other two tabs whatsoever. Extensions, themes, and updates are the only 3 tabs I have in the addons window, and theres nothing in themes or updates at all.

    **update** just went to mozilla and got it. Just tryin to find where the tab is at actually in Firefox now that its installed, and I'll use Kapersky.
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    do you have firefox 3? I think even in the old version I had the get add-ons tab

    Since you installed it can you right click links and select open in IE tab
  20. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Figured it out and scanned, smitfraudfix.exe made false positives, and a Playstation2 emulator came up false positive, but other than that, nothing came up. Cant post the log because it registers as an html, and if you change it over to .txt, theres only jibberish.
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Thats a good thing that it didn't find anything else. I like to use the online scan as a 2nd opinion. Please run me one more hijackthis log for me to look over then we can clean up and secure the work we have done
  22. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Here it is...
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's a clean log - much better than before - how are you running?

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.


    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

    7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
  24. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Running much better now, thanks for all of your help! :)

    I had spybot S&D and AVG but it seems that wasn't enough. Im setting everything as you instructed, and hopefully this won't happen again anytime soon. :)
  25. Mazrim

    Mazrim TS Enthusiast Topic Starter Posts: 113

    Hmm, I can't find Combofix anymore on my system to follow the 1st step you listed.......
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...