The original version of this page can be found at : http://forum.bullguard.com/forum/10/HELP--Proxy5AS-and-Proxy5AQ-an_1728.html
Posted By : Psycho Steve - 7-12-2004 7:04
Hope you can help , this has been driving me mad for the last couple of days. I have run Spy Sweeper, Adaware 6, AVG and now Hijack This, the following is a copy of the scan,
 
Logfile of HijackThis v1.97.7
Scan saved at 19:01:01, on 12/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\system32\config\winlogon.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WindUpdates\WinKA.exe
D:\ipaq\WCESCOMM.EXE
C:\WINDOWS\System32\x0r\svshost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\SpywareWebroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php?account_id=3004
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WIACA5~1\WinSB.DLL
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\put all folders in here\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB.DLL
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF6f52.dll
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WIACA5~1\WinSB.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6f52.dll
O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] D:\SpywareWebroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\ipaq\WCESCOMM.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38108.4762152778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Which ones do I need to get rid?
 
Thanks in advance....
Psycho Steve
 
 
 
 

Posted By : eagle - 7-12-2004 7:23
Are you at all familiar with regedit? if you are you can go in there type in the name of the virus search it and delete it.
Eagle smilewinkgrin

Posted By : Psycho Steve - 7-12-2004 7:39
Yes I think so... probably a stupid question but should I just search for Proxy or Proxy.5 ???

Posted By : eagle - 7-12-2004 8:18
No not stupid,
try proxy first then proxy.5 if you get no results the first time.
Eagle smilewinkgrin

Posted By : Psycho Steve - 7-15-2004 10:24
This is the latest Log, thought I'd got shot of th bugs, but it seems they keep coming back:
Couldn't find anything that looked suspicous in the registry under Proxy or Proxy.5, I've now installed Zone Alarm as well, just to stop programs accessing the net that I don't know about! Any suggestions on this lot...
Logfile of HijackThis v1.97.7
Scan saved at 22:20:06, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\config\winlogon.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\host32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\SpywareWebroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WindUpdates\WinKA.exe
D:\ipaq\WCESCOMM.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\x0r\svshost.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\put all folders in here\Zone Alarm\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\put all folders in here\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF6f52.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6f52.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] D:\SpywareWebroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\ipaq\WCESCOMM.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38108.4762152778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Posted By : eagle - 7-16-2004 1:23
Same as before only this time do a disk clean and then turn off restore, scan second time if clean then turn restore back on.
oh while in disk clean click more options tab and tell it to delete all restore points.
                              Eaglesmilewinkgrin

Posted By : Psycho Steve - 7-21-2004 11:13
Thanks Eagle.

I think I've killed it now, I managed to get Revop.C as well, I turned off Restore and found I had two processes called Winlogon which I found in Task Manager, stopped one of them and deleted it in C drive. Then used Trojan Hunter which found four possible Trojans which I deleted from C drive also.

No problems so far... haven't yet had the courage to turn Restore back on though!

Thanks for all your help...Keep up the good work.

Posted By : eagle - 7-22-2004 2:41
Your welcome,
 and come back anytime!
         Eaglesmilewinkgrin


Need Support? Write to: | Forum Help Manual

Download free trial version of Bullguard