TechSpot

Spyware Hidden Proxy Problem

By trinsic
Jul 21, 2005
Topic Status:
Not open for further replies.
  1. So I am cleaning this computer that had a bunch of spyware installed on it, including Aurora/Nail. I ran through the removal steps in the forums (thanks guys) and was able to clean most of it off. I don't see any abnormal services running on boot, but somehow I am still getting spyware activity.

    Couple of things that are happening:

    1) I am still receiving cookies related to Look2Me and SurfSideKick.
    2) Under some unknown circumstances AppWrap[1].exe ends up reappearing in the IE temporary internet folder.
    3) HTTP requests are being redirected to ports 1052-1100 > 80.

    I have pretty much run every removal tool I can think of, and I'm thinking my only solution is to run a system file replace in Windows XP.
    I was wondering if anyone has heard of the proxy thing and if there was a way to remove it, because I think that's where I am receiving the infections.

    Any help would be appreciated. I will post my HijackThis logs when I get to the location shortly.
  2. just_a_nobody

    just_a_nobody TS Rookie Posts: 205

    Hi trinsic, try running Ewido, maybe that will kill them pesky varmints.

    You can download a trial version of Ewido here: http://www.ewido.net/en/

    Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.
  3. trinsic

    trinsic TS Rookie Topic Starter

    Thanks for replying. I have run Ewido; it cleans the cookies, but then if I reboot and run a scan it finds them again. Also I have this weird proxy thing going on. I'm not sure what it is, but all my browser requests are going through alternate ports and I don't have any proxy apps installed that I know of that would cause this.

    Here is an example:

    Count:1
    Action:Monitored
    Application:firefox.exe
    Access:Outbound TCP access
    Object:1620 -> 144.160.134.61:80 (http)
    Interface:[1] Intel(R) PRO/100 VE Network Connection
    Time:7/21/2005 7:50:23 PM
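
Added example, not part of the original thread: a Python script that parses firewall monitor records in the layout quoted in the post above and labels where each connection actually goes, which is the check that separates a local intercepting proxy from ordinary client source ports. It reads `Object:` as local port -> remote address:port (an assumption about this firewall's format); the second sample record, the function names and the labels are constructed for illustration, and 1025-5000 is the Windows XP default range for client source ports.

```python
import ipaddress
import re

# Constructed sample: record 1 is the entry quoted in the post, record 2 is invented.
SAMPLE_LOG = """\
Count:1
Action:Monitored
Application:firefox.exe
Access:Outbound TCP access
Object:1620 -> 144.160.134.61:80 (http)
Interface:[1] Intel(R) PRO/100 VE Network Connection
Time:7/21/2005 7:50:23 PM

Application:firefox.exe
Access:Outbound TCP access
Object:1621 -> 127.0.0.1:8080
"""

OBJECT_RE = re.compile(r"^(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
XP_EPHEMERAL = range(1025, 5001)   # Windows XP default dynamic source ports
WEB_PORTS = {80, 443}

def parse_records(text):
    """Split the log on blank lines and turn each record into a dict."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.strip().split(":", 1) for l in block.splitlines() if ":" in l)
        m = OBJECT_RE.match(fields.get("Object", "").strip())
        if m:
            fields["src_port"] = int(m.group(1))
            fields["dst_ip"] = ipaddress.ip_address(m.group(2))
            fields["dst_port"] = int(m.group(3))
            yield fields

def classify(rec):
    """Label one outbound connection by the endpoint the browser connects to."""
    if rec["dst_ip"].is_loopback:
        return "local-proxy"           # handed to a listener on this machine
    if rec["dst_port"] not in WEB_PORTS:
        return "non-web-destination"   # check the browser's proxy settings
    if rec["src_port"] in XP_EPHEMERAL:
        return "direct"                # normal client source port, straight to the server
    return "unusual-source-port"

def summarize(text):
    return [(r["Application"], r["src_port"], str(r["dst_ip"]), r["dst_port"], classify(r))
            for r in parse_records(text)]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
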
  4. trinsic

    trinsic TS Rookie Topic Starter

    HijackThis log.

    Logfile of HijackThis v1.99.1
    LOG removed, see How to post your Hijackthis log-files as an attachment.



    + Created on: 1:00:05 AM, 7/21/2005
    + Report-Checksum: 3CBE6742

    Ewido log
    + Scan result:

    :mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup


    ::Report End
  5. sphinx

    sphinx TS Rookie Posts: 17

    My fave little program that I've been using on systems to remove spyware lately has been Spyware Doctor, and if you have something really bad then try getting BartPE and running the McAfee GUI wrapper and Ad-Aware off the bootable OS.
  6. just_a_nobody

    just_a_nobody TS Rookie Posts: 205
