Spyware Hidden Proxy Problem

Status
Not open for further replies.
So I am cleaning this computer that had a bunch of spyware installed on it, including Aurora/Nail. I ran through the removal steps in the forums (thanks guys) and was able to clean most of it off. I don't see any abnormal services running on boot, but somehow I am still getting spyware activity.

Couple of things that are happening:

1) I am still receiving cookies related to Look2Me and SurfSideKick.
2) Under some unknown circumstances AppWrap[1].exe ends up reappearing in the IE temporary internet folder.
3) HTTP requests are being redirected to ports 1052-1100 > 80.

I have pretty much run every removal tool I can think of and I'm thinking my only solution is to run a System File replace in Windows XP.
I was wondering if anyone has heard of the proxy thing and if there was a way to remove it, because I think that's where I am receiving the infections.

Any help would be appreciated. I will post my HijackThis logs when I get to the location shortly.
 
Hi trinsic, try running Ewido, maybe that will kill them pesky varmints.

You can download a trial version of Ewido here: http://www.ewido.net/en/

Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.
 
just_a_nobody said:
Hi trinsic, try running Ewido, maybe that will kill them pesky varmints.

You can download a trial version of Ewido here: http://www.ewido.net/en/

Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.

Thanks for replying. I have run Ewido, it cleans the cookies, but then if I reboot and run a scan it finds them again. Also I have this weird proxy thing going on. I'm not sure what it is, but all my browser requests are going through alternate ports and I don't have any proxy apps installed that I know of that would cause this.

Here is an example:

Count:1
Action:Monitored
Application:firefox.exe
Access:Outbound TCP access
Object:1620 -> 144.160.134.61:80 (http)
Interface:[1] Intel(R) PRO/100 VE Network Connection
Time:7/21/2005 7:50:23 PM
 
HijackThis Log.

Logfile of HijackThis v1.99.1
LOG removed, see How to post your Hijackthis log-files as an attachment.



+ Created on: 1:00:05 AM, 7/21/2005
+ Report-Checksum: 3CBE6742

Ewido Log
+ Scan result:

:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vumkvbgk.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup


::Report End
 
My fave little program that I've been using on systems to remove spyware lately has been Spyware Doctor, and if you have some really bad then try getting BART PE and running the McAfee GUI Wrapper and Ad-Aware off the bootable OS.
 