1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

AVG just detected "Proxy" virus in exe file I ran a year ago

Discussion in 'Virus & Other Malware Removal' started by hugedog, Feb 2, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. hugedog

    hugedog Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    7
    AVG just reported an infected .exe file and moved it to the "Virus Vault". In the "Test Results" it does not list a virus name, but in the Vault under "virus name" is listed "Virus Found Proxy". Putting the file through the online tests at http://virusscan.jotti.org/, most of the scans come up negative, with the following exceptions:

    AntiVir Found HEUR/Crypted
    AVG Antivirus Found Proxy
    BitDefender Found Backdoor.Pcclient.GV
    VirusBuster Found novirus:packed/NSPack


    What concerns me is that I believe I actually executed this file around a year ago (when AVG didn't report anything on it). I haven't been able to find much on those virus names, but I may not know the right place to look.

    Whatever this malware is, it appears to be in the Trojan/Backdoor category, so I don't think I'm infected with a virus per se. I run Outpost Firewall Pro, updated and reasonably configured, plus AVG 7.5, plus Spybot S&D 1.3, and my computer sits behind 2 routers (wireless router and Vonage router), connected to a Cable modem. Can I feel reasonably secure that I haven't been e-mugged? Or is there anything I can do to verify whether I've been badly compromised?

    I am not, to my knowledge, a victim of identity theft or any of the other nastiest things that could happen as a result of a Trojan.

    Any assistance or reassurance would be appreciated.


    System:
    Windows XP Pro SP2, 1G RAM
    Motorola Cable Modem
    Netgear Wireless Router
    Linksys VPIP (Vonage) Router
    Outpost Firewall Pro 3.51.759.6511 (462)
    AVG 7.5 updated regularly
    SpyBot Search and Destroy 1.3 w/Teatimer resident
    Other security software/scanners run occasionally


    Thanks!
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    SpyBot Search and Destroy 1.3 is old, you should remove that and get version 1.4: http://www.majorgeeks.com/download2471.html

    You can submit the file here: http://www.thespykiller.co.uk/forum/index.php?board=1.0 so it can be examined.

    Just press new topic, fill in the needed details and post a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the window press send to upload the file.



    Click here to download HJTsetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. hugedog

    hugedog Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    7
    I started to upgrade to SpyBot 1.4, but then looked around a bit and decided to switch to using CounterSpy instead, which I have now installed. Any feedback on this choice?

    I uploaded the file in question to the forum at "thespykiller" and posted a link to this thread there.

    Not sure whether you were directing me to post my HJT log here or there, but here it is:





    Logfile of HijackThis v1.99.1
    Scan saved at 3:22:03 PM, on 2/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\system32\mgabg.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\Program Files\SpamPal\spampal.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Venturi2\Client\ventc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINNT\system32\PDesk\PDesk.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\SpamPal\spampal.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar5.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar5.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:eek:s_startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\RunOnce: [Panda_cleaner_118607] C:\WINNT\system32\ActiveScan\pavdr.exe 118607
    O4 - HKLM\..\RunOnce: [Panda_cleaner_98265] C:\WINNT\system32\ActiveScan\pavdr.exe 98265
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\TRASH.EXE (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\TRASH.EXE (file missing) (HKCU)
    O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\nppicj32.dll
    O15 - Trusted Zone: guru.grisoft.com
    O15 - Trusted Zone: free.grisoft.cz
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} -
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} -
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
    O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095293790390
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} -
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NetExec process executer service (NetExec) - Unknown owner - C:\WINNT\System32\NetExec.exe (file missing)
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SpamPal for Windows - SpamPal.org - C:\Program Files\SpamPal\spampal.exe
    O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} -
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} -
    O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} -
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} -
    O23 - Service: NetExec process executer service (NetExec) - Unknown owner - C:\WINNT\System32\NetExec.exe (file missing)

    Close all applications and browser windows before you click "fix checked".


    You have two anti-virus programs running, which will cause trouble. Uninstall one or set it for on-demand only.


    I've never used CounterSpy so I can't comment on it. The website indicates a 15 day trial so if that is what you loaded I would remove it after 15 days or if you like it pay for it. Otherwise it will become worthless in the removal since malware changes day to day.
     
  5. hugedog

    hugedog Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    7
    Thanks for the replies, cybertech. I nuked the HJT entries as you suggested. Not sure what you mean about two anti-virus progs. AVG is the only A-V prog I'm (knowingly) running. I'm running other security progs (Outpost and counterspy) but I wouldn't think they would conflict with AVG. What are you seeing that I'm not?
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I think I saw your removal of Panda.

    Are you still getting virus warnings?
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/540575

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice