I think ccproxy is spyware - help me clean my system

hello!
I am not a virus analysis expert, but a few days ago I played with a port sniffing program. What I detected is that ccproxy sends a request to “oraniom.com” and that domain sends an ICMP in return. I immediately deleted ccproxy, but I am worried about what other spyware they uploaded to my system and what they have stolen. I need your help to clean my system and analyze that program.

Also, if you ping oraniom.com they send an ICMP back with this content:
abcdefghijklmnopqrstuvwabcdefghiabcdefghijklmnopqrstuvwabcdefghi
abcdefghijklmnopqrstuvwabcdefghi

link of software:
http://www.youngzsoft.net/ccproxy/

edit:
logs attached

You can upload and test the install file at www.virustotal.com or www.metascan-online.com if it's not too big. :wink:

For an infection check, follow this guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0
When done, a removal expert will check for any infections…

VirusTotal for the Link: https://www.virustotal.com/en/url/19c12e75b5a7149075e1b5d20dce8cec763f2e46d0df8f6174282e5a198e987c/analysis/1373016902/

The file needs to be scanned for malware as well. Also at www.virustotal.com

Additional Info: The site has been known for hosting “Badware/Malware” in the past. So be careful with it.

Safety score: 100
Adult content: no
Verdict: safe

However, VirusTotal under the WOT section has this:

Vendor reliability: Unsatisfactory
Child safety: Unsatisfactory
Trustworthiness: Unsatisfactory
Privacy: Poor

Can you put the file into something like MediaFire so I can scan it? Thanks. Or you can do it yourself at virustotal.com

Unfortunately I uninstalled it a few days ago, but I just used a file recovery program and here is the recovered exe file:
http://www.sendspace.com/file/ryzg7w

Here is the setup file I used:
http://www.sendspace.com/file/6v64dw

@Pondus: log files attached

thanks :slight_smile:

This is what Microsoft has on it: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=HackTool:Win32/CCProxy.B
This site’s web rep is questionable: http://www.mywot.com/en/scorecard/youngzsoft.net?utm_source=addon&utm_content=popup-donuts
All in all we can certainly classify the tool as a PUP; it can be abused by an attacker to listen in on your Internet traffic!
Also read: http://www.runscanner.net/lib/ccproxy.exe.html

Aliases
Trojan/Win32.Proxy (AhnLab)
not-a-virus:Server-Proxy.Win32.CCProxy.x (Kaspersky)
TR/Virtl.3815.46 (Avira)
Program.CCProxy (Dr.Web)
Win32/CCProxy application (ESET)
not-a-virus:Server-Proxy.Win32.CCProxy (Ikarus)


Summary
HackTool:Win32/CCProxy.B is a tool used to redirect your Internet traffic through a specified proxy server.

Symptoms
System changes

The following system changes may indicate the presence of this malware:

The presence of the following files:
\log\log.txt
\ccproxy.ini

Technical Information (Analysis)
Installation

HackTool:Win32/CCProxy.B creates the following files:

\log\log.txt
\ccproxy.ini
Payload

Opens and listens to certain ports

HackTool:Win32/CCProxy.B opens and listens to the following TCP ports:

1080
110
119
2121
23
25
808
To check for Internet connectivity, it tries to connect to yahoo.com via port 80.

Redirects Internet traffic through a proxy server

HackTool:Win32/CCProxy.B is used to redirect your Internet traffic through a proxy server.
→ It may be configured by a remote attacker to listen in on your Internet activities. ←

Analysis by Hyun Choi (Microsoft Malware Protection Center)

pol
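An added example, not part of the thread or of the Microsoft write-up quoted above: a small check that turns the write-up's indicators (the listening TCP ports and the two files it names) into detection logic run over `netstat -ano`-style output and a list of file paths. The netstat lines and paths below are constructed sample data; the `os.walk` scan is the only part that touches a real system.

```python
import os

# Indicators taken from the Microsoft write-up quoted above for HackTool:Win32/CCProxy.B.
# Ports are configurable in the tool, so a hit is a lead to confirm, not proof on its own.
CCPROXY_PORTS = {1080, 110, 119, 2121, 23, 25, 808}
CCPROXY_FILES = ("log\\log.txt", "ccproxy.ini")


def parse_netstat_line(line: str):
    """Parse one line of Windows `netstat -ano` output; return None for headers/blank lines.

    TCP lines carry proto, local, remote, state, pid; UDP lines have no state column.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
        return None
    local_ip, _, local_port = parts[1].rpartition(":")  # handles "[::]:445" too
    if parts[0] == "TCP":
        if len(parts) < 5:
            return None
        state, pid = parts[3], parts[4]
    else:
        state, pid = "", parts[3]
    return {
        "proto": parts[0],
        "local_ip": local_ip,
        "local_port": int(local_port),
        "state": state,
        "pid": int(pid),
    }


def find_suspicious_listeners(netstat_output: str) -> list:
    """Return TCP LISTENING entries whose local port is one of the CCProxy indicator ports."""
    hits = []
    for line in netstat_output.splitlines():
        entry = parse_netstat_line(line)
        if (
            entry
            and entry["proto"] == "TCP"
            and entry["state"] == "LISTENING"
            and entry["local_port"] in CCPROXY_PORTS
        ):
            hits.append(entry)
    return hits


def find_indicator_files(paths) -> list:
    """Return the given paths that end with one of the indicator file names (case-insensitive)."""
    suffixes = tuple(f.lower() for f in CCPROXY_FILES)
    return [p for p in paths if p.replace("/", "\\").lower().endswith(suffixes)]


def scan_directory(root: str) -> list:
    """Walk a directory tree and report indicator files found under it."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in filenames)
    return find_indicator_files(found)


# Constructed sample of `netstat -ano` output: one process (PID 2468) listening on
# two indicator ports, plus unrelated services that must not be flagged.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:808            0.0.0.0:0              LISTENING       2468
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2468
  TCP    192.168.1.10:52011     203.0.113.5:80         ESTABLISHED     2468
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    900
"""

# Constructed sample paths, as a directory walk might return them.
SAMPLE_PATHS = [
    "C:\\Program Files\\CCProxy\\CCProxy.ini",
    "C:\\Program Files\\CCProxy\\log\\log.txt",
    "C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious_listeners(SAMPLE_NETSTAT):
        print("listener on indicator port %d (PID %d)" % (hit["local_port"], hit["pid"]))
    for path in find_indicator_files(SAMPLE_PATHS):
        print("indicator file:", path)
```

In practice, pipe the real `netstat -ano` output into `find_suspicious_listeners` and map any flagged PID back to its image with `tasklist`; a listener on port 1080 or 808 owned by a process you did not install is what to look at next, and the two file names confirm an installation that a bare port listing cannot.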

Most websites say it is a proxy/hacktool. I know that; I used it to create a proxy server, but why does it try to connect to “oraniom.com”, which is not stated anywhere on the website, if it is classified as a proxy/hacktool only?

I also ran whois on oraniom.com; it is totally unrelated to that company.

The common denominator here is Private Layer INC,
Proxy Finders. Proxessor Proxy finder enterprise Proxy_Leecher_6.5. Proxy Checkers. Proxy Checker_1 … Letter to the link box administrator. Supported By Oraniom.com.
Also suspect is why they want to advertise with a clean slate here: http://www.radabg.com/url/oraniom.com/
Read this and do the test advised there: http://www.dnsleaktest.com/what-is-transparent-dns-proxy.php
How such a dns leak is being fixed, see: http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php
See also: DNS test result for oraniom dot com (columns: CATEGORY, STATUS, TEST, CC, RESULT)

IP to Country: GEO DB - Database Age: 0.36 Days. This file is available from here. The file we use here is updated every few days.

Determine non-cached NS from root:
NS (Root): A.ROOT-SERVERS.NET. [198.41.0.4] [Query Root Server for COM.]
NS (Parent): K.GTLD-SERVERS.NET. [192.52.178.30] [Query Parent Server for ORANIOM.COM.] HAS GLUE

N.B. not authoritative, but it’s a pointer to the authoritative servers, allowing for the loop to be resolved. (remark from polonus)
The parent nameserver K.GTLD-SERVERS.NET DID send out GLUE for [at least] NS61.MIHANWEBHOST.COM. This means K.GTLD-SERVERS.NET is reporting NS61.MIHANWEBHOST.COM’s host names AND sending the A (IP address) records for NS61.MIHANWEBHOST.COM. This is good and avoids an extra ‘A’ lookup. For full details, see RFC1912, Section 2.3.
If you find problems, we could also ask for the help of a qualified removal expert here on the web forums.

polonus

Thanks, fortunately the DNS leak test result was correct for me. It was the Google DNS that I set in the LAN.
How about the log files? Anything I should worry about?
I am not sure what oraniom.com is doing, but fortunately it went away when I removed ccproxy ???

I think for the moment you're good to go.
But it would not harm to do the following tests - go here: http://www.thinkbroadband.com/tools/dnscheck.html
What you should get as things are OK is the following message:
Success! We detected your IP address as NN.NN.NN.NN and did not find an open DNS resolver running.

If you got a similar green result, congrats, you are not likely to be a zombie.

Re-check here: http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
and here: http://myresolver.info/

polonus

Results for both my original IP and my SSH tunnel IP:
thinkbroadband: result was success,
measurement-factory.com: not working (empty result)
myresolver: was correct ip and dns

Avast is already detecting the files:

https://www.virustotal.com/en/file/df58d24634a4eef40ca4b00505479049f89d4fa7b7a927e4a74fb08936472052/analysis/1373029779/

https://www.virustotal.com/en/file/a412a22fc582141ba3a183e50318dad02652a0e57af7409a20b4aaf111e6eeb5/analysis/1373029736/

https://www.virustotal.com/en/file/a412a22fc582141ba3a183e50318dad02652a0e57af7409a20b4aaf111e6eeb5/analysis/1373029915/

Threat Expert Report: http://www.threatexpert.com/report.aspx?md5=39eac5c8dee7670ca6b71142f9070f19

URL analysis: https://www.virustotal.com/de/url/02802334865f0bd3d54e6b0cc1bc2a7c04363de6239c964547d05f2b6cb223c1/analysis/1373035126/

https://www.virustotal.com/de/url/23003bd06f6146ecac883974302c7a68e462c90d5b30c2e6c843fcbd9778e921/analysis/1373035213/

https://www.virustotal.com/de/url/6dd6c6e0963ac4d3472989698dadc559a7dbe34cd41eb6465a24b0f9ac4fa054/analysis/1373035294/

Hi Steven Winderlich,

No, it is not spyware or malware as such.
avast! is only detecting it as a PUP, a program that may be unwanted when not intentionally installed or added by an attacker.
The threat is that there is room for abuse by a third-party attacker…

polonus

I think I haven't said that it is spyware.

Did you set the proxies in FF and IE ?

I use Proxifier to share it. Actually, here is what I have:
an SSH tunnel for personal use,
and using ccproxy I created a local SOCKS5 server, shared the SSH tunnel on it and then used that SOCKS5 on my phone :smiley:

OK, in that case the logs look clean. Any further problems?

thank you :slight_smile: