Proxy.small and others - no internet access now. Please help!

Hi there, hope someone can help me. I’m running XP SP2, aVast and AVG.

I did something stupid and managed to open a file loaded with various viruses. I managed to delete and/or quarantine all of them using a mix of AVG and avast. I did need to turn off system restore to eliminate the last one, which was Proxy.small.

My main symptom is I can’t access internet now. Thought it may have been due to whatever it was trashing my IE6 but problem persists despite my installing IE7 and I have no access to my router via this PC…it is not updating aVast or AVG etc.

Used HJT and deleted a bunch of things, maybe too many. Still have the possibility to restore things via the backup facility of HJT. So if whoever helps me sees something critical missing here that could explain my inability to access internet then please let me know and I’ll look for that in the Backups list of HJT.

I’m attaching here my latest HJT logfile…please help. Really stuck here.

Thanks,

Dave M

Hi dave_in_gva,

Do you mean AVG Free anti-virus?

You must not have two resident anti-viruses on your system because they will fight over files like two dogs over a bone and will cause instability problems- uninstall one of them.

If you meant AVG Anti-Spyware, this is not a problem- in fact very desirable.

If you do not really understand what you have deleted with HijackThis!, I recommend you restore everything.

Scan your computer with AVG Anti-spyware, Ad-Aware and Spybot Search & Destroy- they will automatically remove malware files and registry entries. You can post another log when you’ve finished just to check no malware remains.

If you have no internet access, you will have to download these programs plus the latest definition files on another computer.

Also download WinSock XP Fix and run this if you still have no internet connection- again do this on another computer if you have to.

Good luck!

http://www.snapfiles.com/get/winsockxpfix.html

Hi Frank,

Thanks for your fast reply…I’ve come across your name on other threads and you’ve also been a help to me when I have not been the original poster.

I do mean AVG Anti-spyware only (version 7.5).

I’ll try what you suggest and post back here.

Thanks for being the Easter bunny,

Dave

Hi dave_in_gva,

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the ‘Registry’ menu, click ‘Export Registry File’. In the ‘Export range’ panel, click ‘All’, then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shellspl
spools.exe

and delete it if it exists.

Close the registry editor.
Advanced


This section contains the description and advanced technical information

Troj/Proxage-A is a proxy Trojan for Windows based systems.

When first run the Trojan copies itself to \spools.exe.

The following registry entry is created to run spools.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shellspl
spools.exe

Once installed, Troj/Proxage-A contacts an IP address on port 5968 to inform a remote intruder that the Trojan is installed. The Trojan listens for incoming traffic on a random port.

Whilst running, the Trojan also attempts to disable any security software running on an infected computer.

polonus

Hi Frank (and Polonus),

Well thanks SOOOOO much!

Polonus I did not have the Troj/Proxage-A after a registry check.

Frank, your recipe did the trick. I restored everything I’d deleted in HJT, then ran Ad-Aware, Spybot, and AVG.

I followed that by the winsock fix and rebooted to find my net connection restored.

I don’t know if it is strictly necessary, but I did re-run HJT and attach my last logfile. Although everything appears to be working fine now I would appreciate being told if there’s anything in this logfile I should take action on.

Again, thanks once more!

Dave M

Hi dave_in_gva:
Here you can find your analysis: http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html
It will be there for three consecutive days.
As I see it you have a Cool Websearch infection as well, O2 BHO etc. compstuih.dll; O8 Extra context menu etc.:
Run the cwshreddertool from here: http://www.trendmicro.com/cwshredder/ and post a new HJT logfile to be analysed.
FwF certainly will give the logfile a glance as well.

polonus

Glad you’re back online!

No major issues, just a bit of a clean up required.

These two entries are for BHOs that have been removed: you can run HijackThis! again, tick the entries then click ‘fix’.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll (file missing)

MyWebSearch is something you may want to consider removing, just because it slows your computer down. The way to do this is via Add/Remove Programs first:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZFYYYYYYYYCH

http://www.pchell.com/support/mywebsearch.shtml

These seem to be entries for malware left over after removal: you can fix them with HijackThis! (Check again afterwards to make sure they have gone- there shouldn’t be a problem removing them.)

O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)

O20 - Winlogon Notify: h618 - C:\WINDOWS\g260468.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

Is Pure Networks\Network Magic something you installed? It seems to be some sort of remote access application. If you installed it, it’s nothing to worry about.

Regards,

The Easter Bunny. :wink:
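
The log triage walked through in the reply above, as an added Python example (not part of any poster's reply and not HijackThis code): it parses HijackThis entry lines, lists the orphaned ones marked `(no file)` or `(file missing)`, and checks O4 Run entries for the `Shellspl` value described earlier in the thread. The O4 line in the sample is constructed, and the function names are hypothetical.

```python
import re

# Entry lines quoted in the reply above, plus one CONSTRUCTED O4 line in
# HijackThis's usual Run-key layout for the Shellspl value (assumption).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll (file missing)
O4 - HKLM\..\Run: [Shellspl] spools.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZFYYYYYYYYCH
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: h618 - C:\WINDOWS\g260468.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
"""

# "<section> - <kind>: <rest>", e.g. "O20 - Winlogon Notify: rpcc - ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# HijackThis appends one of these markers when the referenced file is gone.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
# O4 autostart entries carry "[value name] command".
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def parse(log_text):
    """Yield one dict per recognisable HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def triage(log_text, watch_run_values=("shellspl",)):
    """Return (orphaned entries, watched Run values) found in the log."""
    orphans, run_hits = [], []
    for e in parse(log_text):
        if ORPHAN.search(e["rest"]):
            orphans.append((e["section"], e["rest"]))
        rv = RUN_VALUE.match(e["rest"]) if e["section"] == "O4" else None
        if rv and rv["name"].lower() in watch_run_values:
            run_hits.append((rv["name"], rv["cmd"]))
    return orphans, run_hits

if __name__ == "__main__":
    orphans, run_hits = triage(SAMPLE_LOG)
    for section, rest in orphans:
        print(f"leftover {section}: {rest}")
    for name, cmd in run_hits:
        print(f"watched Run value: {name} -> {cmd}")
```
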

Frank, Polonus,

Thanks again so much. Truly fantastic to have people like you out there. I would not have been able to do this myself so thanks again. I hope good karma follows you both the rest of your days.

Frank you asked about Network Magic and it is indeed something I’ve installed myself.

I’ve followed your combined instructions and think (hope) everything should be fine now. Attaching what I hope is my final HJT logfile. Thanks again if you see anything residual that I should be acting on to let me know.

Best wishes,

Dave M

Everything looks fine now. 8)

Hi FwF,

Thank you, FwF, for helping us through on this once again, and I share a bit of this good k@rma with you,

your malware fighting friend,

polonus