Jump to content


Photo

CAX Proxy


  • Please log in to reply
3 replies to this topic

#1 bobwbs

bobwbs

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 30 June 2004 - 07:26 AM

I am a novice when it comes to navigating software, but I have followed all your recommended fixes as best I can. I have been somewhat successful in getting rid of the spyware that had completely taken over my XP system. You name it I had it, CoolWWW, HomeOldsp, about:blank, cws.googlems, JS Search, Cool Web Search. GhostSurf Pro, Spy Sweeper & Spybot S&D are keeping them at bay. I spend more time denying access to attacks than surfing. My desktop is a collection of Spyware killer icons. Spy Sweeper is the only one that identified CoolWWW and CAX Proxy. Every attempt at removing them has failed. They keep coming back. I cannot locate them in any Startup folder. Hijack This log shows what I believe to be it but the fix will not......it comes back. Can anyone help?

By the way Spybot S&D, Ad aware, neither of Tenebril's" sweepers identify CAX Proxy or CoolWWW on my system.

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 02 July 2004 - 01:32 PM

Post your HijackThis log as a reply in this thread, and I'll take a look. Don't fret too much about "CAX proxy" though. It may be a false positive. In researching it, I came across this:

I personally find that Spysweeper causes quite a bit of false positives. Eg It's tried to tell me that I had "CAX proxy" just because I set up my Internet explorer to use 127.0.0.1 with proxomitron ! LoL.

Of course, the typical user probably wouldn't be able to tell this wasn't really malware, and would chalk this detection as yet another example of something spysweeper caught that ad-aware or spybot didn't.


How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 bobwbs

bobwbs

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 02 July 2004 - 02:14 PM

Here is my log. I think you're right, CAX Proxy is related to GhostSurf. I have been working on my system, may have made some progress. Been getting Trojan warnings from AVG. (all .dll's)
It removes them but they come back as a different .dll

Logfile of HijackThis v1.97.7
Scan saved at 3:10:36 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MG\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 02 July 2004 - 03:52 PM

Looks pretty good actually - just one ClearSearch BHO.

First, start Spybot and disable TeaTimer so it won't interfere with the fix. Restart it after you're done.

Run a HJT scan and check this one item:

O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Close HJT, Open Windows Explorer and delete this file:

C:\WINDOWS\System32\IETie.dll

That may be all that's needed. Reboot, run a new HJT scan and post a followup log for another look.

Edited by Fireflyer, 02 July 2004 - 03:54 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button