Wyodiver33

Hi all. I have been attacked with a virus. Using Spybot I get the message "22:30 Registry change denied. Identified as: User decision. Resident denied the change of PrxChk (Catagory Shell Services) based on your black list." Help me please. Win WP Pro, new Dell Computer. I usually can take care of myself. This one has me stumped.

__________________
I like stuff.

Willravel

Do you have your important data backed up?

silent_jay

Found this on the SpyBot Forums, hope it helps. It seems to be for RealUpgrade, but maybe the solution will be similar.
http://forums.spybot.info/showthread.php?p=173035

__________________
Absence makes the heart grow fonder

Cynthetiq

re: PrxChk

do you use a proxy system of some sort?

as far as data being backed up; it's not a bad idea if you haven't already backed up to back up now, just be aware that your backup may also be infected.

also, a virus caught by an adaware program? that's not normal.

you ran virus scans and you got to hits, but with S&D you get that? it is more suspect of a false positive than anything in my book. One of the reasons that I think that sometimes too much information is just too much information to stress out over.

__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Martian

It's not as abnormal as you'd think. The algorithms that antispyware programs and antivirus programs use are very similar; there are even AS programs that use heuristics now, although I don't know if Spybot S&D has crossed that particular bridge yet. The line between various types of malware is getting fuzzier.

On to solving the problem.

First of all, don't panic. It does nothing to solve your problem.

Google tells me that prxchk is a utility for use with proxy servers. Whether it's actually malware or not is something I don't know, as I've never really investigated, although preliminary research seems to suggest that it's benign. You've managed to put it on your blacklist for registry changes in Spybot S&D, whether intentionally or by accident; to solve the problem, all you need to do is take it off the list. Follow the instructions in the link provided by Silent_Jay, replacing 'RealUpgrade' with 'prxchk' and report back if that doesn't solve your problem.

Note: backing up data is a very good idea in general and in this situation in particular. You may safely back up any mp3 files, txt files and jpg, bmp or png image files, as none of those are capable of carrying malicious code. Microsoft office file formats (.doc, etc) are susceptible to macro viruses, but they're pretty rare. No programs should be backed up (installers or other exes) as they're all potential vectors to spread a worm. The general rule of thumb is that data files are okay, program files are not, although that's not hard and fast. Several Microsoft file formats in particular are vulnerable to various types of malware. I'm also a big fan of keeping a liveboot cd handy (Knoppix, Ubuntu etc) for catastrophic failures. These will require you to learn the basics of navigating within Linux, but it's not that difficult and can potentially be a lifesaver in the event of a full OS crash.

__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame

Cynthetiq

What I find abnormal about it is that if there is virus software running, that the adaware application discovered it BEFORE the virus software did.

I agree that the heuristics are quite similar in some aspects and that there are many places they logicially overlap. I have found many trojans on peoples machines that listed in adaware and virus applications. That makes sense since trojans have been embedded into websoftwares.

Where I find it fishy is that he runs spybot and (insert virus software) doesn't state anything and appears silent based on the post.

__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Hain

There is no reason to get overly paranoid. I wouldn't suggest taking the hard drive out and putting it into a friends computer for safe scanning.

For some other scans, here is my list. I recommend a-squared, ad-aware, cwshredder, and housecall. Run a Hijack-this scan and post the logfile here or at their forums.

Wyodiver33

Augi, thanks for the help!

__________________
I like stuff.

Hain

That's what we're here for.

Lasereth

Spybot says that the registry change was denied so the virus (if that's what it is) is actually not doing anything on your system. Unless Spybot keeps bugging you, the malware is probably not hurting your system at all.

Wyodiver33

First of all, TFP Rules! Secondly, Spybot does keep pestering me every few seconds. Tried a system restore, didn't work. Used Norton, etc, still a problem.

__________________
I like stuff.

Martian

I'm not completely convinced this is actually malware. Does anyone know what the false positive rate for Spybot S&D is?

Do you use prxchk for anything? If not, the simplest solution may be to just get rid of it. You might be able to do an uninstall through the control panel, but if not you can still do it manually.

EDIT - As so often happens, another option occured to me immediately after hitting reply. In fact, I'm feeling sort of stupid for not thinking of it earlier. Have you tried running ad-aware? If not, install the latest version and try that. If we are dealing with some sort of malware, Ad-aware may be able to pick it up and remove it.

If it doesn't (and if you haven't tried it already) I would highly recommend removing prxchk from the blacklist, as I'm reasonably sure at this point that it is in fact benign. If neither Norton or Ad-aware (both with the latest definitions, I'm assuming) pick it up, it's probably safe.

__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame

Wyodiver33

Have tried Spybot, Ad Aware, Norton, etc.

__________________
I like stuff.

Hain

Ad-Aware, A-squared, and Spybot are pretty good to pick up anything. A-squared is so good that it often will pick up a bunch of false positives.

Since you are using Tea Timer with spybot, why not just tell tea timer to deny the registry change and have it remember that action?

Also, are you making sure to immunize your system after every spybot update?