Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 03-23-2008, 06:35 PM   #1 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
Got a big prob. Please help me/

Hi all. I have been attacked with a virus. Using Spybot I get the message "22:30 Registry change denied. Identified as: User decision. Resident denied the change of PrxChk (Catagory Shell Services) based on your black list." Help me please. Win WP Pro, new Dell Computer. I usually can take care of myself. This one has me stumped.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-23-2008, 06:50 PM   #2 (permalink)
... a sort of licensed troubleshooter.
 
Willravel's Avatar
 
Do you have your important data backed up?
Willravel is offline  
Old 03-23-2008, 07:03 PM   #3 (permalink)
Her Jay
 
silent_jay's Avatar
 
Location: Ontario for now....
Found this on the SpyBot Forums, hope it helps. It seems to be for RealUpgrade, but maybe the solution will be similar.
http://forums.spybot.info/showthread.php?p=173035
__________________
Absence makes the heart grow fonder
silent_jay is offline  
Old 03-23-2008, 07:04 PM   #4 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
re: PrxChk

do you use a proxy system of some sort?

as far as data being backed up; it's not a bad idea if you haven't already backed up to back up now, just be aware that your backup may also be infected.

also, a virus caught by an adaware program? that's not normal.

you ran virus scans and you got to hits, but with S&D you get that? it is more suspect of a false positive than anything in my book. One of the reasons that I think that sometimes too much information is just too much information to stress out over.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Last edited by Cynthetiq; 03-23-2008 at 07:06 PM..
Cynthetiq is offline  
Old 03-23-2008, 07:47 PM   #5 (permalink)
Young Crumudgeon
 
Martian's Avatar
 
Location: Canada
Quote:
Originally Posted by Cynthetiq
also, a virus caught by an adaware program? that's not normal.
It's not as abnormal as you'd think. The algorithms that antispyware programs and antivirus programs use are very similar; there are even AS programs that use heuristics now, although I don't know if Spybot S&D has crossed that particular bridge yet. The line between various types of malware is getting fuzzier.

On to solving the problem.

First of all, don't panic. It does nothing to solve your problem.

Google tells me that prxchk is a utility for use with proxy servers. Whether it's actually malware or not is something I don't know, as I've never really investigated, although preliminary research seems to suggest that it's benign. You've managed to put it on your blacklist for registry changes in Spybot S&D, whether intentionally or by accident; to solve the problem, all you need to do is take it off the list. Follow the instructions in the link provided by Silent_Jay, replacing 'RealUpgrade' with 'prxchk' and report back if that doesn't solve your problem.

Note: backing up data is a very good idea in general and in this situation in particular. You may safely back up any mp3 files, txt files and jpg, bmp or png image files, as none of those are capable of carrying malicious code. Microsoft office file formats (.doc, etc) are susceptible to macro viruses, but they're pretty rare. No programs should be backed up (installers or other exes) as they're all potential vectors to spread a worm. The general rule of thumb is that data files are okay, program files are not, although that's not hard and fast. Several Microsoft file formats in particular are vulnerable to various types of malware. I'm also a big fan of keeping a liveboot cd handy (Knoppix, Ubuntu etc) for catastrophic failures. These will require you to learn the basics of navigating within Linux, but it's not that difficult and can potentially be a lifesaver in the event of a full OS crash.
__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame
Martian is offline  
Old 03-23-2008, 07:56 PM   #6 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
Quote:
Originally Posted by Martian
It's not as abnormal as you'd think. The algorithms that antispyware programs and antivirus programs use are very similar; there are even AS programs that use heuristics now, although I don't know if Spybot S&D has crossed that particular bridge yet. The line between various types of malware is getting fuzzier.
What I find abnormal about it is that if there is virus software running, that the adaware application discovered it BEFORE the virus software did.

I agree that the heuristics are quite similar in some aspects and that there are many places they logicially overlap. I have found many trojans on peoples machines that listed in adaware and virus applications. That makes sense since trojans have been embedded into websoftwares.

Where I find it fishy is that he runs spybot and (insert virus software) doesn't state anything and appears silent based on the post.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-24-2008, 01:29 AM   #7 (permalink)
has a plan
 
Hain's Avatar
 
Location: middle of Whywouldanyonebethere
There is no reason to get overly paranoid. I wouldn't suggest taking the hard drive out and putting it into a friends computer for safe scanning.

For some other scans, here is my list. I recommend a-squared, ad-aware, cwshredder, and housecall. Run a Hijack-this scan and post the logfile here or at their forums.
Hain is offline  
Old 03-24-2008, 04:48 AM   #8 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
Augi, thanks for the help!
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-24-2008, 10:01 AM   #9 (permalink)
has a plan
 
Hain's Avatar
 
Location: middle of Whywouldanyonebethere
Quote:
Originally Posted by Wyodiver33
Augi, thanks for the help!
That's what we're here for.
Hain is offline  
Old 03-24-2008, 10:40 AM   #10 (permalink)
Knight of the Old Republic
 
Lasereth's Avatar
 
Location: Winston-Salem, NC
Spybot says that the registry change was denied so the virus (if that's what it is) is actually not doing anything on your system. Unless Spybot keeps bugging you, the malware is probably not hurting your system at all.
Lasereth is offline  
Old 03-24-2008, 04:37 PM   #11 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
First of all, TFP Rules! Secondly, Spybot does keep pestering me every few seconds. Tried a system restore, didn't work. Used Norton, etc, still a problem.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-24-2008, 07:04 PM   #12 (permalink)
Young Crumudgeon
 
Martian's Avatar
 
Location: Canada
Quote:
Originally Posted by Wyodiver33
First of all, TFP Rules! Secondly, Spybot does keep pestering me every few seconds. Tried a system restore, didn't work. Used Norton, etc, still a problem.
I'm not completely convinced this is actually malware. Does anyone know what the false positive rate for Spybot S&D is?

Do you use prxchk for anything? If not, the simplest solution may be to just get rid of it. You might be able to do an uninstall through the control panel, but if not you can still do it manually.

EDIT - As so often happens, another option occured to me immediately after hitting reply. In fact, I'm feeling sort of stupid for not thinking of it earlier. Have you tried running ad-aware? If not, install the latest version and try that. If we are dealing with some sort of malware, Ad-aware may be able to pick it up and remove it.

If it doesn't (and if you haven't tried it already) I would highly recommend removing prxchk from the blacklist, as I'm reasonably sure at this point that it is in fact benign. If neither Norton or Ad-aware (both with the latest definitions, I'm assuming) pick it up, it's probably safe.
__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame

Last edited by Martian; 03-24-2008 at 07:08 PM..
Martian is offline  
Old 03-24-2008, 07:47 PM   #13 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
Have tried Spybot, Ad Aware, Norton, etc.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-24-2008, 11:31 PM   #14 (permalink)
has a plan
 
Hain's Avatar
 
Location: middle of Whywouldanyonebethere
Quote:
Originally Posted by Martian
EDIT - As so often happens, another option occured to me immediately after hitting reply. In fact, I'm feeling sort of stupid for not thinking of it earlier. Have you tried running ad-aware? If not, install the latest version and try that. If we are dealing with some sort of malware, Ad-aware may be able to pick it up and remove it.

If it doesn't (and if you haven't tried it already) I would highly recommend removing prxchk from the blacklist, as I'm reasonably sure at this point that it is in fact benign. If neither Norton or Ad-aware (both with the latest definitions, I'm assuming) pick it up, it's probably safe.
Ad-Aware, A-squared, and Spybot are pretty good to pick up anything. A-squared is so good that it often will pick up a bunch of false positives.

Since you are using Tea Timer with spybot, why not just tell tea timer to deny the registry change and have it remember that action?

Also, are you making sure to immunize your system after every spybot update?
Hain is offline  
 

Tags
big, me or, prob


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 04:02 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360