Spyware problem - Persistent proxy server setting for dial up connection -



I have a problem on a Windows XP Home system. I have cleaned out hundreds of bits of ad/spyware, run Trend Micro Antivirus, Bitdefender antivirus, Adaware, Spybot, Microsoft Anti-Spyware, and all of these tools now report clean. I used HijackThis to clean out other nasties, and the problem persists. I cannot find any reason for the proxy setting to continually return, but it does. If I delete the entries with HijackThis, uncheck the 'Use Proxy' in the dial up settings (it's a Sagem USB ADSL modem - Very nasty!) then I can connect - Once. Then, subsequently the proxy setting has returned. I know this is spyware related, but I cannot resolve it, and I am tearing my hair out. Here is the HijackThis log, which doesn't show anything untoward as far as I can see (The WinMX application is clean):

Logfile of HijackThis v1.99.1
Scan saved at 23:53:34, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Any help will be gratefully received. In fact, if you can resolve this one for me then I'll definitely sign up for a years paid subscription!

Thanks a lot.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Also do a check with stinger:

Try this.  Do a global scan on the start page then select each item at the side eg spyware, trojan, etc and scan each of them, you can then go up the list find out which ones are on and click on the icon for them above and click remove.

Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

N20netSteveAuthor Commented:
Sorry, should have stated that I also used Stinger!

I don't know what Ewido is - I'll investigate.

Disable XP system Restore, THEN run a Highjack this and tick these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
N20netSteveAuthor Commented:

Sorry, my original query had some information missing (I have done a lot of work on this machine - It's hard to remember it all!) - System restore was the first thing I switched off, and those two entries also get deleted with HijackThis. The problem is, they are reinstated every time the ADSL modem connection is tried (even if the ADSL line isn't connected to the modem)

Thanks for all the suggestions so far.

Uninstall all the ADSL modem stuff and re-install - u on tiscali?
N20netSteveAuthor Commented:

It was originally a Tiscali service, but I've created another connection to my ISP (Mailbox Internet) which is also suffering. Have you had these issues with Tiscali? The proxy server isn't a Tiscali server - There's some information here: http://forums.techguy.org/t407327.html, but no solution either. This seems to be very low incidence, but very hard to remove.

It's currently running an Ewido scan. AdwareAway found nothing!

Chris ColemanCommented:
Ok, this is comment and not an answer, it 's perhaps strange that you're getting the same proxy server as I did before my problem was solved .. and exactly the same symptoms--


I have looked up the proxy in Whois and get,

oXeo Networks
OrgID:      OXEONE
Address:    90 admiralty loop
City:       staten island
StateProv:  NY
PostalCode: 10309
Country:    US

www.oxeon.com is redirected to http://www.axinet.fr/  ...
                                                              So probably no joy there ?

--By the way did you search the registy for ProxyEnable as descibed in my origional question, I think you must have ..

-- If you boot in safe mode, and remove the proxy from the registry, then start the connection a few times does it reoccur ..


N20netSteveAuthor Commented:
Hello Chris,

I did indeed do it all from Safe Mode, and remove the registry keys for Proxy Enable and the Proxy Server IP. It comes back every time.

I saw your original query - In fact I posted my query at the end of yours, before I understood how EE worked!

Thanks a lot for the comments.

Chris ColemanCommented:
Apologies, the above should say, http://www.oxeo.com/ is a hosting service in the USA, maybe they can provide information on the invalid proxy. I will email them ..

Also I know I'm way off topic, I'll stop now.

Greetings, N20netSteve !

Run Rootkit Revealer to find the program creating the proxy

N20netSteveAuthor Commented:
Hello war1,

I ran Ewido, and it took a VERY long time to complete the scan (about 180 minutes on about 3GB of data). After this the HijackThis scan still showed the proxy setting, but I deleted it (again!) and rebooted. It appears to have sorted the problem out, but I need to wait a while before I can try it in anger as I need to disconnect the office ADSL service in order to connect up.

As regards rootkit revealer, it completed a scan, and reported no discrepancies. This was after the Ewido phase, though.

I emailed Oxeo, expecting it to fall on deaf ears, and this is what came back within a couple of hours!:
(This is from an address of efp@gmx.net)

Dear Stephen,

In order to delete the software and to restore the previous internet
settings to your computer, please de-install the software titled “Internet
Connection Control” via the Windows Settings.

Best Regards,


Technical Support

On Di, Oktober 18, 2005 18:10, Manuel Kreutz wrote:
> Hello,

> Please look into this and contact the user (scasey@**********)
> or me regarding this issue.

> Sincerely,

> ---
> Manuel Kreutz
> OXEO - Superior Hosting
> eMail : mk@oxeo.com

> Toll Free: 1-866-ASK-OXEO

> Begin forwarded message:

>> ==============================================
>> Posted By: Stephen Casey Posted On: 18 Oct 2005 08:09 AM
>> ==============================================
>> Hello,
>> I am trying to fix a machine with a problem. The Internet
>> connection keeps
>> having a proxy server set up, IP I have
>> tried
>> many, many things to resolve this issue, and so far failed. There
>> is more
>> information here:
>> http://www.experts-exchange.com/Operating_Systems/WinXP/
>> Q_21598640.html
>> So, in desperation I am emailing you to ask if you can shed any
>> light on
>> this problem?
>> Thanks for your time.
>> Regards
>> Stephen Casey.

I deleted the Internet Connection Control last night - That didn't fix the problem!

Sorry this is a long post. I hope it's sorted out now. I shall post back when I have tried it completely.


N20netSteveAuthor Commented:
It would appear that it's not sorted out! I revisited the 'Add Remove Programs' option, and there was "Internet Connection Control"! So, I tried to uninstall it (again) and this time my anti-virus software (BitDefender) and anti-spyware (Microsoft Anti-Spyware) both crash, and then the computer crashes to a blue screen, with a message:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
A process or thread crucial to system operation has unexpectedly exited or been terminated.

Technical information:

*** STOP: 0x000000F4 (0x00000003,0x81D97AE8,0x81D97C5C,0x805F9F88)
Hmm... I have emailed 'Omar' to ask him what to do. Let's see what he says. I'm impressed that Oxeo seemed to take it seriously - The email to me from them asked me to email their abuse department if the problem isn't solved.

N20netSteveAuthor Commented:
Well, the PC seems pretty knackered now - Login problems, Control Panel won't respond, can't run any apps and the AV and Anti-Spyware are also shot!

Time for a bit of FDisk, I think.

I can't express the contempt that I feel for these virus and malware authors. I have wasted about 12 hours so far on a machine that I quoted two hours labour for. And now I need to start from the ground up. I may modify my policy - Got spyware/virus troubles? I'll spend 15 minutes on it, and if it's not fixed then it's nuke time. No more 'Just another 5 minutes' attitude - It's hardly ever worth it.

Thanks for all the suggestions.

Steve, sorry that you had to reformat.  Hopefully, you have picked up some tools for future use.
N20netSteveAuthor Commented:
Thanks war1,

I have indeed found Ewido and rootkit revealer.

I'll update this thread if I get anything back from 'Omar' or Oxeo.

I don't really know what to do with the points - I only have 150 so far, and I think the question was worth more. I'll look back through the thread and split them up among  a few - I bet you can't wait!

Thanks for all the help. I think I'll take the money I get from this repair and buy a years subscription. However, I may just spend it on beer. Undecided at the moment. Each strategy has attractions!

Yeah I know how you feel about the spyware/adware/malware - it's the SOLE reason why I keep an external usb hard disk with several ghost images of the standard PC configs we use here.  Might be worth your while to do this also - it takes some time to load all the applications and get it configured right, then ghosting it, but believe me it'll save you HOURS in the future.

I'm going to invent a malware tracer that traces the author and sends an electrical surge when it detects headphones being used - in my mind I can see ears being fried, ahh well I can but dream,

good luck
N20netSteveAuthor Commented:
My problem is that I fix PCs for a disparate (desperate?!) group of people. It's not a controlled office environment - It's a small domestic PC repair thing, so every PC is different (in every way) and of course everybody wants their system returned to them with the same apps and data as when I took it away, but working.

Have you any experience of installing an image created on one system onto a different system? I tried this in the days of Win98, and it was a baaaaad idea. However I've heard that XP is much better in this regard. I just haven't bothered trying. Maybe I should raise another question? Just need to get some points! But, then there are all the issues about installation keys etc.....

Ah well, looks like the balance is tipping in favour of the beer!


Steve, when you talking about imaging, I assume you mean using Norton Ghost.  Ghost works if the hardware are exactly the same.
N20netSteveAuthor Commented:
Hello war1,

That's what I thought. I don't use Ghost. I use Acronis TrueImage, but it's the same thing. Sadly it would appear that it's largely irrelevant!

Thanks to all. The PC now has a brand new, fresh copy of XP SP2, and I'm just trying to locate my Office XP Pro with FrontPage CD in order to put that back in.......... Then it's time for Windows Update, Sygate, Bitdefender, Microsoft Anti-Spyware. Then it should be usable for about a week before they call me back with more spyware issues.

Chris ColemanCommented:
Steve, glad you're up and  running again, I guess I was lucky with that one.. Although I should add that my client had two copies of Encyclopeda Brittania on hs PC, over 1400,000,000 individual fies had to be scanned by Norton AV, after two hours scanning we deleted them, thats when I found the p(r)oxy problem here, 10 hours later .. how do explain that  too a client ?

               They sell a nice beer over here called 'chase your tail', which sounds pretty good to me !


ps. These hijacking, virus headed, spyware dudes, will get their rewards in PC purgatory..
Steve, any update?
N20netSteveAuthor Commented:
Hi war1,

No updates I'm afraid. I just reinstalled it all from the ground up. Didn't give them back their nasty Ares p2p software. They were insistent on p2p software though, so I put on WinMX and gave them a lesson in safe surfing.

Oxeo didn't respond to my second email. A shame, but not a surprise.

This beat me I'm afraid. I kept an image of the drive, in case it's categorised in the future. I'd like to know what it was that occupied several evenings of my life.

Thanks for the rootkit revealer tip. I ended up buying this:
Absolutely awesome book. If you're into coding and security it's worth every penny. I am looking forward to some long dark winter evenings, with the kids in bed, a pot of coffee and my compiler!

Thanks for all the help. I've split the points up three ways, and 'accepted' the HijackThis solution, as that *should* have sorted it, so was good advice.


Steve, good to hear you got rid of the problem, even though you had to reinstall.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.