Hitman Pro finds IE proxy but no symptoms.


#1 NozzaC

Posted 16 January 2011 - 05:56 AM

My PC was recently infected with a fake AV. I found and removed its registry startups and associated files and all was working fine. As a precaution I also ran MBAM and Hitman Pro. MBAM found a few items and Hitman found that IE was running through a proxy port on 127.0.0.1. It would apparently fix this but the problem would be there on reboot. So I looked for a rootkit using TDSS Killer which found nothing. Gmer scan would not complete having a BSOD IRQ not equal error 10 mins into the scan. However sigverif found an unsigned driver file and Kernel Detective showed a few hooks, so I went offline to scan with the ERD/DART CD scanner which found an Alureon:F rootkit associated with that driver. I used Combofix for good measure which found a few files in temp file areas but I believe these were no longer active anyway.

So the current state of play is that the system is running fine. No signs of any redirection or symptoms. However Hitman Pro, and only that app, still finds that IE is running through the 127.0.0.1 proxy. Checking IE's proxy settings in IE or looking at the relevant reg key doesn't show that proxy.

So I'm trying to work out if this is just a Hitman error or if something really is still going on.

Any help gratefully received.
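A check a responder could run to reconcile a scanner's "IE proxy on 127.0.0.1" finding with what the Connections dialog shows, as an added example that is not part of this thread: it reads every registry location WinINET/IE consults for proxy configuration (per-user and per-machine values, plus the binary DefaultConnectionSettings blob that the dialog renders) and the separate machine-wide WinHTTP proxy. The blob layout used here follows the commonly documented but unofficial format and is an assumption, as is PowerShell 3.0 or later.

```powershell
# Added example: enumerate the places WinINET/IE can pick up a proxy setting.
$base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-InetProxyValues {
    param([string]$Hive)   # 'HKCU' (per-user) or 'HKLM' (machine-wide/policy)
    $key = Get-ItemProperty -Path "${Hive}:\$base" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive          = $Hive
        ProxyEnable   = $key.ProxyEnable
        ProxyServer   = $key.ProxyServer
        AutoConfigURL = $key.AutoConfigURL
    }
}

# DefaultConnectionSettings is REG_BINARY. Assumed (unofficial) layout:
# int32 version, int32 counter, int32 flags, then three length-prefixed
# ANSI strings: proxy server, bypass list, PAC URL.
function Parse-ConnectionSettings {
    param([byte[]]$Blob)
    if (-not $Blob -or $Blob.Length -lt 24) { return $null }
    $flags = [BitConverter]::ToInt32($Blob, 8)
    $pos = 12
    $strings = @(foreach ($i in 1..3) {
        $len = [BitConverter]::ToInt32($Blob, $pos); $pos += 4
        if ($len -lt 0 -or ($pos + $len) -gt $Blob.Length) { break }   # malformed blob
        [Text.Encoding]::ASCII.GetString($Blob, $pos, $len); $pos += $len
    })
    [pscustomobject]@{
        ManualProxyOn = [bool]($flags -band 0x02)   # 0x02 = "use a proxy server"
        PacScriptOn   = [bool]($flags -band 0x04)   # 0x04 = "use automatic configuration script"
        ProxyServer   = $strings[0]
        Bypass        = $strings[1]
        PacUrl        = $strings[2]
    }
}

'HKCU', 'HKLM' | ForEach-Object { Get-InetProxyValues $_ } | Format-Table -AutoSize | Out-Host

# Each named connection (not only the default one) has its own blob; the IE
# dialog only shows the connection currently selected.
$conn = Get-Item -Path "HKCU:\$base\Connections" -ErrorAction SilentlyContinue
if ($conn) {
    foreach ($name in $conn.GetValueNames()) {
        $val = $conn.GetValue($name)
        if ($val -is [byte[]]) {
            $parsed = Parse-ConnectionSettings $val
            if ($parsed) { Write-Output "Connection '$name':"; $parsed | Format-List | Out-Host }
        }
    }
}

# WinHTTP keeps its own machine-wide proxy, used by services rather than IE.
netsh winhttp show proxy
```

A 127.0.0.1 proxy that appears only in one of these locations, or only in a connection entry other than the one the dialog displays, would explain a scanner flagging it while the IE settings look clean.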


#2 cryptodan

Posted 16 January 2011 - 06:58 AM

Can you post the MBAM Logs?

#3 NozzaC

Posted 16 January 2011 - 07:59 AM

Hi

Thanks for the reply. Below is the original MBAM log which found items:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5500

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

10/01/2011 22:49:35
mbam-log-2011-01-10 (22-49-35).txt

Scan type: Quick scan
Objects scanned: 145386
Time elapsed: 29 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.164.35,93.188.160.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65CC53BF-D06E-439C-ADE2-D6B09F8A2C29}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.164.35,93.188.160.105) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\jackschris\AppData\Local\Temp\0.05591074014851627.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\jackschris\local settings\temporary internet files\Content.IE5\Z8PHQM63\irfvjtg[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\jackschris\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

#4 cryptodan

Posted 16 January 2011 - 04:25 PM

Please post in the Malware Removal Section on this site, and post back here.

#5 Orange Blossom

Posted 17 January 2011 - 08:03 PM

Hello,

You need to post more than just the MBAM log in that new topic. Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then please post them as a Reply to your topic ==>HERE<==. Since you have run ComboFix, please include the ComboFix log in the post.

If you cannot produce any of the other logs, then please create the new post anyway, include the information that you were unable to produce the other logs and why, and include the ComboFix log. I will then merge those logs to the initial post there.

Orange Blossom :cherry: