
Proxyenabled keeps reappearing



#1 Skyfire888


Posted 11 June 2014 - 04:09 PM

I recently cleaned my PC from the Wajam malware and some other one installed from updating Daemon Tools Lite. But now, every time I run RogueKiller it keeps showing the same registry settings like ProxyEnable 1, and a ProxyServer. And under Antirootkit it just says Object IAT, module unknown. I've tried all these programs so far to scan: AdwCleaner, RogueKillerx64, HitmanPro, OTL, RKill, Sophos, and TDSSKiller. What can I do to get rid of this proxy enabling?





#2 noknojon


Posted 11 June 2014 - 05:44 PM

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

RKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Copy and Paste it in your next reply.

NOTE. RKill.txt log will also be present on your desktop.

 

Important : Do not reboot your computer yet, but download and run this next scan.

 

 

Malwarebytes Anti-Malware Free version 1.75.0 has now been upgraded to Version 2.0.2

Any problems with this, please just ask.

 

* Download Malwarebytes Anti-Malware and save it to your desktop
* Double click the desktop icon, click Run, then OK
* Click Next
* Select I accept the agreement then continue to click Next then finally click Install
** Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
* If you are notified the Database is out of date click Update Now
* Click Scan Now >>
----------
** Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
* Click Start (Start, Search, All files and folders for Windows XP) then type mbam
* Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com
----------
** When completed click the down arrow on Export Log and select Text file (*.txt)
* Save the file to your desktop as MBAM
* Click Apply Actions then restart your computer if requested
* Copy and paste the contents of MBAM.txt in your reply

 

 

When finished -

Please download Temp File Cleaner by Old Timer to your desktop
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button.  TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK to reboot your computer and finish the cleanup.


#3 Skyfire888


Posted 11 June 2014 - 06:37 PM

Rkill 2.6.6 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/11/2014 03:59:36 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 localhost
 
Program finished at: 06/11/2014 03:59:48 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)
 
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.06.11.08
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17126
Johann :: ASUS-ROG [administrator]
 
6/11/2014 4:00:54 PM
mbam-log-2014-06-11 (16-00-54).txt
 
Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 490276
Time elapsed: 34 minute(s), 58 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 


#4 noknojon


Posted 11 June 2014 - 06:44 PM

Malwarebytes Anti-Malware 1.75.0.1300 << Please note this version has been replaced for some time now.
 

Malwarebytes Anti-Malware version 1.75.0.1300 has now been upgraded to Version 2.0.2

Please follow Removal and Update methods. (link is to Malwarebytes site) if required -

 

Apart from that, there is nothing showing ..


Edited by noknojon, 11 June 2014 - 06:44 PM.


#5 Skyfire888


Posted 11 June 2014 - 06:46 PM

Also let me add that every time I restart, a shortcut to My Computer and my user profile folder keeps reappearing even if I deleted them before rebooting. I'm guessing the malware affected some group policy in order to keep the proxy enabled. The malwares I cleaned were Trolatunt, Wajam, OpenCandy, Highlightly, and Somoto. I still have them quarantined in Malwarebytes.

 

This is a log from days ago:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.06.05.13
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17107
Johann :: ASUS-ROG [administrator]
 
6/5/2014 4:34:36 PM
mbam-log-2014-06-05 (16-34-36).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250360
Time elapsed: 3 minute(s), 14 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 4
HKCR\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} (PUP.Optional.BrowseFox.A) -> Quarantined and deleted successfully.
HKCU\Software\trolatunt (PUP.Optional.Trolatunt.A) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Update trolatunt (PUP.Optional.Trolatunt.A) -> Quarantined and deleted successfully.
HKLM\Software\trolatunt (PUP.Optional.Trolatunt.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 1
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|gethighlightly@gethighlightly.com (PUP.Optional.Highlightly.A) -> Data: C:\Program Files (x86)\Mozilla Firefox\extensions\gethighlightly@gethighlightly.com -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\$Recycle.Bin\S-1-5-21-648671964-1769031948-1812062652-1002\$R2KEARR.exe (PUP.Optional.Trolatunt.A) -> Quarantined and deleted successfully.
C:\Users\Johann\AppData\Local\Temp\bitool.dll (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Johann\AppData\Local\Temp\DTLite4491-0356.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Johann\AppData\Local\Temp\wajam_download_new.exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Users\Johann\Local Settings\Temporary Internet Files\Content.IE5\7YU8Y7H9\BiTool[1].dll (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
 
(end)
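
As an added example (not part of the thread or any poster's advice), a read-only PowerShell check of where a reappearing ProxyEnable/ProxyServer pair is coming from. The Internet Settings paths are the standard WinINET locations and are an assumption, since the thread does not quote the RogueKiller output; the firewall key is the one shown in the RKill log above.

```powershell
# Added example, not from the thread. Read-only: it reports values and changes nothing.
# Avoids PowerShell 3+ syntax so it runs on the PowerShell 2.0 shipped with Windows 7 SP1.
$inet = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$keys = @(
    @('User setting',             "HKCU:\Software\$inet"),
    @('User policy',              "HKCU:\Software\Policies\$inet"),
    @('Machine setting',          "HKLM:\SOFTWARE\$inet"),
    @('Machine setting (32-bit)', "HKLM:\SOFTWARE\Wow6432Node\$inet"),
    @('Machine policy',           "HKLM:\SOFTWARE\Policies\$inet")
)
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL', 'ProxySettingsPerUser'

function Get-ProxyRegistryReport {
    foreach ($k in $keys) {
        $label, $path = $k
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        if (-not $props) { continue }          # key exists but holds no values
        foreach ($n in $names) {
            $p = $props.PSObject.Properties[$n]
            if ($p) {
                New-Object PSObject -Property @{ Layer = $label; Name = $n; Value = $p.Value }
            }
        }
    }
}

$report = @(Get-ProxyRegistryReport)
$report | Select-Object Layer, Name, Value | Format-Table -AutoSize

# Values under a Policies key are policy-managed: clearing the per-user
# ProxyEnable value does not remove them, so the proxy appears to "come back".
$managed = @($report | Where-Object { $_.Layer -like '*policy' -and $_.Name -ne 'ProxySettingsPerUser' })
if ($managed.Count -gt 0) { 'Proxy values are set by policy; find what writes the Policies key.' }

# ProxySettingsPerUser = 0 in the machine policy key makes WinINET read the proxy from HKLM.
$perUser = @($report | Where-Object { $_.Name -eq 'ProxySettingsPerUser' -and $_.Value -eq 0 })
if ($perUser.Count -gt 0) { 'Proxy settings are machine-wide; check the HKLM values above.' }

# WinHTTP keeps a separate proxy used by services; netsh prints it.
netsh winhttp show proxy

# The RKill log in this thread also reported the firewall off in this key (0 = disabled).
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
'StandardProfile EnableFirewall = ' + (Get-ItemProperty -LiteralPath $fw).EnableFirewall
```

Running it once before and once after a reboot shows which layer is rewritten between the two runs.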


#6 noknojon


Posted 11 June 2014 - 07:28 PM

Quarantined and deleted successfully. << That is what we like to see

These items have been Deleted and are not Quarantined any more, so they should not be there.

They were fully removed when you rebooted, or restarted your computer.

 

Database version: v2014.06.11.08 << You are still using the old Malwarebytes Anti-Malware version.
Please follow my directions and links above to Remove and Update your version of Malwarebytes Anti-Malware.
 
 
If you are still having any problems with those above items, and for a general cleanup, please read on (also your user profile) .......
 
1. Go to Add/Remove Programs in Control Panel or Programs and Features if using Vista/Windows 7/8. From within Add/Remove Programs look for anything odd in your list and select Remove.

2. Open your browser and disable (uncheck) all extensions. Make a list, then one by one, re-enable each extension to see if the pop-ups (problems) start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it but let me know which one it was so I can update our lists.
This is a list of general "How To" projects for you to follow ....... (Never click on Advertising in these links, or anywhere) ...
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

3. If the above did not resolve the problem, then create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome




