Proxy Server detected by Hitman Pro


This topic is locked
18 replies to this topic

#1 FalafelCopter

Posted 04 July 2014 - 05:24 AM

Hi there!   I had a run in with the GorillaPrice Adware a few weeks back and followed the steps described in the following guide: http://malwaretips.com/blogs/gorillaprice-virus/

 

After running each of those programs a few times I got to a point where they weren't finding any problems anymore and my computer had returned to its original functionality. However, every time I ran Hitman Pro it detected a proxy server on the computer. I ignored that because it sounded innocuous, maybe something related to our router. A week later I was informed that my MMO account was banned due to my being hacked. I contacted their customer service and was informed that their records indicated that they had gained access to my account through a compromised email account. They asked me to secure the computer before unlocking my account. I ran AdwCleaner and Hitman Pro again and both detected a bunch of problems again. I'm not entirely sure if I have some lingering malware from before that went unnoticed by the scans or if I picked up some new ones in the last week. After doing some searching I found out that the proxy servers could be a very serious issue, so I'm here to see if we can clear that and generally secure the computer.

 

I have Windows 8.1 so I was not able to run DDS as per the preparation guide. I ran FRST instead as per this topic: http://www.bleepingcomputer.com/forums/t/535133/do-you-have-dds-for-vista-81/ It might be useful to incorporate that information into your guide, as I lost a bit of time trying to figure out why DDS wasn't working. :D

 

Anyway, here is FRST.txt:

Spoiler

 

And addition.txt

 

Spoiler

 

And my hitman pro log: 

 

Spoiler

 

 

And for good measure here's adwcleaner's log:

 

Spoiler

 

The Junkware Removal Tool:

 

Spoiler

 

And finally I ran the ESET online scanner:

 

Spoiler

 

I spoilered out the log files for ease of viewing but was not asked to do this.   I hope that doesn't cause some problems.  :0

 

Thanks!   I'm kind of excited.  This is the first time I've run into a malware issue this hard to clean up!





#2 HelpBot (Bleepin' Binary Bot)

Posted 09 July 2014 - 05:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/539872 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 FalafelCopter (Topic Starter)

Posted 09 July 2014 - 12:27 PM

Hello, I am replying again as per your cute robot. As I mentioned before, Hitman Pro has been detecting a proxy server on my computer, and running multiple malware detection tools has not cleared it. I'm not sure whether this is a problem I need to worry about, or if I cleared the bit of malware which caused me to get my MMO account and possibly my email address compromised earlier.

 

Anyway since I have 64 bit windows I was not able to run DDS, but I was able to run the Farbar Recovery Scan Tool as instructed by another thread on this forum.   My logs are as follows:

 

FRST.txt:

Spoiler

 

And Addition.txt:

Spoiler

 

And to finish it off, let's run Hitman Pro again for good measure:

 

Spoiler

 

Wait, what?   The proxy server is gone?  That's new.  Give me a sec to reboot and we'll see if it comes back.

 

Edit: Yep, according to Hitman the proxy server is gone now. I guess the 25th time I ran it was the charm? So okay, what I would like is some info on whether my computer is really and truly clean now. If you think it is then I guess it's okay to close this topic?


Edited by FalafelCopter, 09 July 2014 - 12:59 PM.


#4 nasdaq (Malware Response Team)

Posted 12 July 2014 - 07:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found in your FRST log; this is some cleanup.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKLM-x32 - DefaultScope value is missing.
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

end
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

====

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

From your last note I understand that the Proxy issue is solved.

Post the logs requested above for my review.

#5 nasdaq (Malware Response Team)

Posted 16 July 2014 - 08:37 AM

Are you still with me?

#6 FalafelCopter (Topic Starter)

Posted 18 July 2014 - 01:09 AM

Hello, yes I'm still here.  Thank you for the response.   I've been very busy this week but I will follow your steps now.  :D
 

Step 1:  Running the FRST Fix.   Success.   Log is as follows:

 

Spoiler

 

And I ran that security thing:  

 

Spoiler

 

Lastly I'm running Hitman Pro again to see if the proxy server is still gone.   Hey look, it's back again!   I guess I do need help still after all.   Hitman log follows:

 

Spoiler

 

Thanks for all the help so far. :D


Edited by FalafelCopter, 18 July 2014 - 01:48 AM.


#7 nasdaq (Malware Response Team)

Posted 18 July 2014 - 08:42 AM



Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u65.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 60

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Hitman Pro is reporting these. Google the files in bold and decide if you want to keep them.
C:\Users\CJ\AppData\Local\PunkBuster\AC3\pb\PnkBstrK.sys
C:\Users\CJ\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
C:\Users\CJ\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
C:\Users\CJ\Documents\Assassin's Creed III\pb\pbcl.dll
C:\Users\CJ\Documents\Assassin's Creed III\pb\pbcls.dll


Tools we used.
C:\Users\CJ\Desktop\FRST-OlderVersion\FRST64.exe <- Delete this one.
C:\Users\CJ\Desktop\FRST64.exe <- Keep this one; move it to a folder of your choice. It's to be used next time you report a problem with the computer.
C:\Users\CJ\Downloads\MiniToolBox (1).exe <- Delete it
C:\Users\CJ\Desktop\MiniToolBox.exe <- delete it.

Remove the Chrome cookies.
https://support.google.com/chrome/answer/95647?hl=en

Delete these cookies in bold.
C:\Users\CJ\AppData\Local\Microsoft\Windows\INetCookies\59TNS98V.txt
C:\Users\CJ\AppData\Local\Microsoft\Windows\INetCookies\75723OZU.txt
C:\Users\CJ\AppData\Local\Microsoft\Windows\INetCookies\E4IWHE8J.txt
C:\Users\CJ\AppData\Local\Microsoft\Windows\INetCookies\SEGSEPR8.txt
C:\Users\CJ\AppData\Local\Microsoft\Windows\INetCookies\TOVL5F1J.txt

===

Do you need this proxy for your games?

Proxy server on this computer (User)
127.0.0.1:13081

Proxy server on this computer (User)
127.0.0.1:13081


If not
Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:13081 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.
===

If you use Firefox remove the proxy settings also.
http://support.mozilla.com/en-US/kb/Firefox+cannot+load+websites+but+other+programs+can?s=proxy+settings&as=s
===

#8 FalafelCopter (Topic Starter)

Posted 21 July 2014 - 01:40 PM

Java and Adobe have been updated.   The programs you suggested have been deleted.  Cookies are cleared for both chrome and internet explorer.  (Why did I even have cookies in internet explorer?  I literally used it once to download chrome when I put together this computer.)

 

The four pbcl files you linked are all punk buster, an online cheating prevention service installed by certain high profile PC games.  They can stay. :D

 

Now, here's the tricky part.    I tried to turn off the proxy settings, and there was no reference to that IP address.   I'm not using it for games and was only aware of it because Hitman Pro alerted me to the fact that it was running.     I chose "Automatically detect settings" but that doesn't seem to have done anything, because Hitman Pro is still detecting it.   On the plus side, with all the cookies gone, that was the cleanest scan it's done yet!

 

Looks like we still need to work on this if the proxy server is a threat.    Is it possible that it's malware related or is it something going on with my router?

 

Thanks for all the help so far!



#9 nasdaq (Malware Response Team)

Posted 22 July 2014 - 06:44 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
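A way to inspect the same per-user proxy settings from PowerShell, as an added example that is not from this thread or from any of the tools it mentions: it reads the registry values behind the Internet Options "LAN settings" dialog (post #7) and does what the MiniToolBox "Report IE Proxy Settings" / "Reset IE Proxy Settings" options do (post #9). The port it reports, the loopback check and the -Reset switch are the example's own choices.

```powershell
# Added example, not from the thread: audit the per-user WinINet proxy values
# that Internet Explorer writes and that Hitman Pro's "Proxy server on this
# computer (User)" finding reflects. Run it as the affected user (not from
# another account's elevated prompt), because the values live in that user's
# HKCU hive.
param([switch]$Reset)   # -Reset clears an enabled loopback proxy after reporting it

$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Key = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

# Values WinINet honours; a value that has never been written reads as $null.
$Enabled = if ($null -ne $Key.ProxyEnable) { [int]$Key.ProxyEnable } else { 0 }
$Server  = [string]$Key.ProxyServer      # e.g. "127.0.0.1:13081" or "http=host:port;https=host:port"
$Pac     = [string]$Key.AutoConfigURL    # proxy auto-config script, empty when none is set

"ProxyEnable   : $Enabled"
"ProxyServer   : $Server"
"AutoConfigURL : $Pac"

# A proxy on the loopback address means a process on this machine sits between
# the browser and the network. Local filtering tools do this legitimately, so
# identify the listening process before deciding the entry is unwanted.
$LoopbackProxy = $false
if ($Enabled -eq 1 -and $Server -match '(?:^|;)(?:https?=)?(?:127\.0\.0\.1|localhost):(\d+)') {
    $LoopbackProxy = $true
    $Port = [int]$Matches[1]
    $Listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if ($Listener) {
        $Proc = Get-Process -Id $Listener.OwningProcess -ErrorAction SilentlyContinue
        "Loopback proxy on port $Port is served by PID $($Listener.OwningProcess): $($Proc.Path)"
    } else {
        "Loopback proxy on port $Port is configured but nothing is listening (stale entry, or its process is not running right now)"
    }
}
if ($Pac) { "A PAC script is configured; check where it comes from: $Pac" }

if ($Reset -and $LoopbackProxy) {
    # Same effect as unchecking "Use a proxy server" in Internet Options.
    Set-ItemProperty -Path $KeyPath -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $KeyPath -Name ProxyServer -ErrorAction SilentlyContinue
    "Proxy disabled. Restart browsers (or log off) so WinINet re-reads the settings, then re-run the scan."
}
```

The "Automatically detect settings" checkbox is stored separately, in the binary DefaultConnectionSettings value under the Connections subkey, and is left untouched here. A listener that disappears and reappears across reboots, as in this thread, points at a process that re-registers the proxy at startup, which is why a report of the owning process is worth more than the setting alone.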


#10 FalafelCopter (Topic Starter)

Posted 22 July 2014 - 12:55 PM

Here you go.  :D

 

Spoiler



#11 nasdaq (Malware Response Team)

Posted 22 July 2014 - 01:00 PM

How is it now?

#12 FalafelCopter (Topic Starter)

Posted 22 July 2014 - 01:06 PM

I ran Hitman Pro again. The proxy server appears to still be there. Fewer cookies this time though!

 

Spoiler


#13 nasdaq (Malware Response Team)

Posted 23 July 2014 - 07:05 AM

If this tool finds the Proxy, remove it.


--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#14 FalafelCopter (Topic Starter)

Posted 26 July 2014 - 04:48 AM

RogueKiller stalled out on initialization the first time I ran it and I had to close the process via the Task Manager to get out, but it worked like a charm the second time. It looks like it found a bunch of stuff. :0

 

Spoiler

 

I ran Hitman Pro again and the proxy appears to be gone.  I'll reboot in the morning and see if it comes back.  :D


Edited by FalafelCopter, 26 July 2014 - 04:55 AM.


#15 nasdaq (Malware Response Team)

Posted 26 July 2014 - 07:20 AM

Good work.

Keep me posted.



