Is Chrome/DNS/Proxy Hijacked? a.spdse.com


4 replies to this topic

#1 jonas914

Posted 21 October 2014 - 01:22 AM

I have a user that installed some adware inadvertently. I'm not 100% sure which one exactly since a helpful manager tried to fix the PC himself with MalwareBytes and who knows what else.

I ran some scans with rkill and TDSSKiller, Combofix, AdwCleaner, and Junkware Removal. Everything comes up clean. But I'm convinced something is still left behind because when I browse to pages that are completely static, that I made myself, I see Chrome momentarily go to other addresses. One that I see repeatedly is:

"Waiting for a.spdse.com..."

That looks like an address for "Save Path Deals" adware to me.

I don't see this behavior indication in IE.

I tried resetting Chrome, and uninstalling Chrome, but it's still the same.

The only thing I'm sure of is that I should not see any reference to "a.spdse.com" when I go to any of my own pages. Where could this be coming from?

While writing this, I found a clue: the proxy settings are being hijacked. It's being set to 127.0.0.1 port 8000, and even if I disable it or change it, it goes right back!

What service could be running that isn't being detected?




#2 jonas914 (Topic Starter)

Posted 21 October 2014 - 02:36 AM

Ugh, I've been trying everything I can think of, no luck.  It still immediately reverts back to 127.1/8000



#3 jonas914 (Topic Starter)

Posted 21 October 2014 - 03:50 AM

Hmm, I may have fixed it. The only method that seemed to have any effect on it was here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

I changed the first octet of 0008 from 03 to 09 and that seemed to make the setting to not use a proxy persistent. I still don't understand why it was stuck though. And what set it to 127.0.0.1:8000? If it was malware and it was already gone, could it have still jacked up the proxy settings? If all the tools come up clean, and this was the only thing, do you assume I'm likely all right?

FYI, I found the information here:

http://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/lan-connection-settings-keep-changing-back-to/76a0f5d2-167f-41fa-bf40-1461b8c01642

I take it all back. It just reverted again...


Edited by jonas914, 21 October 2014 - 03:52 AM.


#4 jonas914 (Topic Starter)

Posted 22 October 2014 - 12:32 PM

FYI, found the culprit.  Even though it was clean, there was a setting in the task scheduler to put the proxy back if it was changed.



#5 jonas914 (Topic Starter)

Posted 27 October 2014 - 09:20 PM

So, I have an additional question (not that anybody replied in the first place though)... I've been thinking. When the proxy server was set to the following:

127.0.0.1:8000

Internet browsing mostly went out, but I noticed hits to other servers like the one in my original post, a.spdse.com and others. How did it go there in the first place? Is something mischievous still on the computer monitoring port 8000?

Right now, it's "fixed" and everything works fine and tests clean, but I'm curious why it worked like it did in the first place?

Anybody?
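Added example, not from jonas914 or from BleepingComputer: a read-only PowerShell audit that covers the three things this thread turned on. Post #3 hand-edited the `DefaultConnectionSettings` binary value; post #4 found a scheduled task that kept re-applying the proxy; post #5 asks whether anything is still listening on 127.0.0.1:8000. The script decodes the binary value, lists the plain-text proxy values next to it, enumerates scheduled tasks whose actions mention proxy settings, and maps any listener on the proxy port to its process. Assumptions: the blob layout used here (version, change counter, flags, then three length-prefixed strings: proxy server, bypass list, PAC URL) is the commonly documented one, with flag bits 0x01 direct, 0x02 manual proxy, 0x04 autoconfig URL, 0x08 auto-detect, so the 03 to 09 edit in post #3 cleared the manual-proxy bit and set auto-detect; `Get-ScheduledTask` and `Get-NetTCPConnection` need Windows 8 / Server 2012 or later; the regex pattern and the port number are values I chose from the thread and should be adjusted to what you see on your own host.

```powershell
# Added example (not the thread's code). Read-only: nothing here changes the host.
# Assumes Windows 8 / Server 2012+ for Get-ScheduledTask and Get-NetTCPConnection.

# 1. Decode the DefaultConnectionSettings blob that post #3 edited by hand.
#    Assumed layout (commonly documented): DWORD version, DWORD change counter,
#    DWORD flags, then three length-prefixed ASCII strings: proxy server,
#    bypass list, autoconfig (PAC) URL. Flag bits: 0x01 direct, 0x02 manual
#    proxy, 0x04 autoconfig URL, 0x08 auto-detect. 0x03 = direct + manual proxy,
#    0x09 = direct + auto-detect, which is the 03 -> 09 change from post #3.
function ConvertFrom-ConnectionSettings {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 12) { throw 'DefaultConnectionSettings blob is too short' }
    $flags   = [BitConverter]::ToUInt32($Bytes, 8)
    $pos     = 12
    $strings = @('', '', '')
    for ($i = 0; $i -lt 3 -and ($pos + 4) -le $Bytes.Length; $i++) {
        $len  = [BitConverter]::ToUInt32($Bytes, $pos)
        $pos += 4
        if ($len -gt 0 -and ($pos + $len) -le $Bytes.Length) {
            $strings[$i] = [Text.Encoding]::ASCII.GetString($Bytes, $pos, $len)
        }
        $pos += $len
    }
    [pscustomobject]@{
        Version       = [BitConverter]::ToUInt32($Bytes, 0)
        ChangeCounter = [BitConverter]::ToUInt32($Bytes, 4)
        Flags         = '0x{0:X2}' -f $flags
        ManualProxy   = [bool]($flags -band 0x02)
        AutoConfigUrl = [bool]($flags -band 0x04)
        AutoDetect    = [bool]($flags -band 0x08)
        ProxyServer   = $strings[0]
        BypassList    = $strings[1]
        PacUrl        = $strings[2]
    }
}

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$blob = (Get-ItemProperty -Path "$inetKey\Connections" -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($blob) {
    Write-Host '== DefaultConnectionSettings (decoded) =='
    ConvertFrom-ConnectionSettings -Bytes $blob | Format-List
}

# 2. The plain-text view of the same setting (what the LAN settings dialog shows).
Write-Host '== Internet Settings values =='
Get-ItemProperty -Path $inetKey | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 3. Scheduled tasks whose actions touch proxy settings: the persistence that
#    post #4 found. The pattern is my assumption; widen it if a task runs a
#    script file, since the proxy write would then be inside that file.
$pattern = 'Internet Settings|ProxyServer|ProxyEnable|DefaultConnectionSettings|winhttp'
Write-Host '== Scheduled tasks referencing proxy settings =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 4. Is anything listening on the hijacked proxy port (post #5's question)?
#    8000 is the port from the thread; change it to match your own finding.
$proxyPort = 8000
Write-Host "== Listeners on TCP $proxyPort =="
Get-NetTCPConnection -LocalPort $proxyPort -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            ProcessId    = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Format-Table -AutoSize
```

Run it in the affected user's own session: both registry keys live under HKCU, so an elevated prompt opened as a different administrator account shows that account's proxy settings, not the victim's. If section 3 turns up a task, the order of remediation that matches post #4 is to disable or remove the task first and only then reset the proxy; resetting first just hands the task another chance to put it back. An empty result in section 4 after the proxy is cleared is consistent with what post #5 describes: once the scheduled task stopped re-pointing the browser at 127.0.0.1:8000, the thing that had been answering on that port was no longer part of the picture, which is why browsing recovered.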





