
Remove proxy setting 127.0.0.1:8800


  • This topic is locked
29 replies to this topic

#1 sdray_

sdray_

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 29 November 2014 - 12:00 AM

Hi,

 

I've been following a few recent threads of people in a similar position. I repeatedly manually disable a proxy server only to find it keeps returning.

 

Please see the attached FRST.txt and addition.txt from FRST. Might someone recommend what text I should include in my fixlist.txt to remove the problems? 

 

Thanks!

Attached Files




#2 sdray_


Posted 29 November 2014 - 03:29 PM

Hello,

 

I'm attaching the reports from AdwCleaner as well since it looks like most other posts ask for them.

 

Thanks!

Attached Files



#3 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:48 AM

Posted 29 November 2014 - 04:24 PM

Hi sdray_ and Welcome to BleepingComputer.
 
Please do not make any more changes to your machine.

I am reviewing your situation with my mentor and will advise you on what to do in my next reply.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#4 seedy21


Posted 29 November 2014 - 05:55 PM

Hi sdray_

Before we continue I can see some specialised software on your machine. Can you confirm if this machine is a Work or a Personal machine? If it's a work machine do you have permission to fix it?

Thank you



#5 sdray_


Posted 29 November 2014 - 10:43 PM

It is a personal machine and I have administrative rights.

 

Thank you.



#6 seedy21


Posted 30 November 2014 - 04:00 AM

Hi sdray_

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by me
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours, if you are going to be away for longer please let us know or the topic will be closed for being inactive
  • If you are using Cracked or Illegal software your thread will be closed
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

As you have made some changes I need a New FRST and Additional Logs

Please delete your copy of FRST then Download Farbar Recovery Scan Tool and save it to your Desktop.

  • Double-click the downloaded icon to run the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.



#7 sdray_


Posted 30 November 2014 - 09:21 AM

Hi Seedy21,

 

Thank you so much for your help. I will follow the procedures you have outlined for this forum.

 

I've deleted my old version of FRST.exe and all its folders, downloaded the program through the link you provided, and ran the scan as instructed. Please find my updated FRST and additional files attached and let me know how to proceed.

 

Thanks.

Attached Files



#8 seedy21


Posted 30 November 2014 - 04:50 PM

Hello Sdray_

Your new log shows us that you have run Zoek
 

2014-11-28 22:36 - 2014-11-28 22:16 - 00024064 _____ () C:\Windows\zoek-delete.exe
2014-11-28 22:19 - 2014-11-28 22:39 - 00012080 _____ () C:\zoek-results.log
2014-11-28 22:16 - 2014-11-28 22:34 - 00000000 ____D () C:\zoek_backup
2014-11-28 22:15 - 2014-11-28 22:16 - 01294848 _____ () C:\Users\steve\Downloads\zoek.exe


Zoek is a specialised tool that can cause damage to your machine if you don't know what you are doing. Please do not run any more tools unless I instruct you.

Can you confirm you installed Chrome Remote Desktop Host on your machine?

Step 1

  • Click on Start -> Control Panel -> Add/Remove Programs
  • Uninstall the following Programs:-
    Bonjour
    Idle Crawler
    Pando Media Booster
  • Close the Add/Remove Programs and Control Panel
  • Restart your computer

Step 2

Make sure FRST is on your DESKTOP

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the Desktop as fixlist.txt



CloseProcesses:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2115480003-4009880752-3695228751-1000\...\Run: [Pando Media Booster] => C:\Program Files\Pando Networks\Media Booster\PMB.exe [3093624 2013-02-01] ()
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin HKU\S-1-5-21-2115480003-4009880752-3695228751-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CHR HomePage: Default -> hxxp://www.delta-search.com/?babsrc=HP_ss&mntrId=02EF50E549C5399B&affID=120007&tsp=4931
CustomCLSID: HKU\S-1-5-21-2115480003-4009880752-3695228751-1000_Classes\CLSID\{31261F21-2B16-45EE-BEAB-07C4CFA18B65}\InprocServer32 -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CustomCLSID: HKU\S-1-5-21-2115480003-4009880752-3695228751-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\steve\AppData\Roaming\moters\mentste.dll No File <==== ATTENTION
Task: {5A7CC77A-3325-46B1-97FB-83B4BE9D9CF8} - System32\Tasks\Microsoft\Windows\Maintenance\Update IC => %LOCALAPPDATA%\1A0BF894-A7DF-8547-6500-000000B100\Runner.exe
Task: {766A52E3-BCBB-4605-8259-4D98184028F0} - System32\Tasks\Runner IC => %LOCALAPPDATA%\1A0BF894-A7DF-8547-6500-000000B100\Runner.exe
Task: {AC4CA538-ABF0-4426-9FCC-CBBCA7F9E3B9} - \PastaQuotes No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\steve\Downloads\Super Mario Bros. 3__3435_il6757.exe:typelib
C:\Users\steve\AppData\Local\1A0BF894-A7DF-8547-6500-000000B100\
C:\Users\steve\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpscy9we.dll
C:\Program Files\Pando Networks\
C:\Users\steve\AppData\Roaming\moters\
EmptyTemp:

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt) please post it to your reply.

Step 3

Scan with RogueKiller

Please download RogueKiller and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the RogueKiller icon and select Run as Administrator to start the tool.
  • Wait patiently until the pre-scan is done. It shouldn't take more than 2-3 minutes.
  • Accept the Terms of use.
  • When the Scan button becomes available, please click it. RogueKiller will start a full scan.
  • Let this process run uninterrupted!
  • When finished, a Report button will become available. Click it. You will be presented with a logfile.

Please include the content of this logfile in your next reply.




#9 sdray_


Posted 30 November 2014 - 05:56 PM

Hi Seedy21,

 

Yes, I had knowingly installed Chrome remote desktop for personal use some time ago.

 

Thank you for reiterating that I shouldn't run anything apart from what you advise. I had already run Zoek after my initial posting, but before learning that I shouldn't do anything except what you recommend. I am strictly following your orders now!

 

I followed your directions and have attached both the Fixlog.txt and the RogueKiller log.

Please advise next steps.

 

Thank you very much for all your help!

 

Attached Files



#10 seedy21


Posted 01 December 2014 - 02:57 PM

Hi sdray_
 
I would like you to re-run FRST

  • Double-click the downloaded icon to run the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.

Can you tell me if you are still having the proxy issues?




#11 sdray_


Posted 02 December 2014 - 08:46 AM

Hi seedy21,

 

Unfortunately I am still having the same proxy issues. I tried changing my LAN settings manually to disable the proxy, but it is re-enabled automatically.

 

Here are the two log files from my FRST re-run.

 

Thanks for your help.

Attached Files



#12 seedy21


Posted 02 December 2014 - 02:29 PM

Hi sdray_

 

I am going to need a bit of time to look through your logs again.

 

Can you tell me if you have this issue with any other computer/ mobile phone/ tablet in your house?




#13 sdray_


Posted 02 December 2014 - 09:15 PM

Thanks for sifting through the logs some more.

 

I don't have this issue on any other device in the home and only recently got the message on the impacted computer.



#14 seedy21


Posted 03 December 2014 - 04:49 PM

Hi Sdray_
 
Step 1
 
Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the Desktop as fixlist.txt
 

CloseProcesses:
REG: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
REG: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
REG: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v MigrateProxy /f
REG: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /f
REG: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /f
REG: reg delete "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies" /ve /f
CMD: ipconfig /flushdns
EmptyTemp:

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt) please post it to your reply.
 
Step 2
 
I see you currently have Malwarebytes Anti-malware still installed on your machine

  • Open the program and next to Database Version select Update Now
  • Once it has updated select Settings > Detection and Protection > Tick Scan for rootkits
  • Go back to the Dashboard and select Scan Now
  • If threats are detected, click the Apply Actions button, MBAM will ask for a reboot
  • On completion of the scan (or after the reboot) select View Detailed Log
    Select Export > Select text file and save to the desktop.

Please post that log for my review.


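Added example (not part of the thread, and not FRST's own code): a Python check for the condition the fixlist in post #14 resets, an Internet Settings proxy that points back at the local machine, as with the 127.0.0.1:8800 in the topic title. It parses the text printed by `reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"`; the sample output, the per-protocol ProxyServer value and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `reg query` output for the HKCU key the fixlist edits.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:8800;https=127.0.0.1:8800
"""

VALUE_LINE = re.compile(r"^ {4}(\S.*?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Return {value_name: data} from reg.exe value lines; REG_DWORD becomes int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, kind, data = m.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def proxy_endpoints(proxy_server):
    """Split 'host:port' or 'http=host:port;https=host:port' into tuples."""
    endpoints = []
    for part in filter(None, proxy_server.split(";")):
        scheme, _, addr = part.rpartition("=")
        host, _, port = addr.split("://")[-1].partition(":")
        endpoints.append((scheme or "all", host, port))
    return endpoints

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (IPv4 forms only here)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_proxy(values):
    """List proxy endpoints that point back at the local machine."""
    state = "enabled" if values.get("ProxyEnable", 0) == 1 else "set but disabled"
    return [f"{scheme}: loopback proxy {host}:{port} ({state})"
            for scheme, host, port in proxy_endpoints(values.get("ProxyServer", ""))
            if is_loopback(host)]

if __name__ == "__main__":
    print("\n".join(audit_proxy(parse_reg_query(SAMPLE))))
```

Running the same check before and after a reboot shows whether the value has been written back, which is the symptom described in this topic.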


#15 sdray_


Posted 03 December 2014 - 07:54 PM

Hi seedy21,

 

I was able to run the new fixlist, but after restarting following the fix, I could not log into windows. The OS would start to load, but only a blank windows screen would ever show up. I could never enter my user name and password. I went into safemode to retrieve the fixlog, which is attached.

 

I didn't try running the ADware scan in safemode in order to check in with you first.

 

Any other ideas?

Attached Files





