Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

proxy server setting is hijacked


  • Please log in to reply
12 replies to this topic

#1 rgrbckr

rgrbckr

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 December 2014 - 10:51 AM

Hi, The proxy server setting is hijacked and keeps resetting to 127.0.0.0 port 8000. I do not use proxy to connect to the internet. The reset happens after a reboot. I am running windows 8.1 on a dell inspiron 17r. Can anyone help with this please?



BC AdBot (Login to Remove)

 


#2 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 11:10 AM

Hello there,

 

I'm not sure there's anything malicious about 127.0.0.0 port 8000.. it's the default server.

 

I'm sure someone will correct me if I'm wrong through.

 

Thanks,

Lighthouse Party



#3 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 21 December 2014 - 11:17 AM

Yes I know that this is the default server but when I uncheck the box and then restart the computer and try to get on internet again it comes up with proxy server error. I look in internet options and the box for proxy server is checked again. How can I fix this so it will stop defaulting to use a proxy server?



#4 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 11:50 AM

Hello there,

 

Do you remember making any changes to your computer? Do you have any VPN programs installed?

 

Is 'proxy server error' the full message you receive? When do you receive the error?

 

Please download MiniToolBox to your desktop

  • Double click MiniToolBox.
  • Select the following and then press go.
  • Post the log in your next reply.

Flush DNS
Reset IE Proxy Settings
Reset FF Proxy Settings
List Installed Programs
List Restore Points

 

Thanks,

Lighthouse Party


Edited by LighthouseParty, 21 December 2014 - 11:50 AM.


#5 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 December 2014 - 12:01 PM

I am working on a friends computer. She must have downloaded something that contained ad ware. ran adwcleaner and hit man pro. Found 2 Trojans with hit man. There are no vpns installed.

 

MiniToolBox by Farbar  Version: 30-11-2014
Ran by Chris (administrator) on 21-12-2014 at 11:56:19
Running from "C:\Users\Chris\Downloads"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

=========================== Installed Programs ============================
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 15.0.0.356 - Adobe Systems Incorporated)
Adobe AIR (x32 Version: 15.0.0.356 - Adobe Systems Incorporated) Hidden
Blackboard IM 4.1.0-C (HKLM-x32\...\Blackboard IM) (Version: 4.1.0-C - Blackboard)
CCleaner (HKLM\...\CCleaner) (Version: 5.00 - Piriform)
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.4 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.4 - Dell Inc.)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.1 - Synaptics Incorporated)
EverQuest (HKCU\...\soe-EverQuest) (Version: 1.0.3.183 - Sony Online Entertainment)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® PRO/Wireless Driver (Version: 16.01.5000.0577 - Intel Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology (HKLM\...\{0728A184-F899-4356-B93D-8228674F0DEB}) (Version: 2.6.1209.0268 - Motorola Solutions, Inc.)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.2.1000 - Intel Corporation)
Intel® Rapid Storage Technology (Version: 12.8.2.1000 - Intel Corporation) Hidden
Intel® Turbo Boost Technology Monitor 2.6 (HKLM\...\{6C9365EB-1F9E-4893-9196-3EC77C88D0C5}) (Version: 2.6.2.0 - Intel)
Intel® WiDi (HKLM\...\{6097158B-0184-4140-BEC3-7885794D2571}) (Version: 3.5.40.0 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{c9967fbd-e3c3-4ed0-992a-5b33260f2944}) (Version: 16.1.5 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (Version: 16.01.5000.0269 - Intel Corporation) Hidden
Intel® Trusted Connect Service Client (Version: 1.24.388.1 - Intel Corporation) Hidden
Lightspark 0.5.3-git (HKLM-x32\...\Lightspark) (Version: 0.5.3-git - Lightspark Team)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.15.018 - Dell Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6959 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.39030 - Realtek Semiconductor Corp.)
========================= Restore Points ==================================

07-12-2014 01:07:15 Checkpoint by HitmanPro
11-12-2014 04:10:20 Windows Update
21-12-2014 11:31:18 Checkpoint by HitmanPro

**** End of log ****



#6 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 12:10 PM

Hello there,

 

Let's run scans on your computer to check for malware, since two Trojans were detected.

 

:step1: Please download Malwarebytes Anti-Malware to your desktop

  • Double click mbam-setup-x.x.x.xxxx and follow the on-screen instructions.
  • On the dashboard, click update now.
  • After that, click scan now - the scan will now begin.
  • When the scan's completed, select apply actions - make sure the action is quarantine.
  • Restart your computer.

How to get the log.

  • On the dashboard, select the history tab and click application logs.
  • Select the log which has the time and date of when you did the scan.
  • Click copy to clipboard and paste it into your reply.

:step2: Please download Security Check to your desktop

  • Double click SecurityCheck and follow the on-screen instructions.
  • A log should open, called checkup.txt.
  • Please post the contents of it in your next reply.

:step3: Non-malware removal steps
 
Run System File Checker - http://support.microsoft.com/KB/929833
Run Disk Check - http://support.microsoft.com/kb/2641432
Run Disk Cleanup - http://windows.microsoft.com/en-gb/windows/delete-files-using-disk-cleanup

Thanks and good luck!


Edited by LighthouseParty, 21 December 2014 - 12:12 PM.


#7 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 21 December 2014 - 12:30 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/21/2014
Scan Time: 12:16:05 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.21.03
Rootkit Database: v2014.12.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320317
Time Elapsed: 10 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

 Results of screen317's Security Check version 0.99.93 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbam.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#8 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 12:32 PM

Hello there,

:step1: Please download rKill to your desktop

  • Double click it (Win 7, 8 and Vista users, right-click and select run as admin)
  • The tool will run and then a log file should open.
  • Please post the contents of it in your next reply.

Please don't restart your computer before running the next step.

:step2: Please download AdwCleaner to your desktop

  • Double click adwcleaner_x.xxx.exe. (Win 7, 8 and Vista users, right-click and select run as admin)
  • If prompted, click I agree.
  • Click scan. When it's finished, select clean.
  • Allow AdwCleaner to restart your computer.
  • Once your computer's restarted, a log should appear.
  • Please post this in your next reply.

:step3: Please download Junkware Removal Tool to your desktop

  • Double click JRT.exe. (Win 7, 8 and Vista users, right-click and select run as admin)
  • Press any key and the scan will begin.
  • At the end, a log will open. Please post this in your next reply.

:step4: Please visit the ESET Online Scanner webpage
:exclame: Internet Explorer MUST be used for this step.  :exclame:

  • Click the checkbox next to 'Yes, I accept the Terms of Use' and click start.
  • Select the checkboxes which are displayed in the picture below.

jqnp8z.png

  • Press start and the scan will now begin - this scan will take a long time.
  • When the scand finished, select list threats and then export.
  • Choose a name for the log (e.g ESET) and click save (to your desktop)
  • Press the back button and then click finish. Please include the contents of the log in your reply.

Edited by LighthouseParty, 21 December 2014 - 12:32 PM.


#9 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 December 2014 - 02:40 PM

Rkill 2.6.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/21/2014 01:05:34 PM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/21/2014 01:05:38 PM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)

 

 

# AdwCleaner v4.106 - Report created 21/12/2014 at 13:15:22
# Updated 21/12/2014 by Xplode
# Database : 2014-12-21.4 [Local]
# Operating System : Windows 8.1  (64 bits)
# Username : Chris - CHRIS
# Running from : C:\Users\Chris\Desktop\adwcleaner_4.106.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightspark 0.5.3-git
Folder Deleted : C:\Program Files (x86)\Lightspark 0.5.3-git

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Lightspark Team
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lightspark

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

*************************

AdwCleaner[R0].txt - [2814 octets] - [06/12/2014 19:43:37]
AdwCleaner[R1].txt - [1805 octets] - [21/12/2014 07:26:30]
AdwCleaner[R2].txt - [1201 octets] - [21/12/2014 13:14:08]
AdwCleaner[S0].txt - [2775 octets] - [06/12/2014 19:45:48]
AdwCleaner[S1].txt - [1869 octets] - [21/12/2014 07:33:53]
AdwCleaner[S2].txt - [1131 octets] - [21/12/2014 13:15:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1191 octets] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 8.1 x64
Ran by Chris on Sun 12/21/2014 at 13:20:12.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1671669301-2232883036-827637822-1001\Software\Microsoft\Internet Explorer\Main\\Start Page

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\WINDOWS\syswow64\ai_recyclebin"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/21/2014 at 13:21:56.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


C:\AdwCleaner\Quarantine\C\Program Files (x86)\SPDUpdater\uninstall.exe.vir a variant of Win32/Adware.Gertokr.D application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SPDUpdater\updater.exe.vir a variant of Win32/Adware.Gertokr.D application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
 



#10 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 02:42 PM

How is the PC now?



#11 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 21 December 2014 - 02:47 PM

going to reboot and see... be back in a sec.



#12 rgrbckr

rgrbckr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 December 2014 - 02:52 PM

Seems to be fixed.... Thank you very much for your help. If it reverts I will post again. But for now it is good.



#13 Guest_LighthouseParty_*

Guest_LighthouseParty_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2014 - 03:02 PM

Glad your issue is now resolved :)

For one last final step, please download Delfix from here and save it to your desktop. Right-click it and select run as administrator. Select the following and press run:

  • Remove disinfection tools
  • Purge system restore

To prevent infections in the future, I recommend you install the programs below:

Happy surfing!






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users