Hello all. I have been a fan of this site for quite some time, and usually things do not escalate to the point at which I need assistance. However, I am afraid that with this proxy issue that is indeed the case. I will give you a summary.
HP Laptop / Windows 7 HP 64-bit SP1 / Mechanical HDD / Office 2010 installed / Updated to current status as of 01-15-15 / Drivers up-to-date and no event logs indicating driver problems. The machine has been cleaned of apparent infections; however, the system is replicating a proxy setting in the registry for 127.0.0.1 loopback in the LAN Connection Settings. Outbound and inbound network traffic, ports, services, etc. are being monitored through every step of my process, excluding the scans in which the disk is offline. The system was disinfected by sequential methods using process killers, rootkit removers, malware removal tools, BHO removers, and cleanup utilities (i.e. CCleaner). Upon restart, however, the proxy reverts to the 127.0.0.1 loopback state.
RogueKiller finds and removes 2 registry entries. PUM.Proxy 127.0.0.1 and the loopback are found and removed without issue (out of 14 "runs", on the first 2, when the system was less "sanitized", I had error 2 on attempting to remove the registry keys; this was alleviated by running Tweaking AIO and has not occurred since). RogueKiller does find EAT hooks on explorer.exe associated with Kernelbase.dll and kernel32.dll and some other normal Windows DLLs, the only suspicious one being apphelp.dll, the addresses of the hooks being 0x77d800** (** = 40, 28, and 10). Unknown path, unknown module.
I have used HijackFree and HijackThis. Nothing out of place in HijackFree, no lowercase "system" trying to listen or anything like that lol.
-- HijackThis finds the proxy settings set back to the 127 and loopback on every restart.
Mod Edit: Merged topics - Hamluis.
I have done CHKDSK /f, and sfc /scannow reports nothing out of the ordinary. I also used Tweaking AIO and repaired the normal stuff along with registry permissions, file associations, etc., all the stuff that would make sense in this scenario. I have examined the TCP/IP stack, along with port-service correlation, etc. Nothing out of the norm. I proceeded to reset securities and permissions.
So you're probably thinking the next logical deduction would be instances of malware, the obvious one being a rootkit, right?
GMER, Farbar, and HijackFree were used between each instance for monitoring purposes. Nothing unusual appeared.
I ran, in multiple troubleshooting sessions (running process killers between each instance), MBAR, Comodo, Bitdefender, ERARemover, TDSSKiller, Power Eraser, HJT, Emsisoft EK, RootkitRevealer, RootkitBuster, Stinger, aswMBR and so forth, with just about every tool at my disposal for rootkit removal.
If it was file-based, I am fairly certain the offline (Windows not initialized) scans with Avira RD, Kaspersky RD, and ESET Live, coupled with the online (running from Windows) scans of the above plus SuperAntiSpyware, MBAM, HMP, JRT, AdwCleaner, MSE, PC Decrapifier, Kaspersky, etc., would have hopefully found something so I could submit samples, like I did with Reddit when I was assisting in documenting the Poweliks generator crap.
I have quite a Swiss Army knife of tools, so if you guys need any logs or anything, let me know. Thanks!
Edited by hamluis, 16 January 2015 - 09:12 AM.
Moved from Win 7 to Am I Infected - Hamluis.
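The symptom in the post is a WinINET proxy value that is re-applied at every restart even though the usual cleaners remove it. A practical way to find what re-applies it is to snapshot the proxy-related registry values together with the common autostart locations before and after a reboot, then diff the two snapshots: the re-applied ProxyServer value will show up alongside whatever Run entry, task or WinHTTP setting appeared with it. The script below is an added example and is not code from the original post or from any of the tools it names. It assumes Windows 7 SP1 with PowerShell 2.0 or later, run from an elevated prompt so HKLM is readable; the registry paths, `schtasks` and `netsh winhttp` are standard Windows locations and commands, and the output file names are arbitrary choices.

```powershell
# Added example, not code from the original post. Assumes Windows 7 SP1 with
# PowerShell 2.0 or later, run from an elevated prompt so HKLM is readable.
# Registry paths and the schtasks/netsh commands are standard Windows locations
# and tools; the output file names below are arbitrary choices.
#
# Usage:  .\Get-ProxySnapshot.ps1 before.txt    (after cleaning, before reboot)
#         .\Get-ProxySnapshot.ps1 after.txt     (once the proxy has reverted)
#         Compare-Object (Get-Content before.txt) (Get-Content after.txt)
# Lines marked "=>" exist only in the second snapshot: the re-applied
# ProxyServer value plus whatever autostart entry or task appeared with it.

param([string]$OutFile = 'proxy-snapshot.txt')

# Mount HKEY_USERS so the .DEFAULT hive (used by services) can be inspected.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# WinINET proxy settings, per user and machine-wide.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$proxyValues = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

# Common autostart keys that could re-write the proxy setting at logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-ProxySnapshot {
    $lines = @()

    # Named WinINET values (ProxyServer is where 127.0.0.1:port would appear).
    foreach ($key in $proxyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $proxyValues) {
            $value = $props.$name
            if ($value -ne $null) { $lines += "$key\$name = $value" }
        }
    }

    # The "LAN settings" dialog also writes a binary blob; record it as hex so
    # a change to it shows up in the diff even if the named values look clean.
    $connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $conn = Get-ItemProperty -Path $connKey -ErrorAction SilentlyContinue
    if ($conn -and $conn.DefaultConnectionSettings) {
        $hex = [BitConverter]::ToString([byte[]]$conn.DefaultConnectionSettings)
        $lines += "$connKey\DefaultConnectionSettings = $hex"
    }

    # Every value under the autostart keys, one line per entry.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $lines += "$key\$($p.Name) = $($p.Value)"
        }
    }

    # WinHTTP proxy is separate from WinINET and is what services use.
    $lines += (netsh winhttp show proxy | ForEach-Object { "winhttp: $_".Trim() })

    # Scheduled tasks: schtasks repeats the CSV header per task folder, so drop
    # rows whose TaskName column is literally "TaskName".
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -eq 'TaskName') { continue }
        $lines += "task: $($t.TaskName) runs: $($t.'Task To Run') as: $($t.'Run As User')"
    }

    return $lines
}

Get-ProxySnapshot | Sort-Object -Unique | Set-Content -Path $OutFile
Write-Host "Snapshot written to $OutFile"
```

The snapshot deliberately records the WinHTTP proxy and the HKU\.DEFAULT hive as well as HKCU, because a service running as SYSTEM can write the per-user value at logon without ever appearing in the user's own Run keys; diffing all of these at once narrows the search to the entry that changed between the two snapshots rather than to the whole machine.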