
Unable to Remove Proxy, 127.0.0.1:8000, Loopback.


7 replies to this topic

#1 b.barnes2112


Posted 15 January 2015 - 06:45 PM

Hello All.  I have been a fan of this site for quite some time, and usually things do not escalate to the point in which I need assistance.  However, I am afraid that with this proxy issue that is indeed the case.  I will give you a summary.
 
HP Laptop / Windows 7 HP 64-bit SP1 / Mechanical HDD / Office 2010 Installed / Updated to Current Status as of 01-15-15 / Drivers up-to-date and have no event logs indicating driver problems.  Machine has been cleaned of apparent infections, however, the system is replicating a proxy setting in the registry for 127.0.0.1 Loopback on LAN Connection Settings.  Outbound and inbound network traffic and ports, services, etc... are being monitored through every step of my processes excluding scans in which the disk is offline.  System was disinfected by sequential methods using process killers, rootkit removers, malware removal tools, BHO removers, and cleanup utilities (i.e. CCleaner).  Upon restart however, the proxy reverts to the state of 127.0.0.1 loopback.
 
RogueKiller finds and removes 2 Registry entries.  PUM.Proxy 127.0.0.1 and the loopback are found and removed without issue (out of 14 "runs", the first 2 of those times when the system was less "sanitized" I had error 2 on attempt to remove the registry keys, and this was alleviated by running Tweaking AIO and did not occur since).  RogueKiller does find EAT Hooks on explorer.exe associated with Kernelbase.dll and kernel32.dll and some other normal Windows DLLs, the only suspicious one being apphelp.dll.  The address of the hooks being 0x77d800** (** = 40, 28, and 10).  Unknown Path, Unknown Module.
 
I have used HijackFree and HijackThis.  Nothing out of place in HijackFree, no lowercase "system" trying to listen or anything like that lol.
-- HijackThis finds the proxy settings set back to the 127 and loopback on every restart.
 
Mod Edit:  Merged topics - Hamluis.
 
I have done CHKDSK /f, sfc /scannow reports nothing out of the ordinary.  I also used Tweaking AIO and repaired the normal stuff along with registry permissions, file associations, etc... all the stuff that would make sense in this scenario.  I have examined the TCP/IP stack, along with port - service correlation etc... nothing out of the norm. I proceeded to reset securities and permissions.
 
So you're probably thinking the next logical deduction would be instances of malware, the obvious being a rootkit, right?
 
GMER, Farbar, HijackFree were used between each instance for monitoring purposes. Nothing unusual appeared.
 
I ran on multiple troubleshooting sessions (running process killers between each instance) Mbar, Comodo, Bitdefender, ERARemover, TDSS, PowerEraser, HJT, Emsisoft EK, Rootkit Revealer, RootkitBuster, Stinger, ASWmbr and so forth with just about every tool at my disposal for rootkit removal.
 
If it was file-based, I am fairly certain the offline (Windows not initialized) scans with Avira RD, Kaspersky RD, ESET Live, coupled with the online (running from Windows) scans of the above stated plus Superantispyware, MBAM, HMP, JRT, ADWcleaner, MSE, Pc-decrapifier, Kaspersky, etc... would have hopefully found something so I could submit samples like I did with reddit when I was assisting in documenting the Poweliks generator crap.
 
So I am kind of at a loss... Event Viewer doesn't say anything out of the norm either. I just hope it is not a new fileless malware.  I did take it into consideration and sifted through logs keeping JavaScript and svchost in mind... alas, nothing.  I will appreciate any help in the matter.
 
I have quite a Swiss army knife of tools, so if you guys need any logs or anything let me know. Thanks!


Edited by hamluis, 16 January 2015 - 09:12 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 Phantom010


Posted 15 January 2015 - 07:01 PM

In my opinion, you still need assistance with malware removal. However, if by any chance malware has been completely eradicated, it may have messed up registry keys and values, and set policies.

 

 

Before running Windows Repair (All In One), please do the following:

 

Press the Windows key + R to open a Run box. Copy/Paste the following command:

regedit /e C:\Look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

Press Enter.

You won't notice anything. However, it will have created a report on your C drive named Look. Copy/paste the content into your next reply.

 

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Try the portable version of Windows Repair (All In One).
 
Once you've extracted the Tweaking.com - Windows Repair folder, open it and click on PwbGpDx.png to run the program.
 
Go to step 5, backup the registry and create a restore point:
 
 
 
 
Click Next:
 
 
 
 
Click on Open Repairs.

 

 

 

 

Select the circled items and deselect the others.
 
Click on box next to the Restart/Shutdown System when Finished.
 
Click on Restart System.
 

Disabling your antivirus is recommended before running the repairs.

 

Click on Start Repairs:
 
 



#3 b.barnes2112


Posted 15 January 2015 - 07:54 PM

Apologies, accidental incomplete post, please disregard (sorry guys)



#4 b.barnes2112


Posted 15 January 2015 - 07:55 PM

I have finished the completed post, with the same topic name, apologies mods



#5 b.barnes2112


Posted 15 January 2015 - 08:32 PM

In reply to Phantom010 in my accidental incomplete post (please disregard, sorry guys)

 

------------

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

 

------------


Edited by b.barnes2112, 15 January 2015 - 08:32 PM.


#6 Phantom010


Posted 15 January 2015 - 09:44 PM

Thank you for the registry keys. No policies have been set up in them.

 

Did you have time to try Windows Repair (All In One)?

 

http://www.bleepingcomputer.com/forums/t/563364/unable-to-remove-proxy-1270018000-loopback/#entry3597378
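
For reading an export like the one requested and posted above, here is an added example (not part of the original posts): it parses `regedit /e` output and lists proxy-related values, flagging any that point at loopback. The value names checked are the standard WinINET ones and are an assumption here, both samples are constructed, and because regedit writes the file as UTF-16, Look.txt should be opened with `encoding="utf-16"`.

```python
import re

# Standard WinINET proxy value names (assumed here; not listed in the thread).
PROXY_VALUES = {"proxyenable", "proxyserver", "proxyoverride",
                "autoconfigurl", "proxysettingsperuser"}
LOOPBACK = re.compile(r"\b(127\.\d+\.\d+\.\d+|localhost)\b", re.I)

def decode(raw):
    """Turn exported data into an int (dword) or str; other types stay raw."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit export text."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode(m.group(2))
    return keys

def proxy_findings(keys):
    """List (key, name, data, points_at_loopback) for proxy-related values."""
    return [(path, name, data, bool(LOOPBACK.search(str(data))))
            for path, values in keys.items()
            for name, data in values.items()
            if name.lower() in PROXY_VALUES]

# Constructed sample: the same two empty keys as the export posted in the thread.
EMPTY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"""
# Constructed sample: what a policy-enforced loopback proxy would look like.
POLICY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser"=dword:00000000
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8000"
"""
```

An empty result from `proxy_findings` on the policies key only rules out a policy-set proxy; the same parser can be run over an export of any other key.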



#7 noknojon


Posted 15 January 2015 - 09:49 PM

Hello b.barnes.

2 fairly simple options for you to try -

 

First -

Reset the Hosts file automatically, click the Fix it link below.
Click Run in the File Download dialog box, and then follow the steps in this M/soft Fix it wizard. >> http://go.microsoft.com/?linkid=9668866

 

Second -

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. Note: Windows 8.1 users will not be able to run DDS and create a log.

When you have done that, Copy and Paste your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one, to prevent others answering incorrectly.

 

Unless there is a decent answer to you, I would (personally) do no more "playing" around with the computer ......You may do more harm than good ! !

 

Regards -



#8 Ranjith S V


Posted 16 January 2015 - 08:19 AM

Hai,

      Good Evening.

Attached Files

  • Attached File  Look.txt   466bytes   11 downloads




