Proxy Server automatically turns on


This topic is locked
20 replies to this topic

#1 Okremm

Posted 09 May 2015 - 12:07 PM

Good day!

My computer has the tendency to turn on "Use a proxy server" with an IP address of 127.0.0. (I can't remember the last number).

While browsing through this forum, I noticed that the moderators often give a fixlist for Farbar. Also, I found that each fixlist was unique to the person asking for help. So, I was hoping that someone can help me with the problem.

Pasted below is the MBAM log. I deleted the PUM.Bad.Proxy using MBAM, but the proxy turned on again after about a day.

Thank you kindly,

Okremm

+++++++++++++++++++++++++++++++++

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/9/2015
Scan Time: 11:17:35 PM
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.08.07
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352299
Time Elapsed: 16 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-21-4036279912-1196733202-2470012660-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [56e1fa9744468ea802a56ef1739254ac]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#2 B-boy/StyLe/

Posted 11 May 2015 - 07:40 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop. Don't kill any malicious processes on your own.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Make sure that Addition.txt is checked before you press the Scan button.
  • Press the Scan button.
  • It will make 2 logs (FRST.txt and Addition.txt) in the same directory the tool is run from. Please copy and paste them into your reply.

Regards,

Georgi


#3 B-boy/StyLe/

Posted 13 May 2015 - 11:46 AM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.

Thank you for your understanding.


Regards,
Georgi




#4 Okremm

Posted 13 May 2015 - 11:57 PM

Hello, sorry, scanning now.



#5 Okremm

Posted 14 May 2015 - 12:18 AM

Here it is. Attached below.


#6 Okremm

Posted 14 May 2015 - 12:24 AM

I had to use zip for the FRST file.

Attached File: FRST.zip (63.85KB, 4 downloads)


#7 B-boy/StyLe/

Posted 14 May 2015 - 05:00 PM

Hi,

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Let me know how things are after the fix above.

Regards,

Georgi


#8 Okremm

Posted 15 May 2015 - 11:10 AM

The virus usually appears every 24 hours. I have to wait another 24 just to make sure. So far, it has yet to come up.



#9 B-boy/StyLe/

Posted 15 May 2015 - 11:18 AM

Hi, please post the Fixlog.txt.

Regards,

Georgi


#10 Okremm

Posted 15 May 2015 - 11:30 AM

Sure thing.

 

 

Attached Files



#11 B-boy/StyLe/

Posted 15 May 2015 - 02:05 PM

Hi,

Let's check for malware leftovers:

STEP 1

Please download Malwarebytes Anti-Malware 2.1.6.1022 Final to your desktop.

  • Double-click mbam-setup-2.1.6.1022.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box:
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the scan log which shows the date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your reply.

STEP 2

1. Please download HitmanPro.

  • For 32-bit Operating System (a mirror is also available).
  • For 64-bit Operating System (a mirror is also available).

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

Note: ProgramData is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

STEP 3

  • Download Emsisoft Emergency Kit, run the exe and extract the content to a folder of your choice (like C:\EEK) by clicking the Extract button.
  • Double-click the desktop shortcut called Start Emsisoft Emergency Kit to start the tool.
  • Click on the "Yes" button when asked to obtain the latest malware definitions.
  • Once the update is complete, click "Scan".
  • Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
  • Next click on Full Scan. When the scan is complete, click on the View Report button (don't delete or quarantine anything).
  • Please copy and paste the content of the report in your next reply.

Regards,

Georgi


#12 Okremm

Posted 16 May 2015 - 01:15 AM

Emsisoft Log

Emsisoft Emergency Kit - Version 9.0
Last update: 5/16/2015 12:34:38 PM
User account: ZN-201501231753\Admin

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    5/16/2015 12:40:00 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN -> NETWORKINFORMER     detected: Trojan.Win32.Zbot (A)
Value: HKEY_USERS\S-1-5-21-4036279912-1196733202-2470012660-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-4036279912-1196733202-2470012660-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
C:\FRST\Quarantine\C\Program Files (x86)\AFC Secure Net\amjob.exe     detected: Trojan.GenericKD.2357643 (B)
C:\FRST\Quarantine\C\Program Files (x86)\AFC Secure Net\itff.exe     detected: Trojan.GenericKD.2358114 (B)
C:\FRST\Quarantine\C\Program Files (x86)\AFC Secure Net\ssnet.dll     detected: Trojan.GenericKD.2357767 (B)
C:\Program Files\KMSpico\AutoPico.exe     detected: Riskware.MSIL.HackTool (A)
C:\Program Files\KMSpico\Service_KMS.exe     detected: Riskware.MSIL.HackTool (A)

Scanned    256197
Found    8

Scan end:    5/16/2015 2:01:44 PM
Scan time:    1:21:44
 


HitmanPro log

 

HitmanPro 3.7.9.241
www.hitmanpro.com

   Computer name . . . . : ZN-201501231753
   Windows . . . . . . . : 6.3.0.9600.X64/8
   User name . . . . . . : ZN-201501231753\Admin
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (19 days left)

   Scan date . . . . . . : 2015-05-16 11:35:07
   Scan mode . . . . . . : Quick
   Scan duration . . . . : 2m 26s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 0

   Objects scanned . . . : 4,661
   Files scanned . . . . : 4,661
   Remnants scanned  . . : 0 files / 0 keys
 

MBAM log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/16/2015
Scan Time: 11:44:34 AM
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.16.01
Rootkit Database: v2015.05.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354940
Time Elapsed: 23 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


I haven't 'Quarantined selected' the Emsisoft stuff yet.
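
An added check, not from the thread or from any of the tools it names: a read-only PowerShell audit a defender can re-run after the roughly 24-hour window the poster describes, covering the artifacts the MBAM and Emsisoft logs above reported (the per-user loopback proxy, the DisableTaskMgr/DisableRegistryTools policy values and the Run key). It assumes Windows 8 or later for Get-NetTCPConnection; the registry paths are the ones in the logs, and the loopback-listener lookup is this example's own addition.

```powershell
# Added example (not from the thread): re-audit the artifacts the MBAM and
# Emsisoft logs reported. Read-only: it reports findings and changes nothing.
$findings = @()

# 1. Per-user WinINet proxy (MBAM flagged ProxyServer = 127.0.0.1:8118 here).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) {
    $findings += "Proxy enabled: $($p.ProxyServer)"
    if ($p.ProxyServer -match '^(127\.|localhost)') {
        # A loopback proxy only works if a local process listens on that port,
        # so name the owner of the listener (Get-NetTCPConnection needs Win 8+).
        $port = [int](($p.ProxyServer -split ':')[-1])
        Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $findings += "  loopback listener on port $($port): PID $($_.OwningProcess) $($proc.Path)"
            }
    }
}

# 2. Policy values Emsisoft flagged under HKU\<SID>\...\Policies\System.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$s = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    if ($s -and $s.$name -eq 1) {
        $findings += "Policy $name = 1 (blocks the user's own diagnostic tools)"
    }
}

# 3. Autostart entries; Emsisoft flagged the Wow6432Node Run key (NETWORKINFORMER).
$runKeys = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Drop the provider metadata properties so only real Run values are listed.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { $findings += "Run entry [$k] $($_.Name) = $($_.Value)" }
}

if ($findings.Count) { $findings } else { 'No proxy, policy or Run-key findings.' }
```

If the proxy value comes back after a clean run, the Run entries and the listener's process path are the first places to compare between two runs, since something must be re-writing the value.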



#13 B-boy/StyLe/

Posted 16 May 2015 - 02:54 AM

Hi,

There is no need to delete anything with Emsisoft. The malicious files are already quarantined by us and they are rendered harmless.

The rest of the files are part of your Windows activation cracks... This is playing with fire though.
Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications like LibreOffice, GIMP, Linux.
Malware writers just love cracks and keygens, and will often attach malicious code to them. By using cracks and/or keygens, you are asking for problems.
So my advice is: stay away from them! If you like Microsoft Windows and Microsoft Office, I suggest that you purchase them.

Do you recognize this file?

C:\Downloads\setup.exe

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link => Virustotal

When the Virustotal page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\Downloads\setup.exe

Note: if VT says the file has already been analysed, make sure you click the Reanalyse button.

Please post back the link with the results of the scan in your next post and let me know how things are now.

Regards,

Georgi


#14 Okremm

Posted 16 May 2015 - 05:04 AM

I highlighted over the file and it says Fraps Installer, Beepa Pty Ltd. The antivirus scan stated:

"Probably harmless! There are strong indicators suggesting that this file is safe to use."

Is it okay to just delete the file, seeing as I uninstalled it a while back?

It has only recently come to light that the OS I'm using is not legitimate. I intend to buy the real version if I can figure out how to unlock my driver.


#15 B-boy/StyLe/

Posted 17 May 2015 - 04:13 AM

Hi,

Yes, we can delete the file if you no longer need it.

STEP 1

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

STEP 2

Before I let you go, I'd like to scan your machine with ESET OnlineScan.

Since ESET could take up to an hour or even more depending on the size of your hard drive and the speed of your computer, I suggest that you run this scan at night when you are not there and the computer is idle.

  • Please download and run the exe from the link below:
    ESET OnlineScan
  • Check the Accept terms box.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check the option beside: Enable detection of potentially unwanted applications
  • Now click on Advanced Settings and make sure that the option Remove found threats is NOT checked, and select the following:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
    • Click on the Change button and select only Operating memory and drive C:\
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List Threats.
  • Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

STEP 3

Also, let's check for outdated and vulnerable software on your PC.

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

And then, if there aren't any issues left, I'll give you my final recommendations.

Let me know of any remaining issues.

Regards,

Georgi




