
Can't remove Proxy hijack 127.0.0.1 Port 8080


  • This topic is locked
6 replies to this topic

#1 sadisticpotato

sadisticpotato


Posted 12 August 2015 - 01:48 PM

Somebody I know managed to get his computer infected with this and I've run adwcleaner and malwarebytes but for the first time it hasn't fixed the problem. I know the pros here can analyze logs and such.

 

The problem is that whenever I open internet explorer or chrome, it says something along the lines of "Proxy server (127.0.0.1:8080) isn't responding" and whenever I try to change it within the browser settings to "automatically detect" it just switches back to the hijacked proxy.

 

Not sure what software to install to get the logs you guys need. Please reply ASAP.

 

Thanks


Edited by sadisticpotato, 13 August 2015 - 08:25 AM.



#2 thcbytes

thcbytes

  • Malware Response Team

Posted 12 August 2015 - 02:43 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

Please try to complete the steps and reply at least every 24 hours.  If you find that you're delayed just post a quick reply here and let me know!!  After 5 days if your topic is not replied to I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

<<<<<<<<<<

Lastly if you have not already done so you should consider backing up your important data - pictures, documents, etc... Worst case scenario is the need to wipe and reinstall your operating system to its factory settings. Therefore your precious data will be salvaged. There are both free and paid applications available.

Cobian Backup
DriveImage XML
CrashPlan
 
<<<<<<<<<<
 
Please copy and paste the MBAM and ADW logs for my review.
 
<<<<<<<<<<
 
Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop ---> Important

  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply

<<<<<<<<<<

 

With your next post please provide:

  • MBAM log
  • ADW log
  • FRST log
  • Addition log
  • A detailed description of the problems you're experiencing

Kind regards,
thcbytes

 


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 sadisticpotato

sadisticpotato
  • Topic Starter


Posted 14 August 2015 - 01:56 AM

-snip-

 

Terribly sorry I'm late. No excuses.

 

Tried to copy + paste but the forum said the post was too long. No MBAM log because it said there were no issues. 

Attached Files



#4 thcbytes

thcbytes

  • Malware Response Team

Posted 14 August 2015 - 10:41 PM

Hello,
 
Do this.....

Check for additional security risks:
  • Please download CKScanner© by askey127 and save it to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, just click OK.
  • Post the contents of ckfiles.txt in your next reply. It is located on your desktop
<<<<<<<<<<
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:11-08-2015 02
Ran by William (administrator) on WILLIAM-PC (13-08-2015 17:29:04)
Running from G:\

You must from this point forward run FRST from your desktop.  Right click and cut FRST from G:\ and paste it onto your desktop.
 
<<<<<<<<<<

The ADW log you posted...

# AdwCleaner v4.208 - Logfile created 13/08/2015 at 17:23:51
# Updated 09/07/2015 by Xplode
# Database : 2015-07-09.2 [Local]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : William - WILLIAM-PC
# Running from : E:\adwcleaner_4.208 (1).exe
# Option : Scan

You scanned but did not fix.

Double click on AdwCleaner.exe to run the tool again.
  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Copy and paste the contents of that logfile in your next reply.

<<<<<<<<<<

FRST fix:
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
start
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [HKLM] => ProxyEnable is set
ProxyEnable: [HKLM-x32] => ProxyEnable is set
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080
ProxyServer: [HKLM-x32] => http=127.0.0.1:8080;https=127.0.0.1:8080
EmptyTemp:
RemoveProxy:
CMD: ipconfig /flushdns
end
  • Save the file to your desktop and name it as fixlist.txt
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
Please copy and paste the log in your next reply.

<<<<<<<<<<

Send me a copy of a suspicious file for analysis

1. Please go to here.
2. Where it asks for the "Link to topic where this file was requested" copy and paste in
http://www.bleepingcomputer.com/forums/t/586223/cant-remove-proxy-hijack-127001-port-8080/#entry3790262
3. Where it says "Browse to the file you want to submit", browse to
C:\Program Files\KMSpico\Service_KMS.exe
4. Press the Send File button.

<<<<<<<<<<
 

IPinside Agent (HKLM-x32\...\IPinside Agent) (Version: 1.0.1.27 - interezen)
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
SoftCamp Secure KeyStroke 4.0 (HKLM-x32\...\SoftcampSCSK) (Version:  - )
고클린 (HKLM-x32\...\GoClean) (Version: 1.4.4 - Irongate)
네이버 업데이터 (HKLM-x32\...\NaverUpdater) (Version: 1.0.2.27 - NAVER Corp.)
네이버 업데이터 64bit (HKLM\...\NaverUpdater) (Version: 1.0.64.27 - NAVER Corp.)
네이버 툴바 (HKLM-x32\...\NaverToolbar) (Version: 4.0.29.296 - NAVER Corp.)
사진 갤러리 (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
인증서 로밍 클라이언트 (1.14.1111.1) (HKLM-x32\...\CertLoaming) (Version: 1.14.1111.1 - BTWorks, Inc.)
Veraport(보안모듈 관리 프로그램) - 2,6,3,2 (HKLM-x32\...\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1) (Version: 2,6,3,2 - Wizvera)


Did you purposely install these?

<<<<<<<<<<

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here
  • When the download appears, save to the Desktop.
  • On the Desktop, right-click the Zoek.exe file and select: Run as Administrator (Give it a few seconds to appear.)
  • Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
  • Now...
  • Close any open Browsers.
  • Click the Run script button, and wait. It takes a few minutes to run all the script.
  • When the tool finishes, the zoek-results.log is opened in Notepad.
  • The log is also found on the systemdrive, normally C:\
  • If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log in your reply.

<<<<<<<<<<

I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated


    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

    Please download and install Microsoft Security Essentials
    http://www.microsoft.com/security_essentials/

    After successful installation please run a scan and alert me if there are any detections.

    In order to post those detections please do this...
    • Please double click the MSE icon in the lower right system tray.
    • Click History, Check All Detected Items
    • Maximize the screen
    • Highlight all the detections
    • Press Ctrl + C to copy into notepad and save as MSE detections.txt
    Copy/paste the results here for my review

    <<<<<<<<<<

    With your next post please provide:
    • Ckfile log
    • ADW log
    • Fixlog
    • Successful upload?
    • Answer to install questions
    • Zoek log
    • MSE log
    • A detailed update about the problems that persist
    Kind regards,
    thcbytes


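Added example, not part of the thread and not FRST's own code: a Python triage pass over the proxy lines that post #4 copies into the fixlist, flagging machine-wide proxy values that point at a loopback address. The line shape is assumed from the lines quoted in that post, and `parse_proxy_server`, `is_loopback` and `triage` are names chosen here.

```python
import ipaddress
import re

# Constructed sample: proxy lines from the fixlist in post #4 (line shape assumed from them).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [HKLM] => ProxyEnable is set
ProxyEnable: [HKLM-x32] => ProxyEnable is set
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080
ProxyServer: [HKLM-x32] => http=127.0.0.1:8080;https=127.0.0.1:8080
"""

ENTRY = re.compile(r"^(ProxyEnable|ProxyServer): \[([^\]]+)\] => (.*)$")

def parse_proxy_server(value):
    """Split 'host:port' or 'http=host:port;https=host:port' into tuples."""
    endpoints = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, addr = part.rpartition("=")
        host, _, port = addr.partition(":")
        endpoints.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return endpoints

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, fall back to the name
        return host.lower() == "localhost"

def triage(log_text):
    """Return (hive, finding) tuples for the proxy lines of a pasted log."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if "[ProxySettingsPerUser]" in line:
            hive = line.split("\\", 1)[0]
            findings.append((hive, "ProxySettingsPerUser policy value present"))
        m = ENTRY.match(line)
        if not m:
            continue
        key, hive, value = m.groups()
        if key == "ProxyEnable":
            findings.append((hive, "proxy enabled"))
            continue
        for scheme, host, port in parse_proxy_server(value):
            if is_loopback(host):
                findings.append((hive, f"{scheme} -> loopback {host}:{port}"))
    return findings

if __name__ == "__main__":
    print(*(f"[{h}] {msg}" for h, msg in triage(SAMPLE_LOG)), sep="\n")
```
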
#5 sadisticpotato

sadisticpotato
  • Topic Starter


Posted 15 August 2015 - 02:33 AM

I didn't notice that this computer had KMSPico installed on it. Remember, not mine. Removed it, ran adwcleaner a couple of times and boom. Problem gone.

 

Gonna have a quick pep talk about piracy with this particular person. Thanks for dealing with my stupidity very kindly. :P 

 

Keep up the good work. Take a break as well; you really seem to be helping absolutely everyone all the time. Thanks for the help though!

 

-snip-



#6 thcbytes

thcbytes

  • Malware Response Team

Posted 15 August 2015 - 09:00 AM

My pleasure helping out.  I do it because I enjoy it.  I like a good puzzle. 

 

Nevertheless the proxy is usually just a symptom of an underlying problem.  I am happy to facilitate a proper evaluation and treatment of this computer if you desire.  I do suspect that the owner of that computer might have the problems related to piracy and also lack of antivirus protection.

 

I obviously don't condone piracy but I do clean computers regardless of the cause.  A stark human medical analogy would be a criminal infected with a treatable illness.  I don't condone criminal activities but I would clearly treat the criminal so that they don't infect others.

 

Just let me know if you want to continue and clean up this computer or I can close the topic.

 

Kind regards,

thcbytes



#7 thcbytes

thcbytes

  • Malware Response Team

Posted 24 August 2015 - 09:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



