Proxy server keeps coming back


This topic is locked
11 replies to this topic

#1 tcreasy (Members, 5 posts)

Posted 18 October 2015 - 11:09 AM

Hello,

I am trying to clean an infected computer for a friend. I have run scans of TDSSKiller, MalwareBytes Anti-Virus, CCleaner, HitmanPro, etc. Every scan is now coming up clean, except for a proxy server to 127.0.0.1. I absolutely cannot remove this, I've deleted registry keys according to guides online, and every reboot or few minutes it comes back. What can I do?

#2 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 18 October 2015 - 01:11 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours, please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer

#3 tcreasy (Topic Starter, Members, 5 posts)

Posted 18 October 2015 - 03:05 PM

Thank you! The scan logs are attached: FRST.txt (31.11 KB) and Addition.txt (34.63 KB).



#4 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 18 October 2015 - 03:19 PM

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    RemoveProxy:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 
    AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction 
    HKU\S-1-5-21-2575765601-3032489924-2484510372-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction 
    Toolbar: HKLM - No Name - {97ab88ef-346b-4179-a0b1-7445896547a5} -  No File
    Toolbar: HKLM-x32 - No Name - {97ab88ef-346b-4179-a0b1-7445896547a5} -  No File
    S2 warm; C:\Windows\whispering.exe [9216 2015-10-13] (thankful) [File not signed]
    HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* 
    HKU\.DEFAULT\Software\Classes\exefile: "%1" %* 
    HKU\S-1-5-19\Software\Classes\.exe: exefile => "%1" %* 
    HKU\S-1-5-19\Software\Classes\exefile: "%1" %* 
    HKU\S-1-5-20\Software\Classes\.exe: exefile => "%1" %* 
    HKU\S-1-5-20\Software\Classes\exefile: "%1" %* 
    Task: {0B0998A6-CAD3-4C46-82C0-96EAD0D54056} - \SwiftSearch Auto Updater 1.10.0.25 Pending Update -> No File 
    Task: {15DB0129-115B-4E1F-998D-412BADD872FB} - \54833b46-d877-43fd-9022-0df192c7ae27-10_user -> No File 
    Task: {26533B74-F09F-46A9-8EBF-4EF77A75AC15} - \Winsta Update -> No File 
    Task: {3AD11800-B2FE-4987-AD65-96AA6E4265C1} - \Convertor -> No File 
    Task: {4E003E86-114D-4601-AC61-4EC05E9A68C4} - \99e76572-1069-49f4-8a72-fa686f17346c-5_user -> No File 
    Task: {6BC4C376-FA1C-4A4F-93CC-E90EBDEEAD28} - \Crossbrowse -> No File 
    Task: {6F4E656A-C41B-4C56-938D-01D648D34439} - System32\Tasks\MySystemiTools => 
    Task: {737DB1DA-BC8A-4327-B055-30BE313F9B10} - \54833b46-d877-43fd-9022-0df192c7ae27-5 -> No File 
    Task: {73C3ADBA-C18E-4185-AD0C-CB1AC68DA9B2} - \99e76572-1069-49f4-8a72-fa686f17346c-10_user -> No File 
    Task: {74959D00-09D7-429F-87E1-0D9BF66EE5F2} - \99e76572-1069-49f4-8a72-fa686f17346c-5 -> No File 
    Task: {847CBFA6-6DC6-42BA-9074-118D07816773} - \globalUpdateUpdateTaskMachineUA -> No File 
    Task: {85F77C53-3EBA-468F-80D9-19DA29667B72} - \54833b46-d877-43fd-9022-0df192c7ae27-5_user -> No File 
    Task: {87EA5288-CC34-4DE4-A417-6BE06E302125} - \99e76572-1069-49f4-8a72-fa686f17346c-1-6 -> No File 
    Task: {96F56866-8E63-4757-BDEA-8974FC848330} - \54833b46-d877-43fd-9022-0df192c7ae27-11 -> No File 
    Task: {9D182435-B75C-49DB-8157-1391CE22601C} - \99e76572-1069-49f4-8a72-fa686f17346c-1-7 -> No File 
    Task: {B9EB276C-4B39-4AF0-BC15-13E128BD300D} - \WinKit -> No File 
    Task: {BAD2A0D1-983F-4283-A6D2-2CD409515DA9} - \globalUpdateUpdateTaskMachineCore -> No File 
    Task: {C3DC0CED-1653-40B4-BFE4-F2440B6878D3} - \SwiftSearch Auto Updater 1.10.0.25 Core -> No File 
    Task: {C4124E49-8FA5-4DF9-804E-D1B134AF9031} - \54833b46-d877-43fd-9022-0df192c7ae27-1-6 -> No File 
    Task: {CA0350AD-B08E-45A4-BE7A-D40065B5E90A} - \JAXNB1 -> No File 
    Task: {D81EEC4C-8B5E-47CF-A0E1-1A4D68D605C7} - \99e76572-1069-49f4-8a72-fa686f17346c-11 -> No File 
    Task: {E2CD2D36-8072-47B5-AB35-291748CDE853} - \54833b46-d877-43fd-9022-0df192c7ae27-1-7 -> No File 
    C:\Program Files (x86)\farm
    Task: {F2130AFB-CAEF-443C-8607-FEE68BA6ED5C} - System32\Tasks\QoDHMu6uHx6o2TQp8zup-ni-2015-10-13-ni-12694 => 
    FirewallRules: [{1619E69E-20B0-4A1F-BB63-0B42378E33B3}] => (Allow) C:\Program Files (x86)\farm\blue.exe
    FirewallRules: [{F926D746-42C0-4FD9-9217-E8F32A891377}] => (Allow) C:\a\winonit.exe
    FirewallRules: [{F69005E5-BF79-4D49-B758-4DDC17676AB4}] => (Allow) C:\a\winonit.exe
    FirewallRules: [{55EB3899-97B4-47A3-9C21-9B75F19A082F}] => (Allow) C:\Program Files (x86)\farm\sprout.exe
    FirewallRules: [{1E82C06A-AC43-4B7E-94AD-682685A27FDC}] => (Allow) C:\Program Files (x86)\farm\sprout.exe
    FirewallRules: [{F412501A-6EE0-4240-A5C2-C3FBEFF3FDEF}] => (Allow) C:\a\QoDHMu6uHx6o2TQp8zup-ni-2015-10-13-ni-12694.exe
    FirewallRules: [{E6758944-D1B2-42BB-9582-21C56D0F73C6}] => (Allow) C:\a\QoDHMu6uHx6o2TQp8zup-ni-2015-10-13-ni-12694.exe
    FirewallRules: [{95B34C16-2BF3-4799-B7D4-3DB3256C0DB9}] => (Allow) C:\Program Files (x86)\synonymous\famous.exe
    FirewallRules: [{B6A3690F-F444-4771-A062-6DAAF3194D85}] => (Allow) C:\Program Files (x86)\synonymous\famous.exe
    FirewallRules: [{98870BDB-DA37-40CF-8425-7542133ECE26}] => (Allow) C:\Program Files (x86)\chief\vegetable.exe
    FirewallRules: [{7FA06F1D-19FF-49DC-B4F7-6B2DCDF60907}] => (Allow) C:\Program Files (x86)\chief\vegetable.exe
    File: C:\Windows\whispering.exe
    C:\Windows\whispering.exe
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it in your reply.


(in normal boot mode!)

Step 2

Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

Edited by deeprybka, 18 October 2015 - 03:20 PM.

regards,
deeprybka
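Why the proxy "kept coming back" is readable in the fixlist above: a ProxySettingsPerUser value under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (when set to 0) makes Windows read the proxy from the machine hive instead of the user's, the Policies "Restriction" keys lock the Internet Options dialog, and an unsigned auto-start service (warm, C:\Windows\whispering.exe) is the obvious candidate for whatever re-wrote the setting after every deletion. The per-user .exe class overrides, the orphaned scheduled tasks and the firewall allow rules for missing programs are the leftovers of the same bundle. The PowerShell script below is an added example and is not from this thread, from FRST or from its author; it surveys those same persistence points read-only so the result of the fix can be checked before and after. It assumes PowerShell 3 or later on an English-locale Windows (the netsh and schtasks labels it parses are localized), run from an elevated console; the registry paths and value names are the standard Windows ones, and the service name and path are the ones quoted in the fixlist.

```powershell
# Added example, not from the thread or from FRST: a read-only survey of the
# persistence points the fixlist above touched. Assumes PowerShell 3+ on an
# English-locale Windows, run from an elevated console. It reports, removes nothing.

# 1. Proxy configuration. ProxySettingsPerUser = 0 under the HKLM Policies key makes
#    WinINET take the proxy from HKLM rather than the user's hive, and the Policies
#    "Restriction" keys lock the Internet Options dialog. Deleting the HKCU values
#    or toggling the dialog therefore changes nothing until the policy values go.
$proxyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$proxyValues = 'ProxyEnable', 'ProxyServer', 'AutoConfigURL', 'ProxySettingsPerUser'
'== Proxy settings =='
foreach ($key in $proxyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $proxyValues) {
        if ($null -ne $props.$name) { '{0}\{1} = {2}' -f $key, $name, $props.$name }
    }
}

# 2. Per-user .exe handler overrides. HKCR is merged from HKLM and the user's
#    Software\Classes, with the user's copy winning, so a Software\Classes\.exe key
#    inside a user hive redirects every .exe launch for that account. That is the
#    hook the fixlist removed from .DEFAULT, S-1-5-19 and S-1-5-20.
'== Per-user .exe class overrides =='
Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object {
    $exeKey = 'Registry::HKEY_USERS\{0}\Software\Classes\.exe' -f $_.PSChildName
    if (Test-Path -Path $exeKey) {
        '{0} -> {1}' -f $_.PSChildName, (Get-ItemProperty -Path $exeKey).'(default)'
    }
}

# 3. Services whose binary carries no valid Authenticode signature. The fixlist's
#    service "warm" ran C:\Windows\whispering.exe, which FRST flagged as unsigned.
#    Caveat: on older Windows this cmdlet does not consult catalog signatures, so
#    some Microsoft binaries also show NotSigned; judge by path and signer, not
#    by the status alone.
'== Services with unsigned binaries =='
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep the executable only.
    $exe = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(.*?\.exe).*$', '$1'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            Path      = $exe
            Signature = $sig.Status
            Signer    = $signer
        }
    }
} | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

# 4. Firewall allow rules whose program no longer exists: cheap evidence of what
#    was installed and where (the fixlist removed a dozen such rules).
'== Firewall rules for missing programs =='
netsh advfirewall firewall show rule name=all verbose | ForEach-Object {
    if ($_ -match '^\s*Program:\s+(.+?)\s*$') {
        $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if ($path -ne 'Any' -and -not (Test-Path -LiteralPath $path)) { $path }
    }
} | Sort-Object -Unique

# 5. Scheduled tasks whose target is gone (the "-> No File" entries). schtasks
#    repeats its CSV header once per task folder, so those rows are dropped.
'== Scheduled tasks with missing targets =='
schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' } |
    ForEach-Object {
        $target = $_.'Task To Run' -replace '^"([^"]+)".*$', '$1' -replace '^(.*?\.exe).*$', '$1'
        $target = [Environment]::ExpandEnvironmentVariables($target)
        if ($target -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $target)) {
            '{0} -> {1}' -f $_.TaskName, $target
        }
    }
```

Run it once before the fix and once after a reboot. If the proxy values in section 1 return, whatever is still listed under sections 3 and 5 is where to look for the re-writer; an empty section 1 together with an empty section 3 is the state the "The Proxy is gone" reply below confirms from the second FRST log.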

#5 tcreasy (Topic Starter, Members, 5 posts)

Posted 18 October 2015 - 03:29 PM

Here are the requested logs. Thanks. Attached: Addition.txt (34.63 KB), Fixlog.txt (14.27 KB), FRST.txt (32.95 KB).



#6 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 18 October 2015 - 03:33 PM

Please follow the instructions. The new Addition.txt is missing. :)
regards,
deeprybka

#7 tcreasy (Topic Starter, Members, 5 posts)

Posted 18 October 2015 - 03:36 PM

Sorry about that! Here are the new logs: Fixlog.txt (14.27 KB), Addition.txt (32.9 KB), FRST.txt (33.7 KB).



#8 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 18 October 2015 - 03:47 PM

The Proxy is gone.

Step 1

Please download AdwCleaner (by Xplode) and save it to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator".
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
    Copy and paste the contents of that logfile in your next reply.
Step 2

Scan with Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" and go to "Detection and Protection".
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard, then click on Scan Now to start the scan.
    If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt.
  • Click on "Remove Selected".
  • Then click "Save Results" and select the export option.
  • Return to our forum. Paste your log into your next reply and then click Finish.


Step 3

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the required scan settings.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed, the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, click on Finish.
  • A log file is created in the ESET Online Scanner folder.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!
regards,
deeprybka

#9 tcreasy (Topic Starter, Members, 5 posts)

Posted 18 October 2015 - 06:23 PM

Here are the copies of the logs you requested:

 

# AdwCleaner v5.014 - Logfile created 18/10/2015 at 15:49:42
# Updated 18/10/2015 by Xplode
# Database : 2015-10-18.5 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Benjamin Hubbard - BENJAMINHUBBARD
# Running from : C:\Users\Benjamin Hubbard\Desktop\adwcleaner_5.014.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [682 bytes] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/18/2015
Scan Time: 3:53 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.10.18.04
Rootkit Database: v2015.10.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Benjamin Hubbard

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 344083
Time Elapsed: 23 min, 31 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=78bdb7ae4065ca49931a4bf65c2f824a
# end=init
# utc_time=2015-10-18 08:57:48
# local_time=2015-10-18 03:57:48 (-0600, Central Daylight Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
Update Init
Update Download
Update Finalize
Updated modules version: 26294
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=78bdb7ae4065ca49931a4bf65c2f824a
# end=updated
# utc_time=2015-10-18 09:00:51
# local_time=2015-10-18 04:00:51 (-0600, Central Daylight Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=78bdb7ae4065ca49931a4bf65c2f824a
# engine=26294
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-10-18 10:31:05
# local_time=2015-10-18 05:31:05 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 2038181 196750915 0 0
# scanned=168364
# found=2
# cleaned=0
# scan_time=5413
sh=2CF9F87AA2EA689D9B9F5CCED4C51B2595C19027 ft=1 fh=4b16eff5bfe216f3 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Benjamin Hubbard\Desktop\ccsetup510.exe"
sh=7BC5C0C578363B5B8B29F56D05689BF4F67B917F ft=0 fh=0000000000000000 vn="Win32/Adware.Hicosmea.I application" ac=I fn="C:\Windows\Installer\b940781a.msi"

#10 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 19 October 2015 - 02:29 AM

Step 1

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    systemspecs;
    filesrcm;
    autoclean;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.



Can you please tell me which problems still persist now?
regards,
deeprybka

#11 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 22 October 2015 - 12:04 PM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka

#12 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 24 October 2015 - 10:59 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
deeprybka