Proxy hijacked to http://ɴ.net/server.pac


  • This topic is locked
2 replies to this topic

#1 ibok

  • Members
  • 2 posts

Posted 18 May 2016 - 02:33 PM

Hi there-

 

Yesterday I noticed that the “automatic proxy setup” had been turned on and set to http://ɴ.net/server.pac, and I cannot delete or change this setting. Basically I see the same problem as described in this post:

http://www.bleepingcomputer.com/forums/t/614253/proxy-hijack-to-http%C9%B4netserverpac-and-google-redirects/

 

I searched the Registry for "http://xn--koa.net/server.pac" and spotted it in several places. I deleted all the "http://xn--koa.net/server.pac" entries that I found. After restarting the OS several times, the problem didn't appear. I assumed the problem was fixed.

 

BUT today, it came back again. So I know the method of simply deleting http://xn--koa.net/server.pac in the Registry won't fix this problem permanently.

 

I attached FRST reports below.

 

Also, just minutes ago, by using FRST, I searched the Registry again for "http://xn--koa.net/server.pac" and found 4 items:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="http://xn--koa.net/server.pac"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="http://xn--koa.net/server.pac"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr\{EB95D93D-C5CF-484E-A309-AC1729732EC9}]
"AutoConfigUrl"="http://xn--koa.net/server.pac"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr\{EB95D93D-C5CF-484E-A309-AC1729732EC9}]
"AutoConfigUrl"="http://xn--koa.net/server.pac"
(I'm not sure if this information is useful. Just in case. By the way, the problem is on my new computer. I have been using it for only about one week.)
 
Can anyone help? Thank you very much!

#2 nasdaq

  • Malware Response Team
  • 39,266 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 May 2016 - 09:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
AutoConfigURL: [HKLM-x32] => hxxp://xn--koa.net/server.pac
SearchScopes: HKU\S-1-5-21-396674881-3467920554-3846058263-1001 -> DefaultScope {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-396674881-3467920554-3846058263-1001 -> {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
CHR Extension: (Chrome Web Store Payments) - C:\Users\mings\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-09]
S3 SogouUpdate; "C:\Program Files (x86)\SogouInput\8.0.0.7839\SogouUpdate.exe" [X]
CustomCLSID: HKU\S-1-5-21-396674881-3467920554-3846058263-1001_Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InprocServer32 -> C:\Users\mings\Downloads\ueltraedutchinese\UltraEdit\ue64ctmn.dll => No File
Task: {143DBC61-1236-4CB9-B0D5-D5208EA7B9B2} - System32\Tasks\InstallShield® Update Service Scheduler => C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe [2016-04-20] (InstallShield®)
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know if the problem persists.

Edited by nasdaq, 19 May 2016 - 09:58 AM.
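The four registry hits in the first post and the RemoveProxy: step in the fixlist above amount to one job: find every place Windows stores a PAC URL, decode the host so the punycode name is visible for what it is, and clear it. The PowerShell script below is an added example, not part of this thread and not FRST or AdwCleaner code. It enumerates AutoConfigURL in the WinINet keys (64-bit, 32-bit view and per-user) and in every iphlpsvc ProxyMgr interface subkey rather than only the one GUID seen here, decodes punycode with System.Globalization.IdnMapping so xn--koa.net is displayed as ɴ.net (U+0274, a small-capital N that passes for a plain "n" in an address bar), warns when the ProxySettingsPerUser policy that FRST flagged is forcing the HKLM value on every user, and deletes matching values only when run with -Remove. The default known-bad host is the one from the thread; the file name Find-PacHijack.ps1, an elevated Windows PowerShell 5.1+ session, and the extra WinHTTP reset at the end are assumptions of this example.

```powershell
# Added example (not from this thread, not FRST/AdwCleaner code): audit, and with -Remove
# clean, the AutoConfigURL (PAC) settings that the first post found in the registry.
# Assumptions: elevated Windows PowerShell 5.1+ session; $BadHosts defaults to the
# punycode host reported in the thread. Save as Find-PacHijack.ps1 before running.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$BadHosts = @('xn--koa.net'),
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'

# Keys that hold a PAC URL: the WinINet keys (64-bit, 32-bit view, per-user) ...
$pacKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)
# ... plus one iphlpsvc ProxyMgr subkey per interface GUID (the thread shows a single GUID;
# enumerating the parent catches every interface).
$proxyMgrRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr'
if (Test-Path $proxyMgrRoot) {
    $pacKeys += @(Get-ChildItem -Path $proxyMgrRoot | ForEach-Object { $_.PSPath })
}
# Policy that FRST flagged: a value of 0 means the HKLM proxy settings apply to every user.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$idn = New-Object System.Globalization.IdnMapping

function Get-PacUrlInfo {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host.ToLowerInvariant() } catch { return $null }
    if (-not $hostName) { return $null }
    # Normalise both ways so a Unicode URL and its punycode form compare as the same host.
    $ascii = $hostName; $unicode = $hostName
    try { $ascii   = $idn.GetAscii($hostName).ToLowerInvariant() } catch { }
    try { $unicode = $idn.GetUnicode($ascii) } catch { }
    [pscustomobject]@{
        Url     = $Url
        Host    = $ascii
        Unicode = $unicode                     # xn--koa.net -> ɴ.net (U+0274, looks like 'n')
        Idn     = ($ascii -ne $unicode)        # true when the host hides non-ASCII characters
        Known   = ($BadHosts -contains $ascii)
    }
}

$findings = foreach ($key in $pacKeys) {
    if (-not (Test-Path $key)) { continue }
    # Registry value names are case-insensitive, so this matches AutoConfigURL and AutoConfigUrl.
    $value = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if (-not $value) { continue }
    $info = Get-PacUrlInfo -Url $value
    if ($info) {
        [pscustomobject]@{ Key = $key; Url = $info.Url; Unicode = $info.Unicode; Idn = $info.Idn; Known = $info.Known }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Host 'No AutoConfigURL value set in any of the checked keys.' }

if (Test-Path $policyKey) {
    $pol = Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
    if ($pol -and $pol.ProxySettingsPerUser -eq 0) {
        Write-Warning "ProxySettingsPerUser=0 under $policyKey : machine-wide proxy settings override each user's own."
    }
}

if ($Remove) {
    # Only values pointing at a known-bad or IDN host are removed; a corporate PAC URL is left alone.
    foreach ($f in @($findings | Where-Object { $_.Known -or $_.Idn })) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\AutoConfigURL", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $f.Key -Name AutoConfigURL
        }
    }
    # Assumed extra step: WinHTTP (used by services) keeps its own proxy setting, separate from WinINet.
    if ($PSCmdlet.ShouldProcess('WinHTTP proxy configuration', 'netsh winhttp reset proxy')) {
        netsh winhttp reset proxy | Out-Null
    }
}
```

Run it once without -Remove to see what is set, then with -Remove -WhatIf to preview the deletions and finally with -Remove. As the original poster found, deleting the values only helps for as long as whatever rewrote them is gone: re-run the audit after a reboot and, if the value returns, look for the process, service or scheduled task that restores it instead of deleting the value a third time.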


#3 ibok
  • Topic Starter
  • Members
  • 2 posts

Posted 19 May 2016 - 09:50 AM

Thank you very much nasdaq!

After posting my above request yesterday, some other problems emerged on my computer, including the malfunction of the input method. I could hardly use it. So I reset the Windows system back to factory condition. Hence the proxy hijacking problem is gone.

Could you please close this topic?

If, by any chance, you suspect any of the programs on my computer caused the proxy hijacking, please let me know. I’m quite hesitant to install some programs now.

I appreciate your time. Thank you again!

