LAN settings proxy server keeps getting checked, malware??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chrisby18951, Dec 6, 2012.

  1. chrisby18951

    chrisby18951 Private E-2

    Hi everyone,

    This is my first post, so bear with me! I have been having issues with my internet connection, mainly my Dropbox was not syncing and occasionally I was getting redirected to incorrect sites. I finally found that the proxy server box was checked, unchecking it solved the issue but it would get checked again on its own randomly, but always on a reboot. I tried locking the option out using GPedit but it still changed. Ran various scans to no avail, so now I have followed the specific instructions on here and the appropriate logs are attached. I was using MSE as my security but had to uninstall it before scanning as I was getting the system error 5 Access is denied when trying to do a "net stop msmpsvc" and I could not stop in services.msc as all options were greyed out for MSE. Everything I did was done in elevated mode also. I have not noticed anything more than annoyance issues from this bug but this is a work computer with a lot of installs on it so I am hoping to eradicate this before it gets worse. Thanks to EVERYONE for your help!!!!!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you deliberately set up to use this proxy?
    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.haycocktwp.com
     
  3. chrisby18951

    chrisby18951 Private E-2

    No, I did not set that at all, and I believe some scanner I tried early on removed that entry but it came back along with the checked box. This is quite a persistent one, that's for sure.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.haycocktwp.com

    After clicking Fix exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  5. chrisby18951

    chrisby18951 Private E-2

    Thank you so much! I did as instructed and the log is attached. I look forward to your response!!

    Chris
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:16110;https=127.0.0.1:16110

    After clicking Fix exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. chrisby18951

    chrisby18951 Private E-2

    Thanks again!! I should admit that it is possible that my virus scanner was enabled on the last scan, I completely forgot to turn it off. If you need it to be run again, I will reboot and do just that!

    Chris
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Proxy has gone. Correct?
     
  9. chrisby18951

    chrisby18951 Private E-2

    No, after a reboot it has returned. Both entries are still there.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you rerun HitmanPro, does it offer you a choice with the proxy? Are you able to fix it from there? Let me know!
     
  11. chrisby18951

    chrisby18951 Private E-2

    It offers to fix and says it repaired the 127.0.0.1:16110 entry and an entry for:
    iBackupBot.exe in C:\Program Files (x86)\VOWSoft iPod Software\iBackupBot for iTunes

    I don't recognize it myself.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It says it repaired it? Ok then rerun Hitman and then attach the new log please. Also... Run C:\MGTools\analyse.exe and choose to do a system scan only and save a log file. Attach that too please.
     
  13. chrisby18951

    chrisby18951 Private E-2

    Here are the logs. It always comes back on reboot.

    Thanks!
     


  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to use MSconfig to put this machine back into normal start up please!

    Follow these instructions please Proxy Server - Changing Settings and let me know if it helped.
     
  15. chrisby18951

    chrisby18951 Private E-2

    I returned it to normal startup, I did not have much turned off really. As for the proxy instructions, I already have been doing that, every reboot. That is the problem, it checks the box every reboot. Funny thing is it does not stop me from accessing the internet. It stops my Dropbox from syncing and slows browsing down. Very odd.............

    Thanks!!
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You feel comfortable in the registry?

    Click Start > type regedit in the search field and press Enter.

    • Expand the HKEY_CURRENT_USER hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.
    • View the contents of the Internet Settings folder on the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change "Value data" to "1" and press "OK" to confirm.
    • Double-click on the "ProxyServer" string value.
    • Reboot the machine.
    • Has it gone now?
     
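The thread clears the proxy values repeatedly, but they return at every reboot. The following read-only PowerShell triage is an added example, not part of the original thread or of MGtools/HijackThis: it prints the per-user proxy values that HijackThis reports as R1 lines, resolves which local process (if any) is listening on a loopback proxy port such as the 127.0.0.1:16110 seen above, and lists the logon autostart entries to review. The choice of Run keys to inspect is an assumption about where a re-applying program might be registered; the thread does not identify the cause.

```powershell
# Added example: read-only triage, changes nothing on the system.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key

# The values HijackThis reports as R1 lines, plus the auto-config (PAC) URL.
'ProxyEnable   = {0}' -f $s.ProxyEnable
'ProxyServer   = {0}' -f $s.ProxyServer
'ProxyOverride = {0}' -f $s.ProxyOverride
'AutoConfigURL = {0}' -f $s.AutoConfigURL

# ProxyServer is either "host:port" or "http=host:port;https=host:port".
# Collect every port that points back at this machine.
$ports = [regex]::Matches([string]$s.ProxyServer, '(?:127\.0\.0\.1|localhost):(\d+)') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

foreach ($port in $ports) {
    # netstat -ano also works on Vista/7; the last column is the owning PID.
    $hits = netstat -ano |
        Select-String -Pattern "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)"
    if (-not $hits) { "Port ${port}: nothing listening"; continue }
    foreach ($h in $hits) {
        $procId = [int]$h.Matches[0].Groups[1].Value
        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        "Port ${port}: PID $procId $($p.ProcessName) $($p.Path)"
    }
}

# The setting returns at every reboot, so list what starts at logon.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    "--- $rk"
    # Skip the PS* bookkeeping properties PowerShell adds to every registry item.
    $props = (Get-ItemProperty -Path $rk).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $props) { '{0} = {1}' -f $v.Name, $v.Value }
}
```

Run it from an elevated prompt right after a reboot, while the proxy box is checked again, so the process path can be resolved for services running under other accounts.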
