Loopback Proxy Server

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by OMGHA, Jan 7, 2015.

  1. OMGHA

    OMGHA Private E-2

    There seems to be a Trojan on my laptop; it keeps changing all browser settings to use 127.0.0.1:8080 as a proxy.

    See attachments
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Need the log from running RogueKiller.
     
  3. OMGHA

    OMGHA Private E-2

    I am sorry, I thought I attached that one, too
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable your AV software while we do the following:

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 28 ¤¤¤
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080 -> Found
    [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080 -> Found
    Reboot and rescan with RogueKiller and attach the new log.

    Tell me how things are running now.
     
  5. OMGHA

    OMGHA Private E-2

    Clicked on delete in RogueKiller, but it looks like those entries are right back there.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you disable your AV software? Try it again, but make sure your AV software is disabled. We may need to uninstall it to get RogueKiller to work.

    Delete these items:
    Code:
    ¤¤¤ Registry : 28 ¤¤¤
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080  -> Found
    [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080  -> Found
    Reboot and rescan with RogueKiller and attach the new log.
     
  7. OMGHA

    OMGHA Private E-2

    Uninstalled both AV and Malwarebytes, removed registry entries, reboot and rescanned. Yet, it appears once again.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rerun Hitman Pro and have it remove all that it finds... FRST.exe is not a problem, but we don't need it.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code into the Paste List of Files/Folders to Move window (under the yellow bar). Do not include the word Code.

    Code:
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-21-1992856194-2626363674-791745257-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000 
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Now rerun RogueKiller and attach the new log.
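The OTM :reg block above resets the WinINET proxy values in the machine hive (native and Wow6432Node views) and in each loaded user hive, and clears the NlaSvc ManualProxies and the saved connection blobs. The following PowerShell script is an added example, not part of the original post or of OTM; it audits the same keys, shows which of them still carry the rogue 127.0.0.1:8080 value (the value from the RogueKiller log), and resets only those. It assumes an elevated PowerShell 3.0 or later session on Windows 7/8.

```powershell
# Added example (not from the MajorGeeks thread or from OTM): audit the same WinINET
# proxy values that the :reg fix above resets, across every hive it touches, and
# reset only the entries that still point at the rogue loopback proxy.
# Assumptions: elevated PowerShell 3.0+ on Windows 7/8; the rogue value is the one
# reported by RogueKiller in this thread.

$rogueProxy = '127.0.0.1:8080'

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Machine-wide keys in both the native and the WOW6432Node view, plus every loaded user hive
# (.DEFAULT, S-1-5-18/19/20 and each S-1-5-21-... account): the set OTM's :reg block covers.
$suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$keys = @(
    "HKLM:\SOFTWARE\$suffix",
    "HKLM:\SOFTWARE\Wow6432Node\$suffix"
)
$keys += Get-ChildItem -Path HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\$suffix" }

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Key           = $key
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        # Enabled AND pointing at the loopback proxy is the signature seen in the logs.
        Rogue         = ($p.ProxyEnable -eq 1) -and ("$($p.ProxyServer)" -like "*$rogueProxy*")
    }
}
$findings | Format-Table -AutoSize

# With ProxySettingsPerUser = 0 the HKLM values apply to every account, which matches the
# logs in this thread: only the HKLM keys carried ProxyEnable = 1, yet every browser was hijacked.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path -Path $policy) {
    Get-ItemProperty -Path $policy | Select-Object -Property ProxySettingsPerUser
}

# WinHTTP keeps a separate proxy store (used by services, not by browsers); check it as well.
netsh winhttp show proxy

# Reset only the keys that actually carry the rogue value; leave legitimate proxies alone.
foreach ($f in ($findings | Where-Object -Property Rogue)) {
    Set-ItemProperty -Path $f.Key -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $f.Key -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
}

# Re-run the audit after a reboot: if the Rogue column comes back True, something still
# on the machine is re-writing these values, and deleting them again will not help.
```

Run it once before and once after the reboot; the second run is the useful one, because a value that returns tells you the real problem is whatever writes it, not the value itself.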
     
  9. OMGHA

    OMGHA Private E-2

    Deleted all from Hitman Pro, even FRST64.exe, and attached all logs. Still no go.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Avast and then reboot your PC.

    After reboot repeat the RogueKiller fix from message # 6 ( don't forget new scan log after the reboot ).

    Did the proxy items go away? If not, repeat the OTM fix from message #8.
     
  11. OMGHA

    OMGHA Private E-2

    As I stated earlier, the AV has been uninstalled from the System, including Malwarebytes. I have redone the recommended scans and fixes, attached are the logs. Proxy still shows up.
     

    Attached Files:

  12. OMGHA

    OMGHA Private E-2

    Latest HitmanPro log shows nothing else needs to be deleted, except the proxy server to be repaired.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try running the SAME fix again but in safe mode this time... then run RK again - attach log.
     
  14. OMGHA

    OMGHA Private E-2

    Ran HitmanPro, RogueKiller and OTM in safe mode. Rescanned after deleting entries and applying code in normal start and still no luck. :(

    Attached new logs.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished. If it does not then reboot it yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip

    The above will not change anything to do with the proxy settings. We are just trying to fix possible permissions issues and then get updated logs to check status.
     
  16. OMGHA

    OMGHA Private E-2

    Log after running Windows Repair and MGtools
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see a couple items from Avast that are still loading.

    Also I see a few VPN type programs like below:


    O23 - Service: OpenVPN Service (OpenVPNService) - The OpenVPN Project - C:\Program Files\OpenVPN\bin\openvpnserv.exe
    O23 - Service: SoftEther VPN Client (SEVPNCLIENT) - SoftEther VPN Project at University of Tsukuba, Japan. - C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe

    Do either of these programs require use of a Proxy Server setting?


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
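The question above (do the VPN clients need the proxy setting?) is the right one: some local VPN and censorship-circumvention clients run exactly such a loopback HTTP proxy and set the system proxy themselves, and so does proxy-hijacking malware. The way to tell them apart is to find out what process actually listens on 127.0.0.1:8080. The script below is an added example, not part of the original post or of the OTL tool; it parses netstat -ano (so it also works on Windows 7, which lacks Get-NetTCPConnection), resolves the owning process, and shows its image path, command line, parent and Authenticode signature. It assumes an elevated PowerShell 3.0 or later session and the port 8080 from the RogueKiller log.

```powershell
# Added example (not from the MajorGeeks thread): identify the process that actually
# answers on the rogue proxy address, so you know what to remove instead of deleting
# registry values that keep coming back. netstat -ano is parsed rather than calling
# Get-NetTCPConnection so the script also works on Windows 7.
# Assumptions: elevated PowerShell 3.0+; port 8080 is the one from the RogueKiller log.

$port = 8080

# A netstat -ano row looks like:  TCP    127.0.0.1:8080    0.0.0.0:0    LISTENING    1234
$pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
$listeners = foreach ($line in (netstat -ano)) {
    if (($line -match $pattern) -and ([int]$Matches[2] -eq $port)) {
        [pscustomobject]@{
            LocalAddress = $Matches[1]
            Port         = [int]$Matches[2]
            ProcessId    = [int]$Matches[3]
        }
    }
}

if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $port right now. Re-check after a reboot and with a browser open;"
    Write-Output "a hijack that only rewrites the registry may have no live proxy at all, so also look at what starts at boot."
}

foreach ($l in $listeners) {
    # Win32_Process exposes the image path, command line and parent, which Get-Process does not.
    $cim  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($l.ProcessId)"
    $path = $cim.ExecutablePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path }
    [pscustomobject]@{
        Listening   = "$($l.LocalAddress):$($l.Port)"
        ProcessId   = $l.ProcessId
        Name        = $cim.Name
        Path        = $path
        CommandLine = $cim.CommandLine
        ParentPid   = $cim.ParentProcessId
        Signature   = if ($sig) { "$($sig.Status) $($sig.SignerCertificate.Subject)" } else { 'unsigned or unknown' }
    }
}
```

A listener that is a signed binary under Program Files belonging to a VPN or anti-filtering client you installed explains the setting and is not malware; an unsigned executable in a temp, AppData or system32 location with a random name is what the removal tools should be pointed at.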
     
  18. OMGHA

    OMGHA Private E-2

    Uninstalled both VPN processes, but doubt they use Proxy.

    Here is the new log
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - [2014/11/14 00:29:40 | 000,035,328 | ---- | M] (InstallShield) [Auto | Running] -- C:\Program Files (x86)\avast! Updater\Updater.exe -- (Updater.exe)
    DRV:64bit: - [2014/12/20 20:55:42 | 000,028,768 | ---- | M] (SoftEther VPN Project at University of Tsukuba, Japan.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Neo_0057.sys -- (Neo_VPN)
    DRV:64bit: - [2014/12/20 20:12:25 | 000,038,240 | ---- | M] (SoftEther VPN Project at University of Tsukuba, Japan.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\see.sys -- (SEE)
    DRV:64bit: - [2014/11/05 16:46:32 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
    DRV:64bit: - [2013/10/16 05:14:42 | 000,042,184 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss6.sys -- (taphss6)
    DRV:64bit: - [2010/08/03 16:25:30 | 000,030,720 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tapoas.sys -- (tapoas)
    IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8080;https=127.0.0.1:8080
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8080;https=127.0.0.1:8080
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1992856194-2626363674-791745257-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-1992856194-2626363674-791745257-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-1992856194-2626363674-791745257-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    [2014/12/22 14:33:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
    [2014/12/20 20:55:42 | 000,028,768 | ---- | C] (SoftEther VPN Project at University of Tsukuba, Japan.) -- C:\windows\SysNative\drivers\Neo_0057.sys
    [2015/01/06 13:05:45 | 000,000,074 | ---- | M] () -- C:\windows\avast5.ini
    [2015/01/06 13:05:45 | 000,000,002 | ---- | M] () -- C:\windows\SysWow64\avast5.ini
    [2015/01/06 12:00:00 | 000,000,488 | ---- | M] () -- C:\windows\tasks\avast! Updater.job
    [2014/12/20 20:55:42 | 000,028,768 | ---- | M] (SoftEther VPN Project at University of Tsukuba, Japan.) -- C:\windows\SysNative\drivers\Neo_0057.sys
    [2014/12/20 20:12:32 | 000,135,736 | ---- | M] (SoftEther VPN Project at University of Tsukuba, Japan.) -- C:\windows\SysNative\vpncmd.exe
    [2014/12/20 20:12:25 | 000,038,240 | ---- | M] (SoftEther VPN Project at University of Tsukuba, Japan.) -- C:\windows\SysNative\drivers\see.sys
    
    :Files
    C:\windows\system32\tasks\avast! Updater
    C:\ProgramData\AVAST Software
    C:\Program Files (x86)\avast! Updater
    C:\Program Files (x86)\ESET
    C:\windows\avast5.ini
    C:\windows\SysNative\drivers\3FCE11B4.sys
    C:\windows\SysNative\drivers\7521297E.sys
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-21-1992856194-2626363674-791745257-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  21. OMGHA

    OMGHA Private E-2

    Seems like the issue has been resolved and the Trojan is no more. Btw, I am currently in Iran, visiting from Canada, and those items are to bypass local filtering. I doubt they are the reason for this mess, since I have downloaded them from the source.

    I am mostly using Freedom now and could get rid of the rest.

    See attached logs.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent news.


    Please run one more scan now with RogueKiller and attach the new log.
     
  23. OMGHA

    OMGHA Private E-2

    Indeed, Excellent News;)
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good!


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
