Can't change proxy

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by spl152db, Dec 17, 2014.

  1. spl152db

    spl152db Private E-2

    Recently found some unwanted programs installed, removed them and ran cleanup with Malwarebytes, SUPERAntiSpyware and Avast. Still having an issue with proxy staying selected. I don't use a proxy so this is a problem. I've attached my logs from the 5 programs requested in the read me.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rescan with Hitman and have it remove all that it finds.


    Reboot into safe mode to do this fix please.

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_354F\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Found
    • [Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_354F\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9883 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9883 -> Found
    • [PUM.HomePage] (X64) HKEY_USERS\RK_Pat_ON_D_5BC6\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.privitize.com/?aff=7 -> Found
    • [PUM.HomePage] (X86) HKEY_USERS\RK_Pat_ON_D_5BC6\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.privitize.com/?aff=7 -> Found
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine back into normal mode.


    Rescan with RogueKiller and attach new log.
     
  3. spl152db

    spl152db Private E-2

    OK, so ran Hitman and did all suggested items. It ignored 2 items. RogueKiller is still finding this macrowizardx64, which from a quick Google search turned out to be a keylogger. Am I right? Also, new logs attached. I was able to disable the proxy though.
     


  4. spl152db

    spl152db Private E-2

    Whatever it was is now back again. :cry
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Temporarily uninstall Avast, as it's probably getting in our way of this fix.

    Now rerun RogueKiller and remove all the proxy entries.
    Rerun Hitman Pro and have it fix items on the "Repairs" tab.
    Rescan again (just scans) with both, and attach log.
     
  6. spl152db

    spl152db Private E-2

    Avast wasn't installed. I disabled the services javanetbridgeprot and macrowizardx64 in msconfig. It stopped. I backed up and removed the macrowizard as I found its folder, but can't find that javanet. Logs attached.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\macrowizardx64.exe (C:\Users\Shaunna\AppData\Local\macrowizardx64\macrowizardx64.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrowizardx64.exe (C:\Users\Shaunna\AppData\Local\macrowizardx64\macrowizardx64.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\macrowizardx64.exe (C:\Users\Shaunna\AppData\Local\macrowizardx64\macrowizardx64.exe) -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now rerun RogueKiller and attach the new log.

    How are things running?
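
The following is an added example, not part of the thread and not RogueKiller's own code. It parses detection lines in the format quoted in the two fix posts above and collapses the X64/X86 and ControlSet duplicates into distinct findings. A `ProxyServer` value pointing at loopback only works while something on the machine listens on that port, which ties the proxy entries to the service entries. The function names and finding labels are assumptions made for this illustration.

```python
import re
from ipaddress import ip_address

# Detection lines copied from the RogueKiller output quoted in the thread above.
REPORT = r"""
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_354F\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9883 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-4215168913-3230313550-3600441038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9883 -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\macrowizardx64.exe (C:\Users\Shaunna\AppData\Local\macrowizardx64\macrowizardx64.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrowizardx64.exe (C:\Users\Shaunna\AppData\Local\macrowizardx64\macrowizardx64.exe) -> Found
"""

LINE = re.compile(r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<body>.+) -> Found$")
SERVICE = re.compile(r"\\System\\(?:CurrentControlSet|ControlSet\d+)\\Services\\(?P<svc>[^\\ ]+) \((?P<path>.+)\)$")

def loopback_ports(proxy_server):
    """Ports of loopback endpoints in a ProxyServer value ('host:port' or 'proto=host:port;...')."""
    ports = []
    for entry in proxy_server.split(";"):
        host, _, port = entry.split("=")[-1].rpartition(":")
        host = host.strip("[]")
        try:
            local = host.lower() == "localhost" or ip_address(host).is_loopback
        except ValueError:  # a remote hostname, or an entry without a port
            local = False
        if local and port.isdigit():
            ports.append(int(port))
    return ports

def triage(report):
    """Return distinct findings; a set drops the X64/X86 and ControlSetNNN repeats."""
    findings = set()
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        if " | " in body:  # registry value line: KEY | Name : Data
            key, value = body.split(" | ", 1)
            name, data = value.split(" : ", 1)
            if name == "ProxyServer":
                findings.update(("local-proxy", p) for p in loopback_ports(data))
            elif name == "Shell" and key.endswith("\\Winlogon") and data.lower() != "explorer.exe":
                findings.add(("winlogon-shell", data))  # default value is explorer.exe
        elif (s := SERVICE.search(body)) and "\\appdata\\" in s["path"].lower():
            findings.add(("user-profile-service", s["svc"], s["path"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(REPORT):
        print(finding)
```
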
     
