Virus or proxy hijack help needed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dipys100, Jun 11, 2014.

  1. Dipys100

    Dipys100 Private E-2

    Hi all,

    My daughters' laptop got infected with several viruses after downloading Adobe Flash Player 13 ActiveX.

    I have managed to get rid of almost all, including Search Protect, Reg Clean Pro, rqpbhevlkc64.exe, MyPC Backup, DMUninstaller, BlockAndSurf, FreeV_1.3, AnyProtect. Also Norton Security Scan was removed as we have McAfee.

    When using HitmanPro_x64, two results are found to repair: proxy server infected/hijacked by 127.0.0.1.59818.
    After the next repair step these are removed from the laptop.
    These then used to reappear after going on the internet using Firefox (I don't think it happened with Google Chrome or IE).

    This I think has stopped since resetting Firefox settings.


    They sometimes seem to reappear after restarting.
    But they always reappear when using AdwCleaner, which prompts a restart (although this program doesn't find these two items).
    AdwCleaner finds two files in AppData: one for Mozilla pref.js in Roaming and one for Google Preferences in Local.

    They also don't show up in Malwarebytes.

    I have McAfee LiveSafe Internet Security and Windows 7.

    I have also reset the proxy settings using Microsoft Fix it, with the same results. (As it is a home computer it shouldn't have a proxy server.)

    I have deleted the following in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings:

    ProxyOverride (showing Loopback) - HitmanPro leaves this as is.
    ProxyServer (Showing http=127.0.0.1:59818;https=127.0.0.1:59818) - HitmanPro deletes this.


    I have changed the following in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings:
    ProxyEnable 1 to 0 - HitmanPro does the same.


    I have now gone through the required steps in order shown and posted the logs here.

    Hope someone is able to help, thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new RogueKiller log
    • C:\MGlogs.zip
     
  3. Dipys100

    Dipys100 Private E-2

    Hi Chaslang, thanks for looking into this.
    New logs attached.
     

    Attached Files:

  4. Dipys100

    Dipys100 Private E-2

    Hi,
    I checked the laptop by going onto the BBC site and back using all three browsers, and also rebooting; the registry was OK.

    Then 2 hours later .......
    I just came to browse this site using the laptop and Firefox, and the registry files are back.
    Attaching log and pic. (To show error 2 while deleting, same as the 1st time round, but it was clear after reboot.)

    I will go over again as per last post to delete and check with Google Chrome
     

    Attached Files:

    Last edited: Jun 12, 2014
  5. Dipys100

    Dipys100 Private E-2

    Just checked the BBC site with Google Chrome; this time I lingered a bit longer and the registry files are back.
     
  6. Dipys100

    Dipys100 Private E-2

    Also came across the following site; although not directly relevant to me, I thought it might help someone else.

    Not sure if I could just post the link to - remove proxy server 127.0.0.1:8118;https=127.0.0.1:8118, so have taken pic.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  8. Dipys100

    Dipys100 Private E-2

    I had contacted HitmanPro and email back says -
    "You can manually remove the 'pref.js' and 'Preferences'.
    It could be that they are set to cause these issues."
    Although there doesn't seem to be anything there related to 127

    When searching this problem I have seen a few logs posted with this virus/hijack in them, but the forums don't appear to realise this is also a problem and stick to answering the original virus question.

    Can you tell me what this virus is doing?

    Also similar problem here in Mozilla forum - search - Proxy resets to HTTP Proxy 127.0.0.1 Port 52848 This is not good

    Farbar log attached.
     

    Attached Files:

    Last edited: Jun 13, 2014
  9. Dipys100

    Dipys100 Private E-2

    Ok in addition to this, I would like to know your opinion on the attached pics.
    I believe the file in c:\....Tasks - {A0...} is legit but needs editing to rid of SearchProtect (Not sure how)

    Also think that the three APS files need deleting.

    The other files that I remember trying to uninstall or delete were Wajam and Speedial (this I saw in here while searching for viruses and have deleted).

    P.S. I saw the thread - Cursor flashes when writing or running tools.... - I couldn't post on there, but I think if he moves the cursor to the bottom or far left then he would be able to use the keyboard/tab to get around as a temporary measure.
     

    Attached Files:

    Last edited: Jun 13, 2014
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually there are more of them. Delete all of the below:

    C:\Windows\Tasks\APSnotifierPP1.job
    C:\Windows\Tasks\APSnotifierPP3.job
    C:\Windows\Tasks\APSnotifierPP2.job
    C:\Windows\System32\Tasks\APSnotifierPP1
    C:\Windows\System32\Tasks\APSnotifierPP3
    C:\Windows\System32\Tasks\APSnotifierPP2

    Then run RogueKiller again and remove the same registry entries I had you remove previously (that is, if they still exist) and then reboot. See if the files above or registry entries come back.
     
  11. Dipys100

    Dipys100 Private E-2

    So the APS files are gone, but the 127 virus is still there.
    Report of RogueKiller after pressing Delete attached.

    What about the SearchProtect in the previous post, do I just go in there and delete the line?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was just a line inside the files you already deleted just like AnyProtectEx. You can check to see if the folders exist in C:\Program Files (x86) but they are probably already gone based on last logs.

    Run RogueKiller and have it fix all those registry items related to proxy settings again and then do the below. NOTE: Do not run AdwCleaner anymore unless requested!



    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. Dipys100

    Dipys100 Private E-2

    Just to give you an idea of how crafty this is before I go and run Fixlist....

    I deleted with RogueKiller and rebooted twice to be sure it was gone, then went onto internet twice each - 1st with Google then IE then FF and each time I checked and rebooted. No 127, great I thought, then 2 hours later checked registry, nothing, went onto the internet and there it was BACK!!!!

    Anyway, will be back soon with the logs, and thanks for your help so far.
     
  14. Dipys100

    Dipys100 Private E-2

    OK, latest logs attached.

    This time, after rebooting from the FRST scan and fix and checking that the registry was clean, I rebooted and checked to find it's back.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then based on all of your logs I don't feel that this is a malware problem. It is starting to look like that port is used by some software that you use/run on this PC. I'm not exactly sure which software. It could be for a game. It could even be related to McAfee ( but not really sure they would do this unless it is part of some new safe surfing type protection ).

    Ignoring this loopback port setting, are you actually having any problems?
     
  16. Dipys100

    Dipys100 Private E-2

    Thing is, although there is no noticeable problem, this showed up after all the previous virus infections when downloading/installing Adobe Flash Player 13 ActiveX.

    The other computer on win7 is virtually same and doesn't show this in the registry and another laptop on Vista hasn't got this 127 virus/hijack on it either.

    If related to McAfee I could uninstall and re-install, although I can't see it, as again the other two computers don't show it in the registry.

    Also I contacted the McAfee user forum about it and was told to try a forum like this to find the problem (search McAfee Virus or Hijack help needed).

    What do you make of the pic attached when running RogueKiller? (Could be just stopping McAfee while doing the scan, not sure.)
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I see your post. It was a waste of time for them to tell you to use HijackThis as it is not very helpful these days. The problem still seems to be related to some software based on what I see thus far, but we will try another scan or two. Are you telling me that 100% the same software is installed and running on the other PCs? And I mean 100%. Game software, programs,......etc?

    Just a false detection of your McAfee software.



    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    • Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
    • After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    • If after running Combofix you discover none of your programs will open up because you receive the following error:
      • Illegal operation attempted on a registry key that has been marked for deletion
    • Then you will need to reboot your computer which will normally fix this problem.
    Now please run the below:

    Using ESET's Online Scanner

    Note Eset will mention something about the process.exe program used by MGtools. It is not a problem. It is a false detection.
     
  18. Dipys100

    Dipys100 Private E-2

    Regarding games software, not sure what you mean, but they all have the same default Windows games.

    The only things on here and not on others is the last download when the viruses were installed and that is Adobe Flash Player 13 ActiveX.

    The other two are Dell related to this laptop - Roxio and Renesas Electronics.

    Log attached and will now run the ESET scan.
     

    Attached Files:

  19. Dipys100

    Dipys100 Private E-2

    Oops, forgot to mention in the last post that the other computers also don't have Google Chrome.

    Should I have run RogueKiller to delete the 127 virus before running this?

    Also a different result yesterday.
    With internet disabled and removing 127 I rebooted several times and no sign of it. When enabled and rebooted without going on internet it was back.

    Eset scan results attached.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your installed programs list I see the below installed:

    Performancer

    See if you can uninstall it. If it does not uninstall then use the below Revo Uninstaller to get rid of all of Performancer:

    http://www.majorgeeks.com/files/details/revo_uninstaller.html

    Take care when installing Revo that you do not allow the 3rd party junkware to install.

    Also run this >> Reset Chrome to Defaults

    Now reboot after the above and then check to see if any folders like below exist. Delete them if found:

    C:\Program Files (x86)\Performancer
    C:\ProgramData\Performancer

    See if this changes anything as it is the only item left that I see that could potentially cause a problem.
     
  21. Dipys100

    Dipys100 Private E-2

    Hi Chaslang, Thanks for all your help.

    Performancer had remnants left (found by Revo), probably from me deleting it as it didn't uninstall.

    Uninstalled Mozilla, GoogleChrome, Adobe FP13 Activex, cleaned registry files and still there.

    Any idea what it is actually doing?
    I am a bit confused as I thought personal laptops/computers wouldn't have this ProxyServer enabled. I don't know what or how they work.
    I might have a better chance of isolating it if I knew I guess.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I was saying earlier, I believe it is due to some software you are running on the PC. Some software will establish a proxy setting to provide updates or special configurations. It is not really a proxy server being set up for all of your internet connections. It is only using a loopback port for that one port (59818). As I was saying earlier, it really does not seem to be malware related based on everything we have done thus far.

    The RegMon command that is part of Microsoft's SysInternals software ( http://www.majorgeeks.com/files/details/microsoft_sysinternals_suite.html ) is sometimes useful to try and configure monitoring of various registry keys in an attempt to track which software is modifying the registry key. But it could be that you have some software hooks already into your browser/browsers and it may just show that your browser is modifying the registry. If you still have Firefox and Chrome uninstalled (if not, uninstall again), then try resetting Internet Explorer back to defaults too to see what happens after cleaning out the registry entries again.
     
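An added example, not code from the thread or from any of the tools mentioned in it: a PowerShell script that reads the Internet Settings proxy values from HKEY_USERS\.DEFAULT and every loaded user hive, flags a loopback proxy such as 127.0.0.1:59818, and, as a scriptable alternative to watching the key in RegMon, puts an audit entry on the affected key so the Security log records which process rewrites it. The function names are my own; it assumes an elevated Windows PowerShell 3 or later session.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on Windows 7 or later.
# HKU: is not mapped by default; map it so .DEFAULT and the per-user SID hives can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    # Hypothetical helper: one record per hive that has the Internet Settings key.
    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        $key = "HKU:\$($hive.PSChildName)\$subKey"
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Hive          = $hive.PSChildName
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            ProxyOverride = $p.ProxyOverride
            # A proxy pointing at the local machine (e.g. http=127.0.0.1:59818) on a home PC
            # is the symptom discussed in this thread.
            Loopback      = [bool]($p.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost):\d+')
        }
    }
}

function Enable-ProxyKeyAudit {
    # Hypothetical helper: audit successful SetValue/Delete on the key and enable the
    # "Registry" object-access audit subcategory. Afterwards, Security Event ID 4657
    # ("A registry value was modified") names the process that wrote ProxyServer.
    param([Parameter(Mandatory = $true)][string]$KeyPath)
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', 'SetValue, Delete', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
}

# Report every hive, then highlight the ones with a loopback proxy and start auditing them.
$results = Get-ProxyAudit
$results | Format-Table -AutoSize
foreach ($r in ($results | Where-Object { $_.Loopback })) {
    Write-Warning "Loopback proxy in hive $($r.Hive): $($r.ProxyServer)"
    Enable-ProxyKeyAudit -KeyPath "HKU:\$($r.Hive)\$subKey"
}
```

Once the value reappears, filter the Security log for Event ID 4657 on the audited key; the Process Name field shows which program set it, which is the question the thread leaves open.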
