Idiot's guide re downloading tools.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EJB, Jan 4, 2015.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what is going on but those proxy server settings are back. OTL said that it fixed them but RogueKiller still shows them. This would mean that:
    • There is some software on your PC that needs them. But I don't see anything in your logs that I think uses a proxy.
    • Protection software blocks the removal, but we removed protection software.
    • The registry file is locked from writing, but we unlocked files with Windows Repair.
    We have seen hundreds of problems with stubborn proxy changes in the last few months but the fixes we have tried here have always been successful until this case. It is almost like your SSD drive does not allow write access, but that would not make sense since obviously you can save files to it. I want to try running ComboFix now because sometimes it uncovers things unseen by other tools.



    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    • Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
    • After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    • If after running Combofix you discover none of your programs will open up because you receive the following error:
      • Illegal operation attempted on a registry key that has been marked for deletion
    • Then you will need to reboot your computer which will normally fix this problem.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and one more strange thing is that even though RogueKiller showed the Proxy settings, the last log from FRST no longer did so that makes it look like RogueKiller is reporting things that aren't there or..... something changed since the last FRST log.
     
  3. EJB

    EJB Corporal

    Downloaded Combofix....when clicked it lists operating systems and tells me it won't run on Windows 2000!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh that's right, I forgot that it is not compatible with Windows 8. Let's try a different tool. Not sure if it supports Windows 8 yet either.

    See if you can follow the below for running DDS

    Scanning with DDS
     
  5. EJB

    EJB Corporal

    Downloaded but.... it tells me.....'not meant to run in compatibility mode'
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay back to FRST again! Let's run it again but this time we will run the scan from normal boot mode instead of from the System Recovery Options menu. So right click on FRST and select Run As Administrator. Attach the log to your next message.
     
  7. EJB

    EJB Corporal

    frst attached.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow. A whole bunch of items we already fixed are back again. This really does look like your file system and registry are just locked from making changes.

    I want to try something with your browsers. Uninstall Chrome and Firefox ( if you have them still installed ). Don't use anything but Internet Explorer for now. Also uninstall Hitman Pro if it shows as installed and also uninstall Malwarebytes. After uninstalling all of them, continue on with the below where we will additionally be deleting folders and files related to them.

    Disable Windows Defender now.


    Download this >> View attachment fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt); please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.

    Also at this point, I want to double check the status from the fix by having you run another scan with FRST like in my last message and attach the new FRST.txt log. I want to see if the same items show up as in the previous scan or if the items were really fixed.

    Also if you have been copying MGlogs.zip to the below location, please stop doing this.

    C:\Users\Jill\MGlogs.zip
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see what is going on with this now! You don't have your Windows Desktop on drive C. In fact you don't have many things for your user account on drive C. You moved your environment variables to point to drive D as below
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        Desktop    REG_EXPAND_SZ    D:\
        Local AppData    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local
        Startup    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
        Cookies    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
        SendTo    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo
        Personal    REG_EXPAND_SZ    D:\Documents
        Recent    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
        Favorites    REG_EXPAND_SZ    D:\Favorites
        My Pictures    REG_EXPAND_SZ    D:\Pictures
        Start Menu    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
        NetHood    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts
        My Music    REG_EXPAND_SZ    D:\Music
        My Video    REG_EXPAND_SZ    D:\Videos
        Cache    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache
        Programs    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
        History    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\Windows\History
        {374DE290-123F-4565-9164-39C4925E467B}    REG_EXPAND_SZ    D:\Downloads
        Templates    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates
        AppData    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming
        PrintHood    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
        {56784854-C6CB-462B-8169-88E350ACB882}    REG_EXPAND_SZ    D:\Contacts
        {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}    REG_EXPAND_SZ    D:\Links
        {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}    REG_EXPAND_SZ    D:\Saved Games
        {7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}    REG_EXPAND_SZ    D:\Searches
    I assume you did this to not overload the SSD drive?

    Is there anything that locks your SSD drive from being written to?
     
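The diagnosis in the post above rests on reading the User Shell Folders key and noticing which entries resolve to drive D. The following script is an added example, not something posted in the thread or provided by MajorGeeks: it reads the same key for the current user, expands each REG_EXPAND_SZ value the way Explorer does, and flags every folder that lives off the system drive, so it is immediately visible where "save it to your Desktop" actually puts a file. It assumes a standard Windows install where `$env:SystemDrive` is the Windows boot drive; no other paths are assumed.

```powershell
# Added example (not from the thread): map each special folder to its real location
# and flag the ones that have been redirected off the system drive.

function Get-UserShellFolderMap {
    # Same key chaslang quoted in the thread; HKCU is the logged-on user's hive.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $item = Get-Item -Path $key

    foreach ($name in $item.GetValueNames()) {
        # Read the value unexpanded so the raw %USERPROFILE%... string is preserved,
        # then expand it ourselves to get the path Explorer will actually use.
        $raw      = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $root     = [System.IO.Path]::GetPathRoot($expanded)   # e.g. 'D:\'

        [pscustomobject]@{
            Folder         = $name
            Raw            = $raw
            Expanded       = $expanded
            OffSystemDrive = [bool]($root -and ($root.TrimEnd('\') -ne $env:SystemDrive))
        }
    }
}

# Where does "Desktop" resolve for this user right now? (what the shell itself reports)
Write-Host ("Desktop resolves to: " + [Environment]::GetFolderPath('Desktop'))

# Full map, redirected folders first so they stand out.
Get-UserShellFolderMap | Sort-Object OffSystemDrive -Descending | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window as the affected user, since the key is per-user; on the PC in this thread the Desktop row would show `D:\` with `OffSystemDrive` set to True, which is exactly why tools "saved to the Desktop" were not on C.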
  10. EJB

    EJB Corporal

    I can't answer that because I simply don't know.
    The PCs (both) were set up with the SSD as 'C' and the HDD (D) as a storage drive.
    I do know that after initial installation of the OS 'Pictures'
    and 'Documents' etc. were 'moved' to 'D'. As you say, so as not to overload 'C' SSD.
    Looking at Programmes in 'C' on my PC (the twin of the infected one) they are certainly listed differently.

    The infected PC (my wife's) is still used intensively every day with no apparent problem in normal use.....perhaps it shouldn't be used at the moment?
    If this is the case we need to delay things and get a reinstallation in due course?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So are you saying the PC we have been working on is no longer having any problems even though these proxy settings keep showing up? Just an FYI, that is the only item of concern. There are no real "infections". Just a proxy server setting which could have been the reason you could not access F-Secure's website.
     
  12. EJB

    EJB Corporal

    The problem started when F-Secure, my preferred security, reported the script that I have mentioned.
    F-Secure was blocked from updating.
    I obtained a recovery disc from the F-Secure website but couldn't change the boot order to run it (had it on a memory stick also).
    I tried every way on the net (MS etc.) to change the boot order.
    None of them worked until I tried again a few days ago, on this thread, when it did work with Windows disc (I had tried before).
    The F-Secure site was blocked to me no matter which route I tried.
    I uninstalled it by all the ways I knew (but it was still installed as you told me).

    For security I tried to install Comodo but that had the same problems.
    Tried (and thought I had) uninstalled it....you saw that I hadn't.

    Finally activated Windows Defender as a last resort....I manually update it every day....whether it's supposed to update more regularly I don't know.

    Otherwise the PC runs OK but the fact that I can't change, or access, F-Secure was a great concern.
    A number of boxes appeared from both F-Secure and Comodo saying that pages 'can't be accessed', which was obviously a worry.

    The box warnings have now disappeared but, after your last warning, I have not tried to access the F-Secure site.

    I do hope that makes sense and that my concerns are at least realistic?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still waiting for you to complete the instructions in message # 58.

    As I stated previously, this could be due to the proxy server setting that will not go away, but there is nothing showing on your PC for why it will not go away other than possibly Windows Defender being activated and blocking the change.


    Do not reinstall F-Secure nor Comodo at this time, but you could simply check if you can access their sites. But again, I still expect you to complete message # 58, and I wanted all browsers except Internet Explorer uninstalled to make sure that some add-on in the browsers is not causing the proxy to return.
     
  14. EJB

    EJB Corporal

    Will continue in the morning.
     
  15. EJB

    EJB Corporal

    2 logs attached.
     


  16. EJB

    EJB Corporal

    This time I ran FRST64 as a scan...I hope that is correct?
    Each time I 'scan' a second file is saved 'Addition.txt' I presume you don't want that one as well?
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the fix log shows the proxy entries were removed, but the follow up scan shows they are still present.


    Do you know how to run the registry editor? I want you to navigate to the registry keys shown in your RogueKiller log to see if you actually see the ProxyEnable and ProxyServer entries and the values shown. I'm referring to the below


    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:52619;https=127.0.0.1:52619 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:52619;https=127.0.0.1:52619 -> Found
     
  18. EJB

    EJB Corporal

    As seen in my registry:-

    1. Proxy enable ...REG_DWORD 0x00000001(1)
    2. Proxy enable ...REG_DWORD 0x00000001(1)
    3. REG_SZ.....http=127.0.0.1:52619;https=127.0.0.1:52619
    4. REG_SZ.....http=127.0.0.1:52619;https=127.0.0.1:52619

    Nb. I did hover the mouse to show the full line.


    I appreciate that you didn't ask for the following, and it is probably totally irrelevant but out of curiosity I checked the same on 'My' PC.

    It was built by the same person, at the same time and to the same specification:-

    1. REG_DWORD 0x0000000(0)
    2. REG_DWORD 0x0000000(0)
    3. No 'Proxy Server' entry
    4. No 'Proxy Server' entry
     
  19. EJB

    EJB Corporal

    Just to clarify the top entries are for the 'infected' PC.
    The second list is from another PC.

    Sorry, I noticed that I had used the word 'my' in both instances!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try double clicking on the ProxyEnable value to bring up the Edit window. Change the Value Data to 0 and then click OK. Do the same for both locations with the ProxyEnable.

    For the ProxyServer key, right click on it and select Delete. Again do this for both locations.

    Let me know if you receive any error messages while doing the above. If it worked without any errors, then exit the registry editor and then restart it. Check to see if the values are still showing what we changed them to or did the bad values return. If still looking good then reboot your PC and after reboot check again. Let me know what happens.


    Yes, and that is what we have been trying to change them back to.
     
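The two posts above (the RogueKiller lines naming the keys, and the instruction to set ProxyEnable to 0, delete ProxyServer, then re-check after restarting regedit and after a reboot) describe a check-change-check cycle that is easy to do by hand once, but tedious to repeat across normal, safe and diagnostic boots. The script below is an added example, not code from the thread or from MajorGeeks: it records the current values of the three Internet Settings keys together with the boot mode and a timestamp, and, when run with `-Reset`, makes the same change chaslang asked for and records the state again. The CSV log location (`proxy-state.csv` in the user profile) is an assumption; the key paths and value names are the ones in the RogueKiller output above, plus the logged-on user's own key. It needs an elevated PowerShell prompt because the `HKU\S-1-5-18` hive is LocalSystem's.

```powershell
# Added example (not from the thread): audit and optionally reset the WinINet
# proxy values that RogueKiller flagged. Run from an elevated PowerShell prompt.
param([switch]$Reset)

# Keys from the RogueKiller log (HKU\.DEFAULT and HKU\S-1-5-18 are both the
# LocalSystem profile, so they normally show the same values), plus the current user.
$ProxyKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ProxyState {
    # One row per key. BootMode is 'Normal boot' or 'Fail-safe boot' etc., so rows
    # written from different boot modes can be told apart in the log.
    $bootMode = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    foreach ($key in $ProxyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time        = Get-Date -Format 's'
            BootMode    = $bootMode
            Key         = $key -replace '^Registry::', ''
            ProxyEnable = $props.ProxyEnable      # $null when the value is absent
            ProxyServer = $props.ProxyServer      # $null when the value is absent
        }
    }
}

function Reset-ProxyState {
    # Same edit as in regedit: ProxyEnable -> 0, ProxyServer removed.
    # Errors are surfaced on purpose: an access-denied here would itself be a clue.
    foreach ($key in $ProxyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        try {
            Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord -ErrorAction Stop
            Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
            Write-Host "reset: $($key -replace '^Registry::', '')"
        } catch {
            Write-Warning "could not change $key : $($_.Exception.Message)"
        }
    }
}

# Assumed log location; every run appends, so the file becomes the history
# across reboots and boot modes.
$LogPath = Join-Path -Path $env:USERPROFILE -ChildPath 'proxy-state.csv'

Get-ProxyState | Export-Csv -Path $LogPath -Append -NoTypeInformation
if ($Reset) {
    Reset-ProxyState
    Get-ProxyState | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
Get-ProxyState | Format-Table -AutoSize
```

Typical use is `.\proxy-state.ps1 -Reset` once, then plain `.\proxy-state.ps1` after every reboot; filtering the CSV on `BootMode` shows in which boot modes the `ProxyServer` value comes back, which is the question the rest of this thread is trying to answer. A `127.0.0.1:<port>` proxy in these keys routes all WinINet traffic through a local listener, so while it is set, any process that opens that port sees the browser's traffic; that is why a value that keeps returning deserves the attention it gets here.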
  21. EJB

    EJB Corporal

    My actions:-
    1 Proxy Enable....Changed value to 0
    2 Proxy Enable....Already changed to 0
    3 Proxy server.....Deleted it
    4 Proxy Server.....Already changed (deleted)

    No errors reported.

    Exit Regedit....Restarted Regedit OK as above changes.

    Reboot PC .....All 4 settings back to the original.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so now repeat the edits/changes and this time reboot your PC into safe boot mode and run the registry editor to check if the values are changed back in safe mode too.
     
  23. EJB

    EJB Corporal

    Changed the values.
    Reboot in Safe Mode.
    Values still changed as I had edited.
     
  24. EJB

    EJB Corporal

    It has been suggested to me that I run the u/m programme mainly because it is cloud based?

    Obviously will wait for your comments!

    http://www.cloudantivirus.com/en/
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Personally I don't think it will find anything wrong ( at least not related to the proxy settings ) because these can be normal things that people use.

    I think it is due to some software that you are running. I don't know what, but I suggest that you disable some items like Steam and maybe a few others and see what happens. Examples of additional items besides Steam that I would stop from loading using MSconfig as a debug aid are:

    C:\Program Files (x86)\AutoSizer\AutoSizer.exe
    C:\Windows\Prey\platform\windows\cronsvc.exe
    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
     
    Last edited: Jan 14, 2015
  26. EJB

    EJB Corporal

    Think I'm above my limit of knowledge.
    Disabled Steam...System Config...Services.
    Disabled Autosizer....System Config...startup...Task Manager.

    Changed 'Proxy enable' to (0).
    Deleted 'Proxy server'

    Rebooted...both back to original values.

    Don't know how to disable the others as they don't show in any of the System Config tabs.

    PS. I can obviously find the files as you have listed them.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try something else first. READ ALL OF THIS before doing anything.

    Edit the registry entries again to the values we want.

    Then in MSconfig ( System Configuration ), on the General tab, select the Diagnostic Startup radio button ( NOTE: this will restrict your ability to do very much after reboot so you will have to change back to normal mode later to come back here ) and then click Apply and then reboot in diagnostic mode. Did the registry values remain like we want or did they revert back?

    If they stayed like we want, now in MSconfig, select Selective startup ( NOTE: this will restrict your ability to do very much after reboot so you will have to change back to normal mode later to come back here ) and then uncheck the Load system services check box and click Apply and reboot. Did the registry values remain or did they revert back?

    Let's see the results of the above before doing anything else.
     
  28. EJB

    EJB Corporal

    After yesterday's activities I re-enabled Steam and Auto sizer,
    I also enabled 'Steam Client Bootstrapper' as I thought I had disabled it!

    This morning:-

    When starting the PC the 'Steam log in' box appeared.
    Cleared it and typed in 'Msconfig' to bring it up.
    It only went to 'Ms' and froze.
    PC wouldn't shut down....black screen......unplugged.
    Restarted tried to manually update Windows Defender (it won't update automatically as per the other AVs) it ran but stopped halfway. Clicked cancel update......Indicated 'no internet connection'.
    Checked internet all OK..... tried again.... same problem

    Managed to disable 'Bootstrapper' (typed in regedit OK) and all is well (back to yesterdays running)...updated Defender etc.

    Will action your last post.
     
    Last edited: Jan 16, 2015
  29. EJB

    EJB Corporal

     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes of course. The proxy setting is going to cause issues like this which is why we have been trying to get rid of it. We need to find out what is recreating it. It has to be something you run!

    I'm not sure what you are saying/implying here! Are you saying that Steam was causing problems? It is still something I would like to see uninstalled for now until we clear up your problems. I know it is for your gaming but I have seen Steam cause problems in the past. Not necessarily this problem but we need to get rid of everything that is really unnecessary for now until we determine the source of your problem.

    I would like to see Steam and Autosizer removed.

    And do you have any idea what the below is from?

    C:\Windows\Prey\platform\windows\cronsvc.exe
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not make sense. Diagnostic Startup is even more restrictive than safe boot mode so I would not have expected this since in safe boot mode, the proxy settings did not return.

    Can you please boot into safe mode and run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log before continuing on to the next steps which will overwrite this file:
    • C:\MGlogs.zip
    Then reboot in normal mode and run GetLogs.bat again. Start a new message and attach the new MGlogs.zip file from normal boot mode. I want to see if I can find any obvious running process differences in the two modes.
     
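The approach in the post above (collect what is running in safe mode, collect again in normal mode, diff the two) is a sound way to narrow down which process, service or driver is restoring the proxy values, since the values stayed put in safe mode. The script below is an added example, not the MGtools/GetLogs.bat used in the thread: `Save-RunningSnapshot` writes processes, running services and running kernel drivers to a CSV tagged with the boot mode, and `Compare-RunningSnapshot` lists what appears only in the normal-boot snapshot. File names are assumptions; the WMI classes used are standard.

```powershell
# Added example (not the thread's own tooling): snapshot running processes,
# services and drivers, then diff a safe-mode snapshot against a normal-boot one.

function Save-RunningSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    $bootMode = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    $rows = @()

    $rows += Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Name = $_.Name; Path = $_.ExecutablePath }
    }
    $rows += Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Path = $_.PathName }
    }
    $rows += Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; Path = $_.PathName }
    }

    # Several svchost.exe / conhost.exe instances collapse to one row; we care
    # about *which* images run, not how many copies.
    $rows | Select-Object Kind, Name, Path -Unique |
        Sort-Object Kind, Name |
        Export-Csv -Path $Path -NoTypeInformation
    Write-Host "wrote $($rows.Count) entries ($bootMode) to $Path"
}

function Compare-RunningSnapshot {
    # Returns the entries present in the normal-boot snapshot but absent from
    # the safe-mode one: the candidate list for whatever rewrites the proxy values.
    param(
        [Parameter(Mandatory)][string]$SafeModePath,
        [Parameter(Mandatory)][string]$NormalModePath
    )
    $toKey  = { "$($_.Kind)|$($_.Name)|$($_.Path)" }
    $safe   = @(Import-Csv -Path $SafeModePath   | ForEach-Object $toKey)
    $normal = @(Import-Csv -Path $NormalModePath | ForEach-Object $toKey)

    Compare-Object -ReferenceObject $safe -DifferenceObject $normal |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object {
            $kind, $name, $path = $_.InputObject -split '\|', 3
            [pscustomobject]@{ Kind = $kind; Name = $name; Path = $path }
        } | Sort-Object Kind, Name
}

# Usage (assumed file names):
#   in safe mode:    Save-RunningSnapshot -Path C:\snap-safe.csv
#   in normal boot:  Save-RunningSnapshot -Path C:\snap-normal.csv
#   then:            Compare-RunningSnapshot C:\snap-safe.csv C:\snap-normal.csv | Format-Table -AutoSize
```

Run it elevated so `Win32_Process` reports `ExecutablePath` for every process, not just the user's own. The diff will always contain a long tail of legitimate normal-mode services, so the useful step is to cross-reference the result with the autostart locations and the paths chaslang already listed (AutoSizer, Prey's cronsvc.exe, TeamViewer, wmpnetwk.exe) rather than to treat every line as suspect.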
  32. EJB

    EJB Corporal

    Just to be sure I rechecked via Diagnostic Startup.
    Select...Diag Startup.
    System services is highlighted (ticked).
    Load Startup items is blank.
    Apply.
    OK.
    Check regedit.

    Values revert to original.

    Return to Msconfig.
    I see....Selective startup is ticked
    Load startup items is ticked...it was blank when I ticked Selective startup.


    When I enabled 'Bootstrapper' the series of problem freezes occurred.
    I disabled it and all was well.

    I will uninstall Steam, Autosizer and Prey.
    Looking on the net I can't see what Prey is or what it does.
     
  33. EJB

    EJB Corporal

    Uninstalled Steam and Autosizer.......can't uninstall or delete Prey.

    MGlogs attached
     


  34. EJB

    EJB Corporal

    MGlogs....normal mode.
     


  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  36. EJB

    EJB Corporal

    Prey could have been installed as part of the initial installation...need to check with the builder.
    Will remove Team Viewer.
    Can't action until late tomorrow.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. In the meantime I'm just attaching here ( primarily for me ) a file containing a list of the differences from safe mode for processes, services, and drivers that I saw running when in normal mode. You don't need to do anything with this. It is for reference only right now.
     


  38. EJB

    EJB Corporal

    Team Viewer uninstalled.
    'Prey' installed on initial PC build.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run MGtools.exe on your other PC in normal boot mode and attach a log from it. If you have all of these same processes running on your other PC, it does not make sense that we would have to uninstall all these programs to try and find out if any of them are the cause of the proxy server returning. But there has to be something that runs that uses it, so let's see what is on your other PC.


    Also on the problem PC, do the below.

    Download and run Autoruns ( you will have to extract the contents from the ZIP file into a new folder you create for it ( like AutoRuns on your Desktop ) ) and keep the Everything tab selected in AutoRuns. Then click on the File menu selection and select Save. Save this log file in default format to your Desktop. The default format and filename should be AutoRuns.arn

    Now put the AutoRuns.arn file into a ZIP file and attach this ZIP to your next message. ( you cannot attach the AutoRuns.arn file. It must be ZIP'ed ).
     
    Last edited: Jan 20, 2015
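Autoruns is the right tool for the job above, but when its log keeps coming out truncated (as happens later in this thread) a much smaller, pure-PowerShell enumeration of the most common autostart locations is a useful fallback and shows what Autoruns is doing under the hood. The script below is an added example, not part of the thread or of Sysinternals Autoruns: it reads the Run/RunOnce keys, the Winlogon Shell and Userinit values, and every automatic-start service, resolves each command line to its image file, checks whether the file exists and whether it carries a valid Authenticode signature, and marks entries whose image matches the paths chaslang listed earlier in this thread. The `ThreadWatchList` paths are taken from the thread; everything else is generic.

```powershell
# Added example (not from the thread, not Sysinternals code): a minimal
# autostart enumeration with file-existence and signature checks.

# Paths chaslang listed in this thread as candidates to stop loading.
$ThreadWatchList = @(
    'C:\Program Files (x86)\AutoSizer\AutoSizer.exe',
    'C:\Windows\Prey\platform\windows\cronsvc.exe',
    'C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe',
    'C:\Program Files\Windows Media Player\wmpnetwk.exe'
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    # Extract the executable from a command line: quoted path, or text up to the
    # first .exe/.dll/.sys, or the first token as a last resort.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Substring(1).Split('"')[0] }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

function Get-SignatureStatus {
    param([string]$Image)
    if (-not $Image -or -not (Test-Path -LiteralPath $Image)) { return 'file-missing' }
    return (Get-AuthenticodeSignature -FilePath $Image).Status.ToString()   # Valid, NotSigned, ...
}

function New-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $image = Get-ImagePath -CommandLine $Command
    [pscustomobject]@{
        Location  = $Location
        Name      = $Name
        Image     = $image
        Signature = Get-SignatureStatus -Image $image
        OnWatch   = [bool]($image -and ($ThreadWatchList -contains $image))
        Command   = $Command
    }
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            New-AutostartEntry -Location $key -Name $name -Command ([string]$item.GetValue($name))
        }
    }
    # Winlogon values that are abused far more often than they are legitimately changed.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        if ($value) { New-AutostartEntry -Location $winlogon -Name $name -Command $value }
    }
    # Services that start by themselves at boot, which is what survives a "normal boot".
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        New-AutostartEntry -Location 'Service' -Name $_.Name -Command $_.PathName
    }
}

# Unsigned, missing and watch-listed entries first; the rest follow for completeness.
Get-AutostartEntries |
    Sort-Object @{ Expression = { $_.OnWatch -or $_.Signature -ne 'Valid' }; Descending = $true }, Location, Name |
    Format-Table Location, Name, Signature, OnWatch, Image -AutoSize
```

Run it elevated so the HKLM keys and all service entries are readable. This covers only a fraction of the locations Autoruns inspects (no scheduled tasks, drivers, shell extensions or WMI subscriptions), so a clean result here does not mean Autoruns would be clean; its value is that a `NotSigned` or `file-missing` row in this short list is a concrete thing to look at next.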
  40. EJB

    EJB Corporal

    Tried to download MGTools on my good PC and got this message.....will try again later.
    I was logged in and my AV is disabled!

    ___________________________________
    The website declined to show this webpage

    HTTP 403

    Most likely causes:
    • This website requires you to log in.

    What you can try:
    Go back to the previous page.

    More information
    _________________________________________
     
  41. EJB

    EJB Corporal

    Autoruns attached from the infected PC.

    Still no access to download on the good PC.
    The other 4 downloads are available but not MGLogs.
     


  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your file is incomplete or corrupted. You need to wait for it to finish the initial scan. Your file should be 5 to 6 times larger than it is.

    It is not MGlogs it is MGtools.exe and there is nothing wrong with downloading it. It works perfectly fine. The problem is in whatever you are doing. You can simply copy the MGtools.exe file from your first PC to the second PC if you still have a problem.
     
  43. EJB

    EJB Corporal

    I meant MGTools!
    I was using the original link under:-
    'RUN AND READ ME FIRST' then
    'If you have Vista, Win 7 or 8'.

    Will copy from infected PC.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but I have tried it several times on different PCs even from different locations and it is working just fine. I even tried again just now. So whatever the issue is, it seems to be on your end.
     
  45. EJB

    EJB Corporal

    Autoruns attached.

    MGTools links are obviously OK as it works on my other two PCs!
     


  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is still something wrong with your log from AutoRuns. It is not a valid file from AutoRuns. Are you modifying this file in any way by copying it or loading it into an editor or other viewing program? And are you sure it is a complete file?

    I should be able to directly load your log file into AutoRuns on my PC and see the info from your PC. I do this all the time. But your file is not viewable and also does not appear to even contain correct data.
     
  47. EJB

    EJB Corporal

    Autorun.

    DLoad ...Extract...open folder....4 files....Rt click Autorun.exe....run as admin...allow...Opens with 'Everything' selected and runs virtually instantly......Select save to desktop.
    After this there is an 'eggtimer' over the list and 'not responding' notice.

    Have done this many times...each time the saved 'arn' file is a different size.

    At one point I ran the 'Autorunsc.exe' file which flashed a running 'console' screen for a second.
     
  48. EJB

    EJB Corporal

    MGTools....tried to download on my Windows 7 laptop.
    Same results as before.
    Will still try and copy from the infected PC.
     
  49. EJB

    EJB Corporal

    MGTools copied from infected PC.
    As I run the 'get logs' file (as admin) it recognises the Operating System but says the paths are not recognised and doesn't produce a 'log zip' file.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where exactly did you put MGtools.exe on this PC? It must be on the Windows boot drive.

    If still having a problem, post a snapshot of the command prompt window.


    For AutoRuns, you want to run autoruns.exe
    It does not run instantly in any case that I have ever seen. It could be somewhat different on your SSD drive. But at the bottom left of the window, it will show a status. Something like (Escape to Cancel) Scanning... is shown while still running. When it changes to Ready, it is finished.

    When you save the log file you must wait for it to finish saving the file. If there is an egg timer or a not responding then the log will not be any good.
     
