My connection turn on to a proxy server

Discussion in 'Malware Help (A Specialist Will Reply)' started by mardi, Apr 18, 2008.

  1. mardi

    mardi Private E-2

    Hello,

    I don't use a proxy server but my connection started to go through a proxy. I don't know for how long has it happend, I discovered it when a secure site warned me about it. It goes back to normal when I run Ccleaner or RegSupreme but after a while the connection becomes disconnected and when I connected again it's back to a proxy server.

    I have run all the steps in the guide for removing malware but it doesn't help. SuperAntiSpyware, Spybot Search & Destroy and Malwarebytes' AntiMalware doesn't find anything.

    Here is the ComboFix and MGtools logs. I hope you can help me.

    Thank you,
    Gloria
     

    Attached Files:

    mardi, Apr 18, 2008
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Next time please follow all instructions properly. You did not rename and run ComboFix as requested.

    Is drive E an external drive or USB drive? I see the below in your ComboFix log which indicates you were having an issue and tried to do a fix.
    Have you resolve this issue? Have you deleted knight.exe from ALL drives and including external drives?
     
    Last edited: Apr 19, 2008
    chaslang, Apr 18, 2008
    #2
  3. mardi

    mardi Private E-2

    Hello and thank you for the answer.

    I couldn't run Combofix as requested because when I tried to do it I get an error telling me that the fil was located on a remote drive or a network and it was not accessible, but it was located on my desktop. It's very stranger. I decide to follow the instruction on the bleeping computer site for running it.

    Drive E is an external DVD-/CD-ROM enhet with an USB connection to my computer.

    I did a search on my harddrives and didn't find the knight.exe file anywhere. I don't have any external drive.

    My connection is fine now, it doesn't connect through a proxy server anymore, but I'm not sure if the issue is totally solved. After I posted my problem here I change some antispyware programs and the firewall, following the steps in "How to Protect yourself from malware" post. I installed a-squared Free and it found 2 infected files and 49 traces, I quarentined them and attach the log here.

    After that I tried to run Combofix again following your instruction properly but I get the same error described above. I suspect something is still wrong. I will be very thankful if you could help me with this issue.

    Thanks again,
    Gloria
     

    Attached Files:

    mardi, Apr 19, 2008
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure that none of the DVD or CD that you have been putting into drive E have those files on them too.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Apr 19, 2008
    #4
  5. mardi

    mardi Private E-2

    Hi,

    I hope I did it properly, I run Combofix two times because the first time I forgot to disable the antivirus, firewal and spyware terminator. After rebooting and when Combofix was preparing the log the startup programs start running, I disable them. I don't know if this afected Combofix. Should I let them run? The log attached is from the second time I runned it.

    I couldn't fix the register, I followed your instructions but when I double click the file I get a message telling me that the file wasn't a registerscript and could not be added to the register. I didn't know if I should continue with the rest of the steps, so I didn't.

    Thanks again for all help,
    Gloria
     

    Attached Files:

    mardi, Apr 20, 2008
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This means you did not follow the instructions properly. Try again. Make sure you included the REGEDIT4 line and that it is the first line.

    If you do not get the registry patch to work this time, continue on with all other steps anyway.
     
    chaslang, Apr 20, 2008
    #6
  7. mardi

    mardi Private E-2

    I get everything OK this time. Here is the logs. Thanks
     

    Attached Files:

    mardi, Apr 21, 2008
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Are you having any current malware problems?
     
    chaslang, Apr 22, 2008
    #8
  9. mardi

    mardi Private E-2

    I'm not sure if I still have some malware problem but I would like a new HijackThis log to be checked if it is possible. I unistalled Live Messenger when I begun to have problems and installed it again yesterday. What I can see now is a lot of connections to the messenger, both TCP and UDP incoming and outgoing. I attach a new HijackThis log jus to be sure everything is fine now.

    Thanks for all help.
     

    Attached Files:

    mardi, Apr 22, 2008
    #9
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A HijackThis log will not show you anything related to what you are questioning. All of your logs are clean like they were before. If you are worried about the connections you are seeing, stop running BitComet and Messenger.

    If you are not having any other malware problems, it is time to do our final steps:
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
    chaslang, Apr 22, 2008
    #10
  11. mardi

    mardi Private E-2

    All done. Thanks again for all help! :)
     
    mardi, Apr 23, 2008
    #11
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
    chaslang, Apr 23, 2008
    #12

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds