Potential Malware Issue - Proxy Server Message

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DBean, Nov 11, 2014.

  1. DBean

    DBean Private E-2

    I'm on an HP AMD A6-4400M APU laptop that now runs on Windows 8.1, with 8 GB, and a 64-bit OS with an x64-based processor.

    My issue, one I've never seen before, turned up tonight when I tried to go online. The message was "The proxy server isn't responding" when I used Firefox. A similar one came up in IE. After doing the Read & Run Me, I'm able to get online with Firefox, but the problem still persists in IE.

    I don't think I'm anywhere in the clear even if it was working fine, as I had a page open up on me after using RogueKiller that mentioned a rootkit. As instructed by the Read & Run Me guide, I ran the five scans and obtained their logs.

    Let's see what I've gone and done wrong to the computer this time around.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we take any steps, what is the below stuff? Did you knowingly install this?

    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2831931749-3833700357-1592384844-1002\Software\Microsoft\Windows\CurrentVersion\Run | ClickfreeMonitor : c:\programdata\Clickfree\cfagent.exe -> Found
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2831931749-3833700357-1592384844-1002\Software\Microsoft\Windows\CurrentVersion\Run | SacReminderHDDV2 : C:\ProgramData\Clickfree\HDDV2USB3\reminder\SacReminder.exe -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2831931749-3833700357-1592384844-1002\Software\Microsoft\Windows\CurrentVersion\Run | ClickfreeMonitor : c:\programdata\Clickfree\cfagent.exe -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2831931749-3833700357-1592384844-1002\Software\Microsoft\Windows\CurrentVersion\Run | SacReminderHDDV2 : C:\ProgramData\Clickfree\HDDV2USB3\reminder\SacReminder.exe -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CFUACProxy_hddv2usb3 ("C:\ProgramData\Clickfree\HDDV2USB3\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\HDDV2USB3") -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CFUACProxy_hddv2usb3 ("C:\ProgramData\Clickfree\HDDV2USB3\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\HDDV2USB3") -> Found
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah, I see that Clickfree is some USB drive used for backup! That's a strange way to install software.

    Rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Are you still having problems?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Isn't it just! We were just saying the same thing. I had a little look at their website.
     
  5. DBean

    DBean Private E-2

    Never look a Christmas gift horse in the mouth, especially when it's from a family member. I think they found it on one of those shopping channels a couple of years back, but I can't complain. That Clickfree device works well enough as a storage/storage transfer unit for larger files between computers.

    Anyway, I ran the first scan and deleted what I could from the ten lines you gave me. After that, I rebooted and ran the second scan. That's the log I've posted. Two of those ten lines decided they want to replace themselves instead of being deleted altogether:

    Not sure what to do about them. At least it didn't open up a site like it did last time, so I guess that's a positive. I did check after the scan to see if either the Firefox or IE browsers were still having issues, but both were able to load up the page I wanted without that blasted proxy server message there. What should I do about those two lines, if anything?
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is probably not worth the effort in trying to fix them if everything is working okay now. If RogueKiller could not fix those two items, then any patch we give you would not work either. Which means you would have to manually edit the registry to change the value of ProxyEnable from 1 to 0. And you will not be able to find both a 64-bit and 32-bit (x86) location because Microsoft has made it extremely difficult to deal with x64 vs x32 in the registry. You will only find the one entry in the path noted. If you feel comfortable editing the registry, you can try changing this value.
     
  7. DBean

    DBean Private E-2

    I do not feel comfortable in doing that after the last few months I've had with the machine. Knowing my luck, I'd mess something up worse. Should I just finish and/or repeat any steps in the Read & Run Me guide and report back to you all then?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's run the below before getting to final instructions.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  9. DBean

    DBean Private E-2

    I ran JRT, but I also noticed that the proxy server message had come back for IE when I turned this computer back on. I guess I might have to wind up editing the registry in the end after all. Oy-vey. Anyway, the log of the scan is attached.
     
    Attached Files: JRT.txt
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which proxy server settings in particular do you mean came back?

    How do you know? What was showing you this info?
     
  11. DBean

    DBean Private E-2

    In IE, I have the "The proxy server isn't responding" message. That was temporarily gone after the second RogueKiller scan we ran two days ago, but it's back on IE when I went to check and see if things would run fine now. Worse, when Trend Micro was wanting to update, I had a "You need an Internet connection to check for updates" message appear, while Firefox is able to let me use said internet.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about Firefox?


    Please download ( only download right now ) the below OTL program and save it to your Desktop:

    OTL by OldTimer


    Please do the below for IE:

    Reset Internet Explorer 9, 10, and 11 to Defaults

    And then do the below for Firefox:

    Reset Firefox to Defaults


    Now reset your PC. After the reset, check to see how things are working, and then run the below whether the internet works or not.

    • Right click on the OTL icon on your desktop and select Run as Administrator to run it.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  13. DBean

    DBean Private E-2

    Before I do this step, I want to answer your first question before asking one of my own.
    Firefox is giving me no trouble. IE only started to work when I went into LAN and checked off the proxy server box. That said, the Trend Micro issue was still there about not downloading because "I need an Internet connection".

    Now my question is after downloading and resetting IE and FF. I know how to do all that. When you say "reset your computer", you don't mean reboot in this case? You literally mean to perform the instructions to reset it like on this page after doing all the steps you're asking?

    http://windows.microsoft.com/en-us/windows-8/restore-refresh-reset-pc

    If that is the case, should I back up any important information beforehand that might not be saved elsewhere to an external drive or would that just cause further complications down the road? I have to make sure this is right first since I don't want to lose anything that I might not be able to get back otherwise.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then only reset IE to defaults and leave Firefox alone. But if TrendMicro is not finding an internet connection while Firefox is, then your problem may be in TrendMicro and it may need to be uninstalled/reinstalled.

    Sorry! Just a basic reboot.
     
  15. DBean

    DBean Private E-2

    That's why I'm glad I asked. Okay then. Here's the report. I also had an Extras.txt pop up, but since I wasn't asked to include it, I didn't.

    Firefox still works fine after auto-detecting proxy settings for the network. Internet Explorer keeps defaulting to "Proxy Server - Use a Proxy Server for your LAN". When it's checked, the internet will not work on it, and I'll get that "proxy server isn't responding" message. Since it keeps checking off that box, it remains a pain.
     

    Attached Files: OTL.Txt
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So even after resetting IE to defaults you still have the issue with the proxy? If so, it is possible that Trend Micro is blocking the change.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below.

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the text field.
    Code:
    :OTL
    PRC - [2014/10/21 14:02:50 | 000,305,664 | ---- | M] (Wajam Internet Technologies Inc.) -- C:\Program Files (x86)\WajaIE\WajaIE Internet Enhancer\InternetEnhancerService.exe
    SRV - [2014/10/21 14:02:50 | 000,305,664 | ---- | M] (Wajam Internet Technologies Inc.) [Auto | Running] -- C:\Program Files (x86)\WajaIE\WajaIE Internet Enhancer\InternetEnhancerService.exe -- (Internet Enhancer Service)
    IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    IE:64bit: - HKLM\..\SearchScopes\{831729C5-C75F-4072-B4EC-F34E1F708862}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
    IE:64bit: - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
    IE:64bit: - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    IE - HKLM\..\SearchScopes\{831729C5-C75F-4072-B4EC-F34E1F708862}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
    IE - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63615;https=127.0.0.1:63615
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63615;https=127.0.0.1:63615
    IE - HKU\S-1-5-21-2831931749-3833700357-1592384844-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    [2014/10/24 00:18:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WajaIE
    
    :Files
    C:\Program Files (x86)\WajaIE
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
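The registry values chaslang describes editing by hand in post 6 (ProxyEnable from 1 to 0) are the same ones the OTL fix above targets under HKU\.DEFAULT, HKU\S-1-5-18 and the user's SID. The following PowerShell audit is an added example, not code from the thread or from any of the tools named in it: it lists the WinINet proxy values in every loaded user hive, flags the pattern seen here (ProxyEnable = 1 pointing at a loopback ProxyServer), and with an assumed -Fix switch resets only the flagged hives. Test-LoopbackProxy and -Fix are names chosen for this example; run it from an elevated prompt.

```powershell
<#
  Added example, not from the thread: audit the WinINet proxy values that
  OTL and RogueKiller reported above across every loaded user hive, and
  flag the pattern seen here, ProxyEnable = 1 with a loopback ProxyServer.
  Run from an elevated prompt. -Fix and Test-LoopbackProxy are my names.
#>
[CmdletBinding()]
param([switch]$Fix)

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-LoopbackProxy([string]$ProxyServer) {
    # ProxyServer is either "host:port" or a list such as
    # "http=127.0.0.1:63615;https=127.0.0.1:63615". A proxy on the local
    # host is suspect unless you deliberately run one (e.g. a debugger).
    if (-not $ProxyServer) { return $false }
    foreach ($entry in $ProxyServer -split ';') {
        $hostPart = ($entry -split '=')[-1] -replace ':\d+$', ''
        if ($hostPart -match '^(127(\.\d{1,3}){3}|localhost|\[?::1\]?)$') {
            return $true
        }
    }
    return $false
}

$findings = @()
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    # *_Classes hives never hold Internet Settings; skip them.
    if ($hive.PSChildName -like '*_Classes') { continue }
    $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    if (-not (Test-Path $path)) { continue }
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $enabled = [int]($p.ProxyEnable -as [int])
    $server  = [string]$p.ProxyServer
    $findings += [pscustomobject]@{
        Hive          = $hive.PSChildName
        ProxyEnable   = $enabled
        ProxyServer   = $server
        ProxyOverride = [string]$p.ProxyOverride   # "<-loopback>" in the thread
        Suspicious    = ($enabled -eq 1) -and (Test-LoopbackProxy $server)
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings | Where-Object Suspicious) {
        $path = "Registry::HKEY_USERS\$($f.Hive)\$subKey"
        # Same change chaslang describes: ProxyEnable 1 -> 0, then drop the
        # server and override values. Sign out or reboot afterwards so
        # IE/WinINet re-reads the settings. Re-run without -Fix to confirm
        # nothing re-creates them (a persistence sign, as in this thread).
        Set-ItemProperty -Path $path -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $path -Name ProxyServer, ProxyOverride `
            -ErrorAction SilentlyContinue
        Write-Host "Reset proxy settings in HKU\$($f.Hive)"
    }
}
```

If the values come back after a reboot, as they did in this thread, the fix is not the registry edit but whatever process is rewriting it, so look at autoruns and services before re-running with -Fix.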
     
  18. DBean

    DBean Private E-2

    Ran the scans as instructed with reboots after each of them. Same issues with IE and Trend Micro persist. That's a bummer. Here are the logs as requested.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall TrendMicro and then reboot. After reboot rerun my whole previous fix and let's see what happens.
     
  20. DBean

    DBean Private E-2

    There's hope this time around as currently, IE is not giving me the proxy server message of frustration after the uninstall of Trend Micro and the subsequent reboots after that and the scans. Here are the logs.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, I still see signs of it. I'm starting to wonder if the ClickFree software ( which uses the word proxy ) is the cause or if this is just a coincidence.

    Keep TrendMicro uninstalled for now because it was likely causing us problems and it was broken anyway.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:63615;https=127.0.0.1:63615
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>

    After clicking Fix, exit HJT.

    Run a new scan with RogueKiller and if you see any of those Proxy items show up, select them and allow RogueKiller to fix them. Then immediately reboot. After reboot run a new scan with both RogueKiller and Hitman and attach the new logs.

    Has the problem returned or are things still good?
     
  22. DBean

    DBean Private E-2

    RogueKiller looks like it managed to clear out the proxies that were previously refusing to be deleted. HitmanPro had a pretty normal scan, too. Even better, I was able to run Hitman without having to turn on the EWS, something I had to do when I originally had this issue. I'm hoping this means my problem is almost solved. You've been a huge help so far.

    Anyway, here are the logs.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  24. DBean

    DBean Private E-2

    Done and done... outside of knowing what Anti-Virus software to use in Step #8 you gave me. Not sure Trend Micro was really cutting it. Do you have a personal best for those five that are recommended on the page? From the list, it looks like Microsoft Security Essentials would do the job okay enough.

    Either way, thanks for your help the last week here. It's embarrassing to mess things up like this, and 8.1 has given me issues that 8.0 wasn't. Hopefully, I can keep this PC clean now because this definitely gets tiresome!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TrendMicro is okay. If you paid for it and it has not expired there is no reason to drop it. Just reinstall and update. It seemed to be broken before.

    MSE is okay but may not be rated as high as TrendMicro. But MSE is free. Avast is another good choice.

    You're welcome.
     
    Last edited: Nov 22, 2014
  26. DBean

    DBean Private E-2

    Okay. I wound up choosing to go back to Trend Micro. Hopefully, it won't give me any trouble like it was doing previously. In any case, I think that about covers it since the machine is running fine now thanks to your assistance. Let's hope I don't have to come back here again anytime soon, but I'm glad I did here. Thank you!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
