Hijacked proxy settings, lots of ADs

BubbaJay89 · May 4, 2014

Hello there MajorGeeks Helper,

for the first time of my life, I'm experiencing a malware problem, I'm not able to get handled myself.

Scince may 1, I get a lot of ads shown in all my browsers. Most of them are embedded ads, but sometimes links, that should've been clean are redirecting to an ad.

After my first investigations I noticed, that my browsers now tend to use a proxy, but I can't find out which one. Proxy settings are set to 127.0.0.1:8118. I guess this 'hijacker' is using an installation of Privoxy, which I never installed in the first place. (It's running in background, able to see it in task manager. If killed, browser isn't able to connect to internet until i change proxy settings. It's not working for long, proxy settings will be reverted to the above after about 5 - 30 seconds.)

Please help, it's really annoying.

P.S.: Why aren't Grisoft AVG Free and IObit Malware Fighter able to handle such threads?

Best regards an a big tank you
BubbaJay

TimW · May 4, 2014

Fix these items in RogueKiller:

Code:

¤¤¤ Registry-Einträge : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : InetStat ("C:\Users\Jens\AppData\Roaming\InetStat\inetstat.exe" /c=5 [7]) -> GEFUNDEN
[RUN][SUSP PATH] HKUS\S-1-5-21-293272317-256204014-334039894-1001\[...]\Run : InetStat ("C:\Users\Jens\AppData\Roaming\InetStat\inetstat.exe" /c=5 [7]) -> GEFUNDEN
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:8118;hxxps=127.0.0.1:8118 [Country: (Private Address) (XX), City: (Private Address)]) -> GEFUNDEN
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> GEFUNDEN

Then reboot and see if the issue remains.

BubbaJay89 · May 4, 2014

Hi TimW,

thanks for your help. Didn't solve anything, ADs still occure and the proxy setting are still refreshing the same way alike.

TimW · May 4, 2014

Is this happening in all browsers? Which ones?

BubbaJay89 · May 5, 2014

Chrome, Firefox, IE, Opera...didn't test Safari yet

BubbaJay89 · May 5, 2014

Found sth interesting...

Proxy is Privoxy hooked at 127.0.0.1:8118

It's installed in C:\Program Files(x86)\MSR\

user.action
user.filter

Those two files contain code strangely looking like .htaccess entries. The Ads are hooked up in here (addelivery1.....). Tried swapping both files with empty ones, but after reboot they are back to "normal".

After deleting the whole Privoxy install my browser isn't able to open connections, obviously because the proxy is gone. Changing proxy settings still reverts back though. After reboot the installation is back, too.

TimW · May 5, 2014

Rerun RogueKiller and attach the new log.

BubbaJay89 · May 8, 2014

Rogue Killer log

TimW · May 8, 2014

Rerun RogueKiller and fix these items:

Code:

¤¤¤ Registry-Einträge : 12 ¤¤¤
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:8118;hxxps=127.0.0.1:8118 [Country: (Private Address) (XX), City: (Private Address)]) -> GEFUNDEN
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> GEFUNDEN

Reboot and tell me how things are running.

TimW · May 8, 2014

Does this exist in your Add/remove list:
System Update kb70007

If so, you need to delete it.

Log in or Sign up

Hijacked proxy settings, lots of ADs

BubbaJay89 Private E-2

Attached Files:

mbam-log-2014-05-04 (09-57-32).txt

TDSSKiller.3.0.0.34_04.05.2014_10.14.09_log.txt

HitmanPro_20140504_1020.log

MGlogs.zip

RKreport[0]_S_05032014_230154.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BubbaJay89 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BubbaJay89 Private E-2

BubbaJay89 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BubbaJay89 Private E-2

Attached Files:

RKreport[0]_S_05082014_151042.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member