Hitman persistently finding proxy


MobileTechie
01-15-2011, 09:01 PM
I have a laptop which had a fake AV infection. This was dealt with but Hitman kept finding an infected file and a proxy set on a 127.0.0.0:8074

I've checked it out with the usual array of AV tools like MBAM, SAS and Hitman and TDSSKiller. I reset the MBR both using MBRCheck and then again offline. Manual investigations with tools like Kernel Detective and Malware Defender and Autoruns have found no startup entries but a few inconclusive kernel hooks. Sigverif was finding an unsigned driver but not anymore. Offline scans found a rootkit and a trojan which were removed.

The system seems to be running absolutely fine and there are no redirections going on. No virus scan finds anything. Various MBR checkers come up clean. However, Hitman still claims IE is connecting to the internet via the 127.0.0.0:8074 proxy after each reboot. There is no sign of this proxy in Internet Options or in the related registry keys.

I'm trying to work out whether the infection is still present or whether this is a Hitman Pro bug.

Martyn
01-15-2011, 09:16 PM
Do you mean 127.0.0.1:8074 MT? There is reference to it in this link

http://forums.malwarebytes.org/index.php?showtopic=71871

You could run Wireshark and see if there is an ip of that address and port?

iisjman07
01-15-2011, 10:06 PM
Have you performed offline virus scans? You mention the machine had a rootkit, a part of me is thinking it (or another) could still be there

TopLevelComp
01-15-2011, 11:02 PM
Do they have Gadu-Gadu installed?

Also check this in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer = http=127.0.0.1:8074

MobileTechie
01-15-2011, 11:29 PM
As stated, I've done offline scans and they are now clean, and no proxy registry keys exist.

Martyn: yes sorry I meant 127.0.0.1 - no sign of that port being open according to wireshark or TCPview

arrow_runner
01-16-2011, 01:48 AM
Try running hijackthis. I know that even after I clear out that proxy field in IE, hijackthis still finds it in the registry.

BigMac
01-16-2011, 01:56 AM
I have seen this on several occasions. If you search the registry, you will find it and can delete the key. I can't remember the exact location in the registry, but my guess is that the malware not only puts the proxy in the current configuration, but it also puts it in IE's "default" settings. Therefore if you attempt to reset IE's settings (under the advanced tab) it will still have the proxy in place. This is just a guess and I have not tested it though.

stevenamills
01-16-2011, 03:59 AM
Every time I have seen this it's in the Internet Options settings.

Internet Options - Connections - Lan Settings - Advanced

The Advanced button will be greyed out, but check the "use proxy" box to make it active. I'll bet you find the port on the server list.
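The registry key TopLevelComp named, the "default settings" BigMac guessed at, and the LAN settings stevenamills pointed to can be checked in one pass; the script below is an added example for this thread, not something any poster ran. It assumes the commonly documented layout of the binary `DefaultConnectionSettings` / `SavedLegacySettings` values (version, counter, flags, then three length-prefixed ANSI strings), which is where Internet Options > Connections > LAN settings actually writes the proxy rather than only in the plain `ProxyServer` string.

```powershell
# Added example: list every IE proxy location in the machine hive and in each
# loaded user hive (including .DEFAULT), and decode the binary per-connection
# blobs so an entry like 127.0.0.1:8074 cannot sit there unseen.
$suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives  = @('Registry::HKEY_LOCAL_MACHINE') +
          (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

function ConvertFrom-ConnectionBlob([byte[]]$b) {
    # Assumed layout: DWORD version, DWORD change counter, DWORD flags, then
    # three DWORD-length-prefixed ANSI strings (proxy, bypass list, PAC URL).
    # Flags: 0x02 = proxy enabled, 0x04 = use auto-config script, 0x08 = auto-detect.
    $i = 8
    $flags = [BitConverter]::ToUInt32($b, $i); $i += 4
    $s = @{ Proxy = ''; Bypass = ''; AutoConfigUrl = '' }
    foreach ($f in 'Proxy', 'Bypass', 'AutoConfigUrl') {
        if ($i + 4 -gt $b.Length) { break }
        $len = [BitConverter]::ToUInt32($b, $i); $i += 4
        if ($len -eq 0 -or $i + $len -gt $b.Length) { continue }   # empty or malformed
        $s[$f] = [Text.Encoding]::ASCII.GetString($b, $i, $len); $i += $len
    }
    [pscustomobject]@{
        ProxyEnabled  = ($flags -band 2) -ne 0
        AutoConfig    = ($flags -band 4) -ne 0
        AutoDetect    = ($flags -band 8) -ne 0
        Proxy         = $s.Proxy
        Bypass        = $s.Bypass
        AutoConfigUrl = $s.AutoConfigUrl
    }
}

foreach ($h in $hives) {
    $key = "$h\$suffix"
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $v) { continue }
    # Plain string values: what Internet Options and HijackThis normally display.
    if ($v.ProxyEnable -or $v.ProxyServer -or $v.AutoConfigURL) {
        '{0}: ProxyEnable={1} ProxyServer={2} AutoConfigURL={3}' -f $key, $v.ProxyEnable, $v.ProxyServer, $v.AutoConfigURL
    }
    # Binary blobs: one per dial-up/VPN connection plus the LAN default.
    $conn = Get-Item -Path "$key\Connections" -ErrorAction SilentlyContinue
    if (-not $conn) { continue }
    foreach ($name in $conn.GetValueNames()) {
        $blob = $conn.GetValue($name)
        # WinHttpSettings (netsh winhttp proxy) uses a different layout; skip it here.
        if ($name -eq 'WinHttpSettings' -or -not ($blob -is [byte[]]) -or $blob.Length -lt 24) { continue }
        $d = ConvertFrom-ConnectionBlob $blob
        if ($d.ProxyEnabled -or $d.Proxy -or $d.AutoConfigUrl) {
            '{0}\Connections\{1}: proxy={2} enabled={3} pac={4}' -f $key, $name, $d.Proxy, $d.ProxyEnabled, $d.AutoConfigUrl
        }
    }
}
```

Run it from an elevated prompt so all loaded user hives under HKEY_USERS are readable; a proxy that appears only in a blob, or only in another user's hive, is exactly the case where Internet Options and the plain `ProxyServer` value look clean.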

MobileTechie
01-16-2011, 08:05 AM
As I said in the OP, I already checked the registry and IE's settings. There is no proxy set there. Therefore you won't be surprised to hear that tools like OTL or HJT don't find proxy settings either.

The only tool that finds the setting is Hitman Pro.