Hitman persistently finding proxy

#1  01-15-2011, 10:01 PM  MobileTechie

I have a laptop which had a fake AV infection. This was dealt with, but Hitman kept finding an infected file and a proxy set at 127.0.0.0:8074.

I've checked it out with the usual array of AV tools like MBAM, SAS and Hitman and TDSSKiller. I reset the MBR both using MBRCheck and then again offline. Manual investigations with tools like Kernel Detective and Malware Defender and Autoruns have found no startup entries but a few inconclusive kernel hooks. Sigverif was finding an unsigned driver but not anymore. Offline scans found a rootkit and a trojan which were removed.

The system seems to be running absolutely fine and there are no redirections going on. No virus scan finds anything. Various MBR checkers come up clean. However, Hitman still claims IE is connecting to the internet via the 127.0.0.0:8074 proxy after each reboot. There is no sign of this proxy in Internet Options or in the related registry keys.

I'm trying to work out whether the infection is still present or whether this is a Hitman Pro bug.
#2  01-15-2011, 10:16 PM  Martyn (Administrator)

Do you mean 127.0.0.1:8074, MT? There is a reference to it in this link:

http://forums.malwarebytes.org/index...howtopic=71871

You could run Wireshark and see if there is an IP of that address and port?
#3  01-15-2011, 11:06 PM  iisjman07

Have you performed offline virus scans? You mention the machine had a rootkit; a part of me is thinking it (or another) could still be there.
#4  01-16-2011, 12:02 AM  TopLevelComp

Do they have Gadu-Gadu installed?

Also check this in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer = http=127.0.0.1:8074

#5  01-16-2011, 12:29 AM  MobileTechie

As stated, I've done offline scans and they are now clean, and no proxy registry keys exist.

Martyn: yes, sorry, I meant 127.0.0.1. No sign of that port being open according to Wireshark or TCPView.
#6  01-16-2011, 02:48 AM  arrow_runner

Try running HijackThis. I know that even after I clear out that proxy field in IE, HijackThis still finds it in the registry.
#7  01-16-2011, 02:56 AM  BigMac

I have seen this on several occasions. If you search the registry, you will find it and can delete the key. I can't remember the exact location in the registry, but my guess is that the malware not only puts the proxy in the current configuration, but it also puts it in IE's "default" settings. Therefore, if you attempt to reset IE's settings (under the Advanced tab), it will still have the proxy in place. This is just a guess and I have not tested it, though.
#8  01-16-2011, 04:59 AM  stevenamills

Every time I have seen this it's in the Internet Options settings.

Internet Options - Connections - LAN Settings - Advanced

The Advanced button will be greyed out, but check the "use proxy" box to make it active. I'll bet you find the port in the server list.
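Posts #4 and #8 point at two places a proxy can hide: the ProxyServer string (per-protocol entries such as http=127.0.0.1:8074) and the per-connection store behind the LAN Settings dialog, which Windows keeps as a binary value (DefaultConnectionSettings under Internet Settings\Connections) rather than as a readable string. The Python below is an added example, not code from anyone in this thread: it builds a constructed sample of that blob in the commonly documented layout (version DWORD, change counter, flags, three length-prefixed strings, 32 reserved bytes), decodes it, and reports loopback proxies only when the proxy flag is actually set, so it runs offline without reading any registry; on a real machine you would feed it the bytes read from that value.

```python
import struct

# Bit flags in the third DWORD of a DefaultConnectionSettings blob.
FLAG_DIRECT, FLAG_PROXY, FLAG_PAC, FLAG_AUTODETECT = 0x01, 0x02, 0x04, 0x08

def _lpstr(s: bytes) -> bytes:
    """Length-prefixed (little-endian DWORD) byte string, as stored in the blob."""
    return struct.pack("<I", len(s)) + s

def build_settings(counter: int, flags: int, proxy: bytes = b"",
                   bypass: bytes = b"", pac: bytes = b"") -> bytes:
    """Constructed sample blob: version 0x46, change counter, flags, then the
    proxy server, bypass list and PAC URL strings, then 32 reserved zero bytes."""
    return (struct.pack("<III", 0x46, counter, flags)
            + _lpstr(proxy) + _lpstr(bypass) + _lpstr(pac) + bytes(32))

def parse_settings(blob: bytes) -> dict:
    """Decode the fixed header and the three length-prefixed strings."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off, fields = 12, []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].decode("ascii", "replace"))
        off += n
    return {"version": version, "counter": counter, "flags": flags,
            "proxy": fields[0], "bypass": fields[1], "pac": fields[2]}

def parse_proxy_server(value: str) -> dict:
    """Split 'http=127.0.0.1:8074;https=host:port' (or a bare 'host:port',
    which applies to every protocol) into {scheme: 'host:port'}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=")
        if not hostport:            # bare host:port with no scheme prefix
            scheme, hostport = "*", scheme
        out[scheme] = hostport
    return out

def loopback_proxies(blob: bytes) -> list:
    """(scheme, host:port) entries on 127.x.x.x; ignored unless the proxy flag is set."""
    s = parse_settings(blob)
    if not s["flags"] & FLAG_PROXY:
        return []
    return [(scheme, hp) for scheme, hp in parse_proxy_server(s["proxy"]).items()
            if hp.rsplit(":", 1)[0].startswith("127.")]
```

A loopback proxy entry with the proxy flag clear is stale configuration the browser ignores; the same entry with the flag set is the case the thread describes, and is worth examining even when the ProxyServer string is empty.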
#9  01-16-2011, 09:05 AM  MobileTechie

As I said in the OP, I already checked the registry and IE's settings. There is no proxy set there. Therefore you won't be surprised to hear that tools like OTL or HJT don't find proxy settings either.

The only tool that finds the setting is Hitman Pro.