|
#1
01-15-2011, 09:01 PM
|
||||
|
||||
Hitman persistently finding proxy
I have a laptop in which had a fake AV infection. This was dealt with but Hitman kept finding an infected file and a proxy set on a 127.0.0.0:8074
I've checked it out with the usual array of AV tools like MBAM, SAS and Hitman and TDSSKiller. I reset the MBR both using MBRCheck and then again offline. Manual investigations with tools like Kernel Detective and Malware Defender and Autoruns have found no startup entries but a few inconclusive kernel hooks. Sigverif was finding an unsigned driver but not anymore. Offline scans found a rootkit and a trojan which were removed. The system seems to be running absolutely fine and there are no redirections going on. No virus scan finds anything. Various MBR checkers come up clean. However, Hitman still claims IE is connecting to the internet via the 127.0.0.0:8074 proxy after each reboot. There is no sign of this proxy in Internet Options or in the related registry keys. I'm trying to work out whether the infection is still present or whether this is a Hitman Pro bug. 
|
|
#2
01-15-2011, 09:16 PM
|
||||
|
||||
|
Do you mean 127.0.0.1:8074 MT? There is reference to it in this link
http://forums.malwarebytes.org/index...howtopic=71871 You could run Wireshark and see if there is an ip of that address and port?
__________________
![[HTML]http://www.hobit.co.uk[/HTML}](image.php?s=c3e9b41c5ebb537653874839d336caf4&u=13062&type=sigpic&dateline=1306863816) Computer & Laptop Repairs Leighton Buzzard Virus Removal Leighton Buzzard Laptop Screen Replacement Leighton Buzzard
|
|
#4
01-15-2011, 11:02 PM
|
|||
|
|||
|
do they have Gadu-Gadu installed?
Also check this in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:8074 Last edited by TopLevelComp; 01-15-2011 at 11:04 PM.
|
|
#5
01-15-2011, 11:29 PM
|
||||
|
||||
|
As stated, I've done offline scans and they are now clean, and no proxy registry keys exist.
Martyn: yes sorry I meant 127.0.0.1 - no sign of that port being open according to wireshark or TCPview
|
|
#6
01-16-2011, 01:48 AM
|
||||
|
||||
|
Try running hijackthis. I know that even after I clear out that proxy field in IE, hijackthis still finds it in the registry.
|
|
#7
01-16-2011, 01:56 AM
|
|||
|
|||
|
I have seen this on several occasions. If you search the registry, you will find it and can delete the key. I can't remember the exact location in the registry, but my guess is that the malware not only puts the proxy in the current configuration, but it also puts it in IE's "default" settings. Therefore if you attempt to reset IEs settings (under the advanced tab) it will still have the proxy in place. This is just a guess and I have not tested it though.
|
|
#8
01-16-2011, 03:59 AM
|
|||
|
|||
|
Every time I have seen this it's in the Internet Options settings.
Internet Options - Connections - Lan Settings - Advanced The Advanced button will be greyed out, but check the "use proxy" box to make it active. I'll bet you find the port on the server list.
__________________
Steve Fox Valley  Computer ServicesTrying desperately to make a living in a failing industry in a failing economy.
|
|
#9
01-16-2011, 08:05 AM
|
||||
|
||||
|
As I said in the OP, I already checked the registry and IE's settings. There is no proxy set there. Therefore you won't be surprised to hear that tools like OTL or HJT don't find proxy settings either.
The only tool that finds the setting is Hitman Pro.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
