Leftover proxy server problems from a malware issue

Metanis

Windows 10 machine upgraded in-place over Windows 7.

Long-time remote customer of mine, reasonably computer savvy, has 2 teenagers at home routinely on the PC, customer is good at running Malwarebytes on her own if she senses a problem.

After letting Malwarebytes clean up an infection she complained that PC would no longer "get on the Internet". I already had TeamViewer installed on her PC so we ran it and I was able to connect up just fine. But she was correct in the sense that neither Chrome nor Edge would connect to the Internet, both gave errors about a missing proxy server.

It seems that the infection cleared by Malwarebytes involved a local proxy server. I have since cleared the issues with Chrome and Edge, they both will connect directly now. But Windows Update and Avira AV will not connect.

Eventually I had the bright idea of installing my own proxy server on her machine. So I downloaded and installed a little freeware app called CCproxy. With that running as a service both Windows Update and Avira will connect just fine.

In the LAN settings options for the Internet there are no proxy connections configured. I can continue to remote in at will and both Chrome and Edge now continue to connect with zero proxy errors. But Avira AV and Windows Updates refuse to connect unless I run the CCproxy program.

Even "netsh winhttp show proxy" reports there is no proxy configured.

I've already explained to my customer that this problem will likely require a Windows repair installation. I just thought I'd do a Hail Mary out here and see if anyone has ever solved this issue before.
 
Might run this on it.

http://www.tweaking.com/content/page/windows_repair_all_in_one.html

Uninstall the AV first, and make sure you create a registry backup and system restore point as well. But I've had this solve weird issues, like Windows Update not working, etc. Can't say for sure it will, but it's saved me from a reinstall a few times. Probably would not be a bad idea to bring the machine in shop for this, and create a good working image before you run that, just in case, so that you have a way to go back in case anything goes south.
 
Oaklabs and RogueKiller for starters. There was another one I used for a stubborn redirector - can't remember it though.
 
ComboFix? Though with Windows 10, not sure if ComboFix works or not. I know it did not like 8.

Agreed though, Rogue Killer is a good one, haven't used Oaklabs as much, need to test it.
 
Might run this on it.

http://www.tweaking.com/content/page/windows_repair_all_in_one.html

Uninstall the AV first, and make sure you create a registry backup and system restore point as well. But I've had this solve weird issues, like Windows Update not working, etc. Can't say for sure it will, but it's saved me from a reinstall a few times. Probably would not be a bad idea to bring the machine in shop for this, and create a good working image before you run that, just in case, so that you have a way to go back in case anything goes south.

Tried this over the afternoon. And I did reboot into Safe Mode and ran all the recommended fixes. I was hopeful, but Windows Update still won't connect without the 3rd party proxy running.

Since the machine actually works pretty well and the problem won't actually matter until something or someone disables the proxy again, I'm parking this problem for a few days and scratching my head.

I didn't try ComboFix yet, maybe that's next.
 
In my experience the signs you're mentioning often mean there's still a rootkit in there. Teenagers = rootkits. (And if there's a rootkit in there, my policy is almost always to reformat.) If no rootkit, then very often HijackThis, ADWCleaner and ComboFix seem to nail proxies/redirects.
 
I think this MS article is exactly what you're looking for: https://support.microsoft.com/en-us/kb/900935

It notes that Windows Update doesn't have access to the user-level proxy settings, and has a variety of information on fixing or setting various Windows Update proxy settings on various OSes.

Actually I had found that article and I used the Netsh.exe commands given at the bottom of that article to confirm that NO proxy is configured. However if my custom proxy server software isn't running on the box then Windows Update still won't connect.

I believe I need to get this machine physically in my shop and run rootkit detection just like TechLady and ohio_grad_06 are recommending.

It will be a few days before I can follow up on this one.
 
ComboFix? Though with Windows 10, not sure if ComboFix works or not. I know it did not like 8.

Agreed though, Rogue Killer is a good one, haven't used Oaklabs as much, need to test it.


Well, the OaksLabs Removal Tool works on anything Vista or newer, and it will remove the IE proxy settings, and reset the Google Chrome web browser. If this proxy setting is somewhere else, let me know and I'll add it to the next release of ORT.
 
Well, the OaksLabs Removal Tool works on anything Vista or newer, and it will remove the IE proxy settings, and reset the Google Chrome web browser. If this proxy setting is somewhere else, let me know and I'll add it to the next release of ORT.

Will do! The customer is bringing me her machine next week sometime, so it will probably be a week or more before I update this.
 
IMHO, the ultimate problem with the machine was a corrupt Windows registry.

I had the machine in my possession and I performed all the suggested steps and more! Kaspersky Rescue CD found zero things. I even tried Microsoft's Windows Defender Offline and it reported zero problems.

Eventually I decided to reinstall Windows. First I did a repair of Windows 10. But later I performed a clean and fresh install because the clue was that I would follow markverhyden's advice to search the registry for either 127.0.0.1 or localhost and the search would never complete. This was true even after the repair re-installation. After doing the clean and fresh installation the machine works perfectly.

Thanks for the suggestions. I hated to throw in the towel on this one but the customer is very pleased with the performance of the clean Windows 10 install.

In my experience the signs you're mentioning often mean there's still a rootkit in there. Teenagers = rootkits.

Did you record the proxy server info and then search the registry for that value?

I think this MS article is exactly what you're looking for: https://support.microsoft.com/en-us/kb/900935

Well, the OaksLabs Removal Tool works on anything Vista or newer,

Question: have you tried a bootable AV? Might try Kaspersky Rescue CD.
 
Too bad you reinstalled :(

The problem here is you are all thinking like technicians (though markverhyden's suggestion has a chance of working) and throwing various utilities at the problem. Sometimes when dealing with the unknown it's best to step back and think about the situation.

Local proxy server, right? It's probably not a rootkit, because what rootkit would really need to resort to something that ghetto? And if it was just a rootkit loading the malware, he wouldn't have been able to clear the issue with Chrome and Edge without it coming back.

Consider the symptoms. Do you think the author of this ghetto malware intended to block Windows Updates by using a proxy? Highly unlikely; there are much easier ways he could have gone about doing that. No, what this ghetto malware author wanted to do was simply make sure the proxy settings applied to all users. We know he didn't use a single system registry setting in HKLM, as the OP was able to get Chrome and Edge working again but the problem still applied to Windows Updates and Avast.

So for fun, what is the most likely method that this ghetto author used to apply the proxy settings? You don't have to guess the exact location, because there are actually several possibilities, but all of them will be in the same general area.
 
Too bad you reinstalled :(

The problem here is you are all thinking like technicians (though markverhyden's suggestion has a chance of working) and throwing various utilities at the problem. Sometimes when dealing with the unknown it's best to step back and think about the situation.

I love the adventure of a new problem to solve just as much as the next guy (which is why I write things like ORT). However, at some point as a technician you must "call it" and reload the OS, just so you can get the computer out the door and paid in a timely fashion. It's just a reality that unless we image the drive for examination later, we just don't have unlimited time to look into an issue, and reloading the OS is a fast and relatively sure fix for the majority of software issues.
 
I love the adventure of a new problem to solve just as much as the next guy (which is why I write things like ORT). However, at some point as a technician you must "call it" and reload the OS, just so you can get the computer out the door and paid in a timely fashion. It's just a reality that unless we image the drive for examination later, we just don't have unlimited time to look into an issue, and reloading the OS is a fast and relatively sure fix for the majority of software issues.

^^^ This. The OP is running a business not a third party funded research lab. As soon as I saw that the regedit search failed to complete it's a no-brainer. Consumer user so a nuke and pave was the smart business decision. Both for the OP and the customer.
 
Local proxy server, right? It's probably not a rootkit, because what rootkit would really need to resort to something that ghetto? And if it was just a rootkit loading the malware, he wouldn't have been able to clear the issue with Chrome and Edge without it coming back.

Consider the symptoms. Do you think the author of this ghetto malware intended to block Windows Updates by using a proxy? Highly unlikely; there are much easier ways he could have gone about doing that.

Whatchoo talkin' about, Willis?! Rootkits do this all the time.

And I agree with the others: it starts getting hard to play Sherlock Holmes when you've got a dozen systems waiting on the bench. That's why I start with the utilities first, then get out the pipe and Ulster coat if that fails.
 
No guesses? You guys are no fun. My guess is he did something ghetto like pull all the users in HKEY_USERS and copy a DefaultConnectionSettings string into ALL of the HKEY_USERS hives, including S-1-5-18. I guess DefaultConnectionSettings instead of the regular proxy server location because I don't think Local System will use a proxy in the regular registry location, but I am pretty certain it will use one in DefaultConnectionSettings. So while the OP may have cleaned up the logged-in user's proxy and was able to use Chrome and Edge again, the Local System user still had the proxy settings.
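The registry search markverhyden suggested and the per-hive DefaultConnectionSettings theory above can both be checked with one read-only script. The following is an added example written for this thread, not a tool from the thread or from ORT, and it assumes the commonly documented DefaultConnectionSettings layout (4-byte version, 4-byte counter, 4-byte flags, then length-prefixed ProxyServer, bypass list and AutoConfigURL strings; flags 0x02 = manual proxy, 0x04 = PAC script, 0x08 = auto-detect). It walks every hive currently loaded under HKEY_USERS (logged-on users plus S-1-5-18/19/20 and .DEFAULT) and the machine-wide Connections key, decodes both the plain ProxyServer value and the binary blob, and flags anything pointing at a local address. It changes nothing; the IsSuspicious column is only a hint for where to look next.

```powershell
# Added example for this thread: enumerate per-hive and machine-wide proxy settings (read-only).
# Assumption: DefaultConnectionSettings blob layout as described in the lead-in (documented layout, not from the thread).

function ConvertFrom-ConnectionSettings {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 12) { return $null }
    $pos   = 8                                        # skip 4-byte version and 4-byte change counter
    $flags = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
    $fields = @{ ProxyServer = ''; BypassList = ''; AutoConfigUrl = '' }
    foreach ($name in 'ProxyServer', 'BypassList', 'AutoConfigUrl') {
        if ($pos + 4 -gt $Bytes.Length) { break }    # truncated blob: stop rather than throw
        $len = [BitConverter]::ToInt32($Bytes, $pos); $pos += 4
        if ($len -lt 0 -or $pos + $len -gt $Bytes.Length) { break }
        $fields[$name] = [Text.Encoding]::ASCII.GetString($Bytes, $pos, $len); $pos += $len
    }
    [pscustomobject]@{
        ManualProxy   = [bool]($flags -band 0x02)
        PacScript     = [bool]($flags -band 0x04)
        AutoDetect    = [bool]($flags -band 0x08)
        ProxyServer   = $fields.ProxyServer
        BypassList    = $fields.BypassList
        AutoConfigUrl = $fields.AutoConfigUrl
    }
}

function Test-LocalProxy {
    # A proxy on the loopback address is the pattern discussed in this thread.
    param([string]$Value)
    return ($Value -match '127\.0\.0\.1|localhost|::1')
}

function Get-ProxySettingsReport {
    $isPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Every loaded user hive, plus HKLM for the machine-wide Connections key.
    $roots = @(Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' } |
               ForEach-Object { @{ Name = $_.PSChildName; Path = "Registry::HKEY_USERS\$($_.PSChildName)\$isPath" } })
    $roots += @{ Name = 'HKLM'; Path = "Registry::HKEY_LOCAL_MACHINE\$isPath" }

    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        $plain = Get-ItemProperty -Path $root.Path -ErrorAction SilentlyContinue
        $conn  = Get-ItemProperty -Path "$($root.Path)\Connections" -ErrorAction SilentlyContinue
        $blob  = $null
        if ($conn -and $conn.DefaultConnectionSettings) {
            $blob = ConvertFrom-ConnectionSettings ([byte[]]$conn.DefaultConnectionSettings)
        }
        $blobProxy = ''; $blobPac = ''; $blobManual = $false
        if ($blob) { $blobProxy = $blob.ProxyServer; $blobPac = $blob.AutoConfigUrl; $blobManual = $blob.ManualProxy }

        [pscustomobject]@{
            Hive            = $root.Name
            ProxyEnable     = $plain.ProxyEnable
            ProxyServer     = $plain.ProxyServer
            AutoConfigURL   = $plain.AutoConfigURL
            BlobManualProxy = $blobManual
            BlobProxyServer = $blobProxy
            BlobPacUrl      = $blobPac
            IsSuspicious    = (Test-LocalProxy "$($plain.ProxyServer) $($plain.AutoConfigURL) $blobProxy $blobPac")
        }
    }
}

# Run elevated so S-1-5-18 and the other service hives are readable; netsh covers the WinHTTP side separately.
Get-ProxySettingsReport | Format-Table -AutoSize
netsh winhttp show proxy
```

Note that hives for users who are not logged on are not mounted under HKEY_USERS, so a profile that is not currently loaded will not appear; the logged-on teenagers' hives and the service SIDs are the ones this thread is concerned with. A row with IsSuspicious set to True in S-1-5-18 but a clean row for the console user would match the theory above exactly: the interactive user's proxy was cleaned, while the Local System account used by Windows Update still carried its own.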
 