New virus that forces proxy enable

drpcfix (RepairShopr Founder & CTO, Kirkland WA)
So I've had a few PCs come through my door the last couple days that all have been infected with a new sort of malware/spyware that has really thrown me through a loop.

I can't say specifically what triggers it, but the infected PC comes in with the symptom of not being able to connect to the internet. The icon on the taskbar indicates that it has a solid connection, but when using any of the browsers, it gives the error saying that it cannot connect to the proxy server.

This is caused by the proxy server being enabled in Internet settings with an address of 127.0.0.1 and port 62717. You can uncheck the option to use a proxy server and hit OK, but when you go back into the menu, it has re-enabled itself.
This issue affects all forms of safe mode as well. The computer has been completely cleaned of malware and junkware, but still this remains.
I've read many online posts that directed me to the internet settings keys in the registry, but none of them even show that the proxy server is enabled.

So far, the only thing I've been able to do to get rid of it has been to perform an in-place installation in Win 7 or with a Refresh in Win 8.

Any ideas?

Thanks in advance
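As an added example, not from any poster in this thread: a PowerShell script that walks every registry location the Internet Options proxy can be set or enforced from, including the policy keys that override the dialog (which is why the usual Internet Settings keys can look clean) and every other loaded user hive, and flags the 127.0.0.1:62717 value from the post. It assumes Windows 7/8 with PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread): find where a "self-re-enabling" proxy is really coming from.
$BadProxy = '127.0.0.1:62717'   # proxy reported in the thread

# Keys the Internet Options dialog reads, plus the Policies keys that override it.
$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

# Also check every loaded user profile hive, not only the current user's.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\') {
    $sid = $hive.PSChildName
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $Paths += "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $Paths += "HKU:\$sid\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
    }
}

# Values worth seeing: ProxyEnable/ProxyServer drive the dialog, AutoConfigURL is the PAC route,
# ProxySettingsPerUser=0 (under the HKLM policy key) makes the machine-wide setting win.
$Names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL', 'ProxySettingsPerUser'
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $props = Get-ItemProperty -LiteralPath $p
    foreach ($n in $Names) {
        $val = $props.$n
        if ($null -eq $val) { continue }
        $flag = if ("$val" -like "*$BadProxy*") { '   <== matches the proxy reported in the thread' } else { '' }
        '{0}\{1} = {2}{3}' -f $p, $n, $val, $flag
    }
}

# The dialog also keeps a binary copy of its settings in
# ...\Internet Settings\Connections\DefaultConnectionSettings; if everything above
# looks clean, export and compare that value too.

# WinHTTP (used by services, Windows Update, etc.) has its own proxy store.
netsh winhttp show proxy
```

If the only hit is under a Policies key, that entry is being written by something running as SYSTEM (a scheduled task or service), so look there next rather than at the dialog.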
 
Thanks a ton! I was about to happen upon that because I was a little confused as to why I couldn't access gpedit...

Much appreciated :)
 
I actually got smacked with a tricky one on one of my own test systems the other day, really rather unintentionally. What was strange was that the way it manifested was that I just couldn't install or uninstall anything, I kept getting a not-authorized issue for a few registry keys on installs/uninstalls. Extra oddly, those keys didn't exist. I ran a few tools including rkill and adwcleaner and jrt and roguekiller, and EACH saw scheduled tasks and some files, each said it cleaned, but problem persisted. Then I went looking for group policies, wiped them all myself from the admin account, but it STILL persisted. Then I went back and scanned again, and all the scheduled tasks were back as were group policies. So...I decided to actually pay attention and realized that the gp's were set with system privileges. I wanted to do that plus check perms, and the fastest and most complete way I know to do that is with the Tweaking.com tool.

Oddly, it didn't run any processes, system performance didn't change, really not much at all happened. I figured it may be a good avenue for a TDL or some other fancy rootkit, but I have no evidence of either of those things. Perhaps I caught and stopped it before it could trojan in its real payload? I dunno.
 
Hey guys- back with an update.

So after running the tweaking.com tool, it actually changed nothing.

So from there, I ran a repair installation of Windows 8. What happens then, is that it's fine on the first restart and everything seems to work. Scanned for malware and it seems to be clean. However, after restarting, it comes back and the proxy **** is back in full swing.
It seems like a rootkit, but TDSSkiller was clean.

Any ideas?
 
Try MBAR. I've had much better results with it, so I hardly use TDSS for rootkits anymore.

Before you run MBAR look for a small, rogue partition. I got burned once by a 1 MB partition that kept injecting its crap after a reboot. Do not delete the 100 MB System Reserved partition in Win 7. Win 8 also has a 128 MB MSR boot partition so be careful what you delete.

If you're not sure, just run MBAR first. It might find it if it's there.
 

1. Run your favourite rootkit scanners (MBAR is quite good).
2. If still not fixed, reinstall Windows.
3. Get back to working on other machines.
 
What tool should I use for checking for rogue partitions? (and deleting them)
MBAR didn't find anything initially, so that sounds like a possibility.

Thanks

Edit:
Like the poster above said, I'm going to save time and just reinstall Windows.
However, I would like to be able to have a fix for this for future instances. I hope using fdisk in Linux can help me next time.
Thanks
 

Fire up a Linux distro disk. Go in with fdisk and check the partitions:

fdisk -l

or

fdisk /dev/sdx (or whatever your drive letter is [a,b,c])

then p to print the partition table.

I have been hit by the small partition of 1 MB that keeps reloading. I had to delete the partition and then run a boot repair. Then I added the free space back in to the system partition.

 