Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93078 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Virus keeps ticking Proxy Server box [Solved]


  • This topic is locked This topic is locked
29 replies to this topic

#1 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 30 November 2013 - 05:55 AM

Hello,

I have a suspected virus which keeps ticking my Proxy Server box in IE. Initially this just stopped my internet access until I un-ticked the box.  Then after a while email access was effected and Windows become more sluggish.  I did a system restore which improved things but the Proxy Server issue is still there. I am running Windows 8.1

Attached are my OTL & HijackThis logs (pasting them did not work for some reason)

Any help would be much appreciated

Attached Files


    Advertisements

Register to Remove


#2 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 30 November 2013 - 09:09 AM

Hello shoggo147 and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I am looking at your logs now and will reply with instructions shortly.

Satchfan

 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#3 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 30 November 2013 - 09:24 AM

Hello again shoggo147

Please run these in the order given then cut and paste the logs into the post, not attach them.

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

Please run OTL again after you’ve completed the above.

Logs to include in the next post:

AdwCleaner log
JRT.txt
New OTL log

Thanks

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#4 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 30 November 2013 - 01:18 PM

Hi Satchfan,

 

Thanks for your help so far.

I have followed your instructions and attached logs from AdwCleaner, JRT and OTL

 

Regards,

Paul

Attached Files



#5 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 30 November 2013 - 05:26 PM

It appears that contrary to my advice, you have run scans on your own.

 

Please post the last Malwarebytes log after you ran it.

 

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#6 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 01 December 2013 - 04:53 AM

My apologies, must have done that before I saw your message not to run any other scans.

I did not save a log from that scan but it did not find anything

Do you want me to run it again and save a log?



#7 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 01 December 2013 - 07:14 AM

It appears that AdwCleaner sorted out some of the bad stuff but I’m not convinced that it has all gone so we’ll run some other checks.

Before that, some advice:

IObit Security 360 is a rogue security program known to cause system problems and that had stolen material from other computer security companies to use in their own program.

I recommend that you uninstall IObit. It is has been proved to be untrustworthy in its programming and is pretty ineffective now that it can no longer be propped up by MBAM

See:

http://forums.malwar...showtopic=29681
http://forums.malwar...showtopic=30989
http://forums.malwar...showtopic=33217


There is a company that has created a free program designed specifically to remove every last trace of the entries of IObit programs left behind if and when you had decided to uninstall one of them but I don’t think it’s compatible with Windows 8 so just uninstalling will have to do for now.


I also see you have RegClean Pro. It's not a good idea to use registry cleaners/boosters.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, (and you are expert in the registry), I would suggest you leave the registry alone.

I strongly advise you to get rid of RegClean Pro and any other cleaner/optimizer/booster/tuneup/tweak type utilities that you have on this or any other  computer.

One of the malware experts, miekiemoes, has an excellent write-up here
Another excellent article by Bill Castner is located here

===================================================

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop.

  • close all running programs
  • double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects –everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.

===================================================

Run DDS

Please download DDS by sUBs from the following link and save it to your desktop.
 

DDS.pif

  • Disable any script blocking protection (How to Disable your Security Programs)
  • double click DDS icon to run the tool (may take up to 3 minutes to run)
  • when done, DDS.txt will open.
  • after a few moments,  attach.txt will open in a second window.
  • save both reports to your desktop.
  • Post the contents of the DDS.txt and Attach.txt reports in your next reply.

Please POST the results of the 2 scans, NOT attach them – sorry about the capitals but I asked you before to copy/paste them and you went ahead and attached them.  :thumbdown:  :)

The logs to include are:

RKreport.txt
DDS.txt
Attach.txt


Can you also tell me how your computer is running now.

Thanks

Satchfan
 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#8 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 01 December 2013 - 12:55 PM

I tried uninstalling IObit and RegClean Pro but could find no entries in the Uninstall Programs list.  I did try a few programs to get rid of the suspected virus before contacting this forum (which I subsequently uninstalled) so maybe the entries are remnants from this.

 

I have run Rogue Killer as requested and tried to post the resulting text file directly but as before this did not work

I used the following procedure:-

In Notepad I used Edit > Select All then Edit > Copy to get the text

Back in the forum reply box I right clicked and selected Paste but nothing pasted in

I tried selecting/de-selecting word wrap but it made no difference, I also tried the Paste as Plain Test icon, but again no joy

This is the reason I attached the files in my last post rather than pasting them directly

 

I will await your suggestion before attaching anything

 

I also tried running the DDS.pif program but it just displayed the message 'DDS is not meant to run in 'Compatibility Mode' The program shall now exit.



#9 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 01 December 2013 - 01:10 PM

Which browser are you using?

 

If you used Internet Explorer or the dreaded Chrome, try using Firefox and see if you can paste the logs in that.


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#10 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 01 December 2013 - 01:17 PM

I am using IE11, do you want me to download and install Firefox to see if that allows me to paste in the text?


    Advertisements

Register to Remove


#11 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 01 December 2013 - 01:21 PM

Yes please.


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#12 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 01 December 2013 - 01:56 PM

Firefox did the trick, Rogue Killer results below:-

 

RogueKiller V8.7.9 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Paul [Admin rights]
Mode : Scan -- Date : 12/01/2013 18:15:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 99ef70066650b01898e1b185e5e6c276
[BSP] 2cdf211e660d5305180eab02b5106d4e : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12012013_181521.txt >>

 

Please advise if I am doing somthing wrong with DDS.pif, so I can also post reslts from this scan.



#13 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 01 December 2013 - 03:40 PM

The RogueKiller log looks OK.

 

Can you run DDS at all?

 

If not, try it in safe mode.


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#14 shoggo147

shoggo147

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 03 December 2013 - 04:14 PM

Hi again,

Tried DDS in Safe Mode, it then ran OK but brought up a message saying its only compatible with Windows XP,Vista,7,8

I am running 8.1, so I guess its not compatible with this version



#15 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 December 2013 - 03:12 AM

Ok, let’s run OTL again to be sure that the proxy situation is resolved.

I’d also like a list of what is installed on your computer.


I should use Firefox to send these logs as there seems to be a problem “pasting” in IE at the moment.

Run HijackThis

  • click on Config and then on the Misc Tools button
  • if you're viewing HijackThis from the Main Menu, click on Open the Misc Tools Section
  • click on the Open Uninstall Manager button
  • click the Save List button.

Copy and paste that list here.

====================================================

OTL with Extras log

  • open OTL again, click on Extra Registry -> Use Safelist
  • then click Run Scan

You should get an Extras log as well as the OTL.txt log.

Can you tell me what the situation is now and if there are any outstanding problems.

Thanks

Satchfan
 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users