
Unable to deactivate - http://127.0.0.1:8080/proxy.pac



Hello and welcome to Malwarebytes.org

 

P2P/Piracy Warning:

 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Uninstall Microsoft Security Essentials: http://www.bleepingcomputer.com/download/microsoft-security-essentials-removal-tool/

 

Next,

 

Follow the instructions in the following link to show hidden files:

 

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Follow the instructions in the following link to show hidden files:

 

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

Next,

 

Please open Malwarebytes Anti-Malware.

 


On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may see this message box.
 
        'Could not load DDA driver'
 
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

If Malwarebytes is not installed follow these instructions first:

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish. Follow the instructions above....

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool and select “Run as Administrator”; the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Post those logs to your next reply, also give an update on any remaining issues or concerns....

 

Thanks,

 

Kevin.

 

 

 

 

Fixlist.txt


While I have it in my clipboard..:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/14/2015
Scan Time: 4:55:13 AM
Logfile: 
Administrator: Yes
 
Version: 2.01.4.1018
Malware Database: v2015.04.14.02
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: djopling
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 406645
Time Elapsed: 10 min, 51 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

# AdwCleaner v4.201 - Logfile created 14/04/2015 at 05:10:14
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : djopling - DJOPLING-PC
# Running from : C:\Users\djopling\Downloads\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\DriverTuner_Init
Key Deleted : HKCU\Software\DriverTuner
Key Deleted : HKLM\SOFTWARE\DriverTuner_Init
Key Deleted : HKLM\SOFTWARE\DriverTuner

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689

-\\ Mozilla Firefox v

-\\ Google Chrome v

[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : booedmolknjekdopkepjjeckmjkdpfgl
[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : fjoijdanhaiflhibkljeklcghcmmfffh
[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : flpcjncodpafbgdpnkljologafpionhb
[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : dnmlhhbehhdmajijfenoldcajelckpmn
[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : oilkkkefbalmbfppgjmgjoefbclebkce
[C:\Users\djopling\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] :

-\\ Chromium v

*************************

AdwCleaner[R0].txt - [1919 bytes] - [01/02/2014 18:33:35]
AdwCleaner[R1].txt - [1053 bytes] - [28/03/2014 16:36:41]
AdwCleaner[R2].txt - [20417 bytes] - [01/04/2015 23:51:06]
AdwCleaner[R3].txt - [17347 bytes] - [14/04/2015 05:09:42]
AdwCleaner[s0].txt - [1984 bytes] - [01/02/2014 18:34:22]
AdwCleaner[s1].txt - [1125 bytes] - [28/03/2014 16:37:15]
AdwCleaner[s2].txt - [2040 bytes] - [14/04/2015 05:10:14]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [2099  bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.5.4 (04.13.2015:1)

OS: Windows 7 Home Premium x64

Ran by djopling on Tue 04/14/2015 at  5:19:09.95

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

 

 

~~~ Registry Values

 

 

 

~~~ Registry Keys

 

 

 

~~~ Files

 

 

 

~~~ Folders

 

Successfully deleted: [Folder] C:\ProgramData\pcdr

Successfully deleted: [Folder] C:\Users\djopling\AppData\Roaming\pcdr

Successfully deleted: [Folder] C:\Users\djopling\appdata\locallow\pcdr

Successfully deleted: [Folder] C:\ai_recyclebin

Successfully deleted: [Folder] C:\Windows\syswow64\ai_recyclebin

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{01AE2732-46D5-4B9D-BFDB-8532D6D397CB}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{03CF2E1D-5F07-4015-A7C6-D68D5168A286}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{0CD4F1D6-C4F3-4DE9-83E3-7B023348E342}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{1EC766C8-F2D3-4EEA-989B-D2622A98E680}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{330416DE-582F-4008-ACC7-72F943A16224}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{35119EDE-E789-47E3-8A87-B33AB48A3550}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{36E12995-25CB-4BEE-A5CA-97D61B1C5CEE}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{3913F19B-26D6-4F92-A2ED-3BC6C7ADDB84}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{4064B161-1B90-4E82-B698-DCEE686293FA}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{44573452-9A78-4E79-8074-72AA0DDDEC5A}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{484388CD-D836-4CD5-9B7A-F9BC4D70FE08}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{5AB583FC-419E-47DD-8CC7-5BB20E71FC84}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{66C83D94-B61A-4CB8-A750-02B740DFE617}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{6A6F115D-905C-4332-826B-82730CB83F5A}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{6CA0A19A-6FF5-467A-B776-1EFD9E670DDF}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{85493D4B-01E5-452F-A344-FB088812181C}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{8E121E5D-65B2-4FD2-AA0F-73A112BD0655}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{911599C2-8630-4C9E-BF91-11C9E43D68C6}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{9888F9BD-BB54-4E89-B625-0926D16BB447}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{A0FDDA36-CD66-421E-8C46-1254E38839C4}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{A96D0CC3-7E8B-487A-95BD-6C27C8D3241B}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{B03304D7-EEAC-49B5-85DA-1ADACBA92739}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{B5E099AB-F02C-4C7A-A222-F265141D9BA5}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{B98D6A24-BEDC-4007-AFA3-6AE4841A9ABC}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{CB0E6047-F236-4B21-912C-8F167D8703AB}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{D7CCFDBA-939C-4C81-B0C2-D863037A2F78}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{DCAE6DAF-7B10-43C0-9E51-63609DB2840E}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{DCEC6985-926E-49C5-9273-73CBEFD18B5A}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{E7104851-5537-4497-8859-EB9BD353BCB3}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{EFB72630-6CB4-4430-AD70-379C67E9DAED}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{F17C3ACE-BBE6-485C-B5E2-52B68D5A45FC}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{F2A359B2-C608-4970-A770-A9A5F4F50EFF}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{F812A1C2-BC75-4D1A-B319-3EF8B0FE5E7A}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{F8E8DED0-0D1B-46CE-BA85-D23839C3C85E}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{FABF9325-D4E3-42A0-9CFA-827D0FB1E26A}

Successfully deleted: [Empty Folder] C:\Users\djopling\appdata\local\{FF30365E-D92F-4225-862D-BA927D274178}

 

 

 

~~~ Event Viewer Logs were cleared

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 04/14/2015 at  5:21:21.69

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v5.22, March 2015 (build 5.22.11203.0)

Started On Tue Apr 14 05:23:18 2015

 

Engine: 1.1.11400.0

Signatures: 1.193.1181.0

 

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 05:29:36 2015

 

 

Return code: 0 (0x0)

I had to run it again, I didn't have the file saved. I hope it's still useful.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-04-2015
Ran by djopling at 2015-04-14 17:45:58 Run:2
Running from C:\Users\djopling\Downloads
Loaded Profiles: djopling (Available profiles: djopling)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKU\S-1-5-21-2746942690-2322423209-2196813568-1002\...\MountPoints2: {f5442e3a-5eb3-11e4-a3a8-180373422dfd} - F:\DriverPackSolution.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Policy Restriction on ProxySettings)
AutoConfigURL: [HKLM] => http://127.0.0.1:8080/proxy.pac
AutoConfigURL: [HKLM-x32] => http://127.0.0.1:8080/proxy.pac
R2 Updater.exe; C:\Program Files (x86)\InstallShield\Updater.exe [37376 2015-01-01] (InstallShield) [File not signed] <==== ATTENTION
C:\Program Files (x86)\InstallShield
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 cpuz137; \??\C:\Windows\TEMP\cpuz137\cpuz137_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 NTIOLib_Flash; \??\C:\Users\djopling\AppData\Local\Temp\2WSX3EDC\NTIOLib_X64.sys [X]
2014-10-15 07:56 - 2014-10-15 07:56 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\djopling\AppData\Local\Temp\avgnt.exe
C:\Users\djopling\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\djopling\AppData\Local\Temp\drm_dyndata_7380014.dll
Task: {7331E323-89C7-4752-B103-B462EFC80F50} - System32\Tasks\InstallShield Updater => Wscript.exe //nologo //E:jscript //B "C:\Program Files (x86)\InstallShield\updater.ini" <==== ATTENTION
Task: C:\Windows\Tasks\InstallShield Updater.job => Wscript.exe L/nologo /E:jscript /B C:\Program Files (x86)\InstallShield\updater.ini <==== ATTENTION
Hosts:
EmptyTemp:
end
 
 
 
*****************
 
HKU\S-1-5-21-2746942690-2322423209-2196813568-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5442e3a-5eb3-11e4-a3a8-180373422dfd} => Key not found. 
HKCR\CLSID\{f5442e3a-5eb3-11e4-a3a8-180373422dfd} => Key not found. 
HKLM\SOFTWARE\Policies\Google => Key not found. 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => Key not found. 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => Value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => Value not found.
Updater.exe => Service not found.
"C:\Program Files (x86)\InstallShield" => File/Directory not found.
BRDriver64_1_3_3_E02B25FC => Service not found.
cpuz137 => Service not found.
EagleX64 => Service not found.
GPUZ => Service not found.
NTIOLib_Flash => Service not found.
"C:\ProgramData\DP45977C.lfl" => File/Directory not found.
C:\Users\djopling\AppData\Local\Temp\avgnt.exe => Moved successfully.
"C:\Users\djopling\AppData\Local\Temp\drm_dyndata_7370014.dll" => File/Directory not found.
"C:\Users\djopling\AppData\Local\Temp\drm_dyndata_7380014.dll" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7331E323-89C7-4752-B103-B462EFC80F50} => Key not found. 
C:\Windows\System32\Tasks\InstallShield Updater not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\InstallShield Updater => Key not found. 
C:\Windows\Tasks\InstallShield Updater.job not found.
"C:\Windows\System32\Drivers\etc\hosts" => Could not move.
Could not reset Hosts.
EmptyTemp: => Removed 176.8 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 17:46:20 ====
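
One way to triage a Fixlog like the one posted above, as an added example that is not part of the original thread or of FRST itself: it sorts the result lines into entries that were already absent, entries changed on this run, and entries that failed and need follow-up. The outcome phrases it matches are only those visible in this thread's log, and the function names and shortened sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Shortened excerpt of the Fixlog posted in this thread (lines copied from it).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-04-2015
Ran by djopling at 2015-04-14 17:45:58 Run:2
Content of fixlist:
*****************
start
AutoConfigURL: [HKLM] => http://127.0.0.1:8080/proxy.pac
end
*****************
HKLM\SOFTWARE\Policies\Google => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => Value not found.
C:\Users\djopling\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Windows\Tasks\InstallShield Updater.job not found.
"C:\Windows\System32\Drivers\etc\hosts" => Could not move.
Could not reset Hosts.
EmptyTemp: => Removed 176.8 MB temporary data.
The system needed a reboot.
==== End of Fixlog 17:46:20 ====
"""

# Phrases seen in this thread's log only (assumption: other FRST wording exists); failures win.
RULES = [
    ("failed", re.compile(r"\bCould not\b")),
    ("changed", re.compile(r"Moved successfully|=> Removed\b")),
    ("absent", re.compile(r"\bnot found\.?$")),
]
SEPARATOR = re.compile(r"^\*{5,}$")   # rows of asterisks around the fixlist echo
RUN_NUMBER = re.compile(r"\bRun:(\d+)")


def parse_fixlog(text):
    """Return (run_number, {label: [result lines]}) for one Fixlog."""
    run, separators, buckets = None, 0, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SEPARATOR.match(line):
            separators += 1
            continue
        if line.startswith("==== End of Fixlog"):
            break
        if separators < 2:
            # Header and the echoed fixlist: only the run counter is of interest.
            match = RUN_NUMBER.search(line)
            if match and run is None:
                run = int(match.group(1))
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                buckets[label].append(line)
                break
        else:
            buckets["info"].append(line)
    return run, dict(buckets)


if __name__ == "__main__":
    run, results = parse_fixlog(SAMPLE_FIXLOG)
    print(f"Run {run}:", {label: len(lines) for label, lines in results.items()})
    print("Follow up:", results.get("failed", []))
```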

As the log is from Run 2 the entries show "not found", obviously they were removed by first run.... if no remaining issues or concerns continue please:

 

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them. <<-- Very Important

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 


    Remove disinfection tools
    Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

If no remaining issues or concerns are we ok to close out....

 

Kevin...


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

