Hello,
I recently encountered a problem with proxy settings repopulating themselves with
http=127.0.0.1:8080;https=127.0.0.1:8080 -loopback
I went through several topics here looking at this, and it seems this may have quite a few different causes. At first, I manually located a weird InstallShield process in Task Manager and deleted the file related to it. Later I ran ADWCleaner, which found:
***** [ Tasks ] *****
PUP.Optional.PrxySvrRST, InstallShield® Update Service Scheduler
PUP.Optional.PrxySvrRST, Optimize Thumbnail Cache Files
Both of these were removed using ADWCleaner.
After restarting the PC, the problem persisted. Scanning with Malwarebytes found the following:
Folder: 1
Trojan.BitCoinMiner, C:\USERS\RADEK\APPDATA\ROAMING\IDLE, Quarantined, [69], [470356],1.0.4130
File: 3
Trojan.BitCoinMiner, C:\USERS\RADEK\APPDATA\ROAMING\IDLE\IDLE.EXE, Quarantined, [69], [470356],1.0.4130
PUP.Optional.FFHijacker.Generic, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\DEFAULTS\PREF\-1871373515.JS, Quarantined, [5837], [392915],1.0.4130
PUP.Optional.FFHijacker.Generic, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\-1871373515.CFG, Quarantined, [5837], [392916],1.0.4130
All of these have been moved to quarantine and deleted. Sadly, the problem still occurs - proxy settings repopulate themselves. Please note that "Use a proxy server" DOES NOT turn on automatically. It previously did, but stopped after deleting the suspicious InstallShield file (still got it in Recycle Bin).
Attaching FRST report, Addition and latest Malwarebytes Scan report.
Addition.txt
FRST.txt
Malwarebytes.txt