
hijack.autoconfigurl.prxysvrrst Malware



  • Root Admin

No, I can help you to remove any of those left over services if they're still there.

Were you able to reset your browsers?

Please restart the computer one more time. Then run a new FRST scan and make sure to place a check mark in the Additions check box and post back both new logs and we'll see what we have now and go from there.

Do you have a strong password on your wireless router? Did you set it up?

 

 

 


Yep my browsers have all been reset.

The wireless router password was set up by me, and the password is sufficiently strong. Do you think it could be the router? My other computers run fine though.

As of now, even though the malware is supposedly running, it does not seem to have any effect on my proxy settings anymore. But I would prefer a permanent removal and solution.

 

Thanks for all the help so far!

Addition.txt

FRST.txt


  • Root Admin

No, I don't think the router is involved, just wanted to make sure you had a strong password on it and not a default password. You should be good there.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

After that then please do a clean removal and reinstall of MBAM. The scheduler piece is having an issue running correctly and the clean removal and reinstall may correct it.

Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x


Then after the reinstall please reboot the computer one more time and run the following scan for me.

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link.
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits. Under Non-Malware Protection, set both PUP and PUM to "Treat detections as malware".
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found.
Once completed please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results in your next reply.

 


Here you go, Ron.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/5/2016
Scan Time: 3:55 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.11.01
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357621
Time Elapsed: 9 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

Fixlog.txt


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/5/2016
Scan Time: 2:02 AM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.11.05
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358148
Time Elapsed: 10 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [673a379d6e2ba2949d2f5081d82b4eb2]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


  • Root Admin

Please download the correct version of SystemLook for your computer and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

  • If using Windows XP just double click on SystemLook.exe to run it.
  • For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.
        :filefind
        *.pac
        settings.ini
        *wpad*
        :regfind
        wpad
        proxy.pac
        wpad.com
        wscript.exe

  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop named SystemLook.txt

 

 

Then let me also get new FRST logs. Please make sure to place a check mark in the Additions check box.

Thanks

 


  • Root Admin

Please open REGEDIT and browse to the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings

Do you have an entry for "AutoConfigURL"?

Restart the computer a couple times and recheck if it comes back or not.
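The REGEDIT check above and the earlier SystemLook step (`:filefind *.pac`, `:regfind wpad`) are both looking for the same thing: a proxy auto-config URL planted in the Internet Settings key, which is what the Hijack.AutoConfigURL.PrxySvrRST detections in the MBAM logs point at. The script below is an added example and is not part of the thread or of any Malwarebytes tool. It reads the AutoConfigURL value from the native and Wow6432Node HKLM keys named in the logs and from the per-user HKCU key, lists any `.pac` files under the user profile and ProgramData (the search roots are my assumption, not something the thread specifies), and offers a removal function that supports `-WhatIf`. It assumes Windows PowerShell run from an elevated prompt, since the HKLM values are only writable as administrator.

```powershell
# Added example, not from the thread or any Malwarebytes tool.
# Audits the proxy auto-config (AutoConfigURL) value in the registry keys the
# MBAM logs and the REGEDIT step refer to, plus the per-user key, and looks for
# .pac files on disk much like the SystemLook ":filefind *.pac" step.

$inetSettingsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-AutoConfigUrl {
    # One record per key. Present = $false means the value is absent, which is
    # the clean state unless you deliberately use a PAC file on this network.
    foreach ($key in $inetSettingsKeys) {
        $url = $null
        if (Test-Path -Path $key) {
            $url = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
        }
        [pscustomobject]@{
            Key           = $key
            Present       = [bool]$url
            AutoConfigURL = $url
        }
    }
}

function Remove-AutoConfigUrl {
    # Deletes the value only where it is present; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in (Get-AutoConfigUrl | Where-Object Present)) {
        if ($PSCmdlet.ShouldProcess($entry.Key, "Remove AutoConfigURL ($($entry.AutoConfigURL))")) {
            Remove-ItemProperty -Path $entry.Key -Name AutoConfigURL
        }
    }
}

function Find-PacFiles {
    # Search roots are an assumption: the profile and ProgramData are where a
    # dropped PAC file usually sits, but adjust them for your own layout.
    $roots = @($env:USERPROFILE, $env:ProgramData)
    Get-ChildItem -Path $roots -Recurse -Force -File -Filter '*.pac' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-AutoConfigUrl | Format-Table -AutoSize
Find-PacFiles     | Format-Table -AutoSize
# Remove-AutoConfigUrl -WhatIf   # preview which keys would lose the value
# Remove-AutoConfigUrl           # remove it for real
```

Run `Get-AutoConfigUrl` before and after each reboot, as the post asks; if the value is absent in all three keys and stays absent, the hijack is gone. If it returns only in the Wow6432Node key, the writer is a 32-bit process, which narrows the search for whatever keeps re-adding it.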

 

 

 


  • Root Admin

Great, looks like we finally got rid of it for good. I'll go ahead and provide you with a closing speech. If it does come back though please let me know.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner > just run the program and click uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 


  • Root Admin

This almost has to be some type of browser add-on, toolbar, redirect, etc. What browser or what application were you running just before you saw this happen?

Getting late for me so I'll have to check back sometime tomorrow. Let's go ahead and do a Full Scan with MBAM.

Please open MBAM and go to SCAN, Custom Scan, Configure Scan. Make sure all 4 scanning options are selected. Then place a check mark in the top of your C: drive to have it scan all files of the drive. Then click the Scan Now button and let it run. As it will now scan even zip files, and all files the scan can take a very long time but hopefully it will find something to help us track this down.

Thanks

 


  • Root Admin

For the time being can you please do the clean up of Chrome and then fully uninstall Chrome. Make sure you export any bookmarks you want to keep.

Then run the computer for a couple of days without Chrome using either IE or Firefox and let me know if this comes back.

 

 


I have been using Firefox; sadly, the malware comes back.

Here's the latest MBAM scan.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15/5/2016
Scan Time: 11:57 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.15.04
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359763
Time Elapsed: 17 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 2
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [6ac6f8de9bfe55e16c45b3220bf8da26]
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [74bc6571ebae05319819785d2dd6df21]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


  • Root Admin

Okay there are a couple of ways we can track this down. One is quite a bit more complex so let's try an easier way first.

Please download and install WinPatrol (they should have a free version)

http://www.winpatrol.com/startup.html

Then have it monitor your startup (it typically does this by default), and make sure the auto config entry has been removed. Then let WinPatrol monitor it. As soon as a process tries to add it back, WinPatrol should alert and tell you what process is trying to add it back. Please let me know what it says when it tries to come back.
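The WinPatrol step is a watch-and-alert approach: clear the value, then catch the moment it is re-added. The script below is an added example, not code from the thread or from WinPatrol, that does the same watching from Windows PowerShell 5.1 using the WMI `RegistryKeyChangeEvent` provider (`Register-WmiEvent` is not available in PowerShell 7). Whenever either Internet Settings key changes, it re-reads AutoConfigURL and appends a timestamped line to a log on the Desktop; the log path and the subscriber names are my choices. One caveat a practitioner should know before relying on it: the WMI registry events carry no process information, so unlike WinPatrol this only gives you the time the value reappeared, which you then correlate with whatever was running (the browser, a scheduled task, a service start) at that moment.

```powershell
# Added example, not from the thread or from WinPatrol.
# Watches the two HKLM Internet Settings keys from the MBAM logs and records
# when the AutoConfigURL value reappears. Requires Windows PowerShell 5.1.

$watchKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
# Log location is an assumption; change it to suit.
$logFile = Join-Path $env:USERPROFILE 'Desktop\AutoConfigURL-watch.log'

$i = 0
foreach ($keyPath in $watchKeys) {
    # WQL string literals need backslashes doubled.
    $wqlPath = $keyPath -replace '\\', '\\\\'
    $query   = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='$wqlPath'"

    Register-WmiEvent -Namespace 'root\default' -Query $query `
        -SourceIdentifier "InetSettingsWatch$i" -MessageData $logFile -Action {
            # Runs on every change to the key (values or immediate subkeys);
            # re-read the value to learn whether this change brought it back.
            $path = 'HKLM:\' + $Event.SourceEventArgs.NewEvent.KeyPath
            $url  = (Get-ItemProperty -Path $path -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
            $shown = if ($url) { $url } else { '<absent>' }
            $line  = '{0} {1} AutoConfigURL={2}' -f (Get-Date -Format o), $path, $shown
            Add-Content -Path $Event.MessageData -Value $line
        } | Out-Null
    $i++
}

Write-Host "Watching $($watchKeys.Count) keys; log: $logFile"
Write-Host 'Leave this session open. Stop with: Get-EventSubscriber | Unregister-Event'
```

Keep the PowerShell session open while you use the machine normally (the thread's test was a couple of days of browsing); the subscriptions die with the session. Lines that show the value going from `<absent>` to a URL give you the re-infection time, and a line that appears only for the Wow6432Node key tells you the writer is a 32-bit process.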

 

 

