
Proxy hijack



Hi,

I recently had an encounter with proxy hijacker malware. It may have been some Hijack.AutoProxy.

Malwarebytes was able to successfully restore the internet connection, but the hijack also locked my proxy settings, so I was not able to change them. So I removed it again.... After 4 years of no software (not even Defender), only one malware. I would say that is quite a good result for me. Of course, for people who don't know as many things, I suggest having something installed that has realtime protection.

The message at that screen was something like: "Some settings are managed by your system administrator"

Well, the computer being a personal computer, not used in any domain or connected to any work or school accounts, it was odd.

I left it alone. I didn't care much about the proxy configuration back then.

 

Today one of my friends had the same issue. The proxy was changed to <-loopback>, http localhost:8000, https localhost:8080, and the settings also had the same lockdown.

Same case, the computer is used only personally. Since I wasn't able to download Malwarebytes due to no access to the internet, I was fixing things from memory. I was able to fix the proxy settings manually by deleting some of the registry keys for "Users/software/windows/currentversion/Internet Settings", the same for machine, and also checked the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet settings". I also removed a suspicious scheduler job. I remembered those locations from the time I had Malwarebytes installed on my computer and it halfway removed it.

Everything seemed OK, but there was still no access to the configuration, though at least there was access to the internet. I installed MB for her, scanned, and the scan showed up nothing (probably because I had manually removed all the keys it had created).

 

Since I also have Windows 10 Professional installed, I checked the policy manager. All of the parameters there were "Not configured" (both computer and user configuration), so the locking wasn't coming from there.

After some digging around in the registry, I found one key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel

Over there was ConnectionSettings or something like that. After removing it, the proxy config was accessible again under "Internet Options" -> Connection tab.

I can't remember the exact name because I removed it and hoped it would work. The same key existed on her computer; removing it gave back access to the connection settings.

 

My conclusion is that if someone has the same kind of connection settings locking, they should also check that key. Maybe it ends up in the check at some point and can be fixed automatically. (Of course, it might be an intentional key on domain machines, so it can be hard to know if it is correct or not.)

Hopefully it helps someone who has the same issue.

When operating with regedit, be cautious; it is suggested to make a backup of the key you are about to modify or delete. If you don't know what you are doing, you can mess up a lot there.

Edited by krisavi
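
A read-only way to inspect the locations described in the post above, as an added example that is not part of the original post. The full `Internet Settings` paths, the HKCU copy of the policy key, the backup file name and the `<ValueName>` placeholder are assumptions; the post only names the HKLM `Control Panel` policy key exactly.

```powershell
# Added example: audit proxy settings and the policy key that locks the
# Connections tab. Nothing is modified unless you uncomment the last lines.

$report = @()

# Proxy configuration (per-user, per-machine, and machine policy).
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$proxyValues = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

foreach ($key in $proxyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $proxyValues) {
        if ($null -eq $props.$name) { continue }
        # Flag proxies pointing at the local machine, as in the post
        # (http localhost:8000, https localhost:8080).
        $local = ($name -eq 'ProxyServer') -and
                 ($props.$name -match 'localhost|127\.0\.0\.1')
        $report += [pscustomobject]@{
            Key = $key; Name = $name; Value = $props.$name; Loopback = $local
        }
    }
}

# Policy key from the post. On a non-domain PC any value here is worth a look,
# so list everything instead of guessing the value name.
$lockKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'  # assumption
)
foreach ($key in $lockKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $report += [pscustomobject]@{
            Key = $key; Name = $name; Value = $item.GetValue($name); Loopback = $false
        }
    }
}

$report | Format-Table -AutoSize -Wrap

# Back up before changing anything, then remove one value (elevated prompt):
# reg export "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" "$env:USERPROFILE\ie-control-panel-backup.reg" /y
# Remove-ItemProperty -Path $lockKeys[0] -Name '<ValueName>'
```

On a domain-joined machine, values under the policy keys may be set deliberately by Group Policy, so compare against your administrator's configuration before removing anything.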