Jump to content

Proxy Server Changed


Recommended Posts

Howdy,

About a year ago, I had installed software in order to work with a survey company.  It did not install correctly, and they were not able to help.   I uninstalled it, but had problems.   Their "solution" was to reinstall the software I could not remove.  I did go through my library and remove as many references as I could find.

I now have a new Macbook Air and migrated my files over to it.  I've been having some internet connectivity problems.  In a call to Apple, we discovered that in System Preferences/Network/Advanced/ Proxy Servers, one was checked, which they tell me should not be checked.

It is Automatic Proxy Configuration.  The url is https://smartpanel.io/static/meter/proxy.pac

I unlocked Network, unchecked the Proxy Server, Applied the change and relocked it.  It was checked once again.  I also tried this with rebooting.

When I ran Wireless Diagnostics, one of the files called  confined-storelplist had four references to this internet address.

Malwarebytes says my computer is clean.

1) What do I do to remove the change in proxy and prevent it from happening again?

2) What may I have exposed myself to?  I could probably change the 17,000 passwords I have within the next light year or so.

3) When I search for reviews of this company, there are some complaining about software they could not remove, but any company that puts software on your computer that is hard to find/difficult to remove would be able to post lots of favorable reviews with no problems.  When I have tried to "report" companies or websites that install malware, there really does not seem anyone interested.  Local law enforcement does not have the capability.  Federal agencies just see to want to count how many people have problems and do little.  Norton/Symantec declares some sites to be clean, even when downloads ask for access to very sensitive irrelevent information (such as one's keychain).   I've even found malware at Apple, Cnet, and other sites I would hope had some integrity.  I know it can be hard to track down these folks and there's only so many hours in a day to find people in other countries, but there needs to be some action to keep the action down.  Is it just a waste of time to report these things?  Where is the best place to report them?

4. I have had trouble with my iPhone with my wifi as well.   Might this have changed something in my router/modem?  (Airport Extreme)

5. Searching for the name of the company in my library, I found two 220 byte document files called Network Persistent State.  The content is as follows: {"net":{"http_server_properties":{"servers":[{"https://smartpanel.io":{"supports_spdy":true}}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAISABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}files

Should I delete these?

6) What else should I do?

Macbook Air 13" 2019 running OSX 10.14.6

Thanks.

Link to post
Share on other sites

I suspect you won't hear from the staff until after the weekend, so hold off on doing anything until then as I think they will want additional information as well as a copy of one of those files you found.

1. I am fairly certain this will be resolved by #5.

2. Probably nothing. Appears to be a legitimate company (https://www.vertoanalytics.com/company/) that the Better Business Bureau give an A rating with low customer reviews and several complaints, most of which have been closed. I'm sure they know a lot about you, but doubt they would be in business to harvest passwords, etc.

3. I applied to get a copy of the software to see what it does, but not sure they are looking for someone like me with no present business ties and hard to say when I might hear back. Until we can determine whether this is malware, PUA or just PITA software, there won't be anybody interested in reporting it to anybody. I did take a look at the file downloaded by the URL you posted and it appears to have something to do with Siri and iOS 10, so it's possible the software does have some impact on your iPhone.

4. Without knowing exactly what issues you are having with the iPhone and WiFI, I can't rule it out, but I'm not aware of any malware capable of causing significant reconfiguration of an Apple router. There's a chance of something that was revealed this week, but we don't have any solid evidence of that yet. That's not something Malwarebytes will be able to deal with and we need to solve your computer problem first.

5. My initial thoughts are that those two files you found are what's responsible for your proxy servers (and a few other settings) being maintained after you disable them. We need to know the full path where they were found, to include wither it's in the /Users/<YourUserName>/Library or the root level /Library. I doubt that it could still be in your /Systems/Library now since that has been totally locked down in recent macOS versions.

6. Provide any new information and wait for the Staff to get back to you next week. I'll let you know if I am able to obtain the software and learn anything from it.

Link to post
Share on other sites

  • Staff

Hello @wauserfriendly,

It would be helpful if you provide us a system report created with the help of below article  (please don't post the zip file here)

https://support.malwarebytes.com/docs/DOC-3235

Instead,  log a support ticket with help of below link and attach the file with the email

https://support.malwarebytes.com/community/contactsupport/pages/home-support

Link to post
Share on other sites

15 hours ago, wauserfriendly said:

Howdy,

About a year ago, I had installed software in order to work with a survey company.  It did not install correctly, and they were not able to help.   I uninstalled it, but had problems.   Their "solution" was to reinstall the software I could not remove.  I did go through my library and remove as many references as I could find.

I now have a new Macbook Air and migrated my files over to it.  I've been having some internet connectivity problems.  In a call to Apple, we discovered that in System Preferences/Network/Advanced/ Proxy Servers, one was checked, which they tell me should not be checked.

It is Automatic Proxy Configuration.  The url is https://smartpanel.io/static/meter/proxy.pac

I unlocked Network, unchecked the Proxy Server, Applied the change and relocked it.  It was checked once again.  I also tried this with rebooting.

When I ran Wireless Diagnostics, one of the files called  confined-storelplist had four references to this internet address.

Malwarebytes says my computer is clean.

1) What do I do to remove the change in proxy and prevent it from happening again?

2) What may I have exposed myself to?  I could probably change the 17,000 passwords I have within the next light year or so.

3) When I search for reviews of this company, there are some complaining about software they could not remove, but any company that puts software on your computer that is hard to find/difficult to remove would be able to post lots of favorable reviews with no problems.  When I have tried to "report" companies or websites that install malware, there really does not seem anyone interested.  Local law enforcement does not have the capability.  Federal agencies just see to want to count how many people have problems and do little.  Norton/Symantec declares some sites to be clean, even when downloads ask for access to very sensitive irrelevent information (such as one's keychain).   I've even found malware at Apple, Cnet, and other sites I would hope had some integrity.  I know it can be hard to track down these folks and there's only so many hours in a day to find people in other countries, but there needs to be some action to keep the action down.  Is it just a waste of time to report these things?  Where is the best place to report them?

4. I have had trouble with my iPhone with my wifi as well.   Might this have changed something in my router/modem?  (Airport Extreme)

5. Searching for the name of the company in my library, I found two 220 byte document files called Network Persistent State.  The content is as follows: {"net":{"http_server_properties":{"servers":[{"https://smartpanel.io":{"supports_spdy":true}}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAISABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}files

Should I delete these?

6) What else should I do?

Macbook Air 13" 2019 running OSX 10.14.6

Thanks.

I just spent an hour responding to this with lots of references, but the system said my response was consistent with spam, logged me out and I don't have the desire to rewrite it guessing what I may have said wrong.  Here are the two attachements.

pers2.jpg

persistant1.jpg

Link to post
Share on other sites

  • Staff

It seems like you must have some software from Smart Panel still installed. What that is, I don't know, but if you respond to adas with the requested information, we'll be able to learn more.

I kind of wish you hadn't obscured the part of the path between "ext" and "def". Without that folder name, we can only say that the data you've found is associated with two Chrome extensions. We can't say what Chrome extensions. If the extensions in question are still installed, we'll be able to get more information from the data adas requested.

Link to post
Share on other sites

15 hours ago, treed said:

It seems like you must have some software from Smart Panel still installed. What that is, I don't know, but if you respond to adas with the requested information, we'll be able to learn more.

I kind of wish you hadn't obscured the part of the path between "ext" and "def". Without that folder name, we can only say that the data you've found is associated with two Chrome extensions. We can't say what Chrome extensions. If the extensions in question are still installed, we'll be able to get more information from the data adas requested.


Thank you.   I realized it meant something, but thought it might identify personal information about me.

By the way (to all).  Thank you.  I sent in the file to you the other night as requested.  I spent time on the phone with apple.  We removed the checkmark for the proxy which allowed me to connect without problems.  The advisor did not have me remove the abovenamed files, even though I did not feel comfortable with that on my computer, as we never found the code that went to them.   

At the end of the call, I decided I would reset Chrome to it's initial state and then import bookmarks, etc.,. as she indicated that a Chrome extension was responsible.  I haven't had a chance to do that yet.

Also, someone mentioned the Better Business Bureau.  I used to be one of their greatest fans.  Companies would jump through hoops.  But as customer service has fallen out of favor, I've had the BBB close cases.  A little further digging--the BBB does not require a resolution or customer satisfaction.  Brand new companies, if they pay fees to the BBB are automatically given an A+ rating.  Companies like the Ritz Carlton, that won't pay receive an F.  They used to at least be helpful.  But as eacjh "franchise" operates indepenently (some big lawsuits between them), perhaps my memory was based on a different franchise.  Or perhaps,. naive.

Back to the file paths,. the Advisor seemed to be concerned there were two and led me through removing one.  To me, it's the information that was in the file.  The process changed the path names, but I should still have my original pics.

 

Screen Shot 2019-08-05 at 8.56.58 PM.jpg

Screen Shot 2019-08-05 at 8.56.45 PM.jpg

Link to post
Share on other sites

42 minutes ago, wauserfriendly said:

I decided I would reset Chrome to it's initial state and then import bookmarks, etc.,. as she indicated that a Chrome extension was responsible.  I haven't had a chance to do that yet.

Resetting no longer seems to work for most of us any more. Malwarebytes and I recommend you "Nuke it" by using the instructions here or here, depending on what you are comfortable with.

I can usually determine the extension based on that file name, but nothing comes up for me on that one. Perhaps the staff will have better luck.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.