
Returning Malware



I've tried several upon several anti-malware cleanup programs and they all worked to delete certain harmful files. Malwarebytes seems to delete the problem every time but every time I reboot the computer and scan again the same problems arise. It just keeps coming back. I need help getting rid of this for good.

malwarebyteslog.txt FRST.txt Addition.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
===

If the problem persists and Chrome is Synced with other Devices check this out.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.

Restart the computer normally.
===========

Please let me know if the problem is solved.

 

fixlist.txt


I was unable to reply because I was getting the notification that my message "contained wording consistent with spam".

The fixlog I replied with was the second one because the first one was lost; however, it seemed to have successfully deleted what it was supposed to.

However, after reboot Malwarebytes keeps detecting the same sorts of files no matter how many times I quarantine and delete everything it finds.

I have reset my Sync in Chrome as suggested but the problem still persists.


Hi,

I may have found a bad DNS entry.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hi,

The items found by Malwarebytes and possibly Avast are remnant entries from an old infection.

The Internet Explorer proxy settings must be removed.

How to Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:xxxxx if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

If required press the Apply button.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
<<<>>>

Syncing Internet Explorer.

If the problem persists in IE and you are using the Sync with other devices, disable the Sync.
https://www.thewindowsclub.com/sync-internet-explorer-settings-windows-8-1-devices

Close IE.

Restart the computer and re-sync your devices if you need them.
<<<>>>

Let me know if the computer is running well but the reports from MBAM and AVAST are the same.
 

 


Hi,
I have followed the instructions and rebooted my PC. My computer seems to be running fine but Avast is still giving me notifications about detecting "JS:Proxy-B (Trj)".
However, if I'm not wrong it seems like I am getting significantly less Avast Pop-Ups than I used to. I used to get around 5 at a time but now I'm getting only one every once in a while.


Here are just 2. The 'process' section on the bottom usually is programs that are currently running such as chrome and razer (as seen on the screenshots) and others like Nvidia. Chrome isn't giving me any notifications; it's Avast that keeps detecting whatever this is. I can disable the notifications without a problem but it still looks concerning. When I open Avast after like 30 minutes I see around 21 notifications of it blocking the same thing.

popup1.PNG

popup2.PNG


Hi,

Navigate to this page.

https://www.pcworld.com/article/3105998/disable-wpad-now-or-have-your-accounts-and-private-data-compromised.html

Look at the Image located to the left of this string.

A rogue web proxy would allow attackers to intercept and modify non-encrypted HTTP traffic, etc.

If the box "use a proxy server" is checked, remove the check mark.

Leave the check on "automatically detect settings"; just delete the "use a proxy server" check.

Click the OK button.

Restart the computer normally.

How is it now?


Hi,

You may want to check your settings in Internet Explorer and see if they have returned.
===

Avast is reporting that this program is using the wpad.dat file.
(Razer USA Ltd. -> Razer Inc.) C:\Program Files (x86)\Razer\Razer Services\Razer Central\Razer Central.exe

Check with the Razer forum whether this wpad.dat file is required.

Scan the file in bold at Virus Total.
https://www.virustotal.com/gui/home

C:\Program Files (x86)\Razer\Razer Services\Razer Central\Razer Central.exe
===

Let's check the file.

Download the SystemLook appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)

  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind  
    wpad.dat
    :filefind
    wpad.dat
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


===


 


Hi,

Just for my information, when you delete the Proxy in Internet Explorer, do you click the OK or the Apply button before closing IE?

The attached Fixlist.txt will remove the items from the registry and restart the computer.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know if your problem is solved.

fixlist.txt


Hi,
Let's try this way to remove the items from the registry.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved, right-click the .reg file, run it as an Administrator if you can, and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr\{10ABFF81-1678-4B0D-9026-3F129330CDD7}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr\{51CDD54C-1B9F-4C0A-9210-04ABAB67C7A9}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr\{10ABFF81-1678-4B0D-9026-3F129330CDD7}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr\{51CDD54C-1B9F-4C0A-9210-04ABAB67C7A9}]
"AutoConfigUrl"=-
[HKEY_USERS\S-1-5-21-1747705853-2947177505-3204008702-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?

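A read-only way to check whether the values that fixme.reg deletes have been written back after a restart, as an added PowerShell example that is not part of the original posts and not FRST or Malwarebytes tooling. The function name Get-ProxyValue and the Review column are hypothetical; ProxyEnable and ProxyServer (the registry values behind the "Use a proxy server" checkbox) are checked in addition to the AutoConfigURL values named in the .reg file.

```powershell
# Read-only audit of the proxy values discussed in this thread; it changes nothing.
# Assumption: run from an elevated prompt so all loaded HKEY_USERS hives are readable.
$inetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyMgr     = 'HKLM:\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr'
$valueNames   = 'AutoConfigURL', 'ProxyEnable', 'ProxyServer'

# Hypothetical helper: returns one object per proxy-related value present under a key.
function Get-ProxyValue {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }            # key exists but holds no values

    foreach ($name in $valueNames) {
        $p = $props.PSObject.Properties[$name]  # case-insensitive: AutoConfigUrl / AutoConfigURL
        if ($null -eq $p) { continue }
        [pscustomobject]@{
            Key    = $KeyPath -replace '^.*Registry::', ''
            Name   = $p.Name
            Value  = $p.Value
            # Flag what the thread asks about: a loopback proxy or a wpad.dat script.
            Review = [string]$p.Value -match '127\.0\.0\.1|localhost|wpad\.dat'
        }
    }
}

$found = @(
    # Every loaded user hive; this covers HKEY_CURRENT_USER and the per-SID key in the .reg file.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ProxyValue -KeyPath "Registry::HKEY_USERS\$($_.PSChildName)\$inetSettings"
        }

    # Per-interface entries kept by the IP Helper service (the ProxyMgr\{GUID} keys).
    Get-ChildItem -LiteralPath $proxyMgr -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ProxyValue -KeyPath $_.PSPath }
)

if ($found.Count -eq 0) {
    'No AutoConfigURL, ProxyEnable or ProxyServer values found.'
} else {
    $found | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
}
```

Running it before the fix and again after each restart shows whether a deleted value has returned and under which key.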
