Jump to content

Recommended Posts

I've tried several upon several anti-malware cleanup programs and they all worked to delete certain harmful files. Malwarebytes seems to delete the problem every time but every time I reboot the computer and scan again the same problems arise. It just keeps coming back. I need help getting rid of this for good. FRST.txtFRST.txt

malwarebyteslog.txt FRST.txt Addition.txt

Share this post


Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
===

If the problem persists and Chrome is Synced with other Devices check this out.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.

Restart the computer normally.
===========

Please let me know if the problem is solved.

 

fixlist.txt

Share this post


Link to post
Share on other sites

Hi,

Did you reset the Sync on Chrome as suggested.

Please restart the computer and post fresh logs.

Can't understand why nothing was found in your fixlog.txt

 

Share this post


Link to post
Share on other sites

I was unable to reply because I was getting the notification that my message "contained wording consistent with spam".

The fixlog I replied with was the second one because the first one was lost however it seemed to have successfully deleted what it was supposed to.

However, after reboot Malwarebytes keeps detecting the same sorts of files no matter how many times I quarantine and delete everything it finds.

I have reset my Sync in Chrome as suggested but the problem still persists.

Share this post


Link to post
Share on other sites

Hi,

I may found a bad DNS entry.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Edited by nasdaq

Share this post


Link to post
Share on other sites

Hi,

The items found by Malwarebytes and possibly Avast are remnant entries from an old infection.

The Internet Explorer proxy settings must be removed.

How to Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:xxxxx if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

If required press the Apply button.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
<<<>>>

Syncing Internet Explorer.

If the problem persists in IE and you are using the Sync with other devices, disable the Sync.
https://www.thewindowsclub.com/sync-internet-explorer-settings-windows-8-1-devices

close IE.

Restart the computer and re-sync you devices if you need them.
<<<>>>

Let me know if the computer is running well but the reports from MBAM and AVAST are the same.
 

 

Share this post


Link to post
Share on other sites

Hi,
I have followed the instructions and rebooted my PC. My computer seems to be running fine but Avast is still giving be notifications about detecting "JS:Proxy-B (Trj)".
However, if I'm not wrong it seems like I am getting significantly less Avast Pop-Ups than I used to. I used to get around 5 at a time but now I'm getting only one every once in a while.

Share this post


Link to post
Share on other sites

Update : Still getting multiple pop-ups at a time as I did before. Computer still running fine but the pop-ups didn't change still.

Share this post


Link to post
Share on other sites

Here are just 2. The 'process' section on the bottom usually is programs that are currently running such as chrome and razer (as seen on the screenshots) and others like Nvidia. Chrome isn't giving me any notifications it's Avast that keeps detecting whatever this is. I can disable the notifications without a problem but it still looks concerning. When I open Avast after like 30 minutes I see around 21 notifications of it blocking the same thing.

popup1.PNG

popup2.PNG

Share this post


Link to post
Share on other sites

Hi,

Navigate to this page.

https://www.pcworld.com/article/3105998/disable-wpad-now-or-have-your-accounts-and-private-data-compromised.html

Look at the Image located to the left of this string.

A rogue web proxy would allow attackers to intercept and modify non-encrypted HTTP traffic, ect...

If this box is checked the box "use a proxy server"  remove the check mark.

Leave the check on  "automatically detect settings" just delete the use a proxy server.

Click the OK button.

Restart the computer normally.

How is it now?

Share this post


Link to post
Share on other sites

Hi,

You may want to check your settings In Internet Explorer  and see they have returned.
===

Avast is reporting that this program is using the wpad.dat file.
(Razer USA Ltd. -> Razer Inc.) C:\Program Files (x86)\Razer\Razer Services\Razer Central\Razer Central.exe

Check with the Razer forum is this  wpad.dat file required.

Scan the file in bold at Virus Total.
https://www.virustotal.com/gui/home

C:\Program Files (x86)\Razer\Razer Services\Razer Central\Razer Central.exe
===

Lets check the the file.

Download the Systemlook appropriate for you system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)

  • Double-click SystemLook.exe/SystemLook_x64.exe
  • to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind  
    wpad.dat
    :filefind
    wpad.dat
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


===


 

Share this post


Link to post
Share on other sites

I have checked the Internet Explorer settings and yes somehow the previous settings have returned. I unticked "Use atuomatic configuration script" once again. Virus Total also didn't detect anything after scanning Razer Central.exe. 

SystemLook.txt

Share this post


Link to post
Share on other sites

Hi,

Just for my information when you delete the Proxy in Internet explorer do you click the OK or the Apply button before closed IE?

The attached Fixlist.txt will remove the items from the registry and restart the computer.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me if your problem is solved.

fixlist.txt

Share this post


Link to post
Share on other sites

I ran the fixlist and rebooted and still getting the Avast popups 😕
As to the internet explorer settings. There is no Apply button in the LAN Settings window. There is on once you close it but that can't be pressed, I have also double checked and the settings look the same as I left them with no proxy address. 

Share this post


Link to post
Share on other sites

Hi,

Please run the SystemLook and search for this:

:regfind  
wpad.dat

Let me know if it's clean or you get the same results.

Share this post


Link to post
Share on other sites

Hi
Lets try this way to remove the items from the registry.

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file run it as an Administraror if you can, and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr\{10ABFF81-1678-4B0D-9026-3F129330CDD7}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr\{51CDD54C-1B9F-4C0A-9210-04ABAB67C7A9}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr\{10ABFF81-1678-4B0D-9026-3F129330CDD7}]
"AutoConfigUrl"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr\{51CDD54C-1B9F-4C0A-9210-04ABAB67C7A9}]
"AutoConfigUrl"=-
[HKEY_USERS\S-1-5-21-1747705853-2947177505-3204008702-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"=-

Restart the when completed.

You can delete the fixme.reg file when done.

How is it now?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.