Proxy server keeps turning on


Hi,

 

I wonder if someone could help me with a potential malware/unwanted program issue. I've noticed recently that in my computer's proxy settings, in 'Manual proxy setup', the 'Use a proxy server' setting continually switches back on, and displays the Proxy IP address as 'http://https=localhost' and the Port as 2520 (although that number sometimes changes). A lot of apps (e.g., Mail, etc.) are suddenly now saying 'Proxy error' and not connecting. Microsoft Safety Scanner and other malware/virus scans haven't shown any problems yet, but after reading about this online, I have some reason to believe that some proxy malware may be the issue. Could anyone help me find out how to diagnose/fix the problem? I would be very grateful.

 

Many thanks.


@lesmoque

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


Then be patient for the next expert to take your case.

 

Thank you


  • Root Admin

Please get me the following other logs as well

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

Thanks

 


  • Root Admin

Thank you for the logs. That is the Scan log for AdwCleaner but if the other does not exist we can ignore for now. @lesmoque

The logs indicate that you're running a VERY OLD version of Trend Micro antivirus. Is this a paid version? Are you still using it?

If you're not going to keep it up to date I'd recommend you uninstall it and use the built-in Windows Defender, which will be much more capable than an old version of Trend Micro.

 


Hi again. That Trend Micro/Apex One antivirus is not a paid version, no. I wasn't aware it was out of date, since it seems to still be updating its virus definitions, etc. (see attached screenshot). But I'd be happy to uninstall it if you think that's best.

 

Should I take further steps to resolve the proxy server issue after uninstalling Trend Micro, or is that likely what's causing the issue? I wasn't sure what you meant by "if the other does not exist"; if I should re-send any of the logs of the scans you asked for, I'd be happy to do that.

trend micro updates.png


  • Root Admin

Personally I would uninstall it and restart the computer. Windows Defender is going to be a much better antivirus from Microsoft than an old product version of Trend Micro.

After you uninstall and reboot, please get me a new set of logs @lesmoque

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 


OK, thank you so much. I remembered that the reason I had Trend Micro was that my employer had a license for it a few years ago, and I didn't realize it was no longer current. I uninstalled it, and Windows Security/Windows Defender then immediately detected and quarantined a severe threat, a trojan (screenshot below). For what it's worth, the powershell process that's referred to in that screenshot showed up for me, earlier, as associated with that port number that the proxy server kept setting itself to, no matter what I did.

I've also attached the new set of logs that you requested, using the Malwarebytes Support Tool. I've also run another Malwarebytes scan, FRST scan, and Security Check scan, and I've attached those results too. The AdwCleaner scan again shows no items to clean, so I haven't attached a clean log for that.

threatblocked.png

mbst-grab-results.zip Malwarebytes Scan Report 2024-04-25 021114.txt FRST1.txt Addition1.txt SecurityCheck1.txt


  • Root Admin

Thank you for the logs @lesmoque

Are you using the following software?

  • Avast SecureLine VPN

 

[ 1 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • CCleaner (computer experts no longer recommend using this program)
  • CCleaner Browser (computer experts no longer recommend using this program)

 

[ 2 ]

The following files are certificate files and normally should not be stored here. Did you save them there yourself and know what they're for?

2024-03-30 20:16 - 2024-04-24 21:27 - 000000004 _____ () C:\Users\duibh\AppData\Local\rootCert_lock.pfx
2024-03-30 20:16 - 2024-03-30 20:16 - 000002536 _____ () C:\Users\duibh\AppData\Local\WindowsUpdateCertificate.pfx

 

[ 3 ]

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\duibh\OneDrive\Desktop\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Thank you. That FRST fix ran successfully, and I've attached the fixlog txt file here.

 

In answer to your other questions:

 

(0) No, I don't currently use Avast VPN. (I've just uninstalled it.)

(1) I've also uninstalled CCleaner and CCleanerBrowser as you suggested.

(2) No, I don't know what those certificate files are, and I don't believe I saved them there myself.

 

Fixlog.txt


  • Root Admin

Thank you. Overall the fix ran well and also found and fixed some other Windows issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Please go ahead and run the following

 

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and it will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you


Thank you. I took the steps in your message and ran a Microsoft Safety Scanner full scan, and it took several hours. It showed some apparent detections during it, but then the final message was 'No unwanted files found'. Unfortunately, it seems that a log file (msert.log) wasn't created after the scan. I've looked in the C:/Windows/debug folder for the log as instructed above, and also searched for it in Windows Explorer. But it doesn't seem to have been created. Is there another scan I should run, or other steps I should now take?


  • Root Admin

Please RESTART the computer, then get me a new, fresh set of logs and we'll see if the proxy change has returned or not.

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 


  • Root Admin

The Proxy Server settings are back.

Do you use Proton VPN?

Please power cycle your router or modem.

 

 

NEXT

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\duibh\OneDrive\Desktop\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Yes, I use ProtonVPN. Could you explain how to cycle my router/modem?

Also, I'm actually not now seeing the same proxy server settings as before. In the 'Proxy settings' dialog box, the 'Manual proxy setup' is now off, and only the 'Automatically detect settings' box is checked. (Screenshot attached.) Also the apps that were previously not connecting and displaying 'Proxy error' messages (e.g., Mail, etc.) In light of those facts, should I still run the fix above? I could instead just try unchecking that box in the 'Proxy settings' box.

proxysettings.png


  • Root Admin

The Farbar log shows that there are still proxy entries:

ProxyServer: [S-1-5-21-339218627-1117237075-3130030999-1001] => https=localhost:10233

 

This one does not appear to be set, but normally it is not shown in logs unless someone is playing with it:

FF NetworkProxy: Mozilla\Firefox\Profiles\x5sow75v.default-release -> type", 0

 

 

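As an added example (not part of this thread and not one of the helper's tools), the following PowerShell reads the same per-user Internet Settings values that FRST reports as ProxyServer, flags a loopback proxy such as https=localhost:10233, and shows which process is listening on that port, which is the check a helper would want before deciding whether the setting is being re-applied by something on the machine. The function names, the 30-second poll interval and the log file path are my own assumptions; the registry key, Get-NetTCPConnection and netsh winhttp are standard Windows.

```powershell
# Added example, not from the thread: inspect the per-user WinINET proxy values
# and identify the process behind a loopback proxy port.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxyState {
    $p = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable        # 1 = "Use a proxy server" is on
        ProxyServer   = [string]$p.ProxyServer     # e.g. "https=localhost:10233"
        AutoConfigURL = [string]$p.AutoConfigURL   # PAC script, if any
        AutoDetect    = [int]$p.AutoDetect         # "Automatically detect settings"
    }
}

function Get-LocalProxyPorts([string]$ProxyServer) {
    # ProxyServer is "host:port" or a ;-separated list such as "http=h:p;https=h:p"
    $ports = foreach ($entry in ($ProxyServer -split ';')) {
        if ($entry -match '^(?:\w+=)?(?<host>[^:]+):(?<port>\d+)$' -and
            $Matches.host -in @('localhost', '127.0.0.1')) {
            [int]$Matches.port
        }
    }
    $ports | Sort-Object -Unique
}

function Get-ProxyPortListener([int]$Port) {
    # Owning process of the listener on the loopback port (Windows 8 / Server 2012 and later)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $Port; PID = $_.OwningProcess
                               Process = $proc.ProcessName; Path = $proc.Path }
        }
}

function Watch-ProxyReenable([int]$Seconds = 30) {
    # Poll until "Use a proxy server" flips back on, then capture the listener while it is alive
    $was = (Get-UserProxyState).ProxyEnable
    while ($true) {
        Start-Sleep -Seconds $Seconds
        $now = Get-UserProxyState
        if ($now.ProxyEnable -eq 1 -and $was -ne 1) {
            "$(Get-Date -Format s) proxy re-enabled: $($now.ProxyServer)" |
                Tee-Object -FilePath "$env:USERPROFILE\proxy-watch.log" -Append
            foreach ($port in Get-LocalProxyPorts $now.ProxyServer) { Get-ProxyPortListener $port }
        }
        $was = $now.ProxyEnable
    }
}

# One-shot report
$state = Get-UserProxyState
$state | Format-List
foreach ($port in Get-LocalProxyPorts $state.ProxyServer) {
    Get-ProxyPortListener $port | Format-Table -AutoSize
}
netsh winhttp show proxy   # machine-wide WinHTTP setting, shown by FRST as "Direct access"
# Watch-ProxyReenable      # uncomment to keep polling; stop with Ctrl+C
```

Only the HKCU values are read and nothing is changed, so the output can be compared directly against the ProxyServer and WinHTTP lines in the FRST log.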

  • Root Admin

Okay, currently it says no proxy is set:

Current WinHTTP proxy settings:

    Direct access (no proxy server).

 

Let's go ahead and run a 3rd party antivirus scan to double-check

 

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 
