Topic: unable to remove proxy 127.0.0.1:8080 (http and https secure)


devnullius
FROM: http://fixedit.itxpress.biz/2014/10/08/unable-to-disable-windows-proxy-setting/

Unable To Disable Windows Proxy Setting

8 OCT
Browser Proxy
We had a system come in recently that had been heavily infected by the ZBot rootkit and a variety of Trojans. MS Security Essentials had cleaned some things off, but the system still had a lot of junk on it. The main problem, however, was the computer could not access the Internet. Many virus infections create proxy servers and then set Windows to route all web traffic through the virus proxy. When most anti-virus programs kill off a virus like this, they don’t clear the proxy setting. So you have no virus, but you also can’t access the Internet. This is understandable since messing with that proxy setting is dicey in a corporate environment where they get used heavily.

Easy enough – click Start -> Control Panel -> Internet Options -> Connections -> LAN Settings and uncheck the ‘Use proxy’ checkbox.

Still can’t access the Internet due to a Proxy error. What?

Go back to the Proxy setting and it’s checked. So I uncheck it and save. Open screen up? Still checked. I check for any rogue processes running that might be setting it as soon as I unset it. Nope. Now what?

Then I notice a yellow bar in Internet Options:
[screenshot: Internet Options dialog with the yellow bar "Some settings are managed by your system administrator"]
This user account had Admin rights, so that seemed strange. After some Google research, I came across some others who had the same issue, and the techs at Bleeping Computer had given them some keys to remove, but none seemed to have any effect. Then I found this article dealing with the same problem:

With Internet Explorer 6.0, troubleshooting zones could be problematic if the administrator you are working with forgets to inform you that they have implemented "Security Zones: Use only machine settings" via GPO or a direct registry change.

Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Name: Security_HKLM_only
Type: REG_DWORD
Value: 1 = Enabled, 0 = Disabled

By default the value is not present, and thus the feature is disabled. With Internet Explorer 7.0 the UI has been updated to reflect the presence of Security_HKLM_only when the feature is ENABLED. The visual notification is a big win for IE7 troubleshooting. Note the yellow bar at the bottom of the dialog: "Some settings are managed by your system administrator". This is your clue that you are dealing with Security_HKLM_only. The bonus is that you cannot make modifications to any of the zones; note that Custom level, Default level, and Reset all zones to default level are greyed out.
Well, this computer I had was Windows 7 with IE 11, but I dove into the registry anyway. No luck. However, I did notice the following key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, value ProxySettingsPerUser (REG_DWORD)

And it was set to 0 (Disabled). I set it to 1 and the problem went away. The yellow warning bar disappeared and I could adjust the proxy setting and make it stick. Given how many viruses create proxy servers, I’m surprised I haven’t seen this before…
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info
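ProxySettingsPerUser = 0 under that Policies key is the registry form of the Group Policy "Make proxy settings per-machine (rather than per-user)": Internet Explorer then reads ProxyEnable/ProxyServer from HKLM instead of HKCU and greys out the LAN Settings dialog, which is exactly the symptom the article describes. The script below is an added example (not from the article or this thread) that reports the policy values, the proxy values in every hive that matters, and the separate WinHTTP proxy store that the IE dialog never shows. It assumes 64-bit Windows PowerShell 3.0 or later; the function name and report layout are this example's own, the value names are the documented ones.

```powershell
# Added example: audit the registry state behind a locked IE proxy setting.
# Run from an elevated 64-bit PowerShell so HKLM paths are not WOW64-redirected.

function Get-ProxyLockReport {
    $policy = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hives = @{
        'HKCU'       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        'HKLM'       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        'HKLM-WOW64' = 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
    }

    # Absent values come back as $null; both policies default to "not set".
    $perUser  = (Get-ItemProperty -Path $policy -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $hklmOnly = (Get-ItemProperty -Path $policy -Name Security_HKLM_only   -ErrorAction SilentlyContinue).Security_HKLM_only

    # ProxySettingsPerUser = 0 means "per-machine": IE reads the HKLM values
    # and the LAN Settings UI shows the "managed by your system administrator" bar.
    $effective = if ($perUser -eq 0) { 'HKLM (per-machine; LAN Settings UI locked)' } else { 'HKCU (per-user; default)' }

    $report = [ordered]@{
        ProxySettingsPerUser = $perUser
        Security_HKLM_only   = $hklmOnly
        EffectiveProxyHive   = $effective
    }

    foreach ($name in $hives.Keys) {
        $p = Get-ItemProperty -Path $hives[$name] -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        foreach ($v in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
            $report["$name $v"] = $p.$v
        }
    }

    # WinHTTP (used by services and Windows Update) keeps its own proxy.
    $report['WinHTTP'] = (netsh winhttp show proxy | Out-String).Trim()
    [pscustomobject]$report
}

$r = Get-ProxyLockReport
$r | Format-List
if ($r.EffectiveProxyHive -like 'HKLM*') {
    Write-Warning 'Proxy settings are read from HKLM: fix them there (or remove the policy value), not in the LAN Settings dialog.'
}
```

If the report shows ProxySettingsPerUser = 0 on a machine that is not domain-joined and has no proxy policy on purpose, something other than an administrator wrote it, and the HKLM ProxyServer value tells you where the traffic is being sent.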

devnullius
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #1 on: 13. December 2014., 12:21:54 »
Damn, seems you were right :)

Must be some kind of new virus that does this. Not a smart virus either, for I did not find many real problems (except for the usual 'toolbars' and stuff). And this. I was even lucky to notice it! I couldn't find a process accessing it either (how to check for that anyway XD).

Actually, despite the proxy settings being correct now (will double check with reboot later), I still have 'something' running on 127.0.0.1:8080...

Fiddler Echo Service


GET / HTTP/1.0
Host: 127.0.0.1:8080
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
DNT: 1
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4

This page returned a HTTP/200 response
Originating Process Information: admunch:3640
To configure Fiddler as a reverse proxy instead of seeing this page, see Reverse Proxy Setup
You can download the FiddlerRoot certificate

I also found this link http://superuser.com/questions/135252/fiddler-not-working-in-windows-7-lan-settings-locked (not applicable for this problem), but I'm unable to find any fiddler file on the hard drive :(

So thanks, really really thanks for this solution. I'll post it on scforum.info too :) For now... wtf is running on localhost????

Devvie

twitter.com/devnullius



POST-EDIT: trying to post the above text on the laptop with the proxy problem (where I just set the registry key to 1) gives the following (Dutch) error, translated:
The server at fixedit.itxpress.biz cannot be found because the DNS lookup failed. DNS is the network service that translates the name of a website into its internet address. This error is usually caused by a broken internet connection or a misconfigured network. It can also be caused by a DNS server that is not responding or by a firewall blocking Google Chrome's access to the network.

Click the 'Reload' button to resend the data needed to load the page.
Error code: DNS_PROBE_FINISHED_NXDOMAIN

Even googling won't work now. Double checking the registry key / IE settings (Windows 7)... All still good. Time for a reboot I suppose :(


POST-REBOOT: registry key is set back to "0" and proxy is running once more :(

devnullius
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #2 on: 13. December 2014., 12:33:52 »
Just in case...

AV's used:

AVG was installed (I removed it).
I installed 360 Total Security (triple engine).
I did combofix.
I did superantispyware (including Repair Internet Zones).
I did Hitman Pro.

;p

jheysen
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #3 on: 13. December 2014., 12:49:37 »
Run McAfee Stinger :p
and use Sysinternals TCPView to see what's listening on 8080; from there you can go on with Process Explorer
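The same port-to-process lookup TCPView does can be scripted, which is useful when a GUI is not an option (the Fiddler echo page in Reply #1 already gave away the listener's name and PID, admunch:3640, but that only works while the proxy answers). This is an added example, not from the thread or from Sysinternals: it parses netstat -ano so it also works on Windows 7, where Get-NetTCPConnection does not exist, then pulls the image path, command line, parent process, Authenticode status and any loaded module whose name mentions fiddler or proxy. The function name is this example's own.

```powershell
# Added example: what is listening on a local port, and is it something you trust?
function Get-ListenerOnPort {
    param([int]$Port = 8080)

    # netstat -ano rows look like:
    #   TCP    127.0.0.1:8080    0.0.0.0:0    LISTENING    3640
    $rows = netstat -ano | Where-Object { $_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+\d+\s*$" }

    foreach ($row in $rows) {
        $parts  = $row.Trim() -split '\s+'
        $procId = [int]$parts[4]

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($wmi.ParentProcessId)"

        # An unsigned or oddly signed image on a loopback proxy port deserves a look.
        $sig = 'unknown'
        if ($wmi.ExecutablePath) { $sig = (Get-AuthenticodeSignature $wmi.ExecutablePath).Status }

        # Loaded DLLs reveal the proxy library doing the work (e.g. a FiddlerCore build).
        $proxyDlls = @()
        if ($proc) {
            try {
                $proxyDlls = @($proc.Modules |
                    Where-Object { $_.ModuleName -match 'fiddler|proxy' } |
                    ForEach-Object { $_.FileName })
            } catch {
                $proxyDlls = @("(module list not accessible: $($_.Exception.Message))")
            }
        }

        [pscustomobject]@{
            LocalAddress = $parts[1]
            ProcessId    = $procId
            Name         = $proc.ProcessName
            Path         = $wmi.ExecutablePath
            CommandLine  = $wmi.CommandLine
            Parent       = $parent.Name
            Signature    = $sig
            ProxyDlls    = ($proxyDlls -join '; ')
        }
    }
}

Get-ListenerOnPort -Port 8080 | Format-List
```

Run it elevated so the module list of a process in another session is readable; on 64-bit Windows use the 64-bit PowerShell, otherwise Modules of 64-bit processes throws and the catch branch reports it. The Path and ProxyDlls fields are what you would feed into the "search the registry and disk for that name" step that follows in this thread.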

devnullius
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #4 on: 13. December 2014., 12:51:08 »
Hmm... I think I might be the one to have introduced this problem... :/

I found the following registry key:
F2213D4E4B9927644873A749F2FDE319
value: C:\Program Files (x86)\KMSpico Updater\FiddlerCore3dot5.dll

I'm gonna remove that office crack / patch and see what that gives :)

Devvie

jheysen
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #5 on: 13. December 2014., 13:00:59 »
I got bored trying to activate Office and now I'm a happy subscriber of Office 365 :p

devnullius
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #6 on: 13. December 2014., 14:09:05 »
First I had to go to Command Prompt Only boot (F8)

removed the files in the folder for KMSPico (which I got through torrent but tested clean by all online scanners).

Then started explorer.exe and removed the folder itself.

I ran Steven Gould's excellent Cleanup! Tool and manually searched registry for all containing fiddler or kmspico.

Reboot to normal mode.

I had to set registry key to '1' once more but this time it did not work.

Ok, the proxy was down but *something* kept changing the proxy settings back for Internet Explorer.

I solved that with this solution: http://www.bleepingcomputer.com/forums/t/531194/cannot-turn-off-proxy-use/page-2#entry3353528

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
 
:Services
 
:OTL
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptnrS=UXxdm011YYus&si=maps4pc&ptb=39822AA3-2FC7-49CE-B787-55E5A850DAF4&ind=2013112620&n=77fda92c&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKCU\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptnrS=UXxdm011YYus&si=maps4pc&ptb=39822AA3-2FC7-49CE-B787-55E5A850DAF4&ind=2013112620&n=77fda92c&psa=&st=sb&searchfor={searchTerms}
FF - prefs.js..extensions.enabledAddons: superfish%40superfish.com:1.2.0.19
[2014/04/26 07:10:30 | 000,000,000 | ---D | M] (WindowShopper) -- C:\Users\Chas\AppData\Roaming\Mozilla\Firefox\Profiles\s0802hyy.default\extensions\superfish@superfish.com
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2013/11/26 21:38:39 | 000,000,000 | ---D | M] -- C:\Users\Chas\AppData\Roaming\PC Utility Kit
 
:Files
ipconfig /flushdns /c
 
:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
Then click the Run Fix button at the top

DOWNLOAD:
http://oldtimer.geekstogo.com/OTL.exe

I'll reboot once more but it seems I finally removed that pesky malware that uses public software to go undetected (it seems).

Devvie
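Two things about the OTL fix quoted above are worth checking before reusing it: it was written for another machine (the profile paths are C:\Users\Chas and the proxy there was 127.0.0.1:8877, not 8080), and it resets ProxyEnable/ProxyServer/ProxyOverride in HKLM, both the native and the WOW6432Node view, which is why it worked where flipping ProxySettingsPerUser alone did not. The script below is an added example, not the OTL script and not from the thread, that does the equivalent reset in all three hives plus WinHTTP, supports -WhatIf so you can see what it would touch, and then polls the keys for a couple of minutes so that whatever "kept changing the proxy settings back" shows itself. It assumes Windows PowerShell 3.0 or later run elevated in a 64-bit session; the function names are this example's own, the value names are the documented WinINET ones.

```powershell
# Added example: clear the WinINET/IE proxy in every hive, then watch for re-enablement.

$ProxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Clear-WinInetProxy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Make proxy settings per-user again so the LAN Settings dialog is editable.
    if (Test-Path $PolicyKey) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Remove ProxySettingsPerUser')) {
            Remove-ItemProperty -Path $PolicyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
        }
    }

    foreach ($key in $ProxyKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Disable proxy and remove server/PAC values')) {
            Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
            foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }

    # Services use WinHTTP, which has its own proxy store.
    if ($PSCmdlet.ShouldProcess('WinHTTP', 'Reset proxy')) { netsh winhttp reset proxy | Out-Null }
}

function Get-ProxySnapshot {
    # One line per hive so two snapshots can be diffed with Compare-Object.
    foreach ($key in $ProxyKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        '{0} Enable={1} Server={2} PAC={3}' -f $key, $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL
    }
}

function Watch-ProxyChange {
    param([int]$Seconds = 120, [int]$IntervalSeconds = 2)
    # Anything that flips the proxy back inside this window is the persistence
    # you still have to find (service, scheduled task, Run key, ...).
    $baseline = Get-ProxySnapshot
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $diff = Compare-Object $baseline (Get-ProxySnapshot)
        if ($diff) {
            Write-Warning "Proxy settings changed at $(Get-Date -Format s):"
            $diff | Where-Object { $_.SideIndicator -eq '=>' } |
                ForEach-Object { Write-Warning "  $($_.InputObject)" }
            return $true
        }
    }
    return $false
}

Clear-WinInetProxy -WhatIf        # dry run: lists every key and value it would change
Clear-WinInetProxy                # apply
if (-not (Watch-ProxyChange -Seconds 120)) { 'Proxy settings held for 2 minutes.' }
```

If Watch-ProxyChange fires, note the exact time and look for a process that started or woke up just before it (the listener check from earlier in the thread, or Process Explorer's process tree, will usually name it); if it stays quiet, the remaining symptom to verify is DNS, since the thread's "DNS_PROBE_FINISHED_NXDOMAIN" error appeared while the proxy keys still looked correct.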

vishwanath99
Re: unable to remove proxy 127.0.0.1:8080 (http and https secure)
« Reply #8 on: 13. December 2014., 18:20:44 »
Repair the OS with McAfee. Check disk and reindex the OS, and check the hosts file if it is XP.
Else use PowerShell to repair it.
It may be a keylogger with spyware capabilities.

 
