Adlice forum

General Category => Malware removal help => Topic started by: themetallikid on August 13, 2019, 01:14:26 pm

Title: Proxy Virus - need help eliminating
Post by: themetallikid on August 13, 2019, 01:14:26 pm
Ok...so I've paid for the minimal version of RogueKiller as I couldn't exterminate it otherwise...still no help.  Downloaded Adaware and Malwarebytes and UCheck...and no luck.  Adaware and Malwarebytes do not detect anything.  RK detects 3 things, it cleans them then they return.

I've tried going into the registry to deactivate the Proxy (change 1 to 0) and also deleting the one entry and disabling things that look not 'right' to me based upon online research...but still no luck after a reboot....IT RETURNS!!!   I've tried doing the cmd prompt to see what is listening on 8080, and I get an error when doing that (I'm not really trained so I'm assuming it's something that I'm doing wrong....maybe?)

Anyway, I reran the scan in RK, here is the log from that.  I'd really like to get this cleaned up as it's not causing 'harm' necessarily, but it is a pain in the ass cause it's affecting my internet connections and speed.  I started noticing it when I switched internet carriers, though not sure how/why that would be linked....

RogueKiller Anti-Malware V13.4.2.0 (x64) [Aug  9 2019] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18362) 64 bits
Started in : Normal mode
User : theme [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190812_111803, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/08/12 23:07:49 (Duration : 01:30:45)

¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> R5 - Proxy
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-965646632-1427897047-1661301400-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyEnable -- 1 -> Found
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-965646632-1427897047-1661301400-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer -- http=localhost:64550;https=localhost:64550 -> Found
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies| -- 1http=localhost:64550;https=localhost:64550 -> Found

¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤

Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 13, 2019, 05:12:45 pm
Hi themetallikid,

Welcome to Adlice.com Forum.
This proxy is not necessarily malicious. We need to check this manually.

Please follow the following process :
1) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code:
netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
Do not close the command prompt !

2) A new file named netstat.txt should have been created on your desktop. Please attach it with your next reply.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 13, 2019, 08:19:26 pm
ok, stopped home on lunch....

this is what I copied and the result:

C:\Users\theme>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 13, 2019, 10:22:58 pm
Hi themetallikid,

Could you please check that you executed the command prompt as Administrator?
How to Run Command Prompt as an Administrator (https://www.thewindowsclub.com/how-to-run-command-prompt-as-an-administrator).

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 12:53:46 am
took me a minute to find how to do that...I'm not completely illiterate, but win 10 moves some functions and never had to do that yet.  I did open it as administrator and noticed the beginning of the prompt had changed, lol.....I found the cmd program in the start menu, right clicked>more>run as administrator

however, I get the same result:

C:\WINDOWS\system32>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

The first was my highlighting/copying/pasting, the 2nd was using that little link that copies directly. 
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 02:02:09 am
Hi themetallikid,

Let's try another way.
Please follow the following process :

1) Download TCPView (CLI version) (https://live.sysinternals.com/tcpvcon.exe) and save it to your desktop.
2) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code:
"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"
Do not close the command prompt !

3) A new file named netstat.txt should have been created on your desktop. Please attach it with your next reply.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 02:18:03 am
I clicked your link, a program downloaded/installed/ran....to my untrained eyes, it looked like it was scanning ports/processes??  no?

after it finished, I closed/opened (as admin) cmd.exe....again copied/pasted the command you gave using both methods (select link and copy/paste with mouse)...

here is what I get....I don't see a file on the desktop like you suggest....

Microsoft Windows [Version 10.0.18362.267]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 03:22:21 am
Hi themetallikid,

There seems to be something wrong with your system.
Could you please copy/paste the following command in the admin command prompt ?
Code:
echo %SYSTEMDRIVE% %SYSTEMROOT% %USERPROFILE% > C:\varpath.txt
This time a file named varpath.txt should have been created at the root of your system drive (C:\).
Please attach it with your next reply.

Yes, TCPView is able to list opened ports / established connections on the local machine. It should help us understand which process is listening on the proxy port detected by RogueKiller.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 03:37:26 am
yes, this worked.  YAY!!  lol.....

just in case it didn't attach right, here is what is listed

C: C:\WINDOWS C:\Users\theme
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 03:52:13 am
Hi themetallikid,

This is quite strange.
Could you please copy/paste the following command in the admin command prompt and check if a netstat.txt file is now located on your C:\ drive as well ?
Code:
netstat -abn > C:\netstat.txt
If that's the case, please attach it with your next reply.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 03:57:51 am
Yes, that worked....attached
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 04:23:34 am
Hi themetallikid,

The proxy set on port 64550 is only establishing connections with local processes on your system and all these processes are safe. This is probably a proxy used by your antivirus engine to analyse system behaviour. In my opinion, you can be at ease and need not worry about it.

What is really strange is why the command lines using environment variables are failing on your system. It's the first time I have observed such behaviour, but I advise you not to worry about it either, if your system is globally running fine.

Regards.
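The check Curson describes above (is anything other than local processes talking to the proxy port, and which process owns it) can be automated against the netstat.txt file. The script below is an added example, not code from Curson, Adlice or RogueKiller: it parses the ProxyServer registry value exactly as RogueKiller reported it in the log above, then walks a constructed sample of `netstat -abn` output (the process names sampleproxy.exe and browser.exe and the addresses are invented for this example) and reports, per proxy port, the listening process, the local clients using it, any non-loopback peers connected into it, and the proxy process's own outbound connections.

```python
"""Cross-check a Windows ProxyServer registry value against `netstat -abn` output."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample in the layout printed by `netstat -abn` (no -o, so no PID
# column; the owning executable follows each row in square brackets).
# Process names and addresses are invented for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:64550        0.0.0.0:0              LISTENING
 [sampleproxy.exe]
  TCP    127.0.0.1:64550        127.0.0.1:50112        ESTABLISHED
 [sampleproxy.exe]
  TCP    127.0.0.1:50112        127.0.0.1:64550        ESTABLISHED
 [browser.exe]
  TCP    192.168.1.20:50200     203.0.113.10:443       ESTABLISHED
 [sampleproxy.exe]
  TCP    [::1]:64550            [::]:0                 LISTENING
 [sampleproxy.exe]
  UDP    0.0.0.0:5353           *:*
 [browser.exe]
"""

# ProxyServer value as RogueKiller reported it in the thread above.
SAMPLE_PROXY_VALUE = "http=localhost:64550;https=localhost:64550"

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")
ENDPOINT_RE = re.compile(r"^(?:\[(.+)\]|([^:]+)):(\d+|\*)$")


@dataclass
class Connection:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str
    process: Optional[str] = None


def split_endpoint(endpoint: str):
    """'127.0.0.1:64550' -> ('127.0.0.1', 64550); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', None)."""
    m = ENDPOINT_RE.match(endpoint)
    if not m:
        raise ValueError(f"unrecognised endpoint: {endpoint!r}")
    host = m.group(1) if m.group(1) is not None else m.group(2)
    port = m.group(3)
    return host, (None if port == "*" else int(port))


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; False for wildcards and real addresses."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_proxy_server(value: str) -> Dict[str, tuple]:
    """Parse an Internet Settings ProxyServer value.

    Both registry forms are accepted: 'host:port' (same proxy for every
    protocol, keyed here as 'all') and 'http=host:port;https=host:port;...'.
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, target = entry.partition("=")
        if not target:                      # plain 'host:port' form
            scheme, target = "all", scheme
        proxies[scheme.lower()] = split_endpoint(target)
    return proxies


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -abn` output, attaching the bracketed owner to each row."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            lh, lp = split_endpoint(local)
            fh, fp = split_endpoint(foreign)
            conns.append(Connection(proto, lh, lp, fh, fp, state or ""))
            continue
        owner = line.strip()                # '[name.exe]' lines belong to the previous row
        if conns and owner.startswith("[") and owner.endswith("]"):
            conns[-1].process = owner[1:-1]
    return conns


def assess_proxy(proxy_value: str, netstat_text: str) -> Dict[str, dict]:
    """Per configured proxy port: who listens, who talks to it, and whether anything non-local is involved."""
    conns = parse_netstat(netstat_text)
    report = {}
    for scheme, (host, port) in parse_proxy_server(proxy_value).items():
        listeners = [c for c in conns if c.state == "LISTENING" and c.local_port == port]
        listener_procs = {c.process for c in listeners if c.process}
        report[scheme] = {
            "port": port,
            "proxy_host_is_local": is_loopback(host),
            "listeners": sorted(listener_procs),
            # Listening sockets bound to a non-loopback address are reachable from the LAN.
            "exposed_listeners": sorted({c.process for c in listeners
                                         if c.process and not is_loopback(c.local_host)}),
            # Local processes whose traffic goes through the proxy.
            "clients": sorted({c.process for c in conns
                               if c.process and c.foreign_port == port and is_loopback(c.foreign_host)}),
            # Remote hosts connected *into* the proxy port (should be empty for a local-only proxy).
            "non_loopback_peers": sorted({c.foreign_host for c in conns
                                          if c.local_port == port and c.state != "LISTENING"
                                          and not is_loopback(c.foreign_host)}),
            # Outbound connections made by the proxy process itself (expected for a forwarding proxy).
            "proxy_outbound": sorted({(c.foreign_host, c.foreign_port) for c in conns
                                      if c.process in listener_procs and c.state == "ESTABLISHED"
                                      and not is_loopback(c.foreign_host)}),
        }
    return report


if __name__ == "__main__":
    for scheme, info in assess_proxy(SAMPLE_PROXY_VALUE, SAMPLE_NETSTAT).items():
        print(scheme, info)
```

On a real machine, replace SAMPLE_NETSTAT with the contents of the netstat.txt produced by the command above and SAMPLE_PROXY_VALUE with the ProxyServer value from the RogueKiller log. A non-empty `non_loopback_peers` or `exposed_listeners` list is what would turn a "local proxy, probably the antivirus" verdict into something worth a closer look; the `listeners` entry is the process you would then inspect (signature, path, vendor).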
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 04:37:36 am
well the behavior that is triggering my searching and interest is that for the past month or 2 at most internet pages have been loading very poorly.  it's not a speed thing cause I can stream other devices fine, I can game/download updates with xbox fine, it's only on my laptop.

Here is a few scenarios I've noticed:

1) check my gmail so I can get my nfl pools up and running this year...type in gmail.com.  Previously it would be up and running in maybe 1-2 seconds...now, my browser tab spins for anywhere from 5-10 seconds.  Then one of 2 things happens (really 3 things), a) the page loads fine, b) the page displays an error that says "<insert website name here> failed to send any data".  Now...the tab is still spinning when that pops up so the b1)error is that it will stop there and nothing happens, b2) error pops up, tab is still spinning and ultimately (another 5-10 seconds it will load the page fine).  I've noticed this with random web pages at random times.  I just tried the gmail.com website and it loaded fine within about 3-4 seconds (acceptable).  But...while waiting for responses on this thread (playing Madden on xbox) I was shopping for my wife's birthday this weekend and had a hell of a time loading search results on google for an item I'm looking for.  I found an item, looked like it was via amazon.com and clicked on the item description, picture, item title....all of them seemed to want to link to Amazon's website...but all failed to load the page and ultimately stopped running. 

2) While surfing my guitar/gear forums...among the issues in number one intermittently happening...when I CAN load a thread....and someone has posted a youtube video or similar...those will show up as the same error as number one...only way to load it (it's like a game of roulette) is to refresh the page...which then might not even refresh resorting back to issue 1.  This was particularly frustrating last night as I was trying to purchase something from the website https://www.3sigmaaudio.com/electric-impulses/  As you can see on that site (if you don't want to go it's fine....there are several windows where you can 'add to cart' that also included a short audio sample which I had a hell of a time getting to work right...but even then when I was convinced I wanted to purchase some of the files...I spent 30 minutes trying to get the 'add to cart' links to work right.  I eventually got 3 of the 4, but could not get the last one to load/add correctly.

3) while using my credit union's online banking, again the web page has the issues in #1...the place where I enter id/password will pop up with the same issue as number 2, and if left alone for a minute will eventually load...or need to be refreshed...resorting back to the issues in number 1.

This is all new behavior since I switched internet companies...again, no idea why that matters when I'm connected to the same router/modem as other devices and nothing on my laptop was touched during installation.  It's not normal for this machine either as I've had it around a year-ish...

I'm open to any ideas....that could be causing it cause it's very time consuming and frustrating.  I unfortunately did not have the 'restore' function turned on prior to the issues happening so a simple system restore isn't an option...if that would even be a possible solution.
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 04:49:37 am
Hi themetallikid,

Just to make sure, we will be doing a full system investigation.

Please download Farbar Recovery Scan Tool (x64) (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to your Desktop.
Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 14, 2019, 05:25:45 am
Ok, so I downloaded it....reference issues from #1 of my previous post, lol...but I got it.

started the scan as admin (right click, run as admin)...let it do its thing, at the end it said that the FRST log was created in the same directory as the .exe (or something similar to what you posted....it then opened a notepad window with an error, and another window that said created addition.txt file in the same directory as FRST.  Only button to click on was ok, which then brought the 'active' window to the 2nd notepad screen, which is blank...with an error that says could not locate the frst.txt file...do I want to create one?  I click yes, and both notepads are blank....

I reran the scan again, and got the same issue..  when I have the C:\Users\theme\Desktop window open, I can see the initial FRST program link there....but nothing else after that when sorted by time/date modified.

Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 14, 2019, 05:17:14 pm
Hi themetallikid,

I believe your system to be really damaged, which prevents FRST from running normally. It may also be the root cause of the issues you described.
Let's try to repair it.

Copy/paste the following command in the admin command prompt :
Code:
DISM /Online /Cleanup-Image /RestoreHealth
Do not close the command prompt ! It may take a few hours until the command finishes.

When the repair is finished, please reboot your system.
How is your computer running now ?

Please attach those two files (if present) with your next reply :
Code:
C:\Windows\Logs\CBS\CBS.log
C:\Windows\Logs\DISM\Dism.log

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 15, 2019, 01:08:48 am
How do I know when it's finished... there was a % that climbed up and it's been on the 100% for a bit, with the cursor flashing after the [=======100%=======] _

Is there more or is that "it" and I should restart, it maybe took about 15 min...
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 15, 2019, 01:25:09 am
so literally after I posted that last question...it went further and came up with this...I've attached what you asked that was available as well. 

Microsoft Windows [Version 10.0.18362.295]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1

Image Version: 10.0.18362.295

[==========================100.0%==========================]
Error: 0x800f081f

The source files could not be found.
Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077.

The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log

C:\WINDOWS\system32>
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 15, 2019, 01:38:45 am
it's definitely better...the one website I was trying to purchase those files from played the audio samples fine, added to cart fine...I had some issues checking out, not sure if it was cpu or website related....but it's a move in the right direction.

What do you see if anything in the logs, I'll continue to monitor tonight as I have plenty of stuff to catch up on. 
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 15, 2019, 06:43:30 pm
Hi themetallikid,

The logs show that DISM was able to repair some corrupted Windows files, but failed to repair all of it.
Quote
Error in operation: source for package or file not found, ResolveSource() unsuccessful. (CBS HRESULT=0x800f081f) - CCbsConUIHandler::Error

There is still something we can try, but I need some time and information to make a process.
Which edition of Windows (Home, Pro, etc.) are you using ?

Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code:
chkdsk C: /r /v /x
Please allow chkdsk to run on next reboot and restart the computer to perform the analysis.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 12:18:19 am
Completed, ran once...when I first got home, it either went really quick or took me longer than normal to change in to my relaxing clothes, lol...


Sat down and ran it again and it went through the 'repair' process. 

Not sure if there is something I should be looking for.  I know when I tried to pull up the forum here, I did initially get a proxy error, but eventually it loaded and seems ok. 

Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 12:32:08 am
Hi themetallikid,

Your system is not entirely repaired.
Which edition of Windows (Home, Pro, etc.) are you using ?

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 12:34:38 am
What came with the laptop when I purchased it is Windows 10 Home, 64 Bit (x64 based processor)
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 01:00:29 am
Hi themetallikid,

Please follow this process carefully.
If you don't understand a point or something went wrong, please let me know.

1) Download Windows 10 1903 ISO file (https://tb.rg-adguard.net/dl.php?go=cf6b84d9) and save it on your desktop
2) Right-click on the file and select "Mount". This will mount the image as a virtual disk. Please take note which letter the system assigned it (D, E, etc.)

3) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command but replace the Z letter by the one assigned by windows to your virtual disk :
Code:
DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:Z:\sources\install.wim:1 /LimitAccess
Do not close the command prompt ! It may take a few hours until the command finishes.

4) When the repair is finished, please reboot your system.
5) Please attach those two files (if present) with your next reply :
Code:
C:\Windows\Logs\CBS\CBS.log
C:\Windows\Logs\DISM\Dism.log

How is your computer running now ? Was the 0x800f081f error displayed at the end of the process like last time ?

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 01:37:32 am
completed, didn't show any errors....this time.   restarted.....

I did get the proxy thing again when I first tried to load the forum, however, a simple refresh brought the page up fine.  I'll continue to browse a bit here....

Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 01:39:02 am
Here are the logs
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 02:33:08 am
Hi themetallikid,

It looks way better.
Could you please try to run FRST again ?

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 03:00:48 am
I went back and tried to rerun the program, it kept wanting to update and wouldn't let me run it.  so I deleted it, and clicked the link to reinstall it.

I ran as administrator, I did not get the pop up this time at the beginning.  However...It ran, and I got the same results....

started the scan as admin (right click, run as admin)...let it do its thing, at the end it said that the FRST log was created in the same directory as the .exe (or something similar to what you posted....it then opened a notepad window with an error, and another window that said created addition.txt file in the same directory as FRST.  Only button to click on was ok, which then brought the 'active' window to the 2nd notepad screen, which is blank...with an error that says could not locate the frst.txt file...do I want to create one?  I click yes, and both notepads are blank....
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 03:41:47 am
Hi themetallikid,

It seems the repair was unsuccessful.
I hate to say this, but I'm now out of ideas.

So, I advise you to open a new thread describing the issues you are experiencing with your system in a Windows repair specialized forum. You will find there people more qualified than me in this area of expertise. If you do so, please attach the latest CBS and DISM logfiles, it will help them to better understand the state of your system as it is now.

I'm sorry I wasn't able to help you with this.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 03:45:13 am
man, that sucks....do you have any ideas how/why this could have happened?  I literally use this to pay bills, run sound for my band and run some football pools.

And it's been fine til a few months ago....

With what is 'not' repaired at this point is there a risk of any catastrophic issues?  or is what's not working a minimal thing and for lack of a better word...cosmetic?

I'll follow up on a windows forum, and greatly appreciate your help and expertise in trying to assist me.
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 03:56:22 am
Hi themetallikid,

If you didn't experience issues before, corruption of the system may have happened during the upgrade to Windows Version 1903 (19H1). I have seen multiple computers experiencing unexpected behaviour after such upgrades, so it may be the case here.

No, I don't think you will experience catastrophic issues, only erratic behaviour.
However, please be sure to regularly make backups of your personal files on an external hard drive. I was not able to exactly determine what the issue is, so better be safe than sorry.

Thanks for your kind words.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 04:02:50 am
the upgrade you're talking about is that an automatic one that windows did?
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 04:08:50 am
Hi themetallikid,

Yes, probably : Microsoft is starting to auto-update Windows 10 Home, Pro users on 1803 or older to 1903 (https://www.zdnet.com/article/microsoft-is-starting-to-auto-update-windows-10-home-pro-users-on-1803-or-older-to-1903/).
Older builds of Windows 10 Home Edition did not have the option to pause updates.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 04:13:47 am
hmm....ok, I would imagine somewhere in my cpu there is a log of those updates....any idea where I can see if it was updated around that time?
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 04:31:19 am
Hi themetallikid,

You may have some clues with the windowsupdate.log file : Windows Update log files (https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs).

Please keep in mind that you may have to generate it and that it contains a lot of information.
There should be a KB associated with the upgrade, but since I don't follow the Windows 10 lifecycle closely I don't know which one you should look for.

Regards.
Title: Re: Proxy Virus - need help eliminating
Post by: themetallikid on August 16, 2019, 04:36:20 am
ok....again thank you very much.   I didn't think it came from my behavior, it sounds like MS's behavior more and that I'll need to lean on their recommendations.
Title: Re: Proxy Virus - need help eliminating
Post by: Curson on August 16, 2019, 04:42:34 am
Hi themetallikid,

You are very welcome again.
Best of luck in your endeavors.

Regards.