Proxy Virus - need help eliminating

[themetallikid]

Ok...so I've paid for the minimal version of Rogue killer as I couldnt exterminate it otherwise...still no help.  Downloaded Adaware and Malwarebytes and Ucheck...and no luck.  Adaware and Malwarebytes do not detect anything.  RK detects 3 things, it cleans them then they return. 

I've tried going into the registry to deactivate the Proxy (change 1 to 0) and also deleting the one entry and disabling things that look not 'right' to me based upon online research...but still no luck after a reboot....IT RETURNS!!!   I've tried doing the cmd prompt to see what is listening on 8080, and I get an error when doing that (I'm not really trained so Im assuming its something that I'm doing wrong....maybe?)

Anyway, I reran the scan in RK, here is the log from that.  I'd really like to get this cleaned up as its not causing 'harm' necessarily, but it is a pain in the ass cause its affecting my internet connections and speed.  I started noticing it when I switched internet carriers, though not sure how/why that would be linked....

RogueKiller Anti-Malware V13.4.2.0 (x64) [Aug  9 2019] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18362) 64 bits
Started in : Normal mode
User : theme [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190812_111803, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/08/12 23:07:49 (Duration : 01:30:45)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> R5 - Proxy
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-965646632-1427897047-1661301400-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyEnable -- 1 -> Found
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-965646632-1427897047-1661301400-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer -- http=localhost:64550;https=localhost:64550 -> Found
  [PUM.Proxy (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies| -- 1http=localhost:64550;https=localhost:64550 -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

[Curson]

Hi themetallikid,

Welcome to Adlice.com Forum.
This proxy is not necessary malicious. We need to check this manually.

Please follow the following process :
1) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"

Do not close the command prompt !

2) A new file named netstat.txt should has been created on your desktop. Please attach it with your next reply.

Regards.

[themetallikid]

ok, stopped home on lunch....

this is what I copied and the result:

C:\Users\theme>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

[Curson]

Hi themetallikid,

Could you please chech you executed the command line prompt as Administator ?
How to Run Command Prompt as an Administrator.

Regards.

[themetallikid]

took me a minute to find how to do that...I'm not completely illiterate, but win 10 moves some functions and never had to do that yet.  I did open it as administrator and noticed the beginning of the prompt had changed, lol.....I found the cmd program in the start menu, right clicked>more>run as administrator

however, I get the same result:

C:\WINDOWS\system32>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>netstat -abn > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

The first was my highlighting/copying/pasting, the 2nd was using that little link that copies directly. 

[Curson]

Hi themetallikid,

Let's try another way.
Please follow the following process :

1) Download TCPView (CLI version) and save it to your desktop.
2) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"

Do not close the command prompt !

2) A new file named netstat.txt should has been created on your desktop. Please attach it with your next reply.

Regards.

[themetallikid]

I clicked your link, a program downloaded/installed/ran....to my untrained eyes, it looked like it was scanning ports/processes??  no?

after it finished, I closed/opened (as admin) cmd.exe....again copied/pasted the command you gave using both methods (select link and copy/paste with mouse)...

here is what I get....I dont see a file on the desktop like you suggest....

Microsoft Windows [Version 10.0.18362.267]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>"%USERPROFILE%\Desktop\tcpvcon.exe" -a > "%USERPROFILE%\Desktop\netstat.txt"
The system cannot find the file specified.

C:\WINDOWS\system32>

[Curson]

Hi themetallikid,

There seems to be something wrong with your system.
Could you please copy/paste the following command in the admin command prompt ?

Code: [Select]

echo %SYSTEMDRIVE% %SYSTEMROOT% %USERPROFILE% > C:\varpath.txt
This time a file named varpath.txt should have been created at the root of your system drive (C:\).
Please attach it with your next reply.

Yes, TCPView is able to list opened ports / established connections on the local machine. It should help us understand which process is listening on the proxy port detected by RogueKiller.

Regards.

[themetallikid]

yes, this worked.  YAY!!  lol.....

just in case it didnt attach right, here is what is listed



C: C:\WINDOWS C:\Users\theme

[Curson]

Hi themetallikid,

This is quite strange.
Could you please copy/paste the following command in the admin command prompt and check if a netstat.txt file is now located on your C:\ drive as well ?

Code: [Select]

netstat -abn > C:\netstat.txt
If that's the case, please attach it with your next reply.

Regards.

[themetallikid]

Yes, that worked....attached

[Curson]

Hi themetallikid,

The proxy set on port 64550 is only establishing connections with local processes on your system and all these processes are safe. This is probably a proxy used by your antivirus engine to analyse system behaviour. In my opinion, you can be at ease and don't worry about it.

What is really strange is why the command lines using environment variables are failling on your system. It's the first time I observed such behaviour, but I advise you to not worry about it either, if your system is globally running fine.

Regards.

[themetallikid]

well the behavior that is triggering my searching and interest is that for the past month or 2 at most internet pages have been loading very poorly.  its not a speed thing cause I can stream other devices fine, I can game/download updates with xbox fine, its only on my laptop.

Here is a few scenarios I've noticed:

1) check my gmail so I can get my nfl pools up and running this year...type in gmail.com.  Previously it would be up and running in maybe 1-2 seconds...now, my browser tab spins for anywhere from 5-10 seconds.  Then one of 2 things happens (really 3 things), a) the page loads fine, b) the page displays an error that says "<insert website name here> failed to send any data".  Now...the tab is still spinning when that pops up so the b1)error is that it will stop there and nothing happens, b2) error pops up, tab is still spinning and ultimately (another 5-10 seconds it will load the page fine).  I've noticed this with random web pages at random times.  I just tried the gmail.com website and it loaded fine within about 3-4 seconds (acceptable).  But...while waiting for responses on this thread (playing Madden on xbox) I was shopping for my wife's birthday this weekend and had a hell of a time loading search results on google for an item I'm looking for.  I found an item, looked like it was via amazon.com and clicked on the item description, picture, item title....all of them seemed to want to link to Amazon's website...but all failed to load the page and ultimately stopped running. 

2) While surfing my guitar/gear forums...among the issues in number one intermittently happening...when I CAN load a thread....and someone has posted a youtube video or similar...those will show up as the same error as number one...only way to load it (its like a game of roulette) is to refresh the page...which then might not even refresh resorting back to issue 1.  This was particularly frustrating last night as I was trying to purchase something from the website https://www.3sigmaaudio.com/electric-impulses/  As you can see on that site (if you dont want to go its fine....there are several windows where you can 'add to cart' that also included a short audio sample which I had a hell of a time getting to work right...but even then when I was convinced I wanted to purchase some of the files...i spent 30 minutes trying to get the 'add to cart' links to work right.  I eventually got 3 of the 4, but could not get the last one to load/add correctly.

3) while using my credit union's online banking, again the web page has the issues in #1...the place where I enter id/password will pop up with the same issue as number 2, and if left alone for a minute will eventually load...or need to be refreshed...resorting back to the issues in number 1.

This is all new behavior since I switched internet companies...again, no idea why that matters when i'm connected to the same router/modem as other devices and nothing on my laptop was touched during installation.  Its not normal for this machine either as I've had it around a year-ish...

I'm open to any ideas....that could be causing it cause its very time consuming and frustrating.  I unfortunately did not have the 'restore' function turned on prior to the issues happening so a simple system restore isnt an option...if that would even be an possible solution.

[Curson]

Hi themetallikid,

Just to make sure, we will be doing a full system investigation.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here using the "Attachments and other options > Attach" feature.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
  

Regards.

[themetallikid]

Ok, so I downloaded it....reference issues from #1 of my previous post, lol...but i got it.

started the scan as admin (right click, run as admin)...let it do its thing, at the end it said that the FRST log was created in the same directory as the .exe (or something similar to what you posted....it then opened a notepad window with an error, and another window that said created addition.txt file in the same directory as FRST.  Only button to click on was ok, which then brought the 'active' window to the 2nd notepad screen, which is blank...with an error that says could not locate the frst.txt file...do I want to create one?  I click yes, and both notepads are blank....

I reran the scan again, and got the same issue..  when I have the C:\Users\theme\Desktop window open, I can see the initial FRST program link there....but nothing else after that when sorted by time/date modified.