Please help with suspected malware issue "http://127.0.0.1:8080/proxy.pac"

Discussion in 'Windows 8 Help and Support' started by jwbon, Jan 19, 2016.

  1. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Hi all. I am really hoping someone here can help me with a rather annoying issue I am currently experiencing. For some time now my Windows Explorer has not worked and would simply tell me "this page cannot be displayed". I have tried everything to try and fix this but have not been able to as of yet. In further investigating what could be causing the issue I have spotted a web address saved in LAN settings in Internet Explorer under the title "use automatic configuration script" (address:) http://127.0.0.1:8080/proxy.pac. I have tried deleting the address and changing the settings to automatically detect settings, but the address cannot be removed. I have searched for information on that particular address and it appears that it is caused by malware; however, a scan with Malwarebytes cannot detect it. If anyone can help me out with this, it seriously would be greatly appreciated as I am currently at a loss of what to do.

    Regards
    John
     
  2. Josephur

    Josephur Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Aug 3, 2010
    Messages:
    1,018
    Likes Received:
    125
    John, you might try Hitman Pro as well, see if it finds anything.
     
  3. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,528
    Likes Received:
    312
    The 127.0.0.1 is a loopback address, i.e. a file on your system (not the internet).
    As you have W8 this set of local files should be at
    Code:
    C:\Windows\System32\Drivers\etc
    A hosts entry infection/attack is the most common, and IME the Hitman Pro linked by Josephur above should be able to kill it.
     
  4. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Hi and thanks for the replies. I will try Hitman Pro and I will report back. :)
     
  5. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    I ran a scan and it found one threat, which I cleaned, and I restarted my computer. However, the loopback address is still in Internet Explorer and I cannot access the internet from there.
     
  6. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    Open an elevated PowerShell prompt (press the Windows key, type powershell, right click PowerShell and select Run As Administrator).
    Run the following commands and post the output:
    • Get-Process | FT Name, Path
    • Netstat -anob
     
  7. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    PS C:\Windows\system32> Get-Process | FT Name, Path

    Name Path
    ---- ----
    3D Live Pool C:\Program Files (x86)\Arcade Tribe\Game\3D Live Poo
    arcadetribe C:\Program Files (x86)\Arcade Tribe\arcadetribe.exe
    audiodg
    CAudioFilterAgent64 C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFi
    ClassicStartMenu C:\Program Files\Classic Shell\ClassicStartMenu.exe
    conhost C:\Windows\system32\conhost.exe
    conhost C:\Windows\system32\conhost.exe
    csrss
    csrss
    CxAudMsg64 C:\Windows\system32\CxAudMsg64.exe
    dasHost C:\Windows\system32\dashost.exe
    dwm C:\Windows\system32\dwm.exe
    Energy Management C:\Program Files (x86)\Lenovo\Energy Management\Ener
    ETDCtrl C:\Program Files\Elantech\ETDCtrl.exe
    ETDCtrlHelper C:\Program Files\Elantech\ETDCtrlHelper.exe
    ETDIntelligent C:\Program Files\Elantech\ETDIntelligent.exe
    ETDService C:\Program Files\Elantech\ETDService.exe
    explorer C:\Windows\Explorer.EXE
    firefox C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    fmapp C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
    GWX C:\Windows\system32\GWX\GWX.exe
    HeciServer C:\Program Files\Intel\TXE Components\TCS\HeciServer
    Idle
    igfxCUIService C:\Windows\system32\igfxCUIService.exe
    igfxEM C:\Windows\system32\igfxEM.exe
    igfxHK C:\Windows\system32\igfxHK.exe
    lsass C:\Windows\system32\lsass.exe
    MsMpEng
    NisSrv
    powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershel
    PresentationFontCache C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\Presen
    PWRISOVM C:\Program Files\PowerISO\PWRISOVM.EXE
    Rainmeter C:\Program Files\Rainmeter\Rainmeter.exe
    RuntimeBroker C:\Windows\System32\RuntimeBroker.exe
    SASrv C:\Windows\SysWOW64\SAsrv.exe
    SearchIndexer C:\Windows\system32\SearchIndexer.exe
    services
    SkyDrive C:\Windows\System32\skydrive.exe
    smss
    spoolsv C:\Windows\System32\spoolsv.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\System32\svchost.exe
    svchost C:\Windows\System32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\System32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    svchost C:\Windows\system32\svchost.exe
    System
    taskhostex C:\Windows\system32\taskhostex.exe
    TeamViewer_Service C:\Program Files (x86)\TeamViewer\TeamViewer_Service
    utility C:\Program Files (x86)\Lenovo\Energy Management\util
    VfConnectorService C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConn
    Viber C:\Users\Johnny\AppData\Local\Viber\Viber.exe
    wcmmon C:\Program Files (x86)\WebcamMax\wcmmon.exe
    wininit C:\Windows\system32\wininit.exe
    winlogon C:\Windows\system32\winlogon.exe
    wlanext C:\Windows\system32\WLANExt.exe
    wuauclt C:\Windows\system32\wuauclt.exe
    WUDFHost C:\Windows\System32\WUDFHost.exe


    PS C:\Windows\system32> Netstat -anob

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 804
    RpcSs
    [svchost.exe]
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    Can not obtain ownership information
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 604
    [wininit.exe]
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 916
    EventLog
    [svchost.exe]
    TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 968
    Schedule
    [svchost.exe]
    TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 1372
    [spoolsv.exe]
    TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING 708
    [lsass.exe]
    TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING 700
    Can not obtain ownership information
    TCP 127.0.0.1:1245 127.0.0.1:1246 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1246 127.0.0.1:1245 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1247 127.0.0.1:1248 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1248 127.0.0.1:1247 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1249 127.0.0.1:1250 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1250 127.0.0.1:1249 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1251 127.0.0.1:1252 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1252 127.0.0.1:1251 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1253 127.0.0.1:1254 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1254 127.0.0.1:1253 ESTABLISHED 4388
    [Viber.exe]
    TCP 127.0.0.1:1994 127.0.0.1:1995 ESTABLISHED 4436
    [firefox.exe]
    TCP 127.0.0.1:1995 127.0.0.1:1994 ESTABLISHED 4436
    [firefox.exe]
    TCP 127.0.0.1:5939 0.0.0.0:0 LISTENING 1956
    [TeamViewer_Service.exe]
    TCP 127.0.0.1:30666 0.0.0.0:0 LISTENING 4388
    [Viber.exe]
    TCP 127.0.0.1:45112 0.0.0.0:0 LISTENING 4388
    [Viber.exe]
    TCP 192.168.0.12:139 0.0.0.0:0 LISTENING 4
    Can not obtain ownership information
    TCP 192.168.0.12:1037 157.56.124.150:443 ESTABLISHED 2400
    [Explorer.EXE]
    TCP 192.168.0.12:1992 52.0.253.148:443 ESTABLISHED 4388
    [Viber.exe]
    TCP 192.168.0.12:2019 52.34.46.156:443 ESTABLISHED 4436
    [firefox.exe]
    TCP 192.168.0.12:2419 74.125.24.189:443 ESTABLISHED 4436
    [firefox.exe]
    TCP [::]:135 [::]:0 LISTENING 804
    RpcSs
    [svchost.exe]
    TCP [::]:445 [::]:0 LISTENING 4
    Can not obtain ownership information
    TCP [::]:1025 [::]:0 LISTENING 604
    [wininit.exe]
    TCP [::]:1026 [::]:0 LISTENING 916
    EventLog
    [svchost.exe]
    TCP [::]:1027 [::]:0 LISTENING 968
    Schedule
    [svchost.exe]
    TCP [::]:1028 [::]:0 LISTENING 1372
    [spoolsv.exe]
    TCP [::]:1029 [::]:0 LISTENING 708
    [lsass.exe]
    TCP [::]:1031 [::]:0 LISTENING 700
    Can not obtain ownership information
    UDP 0.0.0.0:500 *:* 968
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:4500 *:* 968
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:5355 *:* 1080
    Dnscache
    [svchost.exe]
    UDP 0.0.0.0:49223 *:* 2516
    [arcadetribe.exe]
    UDP 0.0.0.0:52626 *:* 2516
    [arcadetribe.exe]
    UDP 0.0.0.0:52627 *:* 2516
    [arcadetribe.exe]
    UDP 0.0.0.0:60098 *:* 1956
    [TeamViewer_Service.exe]
    UDP 127.0.0.1:1900 *:* 2268
    SSDPSRV
    [svchost.exe]
    UDP 127.0.0.1:53124 *:* 2268
    SSDPSRV
    [svchost.exe]
    UDP 192.168.0.12:137 *:* 4
    Can not obtain ownership information
    UDP 192.168.0.12:138 *:* 4
    Can not obtain ownership information
    UDP 192.168.0.12:1900 *:* 2268
    SSDPSRV
    [svchost.exe]
    UDP 192.168.0.12:5353 *:* 1956
    [TeamViewer_Service.exe]
    UDP [::]:500 *:* 968
    IKEEXT
    [svchost.exe]
    UDP [::]:4500 *:* 968
    IKEEXT
    [svchost.exe]
    UDP [::]:5355 *:* 1080
    Dnscache
    [svchost.exe]
    UDP [::]:60099 *:* 1956
    [TeamViewer_Service.exe]
    UDP [::1]:1900 *:* 2268
    SSDPSRV
    [svchost.exe]
    UDP [::1]:5353 *:* 1956
    [TeamViewer_Service.exe]
    UDP [::1]:53123 *:* 2268
    SSDPSRV
    [svchost.exe]
    UDP [fe80::32:30a2:a69a:d158%4]:546 *:* 916
    Dhcp
    [svchost.exe]
    UDP [fe80::31bb:c3c5:6a7d:5fba%5]:546 *:* 916
    Dhcp
    [svchost.exe]
    UDP [fe80::31bb:c3c5:6a7d:5fba%5]:1900 *:* 2268
    SSDPSRV
    [svchost.exe]
    PS C:\Windows\system32>
     
  8. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    If you're unable to uncheck "Use automatic configuration script" I would suggest resetting Internet Explorer. Under the Internet Properties window click on the Advanced tab and click Reset...
     
  9. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Hi ya. Yep, I did that yesterday but it didn't help.
     
  10. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    But did you do it after removing the infection? It could have simply re-written the data. Also, is this a Pro or Enterprise version of Windows?
     
  11. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Before. I did it there but still the same result. No access to the internet and the address is still in the same place. This operating system is the Pro version.
     
  12. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    You may want to look in gpedit.msc and see if you have any settings enabled, and set them to Not configured:
    • Press Windows key + R
    • Type gpedit.msc
    • Expand Computer Settings and User Settings (Administrative Templates in each), click on All Settings and sort by State
     
  13. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Everything was set to "not configured".
     
  14. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    Can you create a new user and see if the same settings are enabled with that user? This will help narrow down whether it's a user or computer wide setting.
     
  15. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    Hmm, I'm wondering if this is the same issue. It could be possible that whatever infection you removed had a registered DLL; this sounds like the same problem you are having. https://support.microsoft.com/en-us/kb/315054 If you can get the name of the infection, possibly from Hitman Pro or a log, then maybe we can figure out if it has a DLL and unregister it.
     
  16. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    I tried the new user suggestion and everything was set to "not configured". When looking through the Hitman log, this is what came up:
    Malware remnants ____________________________________________________________

    HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}\ (Jotzey) -> Deleted
     
  17. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
  18. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    here is a screenshot of the results
     


  19. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,378
    Likes Received:
    360
    Hmm, those all appear to be normal. Look in the registry for FeatureControl and see if you have a key called FEATURE_AUTOCONFIG_BRANDING and if it contains iexplore.exe
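    The checks suggested in posts 6 and 19 (process and listener inventory, then the registry locations that pin an automatic configuration script) can be run in one pass. The script below is an added example, not code from the thread or its participants; it assumes the standard WinINet and IE policy registry paths, treats the FEATURE_AUTOCONFIG_BRANDING key only as the name given in post 19 (its presence under FeatureControl is an assumption), and is read-only.

```powershell
# Added example: report every location where an IE/WinINet auto-config (PAC)
# URL can be set, any policy values that lock the LAN settings dialog, and
# whether anything is actually listening on the port the PAC URL points at.
# Run from an elevated PowerShell prompt. Reports only; changes nothing.

$settingsPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-AutoConfigUrls {
    foreach ($p in $settingsPaths) {
        if (-not (Test-Path $p)) { continue }
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v.AutoConfigURL) {
            [pscustomobject]@{ Location = $p; AutoConfigURL = $v.AutoConfigURL }
        }
    }
}

# Policy values that grey out the connection dialog (the "cannot uncheck" symptom).
function Get-IeControlPanelLocks {
    foreach ($hive in 'HKCU', 'HKLM') {
        $p = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel"
        if (Test-Path $p) {
            Get-ItemProperty -Path $p |
                Select-Object -Property Proxy, Autoconfig, 'Connection Settings' |
                Add-Member -NotePropertyName Location -NotePropertyValue $p -PassThru
        }
    }
}

# FeatureControl key named in the thread (assumed location; absent on a clean box is fine).
foreach ($hive in 'HKCU', 'HKLM') {
    $fc = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOCONFIG_BRANDING"
    if (Test-Path $fc) { Write-Output "FeatureControl entry found at $fc"; Get-ItemProperty -Path $fc }
}

# Is anything serving the PAC? Map the URL's port to a listener and its owning process.
function Test-PacListener([string]$Url) {
    $u = [uri]$Url
    $conn = Get-NetTCPConnection -LocalPort $u.Port -State Listen -ErrorAction SilentlyContinue
    if (-not $conn) { return "Nothing is listening on port $($u.Port): the PAC URL is dead, so every request fails." }
    foreach ($c in $conn) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        "Port $($c.LocalPort) is owned by PID $($c.OwningProcess) ($($proc.Path))"
    }
}

Get-AutoConfigUrls | Format-Table -AutoSize
Get-IeControlPanelLocks | Format-List
Get-AutoConfigUrls | ForEach-Object { Test-PacListener $_.AutoConfigURL }
```

A clean report here does not fully rule the setting out: the same URL is also serialised into the binary DefaultConnectionSettings value under the Connections subkey of each Internet Settings path, which this script does not decode.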
     
  20. jwbon

    jwbon New Member

    Joined:
    Jan 19, 2016
    Messages:
    17
    Likes Received:
    0
    Which part of the registry would I look in?
     
