Please help with suspected malware issue "http://127.0.0.1:8080/proxy.pac"

#1
Hi all. I am really hoping someone here can help me with a rather annoying issue i am currently experiencing. For some time now my windows explorer has not worked and would simple tell me "this page cannot be displayed". I have tried everything to try and fix this but have not been able to as of yet. In further investigating what could be causing the issue i have spotted a web address saved in LAN settings in internet explorer under the title "use automatic configuration script" (address:) http://127.0.0.1:8080/proxy.pac. I have tried to delete the address and changing the settings to automatically detect settings but the address can not be removed. I have searched for information on that particular address and it appears that it cause by malware however, a scan of malwarebytes cannot detect it. If anyone can help me out with this, it seriously would be greatly appreciated as i am currently as a loss of what to do.

Regards
John
 


Josephur

Windows Forum Admin
Staff member
Premium Supporter
#2
John, you might try Hitman Pro as well, see if it finds anything.
 


ussnorway

Windows Forum Team
Staff member
Premium Supporter
#3
The 127.0.0.1 is a loopback address i.e, a file on your system (not the internet)
as you have w8 this set of local files should be at
Code:
C:\Windows\System32\Drivers\etc
a host entry infection/ attack is the most common and ime the hitman pro linked by Josephur above should be able kill it.
 


#4
Hi and thanks for the replies. I will try hitman pro and i will report back. :)
 


#5
I ran a scan and it found one threat which i cleaned and i restarted my computer. However, the loopback address is still in internet explorer and i cannot access the internet from there.
 


Neemobeer

Windows Forum Team
Staff member
#6
Open an elevated powershell prompt (Press Windows Key, type powershell, right click powershell and select Run As Administrator)
Run the following commands and post the output
  • Get-Process | FT Name, Path
  • Netstat -anob
 


#7
PS C:\Windows\system32> Get-Process | FT Name, Path

Name Path
---- ----
3D Live Pool C:\Program Files (x86)\Arcade Tribe\Game\3D Live Poo
arcadetribe C:\Program Files (x86)\Arcade Tribe\arcadetribe.exe
audiodg
CAudioFilterAgent64 C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFi
ClassicStartMenu C:\Program Files\Classic Shell\ClassicStartMenu.exe
conhost C:\Windows\system32\conhost.exe
conhost C:\Windows\system32\conhost.exe
csrss
csrss
CxAudMsg64 C:\Windows\system32\CxAudMsg64.exe
dasHost C:\Windows\system32\dashost.exe
dwm C:\Windows\system32\dwm.exe
Energy Management C:\Program Files (x86)\Lenovo\Energy Management\Ener
ETDCtrl C:\Program Files\Elantech\ETDCtrl.exe
ETDCtrlHelper C:\Program Files\Elantech\ETDCtrlHelper.exe
ETDIntelligent C:\Program Files\Elantech\ETDIntelligent.exe
ETDService C:\Program Files\Elantech\ETDService.exe
explorer C:\Windows\Explorer.EXE
firefox C:\Program Files (x86)\Mozilla Firefox\firefox.exe
fmapp C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
GWX C:\Windows\system32\GWX\GWX.exe
HeciServer C:\Program Files\Intel\TXE Components\TCS\HeciServer
Idle
igfxCUIService C:\Windows\system32\igfxCUIService.exe
igfxEM C:\Windows\system32\igfxEM.exe
igfxHK C:\Windows\system32\igfxHK.exe
lsass C:\Windows\system32\lsass.exe
MsMpEng
NisSrv
powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershel
PresentationFontCache C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\Presen
PWRISOVM C:\Program Files\PowerISO\PWRISOVM.EXE
Rainmeter C:\Program Files\Rainmeter\Rainmeter.exe
RuntimeBroker C:\Windows\System32\RuntimeBroker.exe
SASrv C:\Windows\SysWOW64\SAsrv.exe
SearchIndexer C:\Windows\system32\SearchIndexer.exe
services
SkyDrive C:\Windows\System32\skydrive.exe
smss
spoolsv C:\Windows\System32\spoolsv.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\System32\svchost.exe
svchost C:\Windows\System32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\System32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
svchost C:\Windows\system32\svchost.exe
System
taskhostex C:\Windows\system32\taskhostex.exe
TeamViewer_Service C:\Program Files (x86)\TeamViewer\TeamViewer_Service
utility C:\Program Files (x86)\Lenovo\Energy Management\util
VfConnectorService C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConn
Viber C:\Users\Johnny\AppData\Local\Viber\Viber.exe
wcmmon C:\Program Files (x86)\WebcamMax\wcmmon.exe
wininit C:\Windows\system32\wininit.exe
winlogon C:\Windows\system32\winlogon.exe
wlanext C:\Windows\system32\WLANExt.exe
wuauclt C:\Windows\system32\wuauclt.exe
WUDFHost C:\Windows\System32\WUDFHost.exe


PS C:\Windows\system32> Netstat -anob

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 804
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 604
[wininit.exe]
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 916
EventLog
[svchost.exe]
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 968
Schedule
[svchost.exe]
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 1372
[spoolsv.exe]
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING 708
[lsass.exe]
TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING 700
Can not obtain ownership information
TCP 127.0.0.1:1245 127.0.0.1:1246 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1246 127.0.0.1:1245 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1247 127.0.0.1:1248 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1248 127.0.0.1:1247 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1249 127.0.0.1:1250 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1250 127.0.0.1:1249 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1251 127.0.0.1:1252 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1252 127.0.0.1:1251 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1253 127.0.0.1:1254 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1254 127.0.0.1:1253 ESTABLISHED 4388
[Viber.exe]
TCP 127.0.0.1:1994 127.0.0.1:1995 ESTABLISHED 4436
[firefox.exe]
TCP 127.0.0.1:1995 127.0.0.1:1994 ESTABLISHED 4436
[firefox.exe]
TCP 127.0.0.1:5939 0.0.0.0:0 LISTENING 1956
[TeamViewer_Service.exe]
TCP 127.0.0.1:30666 0.0.0.0:0 LISTENING 4388
[Viber.exe]
TCP 127.0.0.1:45112 0.0.0.0:0 LISTENING 4388
[Viber.exe]
TCP 192.168.0.12:139 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 192.168.0.12:1037 157.56.124.150:443 ESTABLISHED 2400
[Explorer.EXE]
TCP 192.168.0.12:1992 52.0.253.148:443 ESTABLISHED 4388
[Viber.exe]
TCP 192.168.0.12:2019 52.34.46.156:443 ESTABLISHED 4436
[firefox.exe]
TCP 192.168.0.12:2419 74.125.24.189:443 ESTABLISHED 4436
[firefox.exe]
TCP [::]:135 [::]:0 LISTENING 804
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:1025 [::]:0 LISTENING 604
[wininit.exe]
TCP [::]:1026 [::]:0 LISTENING 916
EventLog
[svchost.exe]
TCP [::]:1027 [::]:0 LISTENING 968
Schedule
[svchost.exe]
TCP [::]:1028 [::]:0 LISTENING 1372
[spoolsv.exe]
TCP [::]:1029 [::]:0 LISTENING 708
[lsass.exe]
TCP [::]:1031 [::]:0 LISTENING 700
Can not obtain ownership information
UDP 0.0.0.0:500 *:* 968
IKEEXT
[svchost.exe]
UDP 0.0.0.0:4500 *:* 968
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:* 1080
Dnscache
[svchost.exe]
UDP 0.0.0.0:49223 *:* 2516
[arcadetribe.exe]
UDP 0.0.0.0:52626 *:* 2516
[arcadetribe.exe]
UDP 0.0.0.0:52627 *:* 2516
[arcadetribe.exe]
UDP 0.0.0.0:60098 *:* 1956
[TeamViewer_Service.exe]
UDP 127.0.0.1:1900 *:* 2268
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:53124 *:* 2268
SSDPSRV
[svchost.exe]
UDP 192.168.0.12:137 *:* 4
Can not obtain ownership information
UDP 192.168.0.12:138 *:* 4
Can not obtain ownership information
UDP 192.168.0.12:1900 *:* 2268
SSDPSRV
[svchost.exe]
UDP 192.168.0.12:5353 *:* 1956
[TeamViewer_Service.exe]
UDP [::]:500 *:* 968
IKEEXT
[svchost.exe]
UDP [::]:4500 *:* 968
IKEEXT
[svchost.exe]
UDP [::]:5355 *:* 1080
Dnscache
[svchost.exe]
UDP [::]:60099 *:* 1956
[TeamViewer_Service.exe]
UDP [::1]:1900 *:* 2268
SSDPSRV
[svchost.exe]
UDP [::1]:5353 *:* 1956
[TeamViewer_Service.exe]
UDP [::1]:53123 *:* 2268
SSDPSRV
[svchost.exe]
UDP [fe80::32:30a2:a69a:d158%4]:546 *:* 916
Dhcp
[svchost.exe]
UDP [fe80::31bb:c3c5:6a7d:5fba%5]:546 *:* 916
Dhcp
[svchost.exe]
UDP [fe80::31bb:c3c5:6a7d:5fba%5]:1900 *:* 2268
SSDPSRV
[svchost.exe]
PS C:\Windows\system32>
 


Neemobeer

Windows Forum Team
Staff member
#8
If you're unable to uncheck "Use automatic configuration script" I would suggest resetting Internet Explorer. Under the Internet Properties window click on the Advanced tab and click Reset...
 


#9
Hi ya. yep, i done that yesterday but it did nt help.
 


Neemobeer

Windows Forum Team
Staff member
#10
But did you do it after removing the infection it could have simply re-written the data, also is this a Pro or Enterprise version of Windows?
 


#11
Before. I done it there but still same result. No access to internet and the address is still in same place. This operating system is pro version.
 


Neemobeer

Windows Forum Team
Staff member
#12
You may want to look in gpedit.msc and see if you have any settings enabled and set them to Not configured
  • Press Windows key + r
  • Type gpedit.msc
  • Expand Computer Settings and User Settings (Administrative Temples in each) click on All Settings and sort by State
 


#13
everything was set to "not configured".
 


Neemobeer

Windows Forum Team
Staff member
#14
Can you create a new user and see if the same settings are enabled with that user? This will help narrow down whether it's a user or computer wide setting.
 


Neemobeer

Windows Forum Team
Staff member
#15
Hmm I'm wondering if this is the same issue. Could be possible that whatever the infection you removed had a registered dll, this sounds like the same problem you are having. https://support.microsoft.com/en-us/kb/315054 If you can get the name of the infection possibly from Hit Man Pro or a log then maybe we can figure out if it has a DLL and unregister it.
 


#16
I tried the new user suggestion and everything was set to "not configured". When looking through hitman log, this is what came up
Malware remnants ____________________________________________________________

HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}\ (Jotzey) -> Deleted
 


Neemobeer

Windows Forum Team
Staff member
#19
Hmm, those all appear to be normal. Look in the registry for FeatureControl and see if you have a key called FEATURE_AUTOCONFIG_BRANDING and if it contains iexplore.exe
 


#20
which part of the registry would i look in ?
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.