Question Win10 Manual Proxy 127.0.0.1:8888

Status
Not open for further replies.

Crimsom_247

A variation on the Manual Proxy Hack has arrived and infected Win10 Edge’s Manual Proxy Settings. This is an unwanted nuisance for anyone working away from their office and using their smart device to surf the internet.

The malicious Win10 Manual Proxy Settings (https://ibb.co/F8xFK42) are:-
  • Use a proxy server (__ON),
  • Address [http=127.0.0.1:8888;https=127.0.0.1:8888],
  • Port [____] i.e. empty, and
  • Except for addresses [<-loopback>].
This Manual Proxy Hack and/or Virus attempts to block internet access to both http and https web addresses, together with overloading the laptop by putting the Manual Proxy in a never-ending internal loopback.

Laptop Operating System is Windows 10 Home (x64) Version 1909 (build 18363.592), Browser is Microsoft Edge 44.18362.449.0, Virus Protection is Windows Defender and Malware Real-Time Protection is Malwarebytes Anti-Malware and Zemana AntiMalware. Have also used standalone antimalware applications and these did not find any problems to correct.

This is a hack (not a regular virus or malware) and thereby evades detection by Virus and Malware Protection applications.

The 127.0.0.1 Hack and/or Virus is not new, but the 8888 variation is new. Have used the 127.0.0.1 information from the internet to edit and remove Registry entries from HKEY_USERS and HKEY_LOCAL_MACHINE. However, the Manual Proxy Hack is persistently reapplied to just the limited user account being used to surf the internet.

Have searched for the root source of this hack’s reapplied settings, installed by proxy strings in SocketsHttpHandler, etc. but this is not in my comfort zone, so do not know what Registry entries to look for.

Has anyone discovered how to remove the root source of this hack?

Thank you in anticipation. Kind regards.
 
May not be a virus or "hack" at all.

This:

"However, the Manual Proxy Hack is persistently reapplied to just the limited user account being used to surf the internet."

If the "hack" is persistently applied to just one limited user account then you will need help from whomever has full admin rights to the laptop.


That said:

First, stay out of the Registry. Registry editing is a last resort and should be used only if the intended edit is a well known and well-documented solution. Rare for most problems. All too easy to make a mistake and make things worse.

Second, open the Hosts file - if you have the rights to do so. Make a backup copy before doing anything.

Reference:

https://www.lifewire.com/how-to-edit-the-hosts-file-153661

As always, be sure that all important data is backed up and verified both recoverable and readable.

Any related entries in the hosts file?

If so, what do you see?
 
Hello @Ralston18 thank you for your message #2.

You raise a number of points and we will try to fully address these in the same order as documented in your message:-
(1) Something installed Registry entries and it may not be active; however, the hack remains active.
(2) We have full admin rights to this laptop. We do not use our admin account to surf the internet. We do not want the internet to infect our admin account, so we use a limited user account to surf the internet.
(3) Staying out of the Registry is good advice for people who do not have the appropriate skill set. Although we have the appropriate skill set, we know when to seek advice, as demonstrated in this thread. We like the Zemana Antimalware application because it creates a Registry restore point before the scan starts.
(4) The 127.0.0.1 Hack and/or Virus is not new, but the 8888 variation is new. Many of the well known earlier 127.0.0.1 Hack Registry entries were discoverable to edit and remove. The Manual Proxy Hack is persistently reapplied when the browser is used to surf the internet. When the hack kicks in, internet speed is suddenly very slow and the laptop's CPU is very busy doing nothing in particular.
(5) We have the skill set to create a hosts.txt copy from the original hosts file. Comparison with our most recent hosts backup file says that nothing has changed since our last visit. Access to the hosts file is shared by all users. As the hack is unique to only one user, we did not expect to see any changes to the hosts file. The hosts file has not been hacked.

We would prefer to remove the root source of this hack rather than having to keep deleting the browser's Manual Proxy Settings.
 
Now we are getting somewhere: this infection can be detected by RogueKiller Anti-Malware.

Evidently this infection is a PUM.Proxy, a 'Potentially Unwanted Modification' by a malware Registry entry to maliciously change the manual 'Proxy' settings. More specifically, our PUM.Proxy infection was only found in the Registry entry of the limited user account that is used to surf the internet. (This was determined by first undertaking a scan in the admin user account, which did not detect this PUM.Proxy, followed by a second scan in the limited user account, which detected and removed this PUM.Proxy.)

Detection of the PUM.Proxy did not include association with the Registry entry to impose the <-loopback> value, so this was manually deleted.

Did the anti-malware scan also detect and remove the root source of the persistently reapplied PUM.Proxy? There were three more Registry entries, two characterised as having a suspicious path and one characterised as a PUP.DriverAgent.

We will have to wait and see if the PUM.Proxy is reapplied.


18 April 2020 Update. The PUM.Proxy has been reapplied. RogueKiller Anti-Malware confirms that this is the only infection and removed a single Registry entry. So we are still mystified about the root cause of how this PUM.Proxy is reapplied.
 
RogueKiller Anti-Malware's real time protection is active, but it does not prevent the PUM.Proxy being applied or prevent changes to the Registry. Putting the CPU into an overdrive loop is trying to destroy the Laptop!

The original question "Has anyone discovered how to remove the root source of this hack?" remains unanswered.

Is there an application that can monitor the Registry and reveal what is imposing the following Registry entries?
HKEY_USERS
    …..ProxyOverride & ProxyServer = https://ibb.co/tz3XqXH
HKEY_LOCAL_MACHINE
    …..ProxyBypass & StaticProxy (1) = https://ibb.co/N9wWVQN
    …..ProxyBypass & StaticProxy (2) = https://ibb.co/Mc8mBsH
 
Continue to look for a Win10 advanced Registry monitoring tool complete with alert notification of unwanted modification of Registry entries. Message #5 lists the known unwanted changes, but the root source continues to be elusive.

An internet search found a recommendation for Windows Sysinternals' Process Monitor. Process Monitor claims to show real-time file system, Registry and process/thread activity. However, there are no deployment instructions, and the webpage defaults to saying: "the best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system".

Can anyone tell me how to switch on the real-time alert notification? Kind regards.
 
Have you tried Sysinternals Process Explorer?

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

As for monitoring/auditing the Registry consider Powershell.

References:

https://4sysops.com/archives/audit-changes-in-the-windows-registry/

https://www.reddit.com/r/PowerShell/comments/78ozdz/monitoring_registry_key/


https://www.solarwinds.com/topics/registry-monitoring
You can find other such links by googling "powershell monitor registry changes" or similar words and phrases as you deem appropriate.

Full disclosure: I have been exploring Powershell but have not applied any scripts to the Registry.

However, Powershell may prove directly useful or otherwise customizable to meet some specific need.

E.g., flagging an entry change.
 
Hello @Ralston18, thank you for your message #7.

Windows Sysinternals' RootkitRevealer looks to be a more relevant security utility. Unwanted changes in Registry hive formats (entries and data) have been detected using manual search, see message #5. RogueKiller Anti-Malware revealed this unwanted nuisance to be a PUM.Proxy. This investigation is making some headway. However, the malware root source has not been found.

This is an interesting security problem and we continue to look for an application that can instantly detect these unwanted Registry changes and provide an alert notification in real-time.
 
With the help of a Systems Engineer we figured out what was causing this. It was due to me running Telerik Fiddler, which hijacks the proxy settings, and the computer restarting overnight.
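A worked example of the PowerShell monitoring suggested in message #7, and of the check that would have pointed at the root source reported in the final post (a local process listening on the proxy port). This is an added example, not code from the thread or from any of the tools named in it. It assumes Windows 10 with Windows PowerShell 5.1, run from the affected limited user account; the key path and value names (ProxyEnable, ProxyServer, ProxyOverride under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) are the WinINet values that the Edge/IE manual proxy page writes. The port-to-process lookup via Get-NetTCPConnection, the WMI RegistryValueChangeEvent subscription and the log file location are my choices.

```powershell
# Added example, not code from the thread. Assumes Windows 10, Windows PowerShell 5.1,
# run from the affected user account. Key and value names are the WinINet ones that
# the "Manual proxy setup" page writes for the current user.

$ProxyKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$LogFile  = Join-Path $env:TEMP 'proxy-watch.log'   # assumed log location

function Get-UserProxySetting {
    # Read the current user's manual proxy values.
    $k = Get-ItemProperty -Path "HKCU:\$ProxyKey" -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = $k.ProxyEnable
        ProxyServer   = $k.ProxyServer
        ProxyOverride = $k.ProxyOverride
    }
}

function Test-LoopbackProxy {
    param([Parameter(Mandatory)]$Setting)
    # The pattern from the thread: proxy switched on and pointing at the machine itself.
    # ProxyServer is either "host:port" or "http=host:port;https=host:port".
    [bool]($Setting.ProxyEnable -eq 1 -and
           $Setting.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost|\[::1\]):\d+')
}

function Get-ProxyPort {
    param([string]$ProxyServer)
    # Every port named in a ProxyServer string, e.g. 8888 from "127.0.0.1:8888".
    [regex]::Matches($ProxyServer, ':(\d+)') |
        ForEach-Object { [int]$_.Groups[1].Value } | Sort-Object -Unique
}

function Get-ProxyListener {
    param([int[]]$Port)
    # Whatever listens on the proxy port is what actually receives the browser's
    # traffic. A local debugging proxy (Fiddler listens on 8888 by default) shows
    # up here by process name and image path.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Pid     = $_.OwningProcess
                Process = $p.ProcessName
                Path    = $p.Path
            }
        }
}

function Register-ProxyChangeWatch {
    # Real-time alert on writes to ProxyServer. RegistryValueChangeEvent does not
    # accept HKEY_CURRENT_USER, so the same key is addressed through HKEY_USERS by
    # SID; backslashes must be doubled inside the WQL string literal.
    $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $path = "$sid\$ProxyKey".Replace('\', '\\')
    $wql  = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' " +
            "AND KeyPath='$path' AND ValueName='ProxyServer'"
    Register-WmiEvent -Query $wql -SourceIdentifier 'ProxyServerChange' -MessageData $LogFile -Action {
        # The action runs in its own scope, so the key path is repeated here.
        $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        $val  = (Get-ItemProperty -Path $key).ProxyServer
        $line = "{0:s} ProxyServer changed to '{1}'" -f (Get-Date), $val
        foreach ($m in [regex]::Matches([string]$val, ':(\d+)')) {
            Get-NetTCPConnection -LocalPort ([int]$m.Groups[1].Value) -State Listen -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                    $line += "; listener pid $($_.OwningProcess) ($($p.ProcessName))"
                }
        }
        Add-Content -Path $Event.MessageData -Value $line
    }
}

# Usage: inspect the values, and if they match the loopback pattern, name the
# process behind the port. Then leave the watch running in this session.
$setting = Get-UserProxySetting
$setting | Format-List
if (Test-LoopbackProxy -Setting $setting) {
    Get-ProxyListener -Port (Get-ProxyPort -ProxyServer $setting.ProxyServer) | Format-Table -AutoSize
}
Register-ProxyChangeWatch
# Stop watching with: Unregister-Event -SourceIdentifier ProxyServerChange
```

Two caveats. The WMI event tells you that the value changed, not which process wrote it; to attribute the write, run Process Monitor with a filter of Operation is RegSetValue and Path contains "Internet Settings", or enable the "Audit Registry" subcategory and put a SACL on the key so that each write produces Security event 4657 with the writing process name. The HKEY_LOCAL_MACHINE values listed in message #5 can be watched with the same query by setting Hive='HKEY_LOCAL_MACHINE' and the corresponding KeyPath, which does not need the SID prefix.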
 