Windows – how to remove a Proxy Virus (127.0.0.1:8080) from windows 10

network-adapterPROXYproxy-serverwindowswindows 10

it seems that my proxy is always active. If I disable manual proxy configuration it turns on again. I've tried to delete some registry keys but the same keys appear again.

Here is the screenshot of Proxy Settings:

Proxy Settings

Here is the screenshot of Internet Option settings. In Connection tab Lan Settings Button is disabled.

Here is the regedit settings i've changed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy
ProxyEnable (which is always set to 0)
ProxyHttp1.1 (which is always set to 0)
ProxyOverride (<-loopback>)
ProxyServer (which has the 127.0.0.1:8080 IP & currently I've deleted it)

Thanks for helping.

Best Answer

I assume you have run a full scan of your computer, and something like Malwarebytes?

Before you can clean up the proxy settings, you must remove the malware that is causing it.

Start an elevated command prompt
Run netstat -abno | findstr LISTENING | findstr :8080 and take a note of the last number on the displayed line. That is the PID of the process listening on that port.
Run task manager (Ctrl+Shift+Esc) and go to the Details tab. Find the process with the corresponding PID.
Right-click on the process you found and choose "Open file location".
Still in task manager, make sure the process is selected and click on "End task" to kill it.
Now delete the file that the process belonged to (explorer should have popped up with the file selected when you pressed "Open file location" earlier.
Now clean up the proxy settings

Some additional thoughts:

If the malware is more advanced, it might have a watchdog process that launches the proxy as soon as you kill it. A good way of detecting the watchdog is to use Process Monitor to see what the parent process is. You can also right-click on the processes and suspend them, so they are running, but unable to do anything.
The only 99% secure way of cleaning a computer from malware is to reinstall it. (there are some malware that infects the BIOS/UEFI, but that is unlikely here)

Related Solutions

How to diagnose proxy over ssh

The option -D is emulating the SOCKS proxy - thus I would rather remove the configuration from HTTP proxy fields and move it to the SOCKS proxy fields. I'm surprised it worked via putty.

Second thing, verify if the server can connect to the pages that you are trying to test. Try to establish a connection from the server somehow - lynx, links, or maybe firefox via VNC. If you don't have these, it would leave you with nc or telnet, which work as well but are harder to use.

Windows – Proxy keeps changing to 127.0.0.1:8118 automaticaly

Please check if any default url setup in below registry path

Left Pan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr

Right Pan

AutoConfigUrl

If any default url setup, delete that and it should work.

Another option is simply copy the proxy URL which is being turned on automatically and search the same in the regedit, check where else the url is being used, delete that and keep the parameter value as blank and save and restart.

I tried many options changing ProxyEnabled to 0 and others but this one helped to get rid of the issue

Best Answer

Related Solutions

How to diagnose proxy over ssh

Windows – Proxy keeps changing to 127.0.0.1:8118 automaticaly

Related Question