Forced malicious automatic configuration script download in LAN Settings (Win7)

Hi,

I’ve found a weird and potentially dangerous setting in my LAN settings in Internet Settings. I’m using Windows 7 64-bit Home Premium.

The menu is found in Control Panel → Internet → Internet settings → “Connections” tab → LAN settings.

“Käytä automaattista määrityskomentosarjaa” means “Use automatic configuration script”. The IP is located in Belarus and has been marked as a spammer by some instances, and it might also be related to the hacking of the Steam game service by Valve that I use. There are also game multiplayer servers being hosted from that IP, which might explain the relationship to Steam.

I can’t remove the IP or change the settings. If I change them, the settings in the attached screenshot are restored when I try to save the changes. I have run full scans with Avast Free, Malwarebytes’ and some Kaspersky software, but they haven’t found anything. I have been googling for a solution for hours now, but without result. I have tried some solutions, e.g. registry editing, but they haven’t helped at all so far.

Is it really dangerous? What to do next?

Kind regards,
Nonesp

Run this for me please

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.

Thanks for your time,

Result.txt is attached in this post.

Is the LAN proxy still there?

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Hi,

Yes, the LAN proxy is still there. OTL.txt and Extras.txt are attached in this post.

Could you disable cFos and see if that allows you to change the LAN data?

cFos disabled, the IP is still there.

Can you reboot to safe mode then go to control panel > internet option > advanced tab
Click Reset Internet Explorer settings
Then right click the IE shortcut and select Run as Administrator
From the tools menu select internet options then reset the LAN settings to automatically detect

Reboot to normal windows and confirm it has gone

Done as requested, but it’s still there. This seems to be a tough one…

Could you download and run the small programme here and post the log on completion?

http://www.tweaking.com/content/page/repair_proxy_settings.html

There’s the log, still no change. The IP stays in the IP field. If I delete it and save, it’s there again when I reopen the settings window.

Log:
Repair Proxy Settings
Start (13.5.2013 22:50:03)
Running Repair Under Current User Account
Running Repair Under System Account
Done (13.5.2013 22:50:09)

Total Repair Time: 00:00:06

OK, I will do a little rummaging on this as it is an unusual one.

I got an idea – I have Microsoft EMET 3.0 enabled on my system, could it block the programs that you’ve offered? On the other hand, safe mode didn’t help either.

That could well be worth a try … Let me know how it goes