Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

Hijacked network settings (proxy)

  • 5 replies
  • 68 have this problem
  • 9 views
  • Last reply by betabeta1

rpdenney
rpdenney
more options

I am running windows 7, and using Firefox 4.0b7.

Somehow I got a hold of the "backdoor:win32/cycbot.b". I ran "Dr.Web CureIt!" and then "MalwareBytes". It was found and removed, but now, whenever I open Firefox, the connection setting defaults to using http proxy of 127.0.0.1, with a port setting of 55030.

I have to go in, delete the proxy and reset every time I launch Firefox. IE, once backdoor was removed, is opening just fine and retains its settings.

I also noticed in the file named prefs.js, the following lines appear and can not be removed. When I do remove them, they reappear as soon as I launch FF.

user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 55030); user_pref("network.proxy.type", 1);

I am running windows 7, and using Firefox 4.0b7. Somehow I got a hold of the "backdoor:win32/cycbot.b". I ran "Dr.Web CureIt!" and then "MalwareBytes". It was found and removed, but now, whenever I open Firefox, the connection setting defaults to using http proxy of 127.0.0.1, with a port setting of 55030. I have to go in, delete the proxy and reset every time I launch Firefox. IE, once backdoor was removed, is opening just fine and retains its settings. I also noticed in the file named prefs.js, the following lines appear and can not be removed. When I do remove them, they reappear as soon as I launch FF. user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 55030); user_pref("network.proxy.type", 1);

Modified by rpdenney

Chosen solution

See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows

Read this answer in context 👍 3

All Replies (5)

the-edmeister
the-edmeister
  • Moderator
more options

See if you have a user.js file in your Profile folder and if those prefs are there.

If so, delete those prefs from there.

rpdenney
rpdenney Question owner
more options

I do have a user.js file, but the contents are:

user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("nglayout.initialpaint.delay", 600);

Also in the internet settings, each time FF is launched, defaults to: "Manual Proxy Configuration" HTTP Proxy: 127.0.0.1 Port: 55030

the-edmeister
the-edmeister
  • Moderator
more options

Chosen Solution

See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows

rpdenney
rpdenney Question owner
more options

PERFECT!!!! Thanks, this worked. Now, if I can only figure out "why" it acted like that in the first place.

betabeta1
betabeta1
more options

. . . I looked for files modified at the time I thought a similar Malware acted on my PC.



Found 3 lines added to the:




C:/users/xxxxxmyprofile/appdata/roaming/mozilla/firefox/profiles/xxxxx.default/extensionsfoxmarks@kei.com/default/preferences/prefs.js



I removed them, and I saved the prefs.js file again. They were like: user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 58505); user_pref("network.proxy.type", 1); More or less.




My suggestions: Check all *.js files in firefox/ subfolders, plugins included (in my case, as you can see, it was in foxmarks subfolder).



Took me a while, finally solved.

Modified by betabeta1