My problem is a hijack of the proxy settings and I cannot remove it even by editing pref.js file. It just keeps restoring the use manual proxy settings.

  • 41 replies
  • 42 have this problem
  • 83 views
  • Last reply by betabeta1

I had the cycbot trojan and have removed it. However my browser will not connect to the Internet unless I manually select no proxy in the connection settings. then on restart of firefox the settings change back to a manual proxy.

Chosen solution

I think what you can do here is to go to about:config and then in the filter at the top, enter each of those entries one at a time, then right click them and choose Reset. This should restore their default values.

So network.proxy.http_port should revert to '0' when you do that instead of its current value of 64586.

All Replies (20)

According to Symantec, it listens on TCP port 50730. See Backdoor.Cycbot

So the first thing to do is to block that port with your firewall if you haven't done so already.

Then click the Firefox button, go to Options | Options | Advanced and in the Network tab, click the Settings button. In there, checkmark the option called "Use system proxy settings". This affords you some degree of protection since Firefox connects to itself on localhost (port 127.0.0.1).

If you think prefs.js is corrupted, rename it to prefs.jsOLD and Firefox will create a new one the next time you restart.

Hi, Thanks for the suggestions. I tried renaming the prefs.js file and when I started firefox I got the same result. I looked at the proxy settings and it still says 127.0.0.1 with an odd port number. Checking the new prefs it has created it still contains the wrong info so it must be pulling it from somewhere else.

This is what I cannot get rid of.

user_pref("network.cookie.prefsMigrated", true);
user_pref("network.http.max-connections", 48);
user_pref("network.http.max-connections-per-server", 16);
user_pref("network.http.max-persistent-connections-per-proxy", 16);
user_pref("network.http.max-persistent-connections-per-server", 8);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64586);
user_pref("network.proxy.type", 1);

Incidentally, it has allowed me to create a new profile, and if I choose that one the network is good. However, I then do not have the other contents of my old profile like passwords and bookmarks.

Thoughts?

If a new Profile fixes the problem, then you can move your data from the old one quite easily actually. See Profile Manager - Create, remove or switch Firefox profiles

That may well be the route I take, thank you. However, I am puzzled by the automatic writing of those network settings into the prefs.js file. Where are they coming from?

I think you still have this piece of malware on your system. See this report: http://www.threatexpert.com/report.aspx?md5=c5270e75e811141e97fa754bd1d534f7

The TCP port mentioned in your prefs.js file can be seen in there.

Have a look at the registry settings mentioned there.

Any files which won't 'delete' can be erased with this utility: http://www.heidi.ie/eraser/

That is certainly what I had, although I cannot find those files now since the AV cleared them away. The registry appears clean of that IP and port after I just searched. All that keeps happening is the persistent re-entry of those settings back into the prefs.js. It's the one in my default profile; I only had the one at the time. I created a new one and, as I said, that's clean. But I am still worried by the persistence of the settings. I know that they are not coming by magic... but from where?

I did just find that the profiles are under a roaming directory; not sure if that is normal, as I have never dived this deep into Firefox.

Is there a user.js file in that old Profile? If so, open that user.js file and see if those prefs are in there.

Unless you are using that user.js file for some other prefs, just delete it.

user.js is "read" after the prefs.js file and the prefs in it are written to the prefs.js file.
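The prefs.js / user.js relationship described in this reply, together with the about:config reset suggested in the chosen solution, can be checked offline. The following is an added example, not code from this thread or from Mozilla: it parses the `user_pref(...)` lines of both files, merges them the way Firefox does (user.js wins), and flags a manual proxy that points at the local machine on a port no known local proxy listens on. The sample file contents are constructed, modelled on the lines the poster quoted (127.0.0.1 and port 64586 are from the thread); the `known_local_ports` allowlist is an assumption you would fill in from your own machine.

```python
"""Audit Firefox proxy prefs from prefs.js / user.js text (added example)."""
import json
import re

# One user_pref("name", value); line. Values are JS literals (true/false,
# integers, double-quoted strings), which json.loads accepts as-is.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed prefs.js modelled on the lines the poster quoted above.
SAMPLE_PREFS_JS = """
// Mozilla User Preferences
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.http.max-connections", 48);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64586);
user_pref("network.proxy.type", 1);
"""

# Constructed user.js. Firefox reads user.js after prefs.js and writes its
# values back into prefs.js, so a pref set here survives a reset in about:config.
SAMPLE_USER_JS = """
user_pref("network.proxy.http_port", 64586);
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")
MANUAL_PROXY = 1  # network.proxy.type value for "manual proxy configuration"


def parse_prefs(text):
    """Return {pref_name: value} from the text of a prefs.js or user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep the unparsed literal rather than drop it
    return prefs


def effective_prefs(prefs_js_text, user_js_text=""):
    """Merge both files the way Firefox does: user.js overrides prefs.js."""
    merged = parse_prefs(prefs_js_text)
    merged.update(parse_prefs(user_js_text))
    return merged


def audit_proxy(prefs, known_local_ports=frozenset()):
    """Return (pref, "host:port", reason) findings for a manual proxy that
    points at loopback on a port not in the caller's allowlist (assumption:
    the caller knows which local proxies, if any, are legitimately installed)."""
    findings = []
    if prefs.get("network.proxy.type") != MANUAL_PROXY:
        return findings  # only a manual proxy can redirect traffic this way
    for host_pref in PROXY_HOST_PREFS:
        host = prefs.get(host_pref)
        if host in LOOPBACK:
            port = prefs.get(host_pref + "_port", 0)
            if port not in known_local_ports:
                findings.append((host_pref, f"{host}:{port}",
                                 "manual proxy to loopback on an unexpected port"))
    return findings


def proxy_prefs_forced_by_user_js(user_js_text):
    """Proxy prefs that user.js re-applies on every start; resetting these in
    about:config will not hold until user.js itself is cleaned or removed."""
    return sorted(name for name in parse_prefs(user_js_text)
                  if name.startswith("network.proxy."))


if __name__ == "__main__":
    merged = effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    for pref, where, reason in audit_proxy(merged):
        print(f"{pref} -> {where}: {reason}")
    print("forced by user.js:", proxy_prefs_forced_by_user_js(SAMPLE_USER_JS))
```

Run it against the real files by reading the profile's prefs.js and user.js into the two text arguments. An empty list from `proxy_prefs_forced_by_user_js` together with a finding from `audit_proxy` matches the poster's situation: the value is not coming from user.js, so the reset should hold unless something outside the profile rewrites prefs.js.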

I tried about:config and reset everything to default. Closed Firefox and still no joy; I still get the connection denied proxy error. Then I looked at the user.js and there are no network settings in there to speak of. Removing it made no difference.

Hmmm..

Yippeee I fixed it.

So here's what I did.

Knowing that the new profile works and the default did not:

I opened both profiles and moved all the contents of default into a scratch folder. I then copied all the contents of the new profile folder into the now empty default profile folder.

Started Firefox using the default profile (via profile manager). That worked (as I suspected), presuming that the nasty files are now in the scratch folder.

There were some spurious network entries, but this time about:config let me edit the settings back to default. Tested it a couple of times and all good. So I copied the now refreshed prefs.js into the scratch folder.

Deleted all the contents of the default folder.

Copied the entire scratch folder back.

It now works as it should.

I can only suspect some jedi type file corruption ??

Vulnerabilities in your system as far as Firefox is concerned currently lie with your Plugins. The following are out of date.

It's difficult to see whether any of the others are out of date because I can't see the versions. So a visit to the Plugins Check page is in order I think.


Also, I notice you have Foxit Reader installed. Did you opt out of the Ask Toolbar installation which comes bundled with that? If not, then you'll find the Ask Toolbar by clicking the Firefox button, then Add-ons | Extensions. Remove it in there. See http://kb.mozillazine.org/Problematic_extensions

Ask(dot)com directs your searches to its advertiser database before displaying any neutral results like Google does. Some of those may come from dubious sources.


This particular Trojan incorporates a keylogger, so it's advisable to change all your passwords now. A good external password manager is "Keepass", free from http://keepass.info/


Last but not least, install this add-on: https://addons.mozilla.org/en-US/firefox/addon/quickjs/ It adds a button to the toolbar which you can use to disable/enable Javascript on the fly. Disable it before you visit any sites you haven't been to before. This will prevent so called drive-by downloads when you inadvertently visit a site which has been compromised.

I appreciate the additional tips, thank you. Although I am puzzled by how you know that I have Foxit and that my Adobe is out of date?

Click the link called "More System Details", top right ;)

I have just checked running processes etc. and I have csrss.exe running. I believe that this can become compromised. Do you know how I can validate effectively that this file is still good?

The default locations for this file are:

  • C:\WINDOWS\system32
  • C:\WINDOWS\ServicePackFiles\i386

The file size for both is 6KB.

If it says "SYSTEM" in the Processes tab in Task Manager, then it's OK. Open Task Manager by right clicking a blank part of the Windows Taskbar.

Upload it to http://virusscan.jotti.org/en for peace of mind.

I have two instances of it running in Task Manager and both say SYSTEM; mine is 8K in size (I'm running Win 7 64-bit).

Oddly although I can locate it in explorer I cannot see it when using the file upload and browsing to the system32 folder.

I copied it to desktop and then sent it to the scanner and it came back clean.

Cool.

Thanks again

Another useful security tool for you is Microsoft's Process Explorer. You can use it to check what's happening on the fly by right clicking the process, go to Properties and for example, see if the file is connecting to the Internet. See screenshot of csrss.exe running on my own system.

Download from: http://technet.microsoft.com/en-us/sysinternals/bb896653