
Raising awareness about the kb70007 / privoxy port 8118 ip address 127.0.0.1 virus that is going around

post #1 of 16
Thread Starter 
Hey guys, I recently got infected by a rather peculiar virus that was a real pain to remove. Virus software/malware removing software did not help me. The malware is being put into a lot of free software (I got mine from accidentally downloading dolphin from a website other than the official site) that is hosted on less reputable sites. The programs that did not remove the virus: spybot s+d, malwarebytes, avast, windows defender and comodo (obviously not all of these at once).

Anyway, I wanted to post a little guide on what happens and how to remove it.

What is the virus?

The virus is actually two different programs.

First, the virus reroutes your IP to a server using privoxy (which is actually a legitimate program for using vpns) so it doesn't get picked up by malware scanners after it has installed itself. This server will inject ads into all of your internet browsers.

The second program runs in the background as a fake windows update process that constantly scans your browser's default proxy settings. It will change your proxy settings to coincide with the privoxy configuration.

To remove the virus:

First, unplug your computer from the internet. I'm not really sure what information this virus sends out, but you are better off getting offline ASAP. Next, open the task manager (ctrl alt delete and click open task manager). End all variations of microsoft or windows update/updater. I had several processes. If you have difficulty keeping them stopped, disable the services in the msconfig menu by hitting windows and typing msconfig (or run then type in msconfig.exe). Go to the service menu and disable all update services for the time being and any that have kb70007 in the name.

Next, navigate to C:\windows\microsoft . This folder will contain files that say kb70007 in it. The folder should not exist at all. Delete the contents of the folder. Now be careful because c:\windows\microsoft.net SHOULD exist and is needed to run many programs. Don't get them mixed up. Deleting this folder should stop your proxy settings in your browsers from being changed over and over again.

The next step is to remove privoxy. If you use privoxy for something else, just redownload it later. To find where the privoxy installation is (mine was in a really random directory), go to the task manager and find the privoxy process that is running. It will just be privoxy.exe. Right click and hit open location. Stop the process and delete this folder. This will stop the actual rerouting of your internet.

Now, all of your browsers will be trying to reroute to privoxy for a proxy server that no longer exists. Steam, origin, and all internet browsers will not work. In order to fix this, run internet explorer with administrative privileges. Go to settings: internet options: connections: lan settings. Delete all of the information under proxy server and uncheck the box for using a proxy server. This will fix steam, origin, and internet explorer.

To fix firefox, go to menu: options: advanced: connection settings: delete everything under proxy configuration and check the box that says no proxy connection.

I believe google chrome should resolve itself when you fix internet explorer (it uses internet explorer's proxy settings afaik).

Finally, I would run an antivirus scan along with malwarebytes or something along those lines just to clean up anything else lurking around.
Cougartown (19 items)
CPU: i7 2600k; Motherboard: asrock extreme 4 z77; Graphics: powercooler r9 290; RAM: Crucial Technology
RAM: Crucial Technology; Hard Drive: Ocz agility 3 240gb; Hard Drive: Samsung Spinpoint F4EG 2 TB SATA2 5400rpm 32 MB...; Optical Drive: Light-on drive
Cooling: Coolermaster Hyper 212+; OS: Windows 8.1; Monitor: Seiki 39inch 4k television; Keyboard: rosewill rk-9000 with cherry blues
Power: CORSAIR Gaming Series GS700 700W ATX12V v2.3 80...; Case: Cougar Evolution; Mouse: Goldensunksy gaming mouse; Mouse Pad: 3 dollar mouse pad from target
Audio: TV audio
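A read-only PowerShell audit for the indicators this post describes (the WinINET and Firefox proxy set to 127.0.0.1:8118 from the thread title, a running privoxy.exe, the bogus C:\windows\microsoft folder, and services or processes named kb70007). This is an added example, not code from the thread, and it assumes Windows 8/8.1 so that Get-NetTCPConnection is available; it only reports, it changes nothing.

```powershell
# Added example (not from the thread): report the indicators the original post lists.
# Run in an elevated PowerShell so process paths and listeners are visible.
$Findings = @()

# 1. WinINET proxy (used by IE, Steam, Origin, Chrome) pointing at the local privoxy port
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '127\.0\.0\.1:8118') {
    $Findings += "WinINET proxy enabled and set to $($inet.ProxyServer)"
}

# 2. Firefox profiles with a manual proxy to 127.0.0.1:8118 (prefs.js holds user_pref lines)
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
  ForEach-Object {
    $prefs = Get-Content $_.FullName -Raw
    if ($prefs -match 'network\.proxy\.http",\s*"127\.0\.0\.1"' -and
        $prefs -match 'network\.proxy\.http_port",\s*8118') {
        $Findings += "Firefox profile $($_.Directory.Name) proxies through 127.0.0.1:8118"
    }
  }

# 3. A running privoxy.exe and where it was launched from (the post notes the
#    install directory is random, so report the path rather than assume one)
Get-Process privoxy -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += "privoxy.exe running (PID $($_.Id)) from $($_.Path)"
}

# 4. Anything listening on 8118, whatever it calls itself
Get-NetTCPConnection -LocalPort 8118 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += "Port 8118 listener owned by PID $($_.OwningProcess)"
}

# 5. The bogus C:\windows\microsoft folder; C:\windows\microsoft.net is legitimate and is a different path
if (Test-Path 'C:\Windows\microsoft' -PathType Container) {
    $Findings += 'C:\Windows\microsoft exists (should not; do not confuse with microsoft.net)'
}

# 6. Services or processes carrying kb70007 in the name
Get-Service | Where-Object { $_.Name -like '*kb70007*' -or $_.DisplayName -like '*kb70007*' } |
  ForEach-Object { $Findings += "Service $($_.Name) is $($_.Status)" }
Get-Process | Where-Object { $_.Name -like '*kb70007*' } |
  ForEach-Object { $Findings += "Process $($_.Name) PID $($_.Id) from $($_.Path)" }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { 'No kb70007/privoxy indicators found.' }
```

Run it again after the manual cleanup in the post: every line above should come back clean before you plug the machine back in.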
post #2 of 16
Got a sample?
post #3 of 16
Thread Starter 
Quote:
Originally Posted by The Hundred Gunner View Post

Got a sample?

I used to lol. I might be able to find one online.

EDIT: See post below.
Edited by salamachaa - 5/18/14 at 7:43pm
post #4 of 16
Quote:
Originally Posted by salamachaa View Post

IIRC this should be it (I'm not running it to see if it is). The warning isn't for you, it's for anyone who googles and finds this thread.

Awesome, thanks. I only had a chance to take a quick look; it looks long, but not horribly complicated. Hopefully I'll have some time to look at it in more detail and maybe make a post on it.
post #5 of 16
I normally don't register in bulletin boards, but I just had to this time, in order to especially thank salamachaa for his reply. This virus was driving me crazy. I had looked everywhere on the net, tried all kinds of spyware and malware detectors and cleaners, but no luck. Finally I stumbled upon this post, and boy, it was amazing. Finally I got rid of the stupid kb70007 thing.

What is most irritating and astonishing for me is the fact how EASY it is for virii and infections to get into windows and stay there, resist all kinds of detections and removal, even in this day and age. I'm on an i7 ultrabook with Windows 8.1, and probably installed this virus by mistake on day of the purchase. Finally got rid of it on day 20 thanks to salamachaa's post.

Thanks!!
post #6 of 16
Thread Starter 
Quote:
Originally Posted by farhanarain View Post

I normally don't register in bulletin boards, but I just had to this time, in order to especially thank salamachaa for his reply. This virus was driving me crazy. I had looked everywhere on the net, tried all kinds of spyware and malware detectors and cleaners, but no luck. Finally I stumbled upon this post, and boy, it was amazing. Finally I got rid of the stupid kb70007 thing.

What is most irritating and astonishing for me is the fact how EASY it is for virii and infections to get into windows and stay there, resist all kinds of detections and removal, even in this day and age. I'm on an i7 ultrabook with Windows 8.1, and probably installed this virus by mistake on day of the purchase. Finally got rid of it on day 20 thanks to salamachaa's post.

Thanks!!

Glad I could help you out. To be honest, the only reason I made a post on OCN about it was because Google indexes OCN really well and I figured it would come up on a google search. Also, welcome to OCN.
post #7 of 16
post #8 of 16
Thank you so much for this, it really helped me out
post #9 of 16
Thread Starter 
Quote:
Originally Posted by Dynac View Post

Thank you so much for this, it really helped me out

You're welcome random citizen
post #10 of 16
I wanted to post about this one after disassembling it, but it was pretty difficult to follow. I'm not sure if it's looking for a specific OS or is anti-VM, but it didn't seem to do anything on my system.