Script To Turn Off Proxy Settings

[Comicsnut]

I have a problem PC that I've scrubbed clean with everything from Combofix to Ccleaner to Malwarebytes anti-rootkit, to JRT, to ADW, to TDSS, to rkill and beyond.

The only thing wrong with this PC is that, every few days the proxy settings are toggled on and I need to go turn them off.

I can find no trace of any malicious software on this machine at all, so while I do more research I want to write a script that will run every 10 minutes or so turning off Internet proxy settings.

Would any adventurous soul be willing to lend a hand in this one?

 

[TanyaC]

Hi,

Try this..

reg add "[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
" /v ProxyEnable /t REG_DWORD /d "0" /f

I have no idea if it works for FF or Chrome, but it does seem to work for IE, which is the only one I tried it on.

All you need to do it add that line to a .BAT/.CMD file, and set up a windows task to run when you want it.

A tutorial for that can be found here... http://www.sevenforums.com/tutorials/12444-task-scheduler-create-new-task.html#post176848

But I don't deserve credit for this... I simply Googled your request and got thousands of hits...

https://www.google.com.au/search?q=...hannel=sb&gfe_rd=cr&ei=zcaFU5L2NejM8gfR_oH4AQ

 

[UsernameIssues]

Comicsnut, TanyaC was kind enough to dig up some code for you, but the code should be all on one line. The line return probably came in via copy/paste from a website.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d "0" /f

Also, there should not be brackets around the key name. The code quoted above has been tested using a Virtual Machine; however, it only turns off one of the ways to set a proxy. The code above will "uncheck" the Proxy server option, but not the "...script" option.



Is this on a customer's computer or on a computer that you own?


Take a look at the first video in this post where I have an AutoIt script constantly monitoring a few registry keys. When I use regedit to simulate some app making an unwanted change, the script halts with a message telling the user the time that the change happened.

If I change that script to watch for a change to the proxy settings in the registry, we can know exactly when the change happened. Add Process Monitor into the mix and we might know what app changed the setting. See this post for more info. That said, some apps just call WMI to make registry changes. Process Monitor might only show WMI and not the app that called it.

Running Process Monitor for weeks at a time might be problematic, but there are ways to set it up so that it should work. Just let me know if you want to bother with it.