Firestone Technical Resources

"Personal service for your impersonal technology."

Brian Wright

President and CEO of Firestone Technical Resources, Inc. and primary blog contributor for technical solutions to computer problems.

His posts typically reflect real situations that required real solutions. Many of these solutions are compiled from several other blogs or just personal experience and put into an easy-to-follow process.

Can't remove proxy in Internet Explorer after malware infection

While cleaning up a client computer I found an issue with Internet Explorer where the proxy setting could not be changed without it automatically reverting back to its original setting. This persistent issue seemed related to a typical group policy setting, but this was not possible because the system was running Windows 7 Home. Many others on the Internet had reported the issue with only one resolution, editing the registry.

The registry changes didn't seem to be long lasting until I found an article by Philip Turner that provided some additional registry keys that I was missing in my search.

  1. Open REGEDIT and browse to the following key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  2. Change the "ProxyEnable" value from 1 to 0
  3. Delete the entry "ProxyOverride"
  4. Delete the entry "ProxyServer"
  5. Browse to the key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
  6. Change the "ProxyEnable" value from 1 to 0
  7. Delete the entry "ProxyOverride"
  8. Delete the entry "ProxyServer"
  9. Browse to the key:
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\Parameters\Internet\ManualProxies
  10. Double click on the "Default" entry and delete the entire contents so that it is blank.
  11. Browse to the key:
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies
  12. Double click the "Default" entry and delete the entire contents so that it is blank.
  13. Browse to the key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  14. Delete the key "DefaultConnectionSettings"
  15. Delete the key "SavedLegacySettings"

NOTE: both of these keys had the proxy and loopback information embedded in their value data, which would not show up in a registry search for "127.0.0.1".
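As the NOTE says, the proxy string in these two entries sits as ASCII bytes inside binary value data. The following added example (not part of the original post) decodes the two exported SavedLegacySettings values that a reader quotes in the comments on this page, so an export can be checked for a loopback proxy before and after cleanup. The field layout and flag bits are the commonly observed ones for this value and are assumptions here, as are all function names.

```python
import struct

# Exported values copied from a reader comment on this page (.reg syntax).
INFECTED = r"""hex:46,00,00,00,43,10,00,00,03,00,00,00,2a,00,00,00,68,\
74,74,70,3d,31,32,37,2e,30,2e,30,2e,31,3a,34,39,36,36,38,3b,68,74,74,70,73,\
3d,31,32,37,2e,30,2e,30,2e,31,3a,34,39,36,36,38,0b,00,00,00,3c,2d,6c,6f,6f,\
70,62,61,63,6b,3e,00,00,00,00,00,00,00,00,00,00,00,00"""
CLEAN = r"""hex:46,00,00,00,27,00,00,00,09,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,00,00,c0,a8,00,17,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"""

# Assumed flag bits (commonly observed, not from vendor documentation).
FLAGS = {0x01: "direct", 0x02: "manual-proxy", 0x04: "auto-config-url", 0x08: "auto-detect"}

def reg_hex_to_bytes(text):
    """Convert a .reg 'hex:aa,bb,...' export (with line continuations) to bytes."""
    body = text.split("hex:", 1)[1]
    return bytes(int(tok, 16) for tok in body.replace("\\", "").replace(",", " ").split())

def _counted_string(blob, offset):
    """Read a little-endian DWORD length, then that many ASCII bytes."""
    if offset + 4 > len(blob):
        raise ValueError("value truncated inside a length field")
    (length,) = struct.unpack_from("<I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string length runs past the end of the value")
    return blob[offset + 4:end].decode("ascii", "replace"), end

def parse_connection_settings(blob):
    """Decode header, flags and the three counted strings (assumed layout)."""
    if len(blob) < 12:
        raise ValueError("value too short for the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _counted_string(blob, 12)
    bypass, off = _counted_string(blob, off)
    autoconfig, _ = _counted_string(blob, off)
    return {"version": version, "counter": counter, "proxy": proxy, "bypass": bypass,
            "autoconfig": autoconfig,
            "flags": [name for bit, name in FLAGS.items() if flags & bit]}

def loopback_proxies(settings):
    """Return proxy entries that are enabled and point at the local machine."""
    if "manual-proxy" not in settings["flags"]:
        return []
    hits = []
    for entry in filter(None, settings["proxy"].split(";")):
        host = entry.split("=", 1)[-1].rsplit(":", 1)[0].lower()
        if host.startswith("127.") or host in ("localhost", "[::1]"):
            hits.append(entry)
    return hits
```

Calling `loopback_proxies(parse_connection_settings(reg_hex_to_bytes(INFECTED)))` lists both loopback entries, while the same call on `CLEAN` returns an empty list.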

If you would prefer to use a registry file that has these changes already made, click the download and then go to where you saved the file and double-click to run it. We must notify everyone that modifying your registry could cause severe damage to the operation of your computer. Use these instructions or this file at your own risk.

In the case that I was working on, I also found that Symantec's Norton 360 Premium would cause these settings to become restored when the Firewall and Browser Protection settings were enabled. I am still investigating this issue. I don't typically recommend using this version of Norton Antivirus and recommend using just the basic version which doesn't cause this issue.

We hope that this information is helpful. Please let us know how this has helped you or if you have additional questions. As always Firestone Technical Resources, Inc. is here to help with your computer support issues - "Providing personal service for your impersonal technology."


Comments 12

Guest - GReg on Tuesday, 25 November 2014 11:20

Thanks for this, it looked really promising but unfortunately after making all the changes it still doesn't work for me :( Nothing changed, any more tips???

Guest - Brian Wright on Friday, 28 November 2014 18:29

Sorry to hear that this was not helpful in resolving your issue. Not knowing the details of your situation GReg, it is difficult to provide additional assistance. If you didn't notice the ending comment I made above to the post, some antivirus applications will try to proxy all web traffic so that it can be analyzed. It may be that your system has this function configured. My last suggestion to ensure that your system is certainly fixed is to complete a factory restore which will basically reinstall your operating system from scratch. I found that this was the only option on one or more systems since posting this. Good Luck!

Guest - TC on Wednesday, 10 December 2014 15:41

Excellent post -- worked for me. BTW, there are a number of different ControlSet00x folders. Update all of them, as above

Guest - Brian Wright on Wednesday, 10 December 2014 18:06

TC, under normal circumstances there should only be CurrentControlSet, ControlSet001, and ControlSet002. If you have additional ControlSet00x then making a change to them as well is advised.

Guest - LittlBUGer on Friday, 19 December 2014 08:20

This only worked for me if I did the last step (deleting the DefaultConnectionSettings string, etc.) again in the Wow6432Node area of the same name. Even after doing all of the above and missing this one section, the proxy was still in effect, and this was after a very thorough malware/virus cleanup. Thanks for the tips though so that I was able to figure it out. :-)

Phil Stevens on Friday, 09 January 2015 02:22

Superb advice, saved a reload as a restore failed every time.
Many thanks for posting.

Phil Stevens
Somerset UK

Guest - Thomas on Sunday, 01 February 2015 01:09

I love you!

Guest - Adrian G on Sunday, 01 February 2015 12:36

Worked for me too once I deleted the keys "DefaultConnectionSettings" and "SavedLegacySettings" from the Wow6432Node

Guest - Ornella on Thursday, 07 May 2015 15:30

Thank you a lot. I couldn't even use the Windows Store. Now it all looks fixed.

Colin Searle on Friday, 31 July 2015 04:29

search registry for DefaultConnectionSettings and SavedLegacySettings

Look for garbage key and export

"SavedLegacySettings"=hex:46,00,00,00,43,10,00,00,03,00,00,00,2a,00,00,00,68,\
74,74,70,3d,31,32,37,2e,30,2e,30,2e,31,3a,34,39,36,36,38,3b,68,74,74,70,73,\
3d,31,32,37,2e,30,2e,30,2e,31,3a,34,39,36,36,38,0b,00,00,00,3c,2d,6c,6f,6f,\
70,62,61,63,6b,3e,00,00,00,00,00,00,00,00,00,00,00,00

Look for good key

"SavedLegacySettings"=hex:46,00,00,00,27,00,00,00,09,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,00,00,c0,a8,00,17,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

Export good key and modify address to bad key location - Import - Reboot

For example:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Guest - Alberto Vicente on Tuesday, 18 August 2015 08:15

OMG really good!! I was looking for this for long time, thanks!!

Guest - Jonah on Tuesday, 12 January 2016 18:23

Holy cow! This really saved my bacon! Thanks!
