Windows XP, SP3, nothing out of the ordinary.

Yesterday I decided to update all of my 'cleaning' programs and scan the system, something I hadn't done on this system in several months. I use Spybot, Malwarebytes and CCleaner. For Spybot, I upgraded from v1.6 to v2.x. That was a fairly major change, and I think the program now has more functionality than it did before...

Malwarebytes seemed like just a database update.

CCleaner was an update from v3.x to v4.x, but the program still seems the same.

After installing various Windows Update critical updates and scanning with all three of the aforementioned cleaning programs, I could no longer access the internet. Turns out the culprit was my LAN settings - they were set to use a proxy server, which is something I never use. Specifically, they were set to use:

Address: localhost
Port: 21320

Could one of those three cleaning programs have changed this setting? If not, what program would change this on its own? I know for a fact that I didn't change it and nobody else uses this machine... All scanning came up clean, so I'm fairly certain I don't have any problems with the machine.

What would be the purpose of setting the proxy address to localhost (which I believe is the same as 127.0.0.1, and is also what Spybot puts in the hosts file when it runs immunization)? What is the significance of port 21320?


Lots of malware makes changes to the proxy settings, but so do some good programs. By pushing everything through their own internal proxy they gain control of things to allow scanning and pushing you to their own sites. Spybot immunizes to 127 because that address is a loopback, so anything going there will go nowhere, stopping bad sites from being accessed.

There are some ports that are used for specific things, like 25 is SMTP, 21 is FTP, etc... but it's a fairly short list. All the other numbers are open and can be used for pretty much anything. 21320 isn't anything in and of itself, it's just the port that some program on your PC decided to use.

localhost port 80 would go nowhere because it's just a loopback, but when you set it to another port it could be intercepted by another program.

minidrag said: localhost port 80 would go nowhere because it's just a loopback...
localhost/127.0.0.1 port 80 goes nowhere, unless you have a web server running on your machine. Then it loops back to that web server. The random high-numbered port was likely picked so it didn't interfere with any existing software.

It sounds very much like some malware installed a local proxy, and was routing all your web traffic through it. This may have been done simply to insert ads into all of the pages you visit. Or it could've monitored all your web traffic. Somehow the malicious proxy got removed, but the proxy setting stayed.

Are you certain all the scans you ran came up clean? I'd check the logs to see if one of the cleaners hadn't cleaned something up automatically. Another option is that one of the scanners read a file and triggered your real-time AV program, which then cleaned the file itself. You do have a real-time AV program always running, right?

From what I can tell, it's a function of the new Spybot version 2. I performed the same tasks on another machine (updating the cleaning utilities and running them) and saw the same thing. I went into the settings of Spybot and told it not to use "Spybot's" proxy and it fixed itself.

I just don't understand how it was supposed to work. With the first machine, when the proxy was enabled (localhost / 21320) I had no internet connection. Maybe I disabled something in Spybot that caused the proxy functionality to quit working without disabling it. That's definitely something I'd do as I'm always stripping programs and their functions down to a minimal level.

At any rate, all is well, no malware or spyware, I was just curious about the feature and what it was supposed to be doing.
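An added example, not part of the original thread: a Python check for the situation discussed above, where the Windows proxy setting points at a loopback port and the question is which process (if any) is listening there. It parses the output of `reg query` on the Internet Settings key and of `netstat -ano`; the sample outputs and PIDs are constructed, and treating "proxy set but nothing listening" as the cause of a lost connection is an assumption.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Constructed sample of: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    localhost:21320
"""
# Constructed sample of: netstat -ano (the PIDs are made up)
NETSTAT_UP = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:21320        0.0.0.0:0              LISTENING       1844
"""
NETSTAT_DOWN = "\n".join(NETSTAT_UP.splitlines()[:-1])  # same host, proxy process gone

def parse_proxy(reg_text):
    """Return (enabled, [(scheme, host, port), ...]) from `reg query` output."""
    vals = {k: v.strip() for k, v in
            re.findall(r"^[ \t]+(\w+)[ \t]+REG_\w+[ \t]+(.+)$", reg_text, re.M)}
    entries = []
    for part in filter(None, vals.get("ProxyServer", "").split(";")):
        scheme, _, addr = part.rpartition("=")      # "http=host:port" or "host:port"
        host, _, port = addr.split("://")[-1].rpartition(":")
        if port.isdigit():                          # entries without a port are skipped
            entries.append((scheme or "all", host.lower(), int(port)))
    return int(vals.get("ProxyEnable", "0x0"), 16) == 1, entries

def listeners(netstat_text):
    """Map each listening TCP port to the PID that owns it."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rpartition(":")[2]): int(f[4]) for f in rows
            if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"}

def audit(reg_text, netstat_text):
    """Classify every configured proxy: remote, local with owner, or dangling."""
    enabled, entries = parse_proxy(reg_text)
    if not enabled:
        return ["proxy disabled"]
    ports, findings = listeners(netstat_text), []
    for scheme, host, port in entries:
        if host not in LOOPBACK:
            findings.append(f"{scheme}: remote proxy {host}:{port}")
        elif port in ports:
            findings.append(f"{scheme}: local proxy on port {port} owned by PID {ports[port]}")
        else:
            findings.append(f"{scheme}: DANGLING local proxy on port {port}, nothing listening")
    return findings
```

The PID reported for a live listener can be matched to a program name in Task Manager or with `tasklist`.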

Haven't really looked at Spybot in a while. Here's what it says on their site:
http://www.safer-networking.org/2013/spybot-av-2-1-released/
Internet Protection: an integrated proxy server blocks suspicious cookies and access to suspect URLs.

A little more info:
http://www.safer-networking.org/faq/why-are-some-of-my-favourite...

I found these same changes after installing Spybot 2.



© 1999-2014