jcolpean
Engaged Sweeper II
I have performed a search for this topic on this site with no true success.

I've had some infected computers that were cleaned...yet the cleaning process did not detect nor reset the browser proxy settings that were set to 127.0.0.1. Yes....I know this is bad.

Goal: Using Lansweeper, display known computers that have a browser with this (or any, but distinguished) proxy setting. This could help identify infected computers that have yet to cause the user enough grief to contact IT Department.

Issues I suspect that need to be considered:
- Browsers could be IE (6 through 8), Firefox, Chrome
- Setting may be linked to the current user

Preventing Proxy Changes with GPO may be worth considering. However, there are some limited conditions here in which some users have legitimate purpose for the change.

Similarly, if there are other valuable checks to detect the possible hole/tunnel in the routes...I welcome your response. For instance, the existence of any type of vpn tunneling protocol/configuration detected or file replication technology such as MS Live Sync (yes I know the SW inventory hits that specific one).
2 REPLIES
Hemoco
Lansweeper Alumni
You won't be able to scan the HKEY_CURRENT_USER key with registry scanning.
jcolpean
Engaged Sweeper II
Mozilla settings look to be stored in a file called prefs.js.
On my system it was located here: C:\Users\MYUSERNAME\Application Data\Mozilla\Firefox\Profiles\a68dhkmj.default\prefs.js.

The profile directory name (a68dhkmj.default) appears to be unique and maybe randomly generated.

A profile for the current user can be accessed here: "%APPDATA%\Mozilla\"

Accessing "%APPDATA%\Mozilla\" resulted in the profile being found in the subdirectory: Firefox\Profiles\a68dhkmj.default

The file "profiles.ini" exists in the directory Roaming\Mozilla\Firefox. It contains the lines:
Name=default
IsRelative=1
Path=Profiles/a68dhkmj.default

Within the file: prefs.js is the following line:
user_pref("network.proxy.http", "127.0.0.1");

XXXXXXXXXXXXXX

IE appears to store the proxy settings in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
AND
HKEY_USERS\S-1-5-21-1993962763-1123\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
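
One way to turn the locations described in this thread into a check (an added example, not part of the original posts and not Lansweeper code): it resolves Firefox profiles through profiles.ini, scans each prefs.js for proxy host prefs, and classifies an IE ProxyServer value. It goes slightly beyond the post by flagging any loopback address rather than only 127.0.0.1; the function names, the sibling prefs (ssl/ftp/socks) and the host proxy.example.internal are assumptions, and the sample files are constructed.

```python
import configparser
import ipaddress
import re
import tempfile
from pathlib import Path

# The post shows network.proxy.http; ssl/ftp/socks are its sibling host prefs (assumed in scope).
PREF_RE = re.compile(r'^user_pref\("(network\.proxy\.(?:http|ssl|ftp|socks))",\s*"([^"]*)"\);', re.M)

def is_loopback(host):
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    host = host.strip().strip("[]").lower()
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname

def ie_loopback(proxy_server):
    """Check an IE ProxyServer value: 'host:port' or 'http=host:port;https=host:port'."""
    parts = [p.split("=", 1)[-1].strip() for p in proxy_server.split(";")]
    return any(is_loopback(p.rsplit(":", 1)[0]) for p in parts if p)

def firefox_loopback_prefs(firefox_dir):
    """Scan every profile named in profiles.ini; return (pref, value) loopback hits."""
    root = Path(firefox_dir)
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(root / "profiles.ini", encoding="utf-8")
    hits = []
    for name in ini.sections():
        path = ini[name].get("Path")
        if not path:
            continue  # sections without a profile path
        # Path is relative to the profiles.ini directory when IsRelative=1
        profile = root / path if ini[name].get("IsRelative") == "1" else Path(path)
        prefs = profile / "prefs.js"
        if prefs.is_file():
            text = prefs.read_text(encoding="utf-8", errors="replace")
            hits += [(n, v) for n, v in PREF_RE.findall(text) if is_loopback(v)]
    return hits

def demo():
    """Constructed profile tree with the layout from the post; returns the scan hits."""
    root = Path(tempfile.mkdtemp())
    profile = root / "Profiles" / "a68dhkmj.default"
    profile.mkdir(parents=True)
    (root / "profiles.ini").write_text("[Profile0]\nName=default\nIsRelative=1\nPath=Profiles/a68dhkmj.default\n")
    (profile / "prefs.js").write_text('user_pref("network.proxy.http", "127.0.0.1");\n'
                                      'user_pref("network.proxy.ssl", "proxy.example.internal");\n')
    return firefox_loopback_prefs(root)
```

On a real machine, point `firefox_loopback_prefs` at each user's Mozilla\Firefox directory and feed `ie_loopback` the ProxyServer value read from each loaded hive under HKEY_USERS.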