A strange virus...

I have something on my computer (I presume an infection) that every 5 to 10 hours changes the proxy settings in my MSIE (and only MSIE) to 128.0.0.1:59636. Nothing listens on that port, so IE (and anything that relies on WININET) just fails until I go in and change it back.

I did a few google searches and cannot find any reports of a virus that does this. Any of you guys know what’s going on?

Have you run Malwarebytes’ Anti-Malware?
If not, try that first. You can download the free version here.

After you’ve run that, let us know what (if anything) it finds.

Ran it. Didn’t help me much :slight_smile:

It found: PUM.bad.proxy - Wikipedia

I already know that the registry entry got changed and I know how to “fix” it (that is, turn off the proxy setting in IE). The problem is that something sets it again in a few hours, and that wiki entry (or Malwarebytes) doesn’t tell me what does it…

Running Malware Bytes in safe mode helps with most things. The virus usually doesn’t load since safe mode loads minimal drivers.

At work, if I spend more than an hour on it, I reformat and reinstall; I’m wasting my time and my employer’s money.

The idea upthread to boot Linux from a CD and save your files is excellent advice.

Does the proxy change when you are logged in as a non-admin?

Have you tried McAfee’s Stinger program (free)?
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx

How about Windows Defender (free)?
http://www.microsoft.com/download/en/details.aspx?id=17

Are any files infected or programs acting strange, other than IE?

Didn’t run those two in particular but I ran a slew of various others. Nothing found. Nothing acts strange except this annoying setting of the proxy in IE. A couple of my google searches uncovered some people suspecting that some MS Office programs are doing this in some circumstances. Am trying to chase that down.

You might try using Microsoft’s Process Monitor utility. I think you can tell it to watch all registry accesses and tell you which program is writing to any particular registry entry.

Other programs you can try, if you haven’t, are SuperAntiSpyware and Norton Power Eraser.
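A way to pin down when the value flips, as an added example that is not code from anyone in this thread: a PowerShell script that polls the per-user WinINET proxy values, logs every change with a timestamp, and switches the proxy back off when the 127.0.0.1:59636 entry reappears. The log path and polling interval are assumptions; the timestamp is what you line up with a Process Monitor capture to find the writing process.

```powershell
# Added example: watch the HKCU proxy values IE/WinINET read and log changes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$badProxy = '127.0.0.1:59636'                          # value reported in this thread
$log = Join-Path $env:USERPROFILE 'proxy-watch.log'    # assumed log location
$intervalSeconds = 30                                  # assumed polling interval

function Get-ProxyState {
    # Missing key or values read as disabled / empty rather than erroring.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [int]($p.ProxyEnable)
        Server  = [string]($p.ProxyServer)
    }
}

function Write-Log([string]$msg) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $msg
    Add-Content -Path $log -Value $line
    Write-Host $line
}

$last = Get-ProxyState
Write-Log ("start: ProxyEnable={0} ProxyServer='{1}'" -f $last.Enabled, $last.Server)

while ($true) {
    Start-Sleep -Seconds $intervalSeconds
    $now = Get-ProxyState
    if ($now.Enabled -ne $last.Enabled -or $now.Server -ne $last.Server) {
        Write-Log ("CHANGE: ProxyEnable={0} ProxyServer='{1}'" -f $now.Enabled, $now.Server)
        if ($now.Enabled -eq 1 -and $now.Server -eq $badProxy) {
            # Same fix the original poster applies by hand: turn the proxy off.
            Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
            Write-Log 'reverted ProxyEnable to 0'
            $now = Get-ProxyState
        }
        $last = $now
    }
}
# To catch the writer itself, run Process Monitor alongside this with a filter of
# Operation is RegSetValue and Path contains "Internet Settings\ProxyServer";
# the CHANGE timestamp in the log tells you where to look in the capture.
```

The script only sees changes to the current user's hive, so run it in the same account whose IE settings keep changing.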

Ridiculous. Malwarebytes is just one antivirus tool. If that doesn’t work, there’s always SuperAntiSpyware, to name just one tool. There’s also the option to update the antivirus and scan (the virus probably blocks updating), or scan using a rootkit tool.

I’ve been dealing with spyware on hundreds of computers for years. There has only been one case that I couldn’t fix things using the tools available – and that was only because the computer was designed so that WindowsPE could not access the hard drive.

Just to clarify – is your proxy getting set to 128.0.0.1 or 127.0.0.1? If it’s 128.0.0.1 (as typed in your OP), that’s an IP address for mail.ru, a Russian email, blog hosting, and social media provider. If your machine is trying to talk to mail.ru, did you recently install any client software for any of their services? I don’t know where you are, so I don’t know if this is something you might have done, but maybe you’re using some kind of blog development package from them or something?

Best of luck.

Oops, typo. 127.0.0.1 - localhost.

Ah. I thought I was on to something.:frowning:

For what it’s worth, I’m on the side of those who say that, in general, it’s best to rebuild a machine when you get malware on it. Anti-malware tools have to know about the malware in order to remove it. According to Symantec, 75% of malware in the wild today infects fewer than 50 machines. Such “micro-targeting” of malware means that anti-malware vendors never see a sample and therefore can’t provide protection against it. So, today, the majority of new malware goes undetected by ALL anti-malware tools.

When your anti-malware system finds some piece of malware, or your machine starts acting in a way that’s indicative of malware, it’s a very good bet that there is more on the machine that you do not detect and may never detect. I think that “cleaning” malware only gives you a false sense of security.