Please Help With pum.bad.proxy

[ChiSoxFan]

I have ran MBAM and pum.bad.proxy gets quaritined, but keeps returning after restarting laptop. Attached are the FRST.txt and Adiition.txt logs.

FRST.txt

Addition.txt

[ChiSoxFan]

Still need help removing Pum.Bad.Proxy. Please let me know what additional information is needed.

 

Thanks.

[MrCharlie]

Welcome to the forum.

Please run a Quick Scan with Malwarebytes

For Malwarebytes ver: 1.75

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

For Malwarebytes 2.0, please run a Threat Scan

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Then.......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

[ChiSoxFan]

Thank you for assisting me with the removal of this malware/virus. Attached is the RogueKiller report and the MBAM report.

RKreport_SCN_06112014_124219.log

MBAM.txt

[MrCharlie]

Please download and run rkill, post the log:
http://download.bleepingcomputer.com/dl/72e398dead83b4daa1b0306a09573f6f/53989954/windows/security/security-utilities/r/rkill/rkill.exe

--------------------------------

Then.............

Make sure you have created a restore point and.....
Download Delfix from Here and save it to your desktop.

• Place a check mark in front of .......
• Create registry backup <---only!
• Uncheck the rest!
• Click the Run button.
  
  Close the tool out when it's done....we'll use it later.
  
  ------------------------------------
  
  Next.......
  
  Please download AdwCleaner from HERE or HERE to your desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  Last..................
  
  Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  MrC

[ChiSoxFan]

I tried running Junkware Removal Tool as Administrator (with the protection software closed). It appears to run fine but when it automatically closes, a log file is not being created. I have tried twice with the same result both times.

 

Here are the other log files.

 

Thanks

Rkill.txt

AdwCleanerS0.txt

[MrCharlie]

OK...Next:

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

  

• Put a checkmark beside loaded modules.

  

• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.

  

• Click the Start Scan button.

  

• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.

  

  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

  If in doubt about an entry....please ask or choose Skip

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  

  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[ChiSoxFan]

Hello, I have followed the instructions above. For the TDSSKiller scan, it found 11 objects and was not sure about some of them so I chose Skip for all of them. Some I could tell were needed.

 

Attached are the log files from the TDSSKiller and ComboFix scan.

 

Thanks.

TDSSKiller.3.0.0.39_13.06.2014_12.15.03_log.txt

TDSSKiller.3.0.0.39_13.06.2014_12.18.25_log.txt

ComboFix.txt

[MrCharlie]

Update and run a Threat Scan with Malwarebytes, let me know how it is.

MrC

[ChiSoxFan]

Updated Malwarebytes, and ran Threat Scan.

 

It came back with PUM.Bad.Proxy and PUP.Optional.Conduit.A and I did quarantine both of these. Unfortunately I was not able to find the new log file. So I rebooted the laptop in hopes of finding the log file. Since I still could not find the log file, I updated Malwarebytes again and ran the Threat Scan a second time. The second time Malwarebytes came back clean, no treats found.

 

Please let me know what the next step is.

 

Thanks.

[MrCharlie]

Logs can be located by clicking on the History button. You can double click a log and choose to export in either text or xml file formats. In most cases you can simply click on the Copy to Clipboard button when the log is opened and then paste it back to a reply here on the forum if looking for help or someone requested you to post the log. Please do not post xml log files on the forum unless requested by a helper or Staff member. The logs are also stored in the following location by default for Vista/Win7/8 unless you move the path. C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs The path for Windows XP is: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs

------------------------------------

If there's no other problems.........

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!

MrC

[ChiSoxFan]

I have downloaded the file to the desktop and double-clicked to run. When I press any key to continue, a "path not found" error message appears along with several "file not found" messages. I rebooted the laptop and got the same results. I then downloaded the file using the second link with same results as the first link, even after a rebooting for a second time. I let it run every time and the log file (notepad file) was always empty. I also tried to get a screen capture of the actual error message, but they went by too fast.

 

What is the step?

 

 

Thanks.

[MrCharlie]

Try the attached one (unzip it first).......and run it by right clicking on it and "choose run as administrator"

See if that works, if not I'll look through the logs to see what's out of date in the AM.

MrC

[ChiSoxFan]

Downloaded zip file to desktop.

Right clicked file to extract to desktop

Did a copy and replace for existing SecurityCheck.exe

Right clicked new exe file to run as administrator

 

Got the same results as prior post. Was not able to see if the path was showing for "path not found", but was able to notice that PROCESS.TXT and INSTALL.TXT was not found.

 

Thanks

[MrCharlie]

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~~~~

Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Flash Player 13 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 13.0.0.214 - Adobe Systems Incorporated)

These are out of date: should be 14.0.0.125

http://www.adobe.com/downloads/other-downloads.html <------download page

----------------------------------------------

Adobe Reader XI (11.0.07) <----this is OK

----------------------------------------------

Java 7 Update 51 <---------please update, should be Update 60

Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

-------------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (My Preventive Maintenance also found HERE)

Good Luck and Thanks for using the forum, MrC

[ChiSoxFan]

I uninstalled both Flash Players, Java, ComboFix, and Delfix. Rebooted the laptop. Installed Flash Player from Adobe's web site and installed Java from Java's web site (both successful installs). I then rebooted the laptop again. After that, I updated the MalwareBytes database and ran a Threat Scan. It came back with detecting the PUM.Bad.Proxy.

 

Here is the log file:

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 6/19/2014

Scan Time: 12:50:36 PM

Logfile: MBAM.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.06.19.08

Rootkit Database: v2014.06.02.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows Vista Service Pack 2

CPU: x86

File System: NTFS

User: Marty & Dina

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 276325

Time Elapsed: 11 min, 31 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 1

PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:23012, Quarantined, [450f47335f1c003652b102ee0200a35d]

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

What is the next step now that this has returned?

 

Thanks

[MrCharlie]

Make sure you have created a restore point and.....
Download Delfix from Here and save it to your desktop.

• Place a check mark in front of .......
• Create registry backup <---only!
• Uncheck the rest!
• Click the Run button.
  
  Close the tool out when it's done....we'll use it later.
  
  ----------------------------------------------
  
  Download, unzip and double click on fixme.bat (fixme.zip)
  Reboot and if you have any problems getting back on line, just navigate to:
  C:\WINDOWS\ERUNT\DelFix\ERDNT.EXE
  and double click on ERDNT.EXE
  That will put things back to the way they were.
  
  ----------------------
  
  Run another scan with MB and see if it's found.
  
  MrC

[ChiSoxFan]

The Delfix link did not work, so I restored (from recycle bin) the one I had to backup the registry. Ran the fixme.bat file, then rebooted. Ran Malwarebytes and came back clean. Shut down laptop for about 2 hrs, then restarted and ran Malwarebytes again and found the PUM.Bad.Proxy this time.

 

Not sure if this is related or not, but I am unable to uninstall FireFox (using add/remove, then selecting FireFox, then selecting uninstall)

 

 

Thanks.

[MrCharlie]

Besides Malwarebytes finding the bad proxy, are there any symptoms??

 

-------------------------------

 

Run this online scan:

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

• Scan potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC

[ChiSoxFan]

Other than Malwarebytes finding this, not others symptoms have been noticed.

 

The ESET scan did find 2 items

 

C:\Users\Marty & Dina\Downloads\CouponAlert.exe a variant of Win32/AdInstaller potentially unwanted application
C:\Users\Marty & Dina\Downloads\Shockwave_Installer_Full.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

Please let me know what the next is.

 

Thanks.

[MrCharlie]

OK, delete these 2 files:

C:\Users\Marty & Dina\Downloads\CouponAlert.exe
C:\Users\Marty & Dina\Downloads\Shockwave_Installer_Full.exe

-------------------------------------

Then............See if you have the Group Policy Editor installed:

http://www.sevenforums.com/tutorials/3652-local-group-policy-editor-open.html

If so......

In Group Policty goto User Configuration then Windows Settings
Choose Internet Explorer Maintenance then goto Connection and click Proxy Settings
Tick on the Enable Proxy settings so make the proxy values visible.
Erase the proxy value Address of Proxy (do this also with the port)
Untick the enable proxy settings then click OK to close.
Close the Group Policy Editor.
MrC

[ChiSoxFan]

I have deleted the files, but Group Policy Editor is not installed on this laptop. I was able to find gpedit.dll, but not gpedit.msc as shown in the link.

 

Thanks

[ChiSoxFan]

I have deleted the files, but Group Policy Editor is not installed on this laptop. I was able to find gpedit.dll, but not gpedit.msc as shown in the link.

 

Thanks

 

This laptop is running Vista Home Premium, should I follow these instructions to "install" Group Policy Editor?

 

http://www.windowsreference.com/windows-vista/how-to-get-group-policy-editor-in-vista-home-edition/

[MrCharlie]

No, for now.....

Download and run Panda Cloud Cleaner

http://www.pandasecurity.com/usa/homeusers/support/card?id=1674

MrC

[ChiSoxFan]

Should I run then clean?