ChiSoxFan

  1. First of all, thank you for all the time you have spent in assisting me in trying to remove this. Before I proceed with the above steps, do you think reformatting the hard-drive and then installing Windows would get rid of this? All personal files have already been backed up, so nothing to worry about there. Thanks.
  2. Ran Malwarebytes as Administrator, updated database, and it is still there. Malwarebytes log:

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 7/10/2014
     Scan Time: 1:40:58 PM
     Logfile:
     Administrator: Yes

     Version: 2.00.2.1012
     Malware Database: v2014.07.09.13
     Rootkit Database: v2014.07.09.01
     License: Free
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows Vista Service Pack 2
     CPU: x86
     File System: NTFS
     User: Marty & Dina

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 282585
     Time Elapsed: 8 min, 5 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 1
     PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:23012, , [89f85647a0db79bd9c284fb7937001ff]
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)
     (end)

     Any suggestions?
  3. Do you need to review the OTL log file, or should I go ahead and run a Threat Scan using Malwarebytes now? Thanks.
  4. Sorry, I've been away since the 4th of July holiday. Below are the results of the OTL fix from the last post:

     All processes killed
     ========== OTL ==========
     HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
     Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
     HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
     Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
     HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
     HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ not found.
     Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
     ========== COMMANDS ==========

     [EMPTYJAVA]

     User: All Users
     User: Default
     User: Default User
     User: Marty & Dina
     ->Java cache emptied: 633481 bytes
     User: Public

     Total Java Files Cleaned = 1.00 mb

     [EMPTYTEMP]

     User: All Users
     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 402 bytes
     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     User: Marty & Dina
     ->Temp folder emptied: 3665408 bytes
     ->Temporary Internet Files folder emptied: 17820433 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 68677425 bytes
     ->Flash cache emptied: 45601 bytes
     User: Public
     ->Temp folder emptied: 0 bytes

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 1064601 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
     RecycleBin emptied: 15980832 bytes

     Total Files Cleaned = 102.00 mb

     [EMPTYFLASH]

     User: All Users
     User: Default
     User: Default User
     User: Marty & Dina
     ->Flash cache emptied: 0 bytes
     User: Public

     Total Flash Files Cleaned = 0.00 mb

     OTL by OldTimer - Version 3.2.69.0 log created on 07102014_121810

     Files\Folders moved on Reboot...
     C:\Users\Marty & Dina\AppData\Local\Temp\ehmsas.txt moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\bLBBWlYJp_w[2].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\fastbutton[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\like[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\postmessageRelay[2].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JA8ZNCPA\index[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

     PendingFileRenameOperations files...

     Registry entries deleted on Reboot...
  5. Attached are the two reports. OTL.Txt Extras.Txt
  6. Ran the Windows Repair as instructed in the above link, and pum.bad.proxy appeared after updating Malwarebytes database and running as administrator. Any other suggestions? Thanks.
  7. Unfortunately, pum.bad.proxy is back. Any suggestions? Thanks.
  8. Was able to delete
     Was not able to find
     These entries did not exist
     This entry existed, but was already set as instructed
     This entry did not exist as "ControlSet002" but did as "ControlSet003". The ...003 was set as instructed for ...002

     After making these changes in the registry, ran Malwarebytes as Administrator and came back clean. Then shut down laptop for about 30 minutes. After restarting laptop, ran Malwarebytes as Administrator again and came back clean again. Looks like it may finally be gone. Are there any "clean up" steps next? Thanks.
  9. Here are the results of the scan:

     SystemLook 30.07.11 by jpshortstuff
     Log created at 12:17 on 27/06/2014 by Marty & Dina
     Administrator - Elevation successful

     ========== regfind ==========

     Searching for "127.0.0.1:23012"
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"
     [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"

     Searching for "http=127.0.0.1:23012"
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"
     [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"

     -= EOF =-
  10. Yes, I am familiar with working in the registry.
  11. Ran the Clean. After it was finished, a reboot was required to complete. After computer restarted, Panda Cloud Cleaner stated the infections were successfully removed. I then updated Malwarebytes database, and ran as administrator and still found pum.bad.proxy. Please let me know what the next step is. Thanks for all your help.
  12. This laptop is running Vista Home Premium, should I follow these instructions to "install" Group Policy Editor? http://www.windowsreference.com/windows-vista/how-to-get-group-policy-editor-in-vista-home-edition/
  13. I have deleted the files, but Group Policy Editor is not installed on this laptop. I was able to find gpedit.dll, but not gpedit.msc as shown in the link. Thanks
  14. Other than Malwarebytes finding this, no other symptoms have been noticed. The ESET scan did find 2 items:

      C:\Users\Marty & Dina\Downloads\CouponAlert.exe a variant of Win32/AdInstaller potentially unwanted application
      C:\Users\Marty & Dina\Downloads\Shockwave_Installer_Full.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

      Please let me know what the next step is. Thanks.