Everything posted by ChiSoxFan

  1. First of all, thank you for all the time you have spent in assisting me in trying to remove this. Before I proceed with the above steps, do you think reformatting the hard-drive and then installing Windows would get rid of this? All personal files have already been backed up, so nothing to worry about there. Thanks.
  2. Ran Malwarebytes as Administrator, updated the database, and it is still there. Malwarebytes log:

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 7/10/2014
     Scan Time: 1:40:58 PM
     Logfile:
     Administrator: Yes

     Version: 2.00.2.1012
     Malware Database: v2014.07.09.13
     Rootkit Database: v2014.07.09.01
     License: Free
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows Vista Service Pack 2
     CPU: x86
     File System: NTFS
     User: Marty & Dina

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 282585
     Time Elapsed: 8 min, 5 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 1
     PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:23012, , [89f85647a0db79bd9c284fb7937001ff]

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     Any suggestions?
  3. Do you need to review the OTL log file, or should I go ahead and run a Threat Scan using Malwarebytes now? Thanks.
  4. Sorry, I've been away since the 4th of July holiday. Below are the results of the OTL fix from the last post:

     All processes killed
     ========== OTL ==========
     HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
     Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
     HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
     Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
     HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
     HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ not found.
     Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
     Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
     ========== COMMANDS ==========

     [EMPTYJAVA]

     User: All Users

     User: Default

     User: Default User

     User: Marty & Dina
     ->Java cache emptied: 633481 bytes

     User: Public

     Total Java Files Cleaned = 1.00 mb

     [EMPTYTEMP]

     User: All Users

     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 402 bytes

     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes

     User: Marty & Dina
     ->Temp folder emptied: 3665408 bytes
     ->Temporary Internet Files folder emptied: 17820433 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 68677425 bytes
     ->Flash cache emptied: 45601 bytes

     User: Public
     ->Temp folder emptied: 0 bytes

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 1064601 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
     RecycleBin emptied: 15980832 bytes

     Total Files Cleaned = 102.00 mb

     [EMPTYFLASH]

     User: All Users

     User: Default

     User: Default User

     User: Marty & Dina
     ->Flash cache emptied: 0 bytes

     User: Public

     Total Flash Files Cleaned = 0.00 mb

     OTL by OldTimer - Version 3.2.69.0 log created on 07102014_121810

     Files\Folders moved on Reboot...
     C:\Users\Marty & Dina\AppData\Local\Temp\ehmsas.txt moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\bLBBWlYJp_w[2].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\fastbutton[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\like[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\postmessageRelay[2].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JA8ZNCPA\index[1].htm moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
     C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

     PendingFileRenameOperations files...

     Registry entries deleted on Reboot...
  5. Attached are the two reports. OTL.Txt Extras.Txt
  6. Ran the Windows Repair as instructed in the above link, and pum.bad.proxy appeared after updating Malwarebytes database and running as administrator. Any other suggestions? Thanks.
  7. Unfortunately, pum.bad.proxy is back. Any suggestions? Thanks.
  8. Was able to delete

     Was not able to find

     These entries did not exist

     This entry existed, but was already set as instructed

     This entry did not exist as "ControlSet002" but did as "ControlSet003". The ...003 was set as instructed for ...002

     After making these changes in the registry, ran Malwarebytes as Administrator and it came back clean. Then shut down the laptop for about 30 minutes. After restarting the laptop, ran Malwarebytes as Administrator again and it came back clean again. Looks like it may finally be gone. Are there any "clean up" steps next? Thanks.
  9. Here are the results of the scan:

     SystemLook 30.07.11 by jpshortstuff
     Log created at 12:17 on 27/06/2014 by Marty & Dina
     Administrator - Elevation successful

     ========== regfind ==========

     Searching for "127.0.0.1:23012"
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"
     [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"

     Searching for "http=127.0.0.1:23012"
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"
     [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyServer"="http=127.0.0.1:23012"

     -= EOF =-
  10. Yes, I am familiar with working in the registry.
  11. Ran the Clean. After it was finished, a reboot was required to complete. After the computer restarted, Panda Cloud Cleaner stated the infections were successfully removed. I then updated the Malwarebytes database, ran as administrator, and it still found pum.bad.proxy. Please let me know what the next step is. Thanks for all your help.
  12. This laptop is running Vista Home Premium, should I follow these instructions to "install" Group Policy Editor? http://www.windowsreference.com/windows-vista/how-to-get-group-policy-editor-in-vista-home-edition/
  13. I have deleted the files, but Group Policy Editor is not installed on this laptop. I was able to find gpedit.dll, but not gpedit.msc as shown in the link. Thanks
  14. Other than Malwarebytes finding this, no other symptoms have been noticed. The ESET scan did find 2 items:

      C:\Users\Marty & Dina\Downloads\CouponAlert.exe a variant of Win32/AdInstaller potentially unwanted application
      C:\Users\Marty & Dina\Downloads\Shockwave_Installer_Full.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

      Please let me know what the next step is. Thanks.
  15. The Delfix link did not work, so I restored (from the recycle bin) the one I had to back up the registry. Ran the fixme.bat file, then rebooted. Ran Malwarebytes and it came back clean. Shut down the laptop for about 2 hrs, then restarted and ran Malwarebytes again and it found the PUM.Bad.Proxy this time. Not sure if this is related or not, but I am unable to uninstall FireFox (using add/remove, then selecting FireFox, then selecting uninstall). Thanks.
  16. I uninstalled both Flash Players, Java, ComboFix, and Delfix. Rebooted the laptop. Installed Flash Player from Adobe's web site and installed Java from Java's web site (both successful installs). I then rebooted the laptop again. After that, I updated the MalwareBytes database and ran a Threat Scan. It came back with detecting the PUM.Bad.Proxy. Here is the log file:

      Malwarebytes Anti-Malware
      www.malwarebytes.org

      Scan Date: 6/19/2014
      Scan Time: 12:50:36 PM
      Logfile: MBAM.txt
      Administrator: Yes

      Version: 2.00.2.1012
      Malware Database: v2014.06.19.08
      Rootkit Database: v2014.06.02.01
      License: Free
      Malware Protection: Disabled
      Malicious Website Protection: Disabled
      Self-protection: Disabled

      OS: Windows Vista Service Pack 2
      CPU: x86
      File System: NTFS
      User: Marty & Dina

      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 276325
      Time Elapsed: 11 min, 31 sec

      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Disabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled

      Processes: 0
      (No malicious items detected)

      Modules: 0
      (No malicious items detected)

      Registry Keys: 0
      (No malicious items detected)

      Registry Values: 1
      PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:23012, Quarantined, [450f47335f1c003652b102ee0200a35d]

      Registry Data: 0
      (No malicious items detected)

      Folders: 0
      (No malicious items detected)

      Files: 0
      (No malicious items detected)

      Physical Sectors: 0
      (No malicious items detected)

      (end)

      What is the next step now that this has returned? Thanks
  17. Downloaded the zip file to the desktop. Right-clicked the file to extract to the desktop. Did a copy and replace for the existing SecurityCheck.exe. Right-clicked the new exe file to run as administrator. Got the same results as in the prior post. Was not able to see if the path was showing for "path not found", but was able to notice that PROCESS.TXT and INSTALL.TXT were not found. Thanks
  18. I have downloaded the file to the desktop and double-clicked to run. When I press any key to continue, a "path not found" error message appears along with several "file not found" messages. I rebooted the laptop and got the same results. I then downloaded the file using the second link with the same results as the first link, even after rebooting for a second time. I let it run every time and the log file (notepad file) was always empty. I also tried to get a screen capture of the actual error message, but they went by too fast. What is the next step? Thanks.
  19. Updated Malwarebytes, and ran a Threat Scan. It came back with PUM.Bad.Proxy and PUP.Optional.Conduit.A and I did quarantine both of these. Unfortunately I was not able to find the new log file. So I rebooted the laptop in hopes of finding the log file. Since I still could not find the log file, I updated Malwarebytes again and ran the Threat Scan a second time. The second time Malwarebytes came back clean, no threats found. Please let me know what the next step is. Thanks.
  20. Hello, I have followed the instructions above. For the TDSSKiller scan, it found 11 objects and was not sure about some of them so I chose Skip for all of them. Some I could tell were needed. Attached are the log files from the TDSSKiller and ComboFix scan. Thanks. TDSSKiller.3.0.0.39_13.06.2014_12.15.03_log.txt TDSSKiller.3.0.0.39_13.06.2014_12.18.25_log.txt ComboFix.txt
  21. I tried running Junkware Removal Tool as Administrator (with the protection software closed). It appears to run fine but when it automatically closes, a log file is not being created. I have tried twice with the same result both times. Here are the other log files. Thanks Rkill.txt AdwCleanerS0.txt
  22. Thank you for assisting me with the removal of this malware/virus. Attached is the RogueKiller report and the MBAM report. RKreport_SCN_06112014_124219.log MBAM.txt
  23. Still need help removing Pum.Bad.Proxy. Please let me know what additional information is needed. Thanks.
  24. I have run MBAM and pum.bad.proxy gets quarantined, but keeps returning after restarting the laptop. Attached are the FRST.txt and Addition.txt logs. FRST.txt Addition.txt
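The detection in the Malwarebytes logs above and the SystemLook regfind output both point at the same thing: a WinINet ProxyServer value of http=127.0.0.1:23012 sitting in the HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 (LocalSystem) hives rather than in the logged-in user's hive. The following script is an added example for checking that across every loaded hive at once; it is not from the thread and is not part of Malwarebytes, OTL, SystemLook or any other tool mentioned in it. It assumes an elevated PowerShell 2.0 or later prompt (Vista needs the Windows Management Framework update to get 2.0); the -Remove switch, the value list and the loopback pattern are the example's own choices.

```powershell
# Added example, not from the thread: list WinINet proxy settings in every hive loaded
# under HKEY_USERS, including .DEFAULT and the SYSTEM account (S-1-5-18), which is where the
# thread's "http=127.0.0.1:23012" value lived. Read-only unless -Remove is given.
# Run from an elevated PowerShell (2.0+) prompt.
param([switch]$Remove)

# PowerShell only maps HKLM: and HKCU: by default; map HKEY_USERS as HKU: for this session.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subKey     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$valueNames = 'ProxyServer', 'ProxyEnable', 'ProxyOverride', 'AutoConfigURL'
# Example's own pattern for the loopback proxy seen in the thread (127.0.0.1:<port>).
$loopback   = '127\.0\.0\.1:\d+'

# Translate a hive name (SID) into an account name so S-1-5-18 reads as NT AUTHORITY\SYSTEM.
function Resolve-HiveName([string]$sid) {
    if ($sid -eq '.DEFAULT') { return 'Default hive (used by services without a user profile)' }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return 'unresolvable SID' }
}

# Only hives that are currently loaded appear under HKU; users who are not logged in are not seen.
$hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $sid  = $hive.PSChildName
    $path = "HKU:\$sid\$subKey"
    if (-not (Test-Path $path)) { continue }

    $props = Get-ItemProperty -Path $path
    foreach ($name in $valueNames) {
        $val = $props.$name
        if ($null -eq $val -or "$val" -eq '') { continue }

        New-Object PSObject -Property @{
            Hive    = $sid
            Account = Resolve-HiveName $sid
            Value   = $name
            Data    = $val
        }

        if ($Remove -and $name -eq 'ProxyServer' -and "$val" -match $loopback) {
            Remove-ItemProperty -Path $path -Name $name
            Write-Warning "Removed $name from $path"
        }
    }
}
```

Run it without arguments first and compare against the SystemLook output: the two hives it should report for this case are .DEFAULT and S-1-5-18, and nothing for the user's own S-1-5-21-... hive. Removing the value with -Remove does the same thing the OTL fix and the Malwarebytes quarantine did, and the thread shows that this alone did not hold after a restart; a value that comes back in the SYSTEM hive is being re-created by something that runs as SYSTEM at boot, so the registry value is the symptom and the thing writing it is what still needs to be found.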