
Please Help With pum.bad.proxy


Ran the Clean. After it was finished a reboot was required to complete. After the computer restarted, Panda Cloud Cleaner stated the infections were successfully removed. I then updated the Malwarebytes database, ran it as administrator, and it still found pum.bad.proxy.

Please let me know what the next step is.

Thanks for all your help.


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    127.0.0.1:23012
    http=127.0.0.1:23012
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Here are the results of the scan:


SystemLook 30.07.11 by jpshortstuff
Log created at 12:17 on 27/06/2014 by Marty & Dina
Administrator - Elevation successful

========== regfind ==========

Searching for "127.0.0.1:23012"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"

Searching for "http=127.0.0.1:23012"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"

-= EOF =-


Please create a back-up of the registry before continuing:
Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

-----------------------------------

Delete the items in red only:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"

----------------------

See if these exist: (if so change or delete them)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

- change "ProxyEnable" value from 1 to 0
- delete the entry "ProxyOverride"
- delete the entry "ProxyServer"

- browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings

- change "ProxyEnable" value from 1 to 0
- delete the entry "ProxyOverride"
- delete the entry "ProxyServer"

- browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\Parameters\Internet\ManualProxies

- in "Default", delete the listing "http=127.0.0.1:23012;https=127.0.0.1:23012" so it would be blank (or value not set)

- browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies

- in "Default", delete the listing "http=127.0.0.1:23012;https=127.0.0.1:23012" so it would be blank (or value not set)

- browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

- delete the key "DefaultConnectionSettings"
- delete the key "SavedLegacySettings"

Let me know...MrC

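A read-only way to audit every proxy location the post above walks through (user hives, the 32- and 64-bit HKLM Internet Settings keys, the Connections values and NlaSvc ManualProxies under each ControlSet) in one pass, as an added example that is not part of the thread or of any tool mentioned in it. It assumes an elevated PowerShell prompt so that HKU\S-1-5-18 and HKLM\SYSTEM are readable; it changes nothing, so the Delfix registry backup step still applies before any deletion.

```powershell
# Added audit example (not from the thread or its tools). Reports proxy-related
# values in the locations listed above and flags loopback proxies such as
# http=127.0.0.1:23012, the value PUM.Bad.Proxy points at in this thread.
# Assumes an elevated prompt so HKU\S-1-5-18 and HKLM\SYSTEM are readable.
$ErrorActionPreference = 'SilentlyContinue'
$suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Built-in hives plus every loaded S-1-5-21-* (interactive account) hive
$inetKeys = @("Registry::HKEY_USERS\.DEFAULT\$suffix",
              "Registry::HKEY_USERS\S-1-5-18\$suffix",
              "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings",
              "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings")
$inetKeys += @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+(-\d+)+$' } |
    ForEach-Object { "Registry::$($_.Name)\$suffix" })

$findings = @(foreach ($key in $inetKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        $value = $props.$name
        if ($null -ne $value -and "$value" -ne '') {
            [pscustomobject]@{ Key = $key; Name = $name; Value = "$value" }
        }
    }
    # DefaultConnectionSettings / SavedLegacySettings are REG_BINARY values under Connections
    $conn = Get-ItemProperty -Path "$key\Connections"
    foreach ($name in 'DefaultConnectionSettings', 'SavedLegacySettings') {
        if ($conn -and $null -ne $conn.$name) {
            [pscustomobject]@{ Key = "$key\Connections"; Name = $name; Value = "($($conn.$name.Length) bytes)" }
        }
    }
})

# NlaSvc ManualProxies under every ControlSet present (the thread found 001 and 003, not 002)
$findings += @(Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object {
        $mp = "HKLM:\SYSTEM\$($_.PSChildName)\services\NlaSvc\Parameters\Internet\ManualProxies"
        $default = (Get-ItemProperty -Path $mp).'(default)'
        if ($default) { [pscustomobject]@{ Key = $mp; Name = '(Default)'; Value = "$default" } }
    })

# A proxy on the loopback interface is only legitimate when a local proxy (filtering
# software, a debugging proxy) is actually installed; otherwise treat it as a leftover.
$flagged = @($findings | Where-Object { $_.Value -match '(127\.0\.0\.1|localhost):\d+' })

$findings | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
if ($flagged.Count -gt 0) {
    Write-Warning "Loopback proxy values found (compare with the thread's http=127.0.0.1:23012):"
    $flagged | Format-Table Key, Value -AutoSize -Wrap
} else {
    Write-Host 'No loopback proxy values found in the audited locations.'
}
```

Run it once before and once after the manual edits; an entry that keeps coming back after a reboot points at a service or scheduled task rewriting it, which is the case to investigate rather than deleting the value again.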

Was able to delete:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"

Was not able to find:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:23012"

These entries did not exist:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

This entry existed, but was already set as instructed:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\Parameters\Internet\ManualProxies

This entry did not exist as "ControlSet002" but did as "ControlSet003". The ...003 was set as instructed for ...002:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies

After making these changes in the registry, ran Malwarebytes as Administrator and it came back clean. Then shut down the laptop for about 30 minutes. After restarting the laptop, ran Malwarebytes as Administrator again and it came back clean again.

Looks like it may finally be gone.

Are there any "clean up" steps next?

Thanks.


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in bold:

    :OTL

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/

    IE - HKLM\..\SearchScopes,DefaultScope =

    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKLM\..\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

    IE - HKLM\..\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

    IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found

    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012

    IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\..\SearchScopes,DefaultScope = {74F58FCB-F368-4395-86CF-B90961FC82B1}

    IE - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\..\SearchScopes\{74F58FCB-F368-4395-86CF-B90961FC82B1}: "URL" = http://search.yahoo.com/search?fr=mcafee&type=A011US0&p={SearchTerms}

    IE - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\..\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

    IE - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\..\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

    IE - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}

    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKU\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    :Commands

    [EMPTYJAVA]

    [emptytemp]

    [EMPTYFLASH]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Let me know....MrC


2 weeks later...

Sorry, I've been away since the 4th of July holiday. Below are the results of the OTL fix from the last post:

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F58FCB-F368-4395-86CF-B90961FC82B1}\ not found.
Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33}\ not found.
Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C5ECE9-8E95-48C4-B2AA-8202E3547581}\ not found.
Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-21-2251682311-4106646933-1266909191-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
========== COMMANDS ==========
 
[EMPTYJAVA]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Marty & Dina
->Java cache emptied: 633481 bytes
 
User: Public
 
Total Java Files Cleaned = 1.00 mb
 
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Marty & Dina
->Temp folder emptied: 3665408 bytes
->Temporary Internet Files folder emptied: 17820433 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 68677425 bytes
->Flash cache emptied: 45601 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1064601 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 15980832 bytes
 
Total Files Cleaned = 102.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Marty & Dina
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 07102014_121810

Files\Folders moved on Reboot...
C:\Users\Marty & Dina\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\bLBBWlYJp_w[2].htm moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\fastbutton[1].htm moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\like[1].htm moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W7DT4UE3\postmessageRelay[2].htm moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JA8ZNCPA\index[1].htm moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Marty & Dina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Ran Malwarebytes as Administrator, updated the database, and it is still there.

Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/10/2014
Scan Time: 1:40:58 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.09.13
Rootkit Database: v2014.07.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Marty & Dina

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 282585
Time Elapsed: 8 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:23012, , [89f85647a0db79bd9c284fb7937001ff]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Any suggestions?


Run another scan with Malwarebytes but first enable "Scan for rootkits":

Open up Malwarebytes > Settings > Detection and Protection > Put a check next to Scan for rootkits

Run a scan.

--------------------------------------------------

The rescan with RogueKiller: (download a fresh one)

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64-bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Last............

Download aswMBR to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.
MrC


First of all, thank you for all the time you have spent in assisting me in trying to remove this. Before I proceed with the above steps, do you think reformatting the hard-drive and then installing Windows would get rid of this?

All personal files have already been backed up, so nothing to worry about there.

Thanks.


First, that entry is harmless and not active, it's just listing the address.

I've never been able to solve this problem with other users, I usually just have them put the entry in the Malwarebytes ignore list, so I don't know for sure if re-installing Windows would work....probably would.

MrC

