Pum.Bad.Proxy



Evening MrC,

 

RKreport_SCN_07092014_171156.log

 

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/09/2014 05:27:56 PM in x86 mode.
Windows Version: Windows Vista Ultimate Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * DFSR [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 07/09/2014 05:29:00 PM
Execution time: 0 hours(s), 1 minute(s), and 4 seconds(s)


The proxy address is there but it's not active:

[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> FOUND
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> FOUND

 



These indicate you're using a router..correct????:

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND

 


-----------------------------------------

Please run this scan:

Download aswMBR to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.
MrC


Norton360 didn't like aswMBR, so I disabled it, then downloaded the file.  After selecting "Run", a pop-up from the aswMBR program gave me the following option:

 

"This computer supports 'Virtualization Technology'. Would you like to use it for rootkit detection? YES/NO"

 

and the correct answer is ...?


Give this a try:

Reboot into safe mode and run RogueKiller.
Delete any bad proxy settings as before:
 

[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 

 

Now reset Internet Explorer:
http://malwaretips.com/blogs/reset-internet-explorer-settings/

Reboot into normal mode.

Let me know....MrC (I won't be around much on Saturday)


I had reset IE while in safe mode as per the 'malwaretips' article. Still in safe mode I ran ADW Cleaner, twice. Both times the scan showed nothing...no files, folders or anything from the registry listed...all lines in all categories were blank, as if I hadn't run the scan. Just ran RogueKiller in normal and both the PUM.Proxy files were back. 7-11RKreport_SCN_07112014_205735.log I deleted them.


See if you can reset your router:

Shut down the computer and reset the router:

http://www.online-tech-tips.com/computer-tips/reset-wireless-router-default-settings/

There should be a reset button that you push or a hole that you stick a pin into to reset the router (usually 10 seconds).

It's usually located on the back of the router, check your owner's manual.

If you can't find one, just disconnect the power from the router for about a minute, then reconnect it, let it reset then turn the computer back on and see how it is.

---------------------------------------------------

Download and run Panda Cloud Cleaner: (run the standard scan and clean all that's found)

http://www.pandasecurity.com/usa/homeusers/support/card?id=1674

---------------------------------------------------

Give this a try:

Download zoek.exe to your Desktop:

http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here:

http://www.bleepingcomputer.com/forums/topic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator

Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:

autoclean;
resetIEproxy;
iedefaults;
startupall;
emptyalltemp;

Now...

Close any open programs.

Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.

The log is also found on the systemdrive, normally C:\

If a reboot is needed, the log is opened after the reboot.

MrC


zoek has been running now for almost 24 hrs.  I think it's safe to say it has frozen up.  I can't close the program, even with task manager, so I'm guessing I'll have to manually shut down the computer and maybe try running zoek again...thoughts...


Nothing showing, I guess it's still there.

I'm running out of options at this point, the setting that Malwarebytes keeps finding is harmless though.

My suggestion would be....next time Malwarebytes finds it, just have Malwarebytes ignore it.

I've been down this road before...sometimes I can rid the computer of it and sometimes I can't.

What do you think??  MrC

 

 

 

EDIT: I just had another thought, it's not a fix but it will keep that proxy entry deleted.
I could create a bat file that will run whenever Windows starts and delete the proxy entry if present.
Let me know...MrC
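
The startup cleanup suggested in the edit above, written out as an added example in PowerShell rather than as a .bat file (this is not MrC's script and not code from the thread). It checks the two keys from the RogueKiller report, records whether the proxy is actually enabled, and deletes ProxyServer only when it points at a loopback address; the log path, task name and script path are assumptions.

```powershell
# Added example (not from the thread). Run elevated: the LocalSystem hive needs admin rights.
# To run at boot, one option is a SYSTEM startup task (task name and script path are
# assumptions; the command is one line):
#   schtasks /Create /TN ClearLoopbackProxy /SC ONSTART /RU SYSTEM /TR
#     "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Clear-LoopbackProxy.ps1"

# HKU\.DEFAULT is an alias of HKU\S-1-5-18 (the LocalSystem profile), so the two
# RogueKiller lines describe one hive; both are listed to mirror the report.
$hives   = 'HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-18'
$subKey  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$logFile = Join-Path $env:SystemRoot 'Temp\proxy-cleanup.log'   # hypothetical log path

# Matches loopback entries such as "http=127.0.0.1:5555" or "localhost:5555".
$loopback = '(^|[=;])\s*(127(\.\d{1,3}){3}|localhost)(:\d+)?\s*($|;)'

function Test-LoopbackProxy([string]$Value) {
    return [bool]($Value -match $loopback)
}

function Clear-LoopbackProxy([string]$KeyPath) {
    $path = "Registry::$KeyPath"
    $settings = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $settings) { return "$KeyPath : key not present" }
    $server = $settings.ProxyServer
    if (-not $server) { return "$KeyPath : no ProxyServer value" }
    # ProxyEnable = 1 means WinINet actually uses the proxy; 0 or absent means
    # the address is stored but inactive, as in this thread.
    $state = if ($settings.ProxyEnable -eq 1) { 'enabled' } else { 'not enabled' }
    if (-not (Test-LoopbackProxy $server)) {
        return "$KeyPath : ProxyServer=$server ($state) kept, not a loopback address"
    }
    Remove-ItemProperty -Path $path -Name ProxyServer -ErrorAction Stop
    return "$KeyPath : removed ProxyServer=$server ($state)"
}

foreach ($hive in $hives) {
    # Timestamped lines show when the value came back, which helps trace what rewrites it.
    $line = '{0:u} {1}' -f (Get-Date), (Clear-LoopbackProxy "$hive\$subKey")
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}
```

Because both paths open the same hive, the second pass normally reports "no ProxyServer value" once the first has removed it.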