PUM.Bad.Proxy

[alan_s]

For years I've had a web proxy defined in the Internet Options for my Windows 7 (32-bit) system.  It was needed for Privoxy, but in March this year I started getting problems with Privoxy, so uninstalled it and unset "Use a proxy server..." in Internet Options, leaving the proxy addresses as-is..

 

Yesterday, 2014-07-31, an MBAM Threat Scan started flagging PUM.Bad.Proxy.   

 

I hadn't (at least, knowingly) installed anything for ages.  The most recent was 2014-06-21: an update to Thunderbird.  So, I did an experiment: Disconnected the network, restored the C-drive to an older image copy and ran a Threat Scan.  No problems were detected.  

 

I then re-connected the network, let MBAM update its databases and ran a new scan. This reported PUM.Bad.Proxy (Times are Central European summer time):

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 2014-07-31

Scan Time: 12:12:27

Logfile: 

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.07.31.03

Rootkit Database: v2014.07.17.01

License: Premium

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Enabled

 

OS: Windows 7 Service Pack 1

CPU: x86

File System: NTFS

User: XXXXXXXX

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 255894

Time Elapsed: 5 min, 6 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Warn

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 1

PUM.Bad.Proxy, HKU\S-1-5-21-986192021-2339230874-1921736129-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8118;https=127.0.0.1:8118, , [8021b2eee19a7eb89d46715a5ba717e9]

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

So, the problem started with one of yesterday's updates. It was detected under the "Heuristic" part of the scan.  I elected to do nothing, for the time being.

 

The regedit display of the "offending" registry entry is: 

 

   ProxyServer  REG_SZ  http=127.0.0.1:8118;https=127.0.0.1:8118

 

Of course, it's shown under HKCU\Software... too.

 

These are the values I set years ago.   What the [8021b2eee19a7eb89d46715a5ba717e9] stuff above is, I've no idea - it's not shown by regedit.  

 

I believe this is a false positive.

 

I tried again today (log enclosed) but it's the same. 

 

MBAM_Scan_2014-08-01.txt

[miekiemoes]

Hi,

 

Unfortunately, a lot of malware (especially PUP) use Privoxy as well and set the proxyserver to this. This with as a result that, once the malware or PUP has been removed, that the user had issues with their proxy server since it was still pointing to there.

This is why we need to alert the user about this. We don't detect this as malware but as PUM - which means Potentially Unwanted Modification.

So if you have set this yourself (via Privoxy), then you can safely ignore this detection or eventually change the scan settings for PUM to not detect/list.

[alan_s]

Since I set the proxy values myself, but don't use Privoxy these days, I simply removed them via Internet Options.  And now, a scan gives me "No malicious items were detected!".  Many thanks for your prompt response and excellent explanation!