Bobs_your_uncle Posted September 11, 2014 ID:877742

Hi there,

Hoping someone can provide some guidance to rid my system of this malware once and for all. I've tried several tools, but Malwarebytes is the only one that even seems to detect this. It does remove it, but it's back within a day or so. I look forward to working with an expert on the permanent removal!

Detection: PUM.BAD.PROXY

Thanks
Bryan

TwinHeadedEagle Posted September 11, 2014 ID:877780

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

- Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
- Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
- Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
- Do not paste the logs in your posts, attachments make my work easier. There is an Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
- Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
- Note that we may live in totally different time zones, which may cause some delays between answers.
- Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me! There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

- We won't support any piracy. That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
- The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

I would like to see what this detection looks like:

- Please re-run Malwarebytes' Anti-Malware.
- Click the History tab.
- Click Application Logs and double-click the newest Scan Log.
- At the bottom click Export and choose Text file.
- Save the file to your desktop and include its content in your next reply.

Bobs_your_uncle Posted September 13, 2014 Author ID:878581

Thanks TwinHeadedEagle,

Please see the following log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/2/2014
Scan Time: 4:33:41 AM
Logfile: MWB.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.02.03
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Cyrious

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 444840
Time Elapsed: 25 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, Quarantined, [4b4ed7f2fc7fd95d82332d91cc377f81]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Thank you

TwinHeadedEagle Posted September 13, 2014 ID:878589

Okay, let's scan deeper:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Bobs_your_uncle Posted September 14, 2014 Author ID:878826

Here we are, please see attached

Thanks

Addition.txt
FRST.txt

TwinHeadedEagle Posted September 14, 2014 ID:878837

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on icon and select Run as Administrator to start the tool. (XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Bobs_your_uncle Posted September 16, 2014 Author ID:879374

Everything ran well! Log attached.

B

Fixlog.txt

TwinHeadedEagle Posted September 16, 2014 ID:879514

How is your PC now?

Bobs_your_uncle Posted September 16, 2014 Author ID:879599

More to come, can we let it bake for a couple of days? It used to come back around that time after being "cleaned".

Thanks man

TwinHeadedEagle Posted September 16, 2014 ID:879617

Okay, keep me updated

Bobs_your_uncle Posted September 20, 2014 Author ID:880973

I just ran another scan to see if anything popped up and it's back.

Whatcha think?

Thx
B

Root Admin AdvancedSetup Posted September 20, 2014 ID:881035

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Root Admin AdvancedSetup Posted September 21, 2014 ID:881547

Topic reopened per request

TwinHeadedEagle Posted September 21, 2014 ID:881549

Bump the topic when you're ready

Bobs_your_uncle Posted September 22, 2014 Author ID:881626

ttt !

Thanks again for the help, it's back again; what could we try from here?

Bobs_your_uncle Posted September 22, 2014 Author ID:881627

T.H.E. is it possibly this simple?

http://en.wikipedia.org/wiki/PUM.bad.proxy

WP is saying basically change the proxy setting in IE. Don't know if I buy into it's that simple, what do you think?

Thanks

TwinHeadedEagle Posted September 22, 2014 ID:881688

Can I see MalwareBytes' latest scan?

Bobs_your_uncle Posted September 23, 2014 Author ID:882026

last scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/19/2014
Scan Time: 8:53:11 PM
Logfile: MWB.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.20.01
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: support

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 459040
Time Elapsed: 26 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, Quarantined, [2f56a649eb90eb4b0858d80040c304fc]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

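The detection line that appears in both scan logs above, parsed in Python as an added example (not posted by anyone in this thread, and not Malwarebytes or FRST code): it splits the line into registry key, value name and ProxyServer data, flags proxies that point at a loopback address, and checks that both scans reported the same setting. Function and field names are the example's own, and the trailing bracketed value is treated as an opaque token.

```python
import ipaddress
import re

# Detection line from the 9/2 and 9/19 logs above (they differ only in the last token).
SCAN_0902 = (r"PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0"
             r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, "
             r"http=127.0.0.1:5577, Quarantined, [4b4ed7f2fc7fd95d82332d91cc377f81]")
SCAN_0919 = SCAN_0902.replace("4b4ed7f2fc7fd95d82332d91cc377f81",
                              "2f56a649eb90eb4b0858d80040c304fc")
LINE = re.compile(r"^(?P<name>[^,]+), (?P<key>[^|]+)\|(?P<value>[^,]+), "
                  r"(?P<data>.+), (?P<action>\w+), \[(?P<token>[0-9a-f]+)\]$")

def parse_proxy_server(data):
    """Split ProxyServer data ('host:port' or 'http=h:p;https=h:p') by scheme."""
    proxies = {}
    for part in filter(None, data.split(";")):
        scheme, sep, endpoint = part.partition("=")
        if not sep:  # bare form: one proxy for every scheme
            scheme, endpoint = "*", part
        host, colon, port = endpoint.rpartition(":")
        if not colon:  # no port given
            host, port = endpoint, ""
        proxies[scheme.lower()] = (host, int(port) if port else None)
    return proxies

def parse_detection(line):
    """Parse one detection line into its fields (field names are this example's)."""
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError("not a registry-value detection line")
    det = m.groupdict()
    det["hive"], det["subkey"] = det["key"].split("\\")[:2]
    det["proxies"] = parse_proxy_server(det["data"])
    return det

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a name, not an IP literal
        return host.lower() == "localhost"

def loopback_proxies(det):
    """Return (scheme, port) for every proxy that points back at this machine."""
    return [(s, p) for s, (h, p) in det["proxies"].items() if is_loopback(h)]

def same_setting(a, b):
    """True when two scans flagged the identical key, value name and data."""
    return all(a[k] == b[k] for k in ("key", "value", "data"))
```
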
TwinHeadedEagle Posted September 23, 2014 ID:882203

Let's run one more FRST fix:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on icon and select Run as Administrator to start the tool. (XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Bobs_your_uncle Posted September 23, 2014 Author ID:882424

Yes sir, and thank you

Fixlog.txt

TwinHeadedEagle Posted September 23, 2014 ID:882447

Do you see a file named Proxy at C:\ ? If you see it, please attach it.

Bobs_your_uncle Posted September 24, 2014 Author ID:882680

Nope, no proxy file.

Avast, Spybot, MS Security Essentials (though not getting updates) all don't detect anything. Have also run RogueKiller, JRT, HijackThis in hope to remove. I have not tried ComboFix.

TwinHeadedEagle Posted September 24, 2014 ID:882694

It was my error:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on icon and select Run as Administrator to start the tool. (XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply. Then attach file found on your C drive.

fixlist.txt

Bobs_your_uncle Posted September 26, 2014 Author ID:883247

No problem, here is the result

Fixlog.txt

TwinHeadedEagle Posted September 26, 2014 ID:883459

It appears that there is no such line that MalwareBytes is reporting. Run Scan again and tell me, does MalwareBytes pick it up again?
