
PUM.bad.proxy and proxy settings


  • This topic is locked
17 replies to this topic

#1 rr19991029

rr19991029

  • Members
  • 8 posts

Posted 26 September 2014 - 05:58 AM

Hi

Having a similar problem to one posted on here earlier by another member.

Laptop running Windows 8.1 64bit

Proxy settings keep being reset to http=127.0.0.1:9880;https=127.0.0.1:9880

A Malwarebytes scan reports PUM.bad.proxy but even though it picks it up, it doesn't remove it and it just comes back.

I've tried other tools, again without success.

Tried downloading and running DDS but it complains that it can't run in compatibility mode.

So I've tried Farbar and got the text files that I've attached

Hope someone can help with this as it's a friend's laptop and she really needs it fixed.

Thanks Robin

 

Attached File  FRST.txt   71.36KB   4 downloads

Attached File  Addition.txt   30.26KB   2 downloads





#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • Gender:Male
  • Location:Easter Island, Chile.

Posted 26 September 2014 - 10:26 AM

Hi. I'm checking your log now and will reply with instructions soon.

#3 Rootk

Posted 26 September 2014 - 11:32 PM

I noticed that you posted the same problem on another forum: https://forums.malwarebytes.org/index.php?/topic/157651-help-pumbadproxy/. You will have to request them to close it in order to be able to help you. Please post back once that thread is closed.

#4 rr19991029

Posted 27 September 2014 - 04:10 AM

Hi

Sorry about that, I've asked them to close that request.

Robin

#5 Rootk

Posted 30 September 2014 - 01:39 PM

Since it has been a few days since your first post, we will need a fresh FRST log to check the current status of your computer, please do the following:

Run FRST again, check Addition.txt, press Scan and attach both reports.

#6 rr19991029

Posted 01 October 2014 - 07:36 AM

Hi

Fresh scan files attached

Attached File  FRST.txt   71.59KB   2 downloads

Attached File  Addition.txt   30.65KB   1 downloads



#7 Rootk

Posted 01 October 2014 - 01:54 PM

Do you recognize this folder/program?

C:\Program Files (x86)\RixesEbs\

If not, go to Virustotal
Click the 'Choose File' button
Navigate to this file (if you can't find the file, you may need to show the hidden files): C:\Program Files (x86)\RixesEbs\RixesEbs.exe
Click on the Open button
Click on the Scan it! button
Do the same for C:\Program Files (x86)\RixesEbs\HttpsProxy.exe and C:\Program Files (x86)\RixesEbs\RixesEbsHelper.exe
Copy and paste the results into your next reply.

Next, follow these steps:

1.- Open Notepad. Please copy the contents of the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it to your Desktop as fixlist.txt

ShellIconOverlayIdentifiers:  SkyDrive1 -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers:  SkyDrive2 -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers:  SkyDrive3 -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32:  SkyDrive1 -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32:  SkyDrive2 -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32:  SkyDrive3 -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:9880;https=127.0.0.1:9880
SearchScopes: HKLM - {3746836F-4290-4F48-84F7-C18D6F99DFF0} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MAARJS
SearchScopes: HKLM - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}&utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=3cc3984c-c3a4-4e5f-a499-d93e81ab58fd
SearchScopes: HKLM-x32 - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}&utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=3cc3984c-c3a4-4e5f-a499-d93e81ab58fd
SearchScopes: HKCU - {3746836F-4290-4F48-84F7-C18D6F99DFF0} URL = 
SearchScopes: HKCU - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}&utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=3cc3984c-c3a4-4e5f-a499-d93e81ab58fd
SearchScopes: HKCU - {85A60A59-D3D8-468F-B598-FB4393789EF4} URL = https://www.google.com/search?q={searchTerms}
FF Plugin HKCU: @lightspark.github.com/Lightspark;version=1 -> C:\Program Files (x86)\Lightspark 0.5.3-git\nplightsparkplugin.dll No File
FF Extension: No Name - C:\Program Files (x86)\AmiExt\flashEnhancer\ff [Not Found]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
EmptyTemp:
Task: {A962A507-422E-4A33-958A-D27E48120610} - System32\Tasks\SoftPlanet Software Assistant => C:\Program Files (x86)\SoftPlanet Software Assistant\spassist.exe
C:\Program Files (x86)\SoftPlanet Software Assistant\
AlternateDataStreams: C:\ProgramData\Temp:373E1720
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please post it in your reply.


2.- Run FRST again, check Addition.txt, press Scan and attach both reports.

#8 rr19991029

Posted 02 October 2014 - 07:11 AM

Hi

No, I don't know what those programs are.

I've attached screenshots (Snipping Tool) from the Virustotal results

Attached File  Virustotal-RixesEbs.PNG   30.1KB   0 downloads

Attached File  Virustotal-HttpsProxy.PNG   25.16KB   0 downloads

Attached File  Virustotal-RixesEbsHelper.PNG   24.41KB   0 downloads

Here are the FRST log files as well

Attached File  Fixlog.txt   6.39KB   3 downloads

Attached File  FRST.txt   66.38KB   1 downloads

Attached File  Addition.txt   30.26KB   1 downloads

Thanks again

Robin



#9 Rootk

Posted 02 October 2014 - 10:34 PM

Please follow these steps:

1.- Open Notepad. Please copy the contents of the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it to your Desktop as fixlist.txt

R2 RixesEbs; C:\Program Files (x86)\RixesEbs\RixesEbs.exe [2801248 2014-08-26] ()
C:\Program Files (x86)\RixesEbs\RixesEbs.exe
C:\Program Files (x86)\RixesEbs\HttpsProxy.exe
C:\Program Files (x86)\RixesEbs\RixesEbsHelper.exe
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:9880;https=127.0.0.1:9880
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please post it in your reply.

2.- Run FRST again, check Addition.txt, press Scan and attach both reports.

3.- Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the number of the most recent report).
4.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKillerX64.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.
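
The ProxyServer value that the fixlists in this thread reset points both HTTP and HTTPS at 127.0.0.1:9880, a port on the machine itself, so it only works while some local program is listening there. As an added example (not part of the original thread or of any tool used in it), this Python code parses that string format and flags loopback entries; the function names are hypothetical and the tolerance for a `scheme://` prefix is an assumption.

```python
import ipaddress

# First value is the one reported in this thread; the others are constructed samples.
SAMPLES = [
    "http=127.0.0.1:9880;https=127.0.0.1:9880",
    "proxy.corp.example:8080",
    "http=localhost:8888;ftp=10.0.0.5:3128",
]


def parse_proxy_server(value):
    """Split a ProxyServer string into {protocol: (host, port)}.

    A bare "host:port" applies to every protocol and is stored under "all".
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, target = part.partition("=")
        if not sep:                          # no "protocol=" prefix
            proto, target = "all", part
        target = target.split("://", 1)[-1]  # tolerate "http=http://host:port"
        host, _, port = target.rpartition(":")
        if not host:                         # entry without a port
            host, port = target, ""
        host = host.strip("[]").lower()      # "[::1]" -> "::1"
        entries[proto.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return entries


def is_loopback(host):
    """True for localhost and any address in 127.0.0.0/8 or ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # some other hostname
        return False


def loopback_proxies(value):
    """Return [(protocol, host, port)] for entries that point back at this machine."""
    return [(proto, host, port)
            for proto, (host, port) in parse_proxy_server(value).items()
            if is_loopback(host)]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", loopback_proxies(sample) or "no loopback proxy")
```

A non-empty result is the cue to look for the local program behind that port before resetting the value, which matches the order of this fixlist: the RixesEbs service and files are listed ahead of the ProxyEnable and ProxyServer lines.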


#10 rr19991029

Posted 03 October 2014 - 07:28 AM

Files as requested.

 

Attached File  Fixlog.txt   1.26KB   1 downloads

Attached File  FRST.txt   59.75KB   1 downloads

Attached File  Addition.txt   30.2KB   1 downloads

Attached File  AdwCleanerS6.txt   1.57KB   1 downloads

Attached File  RKreport_SCN_10032014_132138.log   5.97KB   2 downloads



#11 Rootk

Posted 04 October 2014 - 10:36 AM

Please follow these steps:

1.- Run Malwarebytes Anti-Malware and do the following:

Click on Scan now.
If an update is available, click Update Now.
A Threat Scan will start.
After scan, if potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.

A window with an option to view the detailed log will appear. Click on View Detailed Log.
After viewing the results, please click on the Copy to Clipboard button > OK.
Paste your log into your next reply.

Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.


2.- Go to the ESET web page and run an online scanner from ESET. (You will need to use Internet Explorer for this scan.)

Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click on Run ESET Online Scanner button.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options below are ticked.
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
Click Start.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
and copy and paste the results here in this topic.

#12 rr19991029

Posted 05 October 2014 - 12:03 PM

Hi there

It's looking good... Malwarebytes scan came back clean

-------------------------------------------------------------------


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/10/2014
Scan Time: 15:33:44
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.05.05
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: user-pc

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382659
Time Elapsed: 16 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

However, I can't run the ESET online scanner. When it opens the pop-up box in IE it only shows the top left-hand corner of the web page, so I can't see a start scan button. I've added a screenshot of this (sorry if it's a bit small)


Attached File  ESET2.jpg   22.14KB   0 downloads



#13 Rootk

Posted 05 October 2014 - 02:50 PM

Let's try a different way. Please do the following:

  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#14 rr19991029

Posted 06 October 2014 - 01:56 PM

Hi

 

I'm going to be away for the next couple of days so may not be able to reply immediately.

 

Attached File  eset.txt   564bytes   1 downloads



#15 Rootk

Posted 06 October 2014 - 08:05 PM

Your log looks clean. How are things running now?





