Proxy server; unable to load websites

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by webbyte, Sep 6, 2014.

  1. webbyte

    webbyte Private E-2

    Several problems with computer. Proxy server keeps appearing in Internet Explorer, unable to access websites, unable to add printer.

    Windows 8.1, two users, both Administrators. Ran Malwarebytes under both userids and initially identified and quarantined items but logs don't appear to have any info in them. Items are still in quarantine.

    Was able to uninstall toolbars and other adware programs via Uninstall but can't uninstall Snap.do Engine.

    Attached are logs of scans.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3709238265-1662038314-1514808746-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51797;https=127.0.0.1:51797 -> FOUND
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3709238265-1662038314-1514808746-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51797;https=127.0.0.1:51797 -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these on the tasks tab please...

    • [Suspicious.Path] Digital Sites.job -- C:\Users\Brandon\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
    • [Suspicious.Path] {BB8C73F4-AA04-43BD-8F42-3FFEB4B43919}.job -- C:\Users\Brandon\AppData\Local\9bc017df-a7d3-49cf-9642-706286e3e04cad\bcdfadcfeecad.exe -> FOUND
    • [Suspicious.Path] \\4701 -- wscript.exe (C:\Users\Tammy\AppData\Local\Temp\launchie.vbs //B) -> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Now re-run Hitman and have it remove all that it sees.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Files
    C:\ProgramData\65b2ca5afb93f002
    C:\ProgramData\KKinggCouponu
    C:\ProgramData\RouyaelSShooppoeirApP
    C:\ProgramData\ShoppingDealFactory
    C:\Users\Brandon\AppData\Local\9bc017df-a7d3-49cf-9642-706286e3e04cad\bcdfadcfeecad.exe
    C:\Users\Brandon\AppData\Roaming\DIGITA~1
    C:\Users\Tammy\AppData\Local\Temp\launchie.vbs 
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
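    As an added defender-side example (not from this thread, RogueKiller or OTM), the PowerShell below audits the two indicators the fix above targets: a per-user Internet Settings ProxyServer value that points at loopback, and scheduled tasks whose action runs out of AppData or Temp. It assumes an elevated PowerShell on Windows 8.1 or later with the ScheduledTasks module, and only reports; it removes nothing.

```powershell
# Added example: audit per-user proxy settings and scheduled-task actions.
# Assumes an elevated PowerShell on Windows 8.1+ (ScheduledTasks module).

function Get-UserProxySettings {
    # Walk every loaded user hive under HKEY_USERS (skips .DEFAULT and *_Classes)
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Sid         = $sid
                ProxyEnable = $p.ProxyEnable
                ProxyServer = $p.ProxyServer
                AutoConfig  = $p.AutoConfigURL
                # A proxy bound to loopback (e.g. 127.0.0.1:51797 in the thread)
                # means a local process is intercepting the browser's traffic.
                Suspicious  = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')
            }
        }
}

function Get-SuspiciousTaskActions {
    # Flag any task whose executable or arguments live under a profile's AppData or Temp,
    # the pattern behind the .job entries RogueKiller reported above.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '\\AppData\\(Local|Roaming)\\|\\Temp\\') {
                [PSCustomObject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

Get-UserProxySettings      | Format-Table -AutoSize
Get-SuspiciousTaskActions  | Format-Table -AutoSize
```

    Run it once per machine rather than per logged-in user: it reads every loaded hive, which sidesteps the per-account differences reported later in this thread.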
  3. webbyte

    webbyte Private E-2

    Attached are logs as requested.

    Using Rogue Killer when deleting PUM.Proxy - got ERROR2 on second in list but when running Hitman Pro, the proxy entry showed there so chose repair option for that item. Chose delete for all other items in Hitman Pro.

    While rebooting after running OTM got error: system encountered error and is collecting data 0xc00021a, but reboot proceeded normally after that and computer started up okay.

    Snap.Do Engine is still listed in Programs/Uninstall a Program. Prior to running the cleanup steps you provided had attempted to uninstall it several times but clicking Uninstall didn't do anything, no error, nothing displayed. I haven't tried to uninstall it since.

    In Internet Explorer under Manage Add Ons - raeaoldeaL and PngViewer are still listed. They are disabled but when I select either one, the only option is to Enable it, there is no option to remove.

    The computer seems to be running okay otherwise.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman again please, it still shows things pending deletion, I just want to be sure. Attach the log when done.

    Same for RogueKiller, new scan (only a scan) and attach log.

    Are you sure about Snap.do? The latest logs do not have it listed. You could always try Revo Uninstaller or the Windows Installer Cleanup Utility.
     
  5. webbyte

    webbyte Private E-2

    Here are latest RogueKiller and Hitman Logs

    Checked Snap.do Engine and it is still showing in Uninstall Programs. Clicked on it and nothing happened. After you've confirmed the above logs are clear, I'll try Revo Uninstaller or Windows Installer Cleanup.

    Do you recommend any browser link scanners, e.g., Web of Trust.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please do. Let me know. If one does not work, try the other.

    They can sometimes slow you down a bit, but Web of Trust should be okay.
     
  7. webbyte

    webbyte Private E-2

    RevoUninstaller found Snap.do under an Uninstall key in the registry. Deleted the key and 5 sub-keys and it is now gone from Uninstall Programs.

    Anything else I need to do?
     
  8. webbyte

    webbyte Private E-2

    Found Snap.do Engine in Uninstall Programs for the 2nd user so ran Revo Uninstaller to delete it from that user also. The reference was in an HKCU key.

    Ran Rogue Killer and Hitman Pro from 2nd user and am attaching logs. Is there additional clean-up to be done?

    There is a program called Rocket installed on the computer. Haven't been able to find out what it is. Since the cleanup, both the desktop and task bar icons for Rocket have changed to a generic icon but under Apps on Windows 8 Start Screen the correct icon is appearing. The program is AppData-Local-Rocket-Application-rocket.exe. All of the other desktop and taskbar icons look correct.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :reg
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.3gp\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.aac\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.avi\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.mov\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.mp3\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.mp4\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.mpeg\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.mpg\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.wav\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.wma\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Classes\.wmv\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Microsoft\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SnapDo.exe]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.3gp\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.aac\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.avi\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.mov\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.mp3\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.mp4\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.mpeg\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.mpg\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.wav\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.wma\newp.backup]
    [-HKU\S-1-5-21-3709238265-1662038314-1514808746-1002_Classes\.wmv\newp.backup]
    
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Reset Google Chrome to defaults

    Hmm, not seeing any signs of anything called rocket. Let's do this:

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      rocket.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now reboot the machine and re-run a scan with Hitman and attach the log. Let me know about Rocket.
     
  10. webbyte

    webbyte Private E-2

    Here are the latest logs.

    I ran all these scans under the same user account but seems like there are different results depending on which user logged in as, even though right clicking and selecting Run As Administrator.

    The program Rocket appeared in earlier Hitman Pro logs under Malware so don't know whether one of the cleanup steps tried to remove it. In addition to icon showing on desktop/Start Menu Apps, program name is showing in Uninstall Program but the icon is generic. Should I try uninstall through Uninstall Program or via Revo Uninstaller?
     


  11. webbyte

    webbyte Private E-2

    For comparison, here is Hitman Pro log run from 2nd user account.

    Before running Hitman Pro scan, ran OTM under 1st user account, per instructions, but did not run it again under 2nd account but did complete instructions for resetting Google Chrome browser under both accounts.
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What happens when you just try and delete C:\Users\Brandon\AppData\Local\Rocket :confused
     
  13. webbyte

    webbyte Private E-2

    Sorry for the confusion but didn't want to delete anything without your instruction.

    In addition to rocket.exe, there were other files in the AppData-Local-Rocket-Application folder plus there was AppData-Local-Rocket-User folder and desktop icons.

    Just uninstalled Rocket through Uninstall a Program and it removed AppData-Local-Rocket-Application folder and desktop icons but didn't remove AppData-Local-Rocket-UserData so I manually deleted it.

    Is there additional clean-up to be done?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Strange, as nothing at all rocket related was showing in your logs as an installed program.

    How are things running? I wasn't seeing anything else to do. :)
     
  15. webbyte

    webbyte Private E-2

    Computer seems to be running okay right now.

    If nothing needs to be done, I'll delete the tools used for clean-up, reset UAC and enable antivirus.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
