Help Removing Proxy Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by marie95, Sep 6, 2017.

  1. marie95

    marie95 Private E-2

    I need help removing a hijacker off of my daughter's laptop. Malwarebytes found "PUM.Optional.ProxyHijacker". It was quarantined, but it still shows up and is causing her computer lots of problems (slow, internet connection problems, closing of programs, redirecting to other websites, etc.).
    Attached are the logs for Malwarebytes, AdwCleaner, RogueKiller, Hitman and MG.
    Thank you for all your help.
     

    Attached Files:

  2. marie95

    marie95 Private E-2

    Forgot to mention the computer takes about 5 minutes to turn on. My daughter doesn't remember exactly when this started, but it's been about a month with problems.
     
    Last edited: Sep 6, 2017
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser are you using?
     
  4. marie95

    marie95 Private E-2

    She was using Chrome. When she started having all the problems she thought it was Chrome, so she switched to Firefox this last week.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  6. marie95

    marie95 Private E-2

    OK. Changed the proxy setting in Chrome to automatically detect settings.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did that work? And Firefox?
     
  8. marie95

    marie95 Private E-2

    Yes, it did. Because Chrome is her default, Firefox won't allow me to change proxies. But overall it seems quicker, and I restarted it a couple of times and it started within 1 minute. I'll have her use the computer for a while and see what she thinks. If there are any other kinks I'll let you know.
    So it wasn't malware?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, in a way it was malware... a browser hijacker. Glad it is working now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  10. marie95

    marie95 Private E-2

    Ok, got it. Did all of the above. Thank you very very much!
    Have a great Day.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.
     
  12. marie95

    marie95 Private E-2

    Is there a reason why the proxy settings would change themselves back to manual on their own? After I restarted the computer I checked the settings just to make sure, and they were back to manual settings with an address typed into the box. This is after I switched it to automatic.
     
  13. marie95

    marie95 Private E-2

    This is what is in the box after "Manual proxy": http=127.0.0.1:64550;https=127.0.0.1:64550.
    It doesn't matter if I delete it; it appears again after restart.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Last edited: Sep 8, 2017
  15. marie95

    marie95 Private E-2

    OK, I reset Chrome to defaults and attached is the MBAM log.
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :reg
    [HKU\S-1-5-21-2551970125-1638256982-2850799092-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER]
    [HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE]
    [HKU\S-1-5-21-2551970125-1638256982-2850799092-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE]
    [HKU\S-1-5-21-2551970125-1638256982-2850799092-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER]
    [HKU\S-1-5-21-2551970125-1638256982-2850799092-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE]
    [HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE]
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Then rerun MBAM and attach that log as well.
     
  17. marie95

    marie95 Private E-2

    OK, I did as you asked. OTL might not have run properly because Avira kept interrupting. If I did this wrong let me know, I'll try it again.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to disable Avira before you run OTL, please.
     
  19. marie95

    marie95 Private E-2

    Here are the new logs. After I ran OTL (with Avira off), when I rebooted it encountered an error, but it fixed itself. I don't know if that makes a difference.
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OTL didn't do what I wanted it to do, but MBAM is clean. How are things running?
     
  21. marie95

    marie95 Private E-2

    Fine for a bit. I reran MBAM and the results were different this time.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap....disable your AV software and try to run Hitman again.
     
  23. marie95

    marie95 Private E-2

    Hitman, not OTL?
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap .... rerun RogueKiller and have it fix everything it found. My bad.
     
  25. marie95

    marie95 Private E-2

    I ran RogueKiller and fixed everything it found. The same proxy hijacker things were included in the fix, and a couple of other things too.
    All went well, but the hijacker still shows up on MBAM.
     
  26. marie95

    marie95 Private E-2

    Besides quarantining them, am I supposed to delete them too? Is that what I'm doing wrong?
     
  27. marie95

    marie95 Private E-2

    Here is the latest MBAM log
     

    Attached Files:

  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Delete them from MBAM, rerun RogueKiller and attach a new log, please.
     
  29. marie95

    marie95 Private E-2

    OK, I did as you asked. I deleted the quarantined objects. I disabled Avira and ran RogueKiller. I didn't fix anything, just retrieved the log.
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK, have RogueKiller remove everything it found. Reboot. Rescan with RogueKiller and attach the new log.
     
  31. marie95

    marie95 Private E-2

    Here it is. Sorry for the long delays; it takes RogueKiller a long time to scan.
     

    Attached Files:

  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This may seem complicated, but it isn't. Please right-click on the Start menu and click on Run. Type in regedit. When the registry opens, expand the "HKEY_CURRENT_USER" hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.

    View the contents of the Internet Settings folder in the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change the value to 0. Click OK. Click on File and Exit.

    Reboot and rescan with RogueKiller and attach a new log, please.
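The regedit steps above flip one value by hand; the script below, added here as an editor's example and not part of the thread or of any MajorGeeks tool, does the same audit and reset from PowerShell and adds the check a responder would want for the entry from post 13 (http=127.0.0.1:64550;https=127.0.0.1:64550): a proxy on 127.0.0.1 means a program on the laptop itself is sitting between the browser and the network, and the process listening on that port is the one to uninstall. It also shows why Firefox was affected in post 8, since Firefox defaults to "Use system proxy settings" and so reads the same registry values. The registry path is the one the post walks through; the function names, the -Fix switch and the script file name are this example's own, and Get-NetTCPConnection needs Windows 8 or later.

```powershell
# Added example (not from the thread): audit the per-user WinINET proxy values that the
# regedit steps above edit, flag a loopback proxy such as 127.0.0.1:64550, show which
# process owns that port, and optionally reset the values.
# Usage from an elevated PowerShell:   .\Check-Proxy.ps1        # audit only
#                                      .\Check-Proxy.ps1 -Fix   # audit, then reset
[CmdletBinding()]
param([switch]$Fix)

# Same key the post navigates to in regedit (HKCU hive of the logged-on user).
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    # Values that decide whether IE/Edge, Chrome and Firefox (in "use system proxy"
    # mode) route traffic through a proxy. AutoConfigURL is read too because a PAC
    # file is the other common way a hijacker redirects traffic.
    $p = Get-ItemProperty -Path $ProxyKey
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = [string]$p.ProxyOverride
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function ConvertFrom-ProxyServer([string]$Value) {
    # ProxyServer is either "host:port" (one proxy for every protocol) or a
    # ';'-separated list of "scheme=host:port" pairs, exactly the form seen in post 13:
    # "http=127.0.0.1:64550;https=127.0.0.1:64550".
    foreach ($entry in ($Value -split ';' | Where-Object { $_ })) {
        $scheme = 'all'; $addr = $entry
        if ($entry -match '^([a-z]+)=(.+)$') { $scheme = $Matches[1]; $addr = $Matches[2] }
        $hostPart, $portPart = $addr -split ':', 2
        [pscustomobject]@{ Scheme = $scheme; Host = $hostPart; Port = [int]$portPart }
    }
}

function Find-LoopbackProxy {
    $state = Get-ProxyState
    Write-Host ("ProxyEnable={0} ProxyServer='{1}' AutoConfigURL='{2}'" -f
        $state.ProxyEnable, $state.ProxyServer, $state.AutoConfigURL)
    foreach ($ep in ConvertFrom-ProxyServer $state.ProxyServer) {
        if ($ep.Host -notin @('127.0.0.1', 'localhost', '::1')) { continue }
        # A loopback proxy means a local program reads every HTTP(S) request the
        # browser makes. The owner of the listening socket is the program to remove.
        $owner = '(nothing listening on that port right now)'
        $conn = Get-NetTCPConnection -LocalPort $ep.Port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($conn) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if ($proc) { $owner = "$($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)" }
        }
        Write-Warning "Loopback proxy for $($ep.Scheme): $($ep.Host):$($ep.Port), owned by $owner"
    }
}

function Reset-Proxy {
    # Same change as the regedit steps (ProxyEnable -> 0), plus clearing the server
    # and PAC values so a later flip back to 1 cannot silently re-arm the old address.
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $ProxyKey -Name $name -ErrorAction SilentlyContinue
    }
    Write-Host 'Proxy disabled. Reboot and run this script again: if the values are back,'
    Write-Host 'an installed program (Run key entry, scheduled task or service) is rewriting them.'
}

Find-LoopbackProxy
if ($Fix) { Reset-Proxy }
```

Run the audit once before the reset and again after the reboot the post asks for. If the loopback entry returns, the process named in the warning (or, if nothing is listening yet, whatever starts with the user's session) is the persistence the thread later traces to an installed application, and uninstalling it is the fix; editing the value alone only treats the symptom.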
     
  33. marie95

    marie95 Private E-2

    did as you asked, here is the new log
     

    Attached Files:

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know if it comes back.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it does come back, it may be due to having SmartApp installed. I'm pretty sure this proxy setting is due to it.
     
  36. marie95

    marie95 Private E-2

    Thank you so much.
    Especially for staying and helping me for such a long time. I told my daughter about SmartApp; she will uninstall/delete it. It makes sense too: when you had me go into regedit and I made the changes, as I closed that, the SmartApp box became a black box.
    Again, thank you for your time
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
