Windows XP ProxyServer Proxy Server keeps coming back malware infected registry changes at startup

I thought I was pretty good at cleaning malware, but I am stumped by this one.

Most everything I run says the machine (Dell laptop) is clean, EXCEPT for HitmanPro - that's a great app that I rarely see mentioned. It says there is a proxy server (127.0.0.1:59274) on the machine (see image below). It doesn't consider this a threat, but still - what's causing this!? If you look at Internet settings / connections, it does NOT show a proxy is set. I can have HitmanPro remove that (I found a couple of keys in the registry that have this proxy info - .default user and S-1-5-18 user - see below also). If I re-run HitmanPro, it says there's no proxy. Reboot and those 2 registry keys come back! And again, Hitman is the only one that catches this. I tried telnet 127.0.0.1:59274, but don't get a response. You can surf the web with or without this proxy set. And Hitman doesn't consider it a threat. I'd write it off as a false positive, except it keeps coming back. So there IS something setting those registry keys at restart (not log off / log back on). I thought about a .reg script to remove those 2 at startup (assuming they get created before my script would run). But that seems like a kludge.

Any advice?

Some of the other apps that don't find anything that could be causing this include:
MalwareBytes
SuperAntispyware
ESET online scanner
Housecall online scanner
Sophos rootkit finder
Microsoft Security Essentials
Spyware Doctor

Any other ways to try to find what's causing this registry key to return?  They have AIM set for startup, which I turned off, along with other apps.  But even with them off, those 2 registry keys keep coming back.

Thanks!

Hitman says there's a proxy but it's not a threat?

1 reg key before cleaning with Hitman - see the proxy server entry?

And this is S-1-5-18 after cleaning - no proxy server.

Default user registry hive with the proxy server. Hitman removes it from here also.
INeedYourHelp00Asked:

edbedbCommented:
I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
INeedYourHelp00Author Commented:
ComboFix 10-12-26.01 - Brando 12/27/2010  18:54:38.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3546.2933 [GMT -5:00]
Running from: c:\documents and settings\Brando\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\program files\Shared
c:\windows\system32\Oeminfo.ini

.
(((((((((((((((((((((((((   Files Created from 2010-11-27 to 2010-12-27  )))))))))))))))))))))))))))))))
.

2010-12-27 05:11 . 2009-08-07 00:23      215920      ----a-w-      c:\windows\system32\muweb.dll
2010-12-27 04:40 . 2010-12-27 20:59      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-12-27 04:33 . 2010-12-27 20:30      --------      d-----w-      c:\documents and settings\All Users\Application Data\PC Tools
2010-12-27 00:29 . 2010-12-27 00:29      --------      d-----w-      c:\documents and settings\LogMeInRemoteUser
2010-12-24 16:32 . 2010-12-27 01:03      --------      d-----w-      c:\program files\Sophos
2010-12-24 15:55 . 2010-12-24 15:55      --------      d-----w-      c:\program files\Common Files\Adobe
2010-12-24 15:50 . 2010-12-24 15:50      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\Secunia PSI
2010-12-24 15:50 . 2010-12-24 15:50      --------      d-----w-      c:\program files\Secunia
2010-12-24 15:10 . 2010-12-24 15:10      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\LogMeIn
2010-12-24 15:10 . 2010-12-08 18:12      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-24 15:10 . 2010-12-08 18:11      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-24 15:10 . 2010-12-08 18:11      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-24 15:10 . 2010-09-17 20:40      47640      ----a-w-      c:\windows\system32\drivers\LMIRfsDriver.sys
2010-12-24 15:10 . 2010-12-08 18:11      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-12-24 15:10 . 2010-12-27 08:05      --------      d-----w-      c:\documents and settings\All Users\Application Data\LogMeIn
2010-12-24 15:10 . 2010-12-27 00:29      --------      d-----w-      c:\program files\LogMeIn
2010-12-24 15:09 . 2010-12-24 15:09      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\Deployment
2010-12-24 15:07 . 2010-12-24 15:07      174142      ----a-w-      C:\cc_20101224_100733.reg
2010-12-24 15:06 . 2010-11-10 01:33      6273872      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C949A5D-50E3-48CB-B38B-B42114EE284A}\mpengine.dll
2010-12-24 15:06 . 2010-10-19 20:51      222080      ------w-      c:\windows\system32\MpSigStub.exe
2010-12-24 15:02 . 2010-12-24 15:02      --------      d-----w-      c:\program files\Microsoft Security Client
2010-12-24 15:02 . 2010-12-24 15:02      --------      d-----w-      c:\program files\Common Files\Java
2010-12-24 15:02 . 2010-12-24 15:02      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-12-24 15:02 . 2010-12-24 15:02      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2010-12-23 02:30 . 2010-12-23 02:30      --------      d-----w-      c:\program files\ESET
2010-12-23 02:27 . 2010-12-20 23:09      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-23 02:27 . 2010-12-20 23:08      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-23 02:27 . 2010-12-23 02:27      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-12-23 02:25 . 2010-12-27 21:36      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2010-12-23 02:24 . 2010-12-23 02:24      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-20 03:55 . 2010-12-20 03:55      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-14 21:47 . 2010-11-02 15:17      40960      -c----w-      c:\windows\system32\dllcache\ndproxy.sys
2010-12-14 21:46 . 2010-10-11 14:59      45568      -c----w-      c:\windows\system32\dllcache\wab.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-04-25 21:27      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2008-04-25 16:16      832512      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2008-04-25 16:16      78336      ----a-w-      c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2008-04-25 16:16      1830912      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2008-04-25 16:16      17408      ----a-w-      c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2008-04-25 16:16      389120      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-25 16:16      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-25 16:16      290048      ----a-w-      c:\windows\system32\atmfd.dll
2010-10-26 13:27 . 2008-04-25 16:16      1862272      ----a-w-      c:\windows\system32\win32k.sys
2010-10-25 02:25 . 2010-10-25 02:25      165264      ----a-w-      c:\windows\system32\drivers\MpFilter.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-23 39408]
"Aim"="c:\program files\AIM\aim.exe" [2009-10-05 3634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-08 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-09 466944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2010-12-21 291896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-13 16:24      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{FA0F0A01-4631-4161-A6C2-948BF694382E}\\setup\\hpznui01.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [6/23/2009 11:01 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 7:04 AM 987704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/1/2009 1:45 AM 108160]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [5/1/2009 1:45 AM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [5/1/2009 1:45 AM 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [5/1/2009 1:45 AM 268992]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [5/1/2009 1:45 AM 160256]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B4.tmp --> c:\windows\system32\B4.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 12872]
S4 Viewpoint Manager Service;Viewpoint Manager Service; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GOTOASSIST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
HPService      REG_MULTI_SZ         HPSLPSVC
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-12-27  18:59:24
ComboFix-quarantined-files.txt  2010-12-27 23:59

Pre-Run: 292,534,210,560 bytes free
Post-Run: 292,636,323,840 bytes free

- - End Of File - - CD31B56DB985817EAC699A6592891B5E
INeedYourHelp00Author Commented:
I ran ComboFix, posted the log, see that it deleted some things, but ran HitmanPro again and same situation - it sees the proxy entries, deletes them and then after reboot, the proxy entries are back in place :(


edbedbCommented:
You might be able to find the culprit with Process Monitor.
http://technet.microsoft.com/en-us/sysinternals/bb896645

If you can find where the key was changed it will show the process that did it.
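One way to act on this advice, as an added example that is not from the thread, from Sysinternals or from any of the tools named above: a Python script that reads a Process Monitor CSV export (File > Save, CSV format, default columns) and reports which process and PID wrote any of the WinINet proxy values under an Internet Settings key, per registry hive, so a write into HKU\.DEFAULT or HKU\S-1-5-18 is attributed to its writer. Since the write happens during startup, the capture is best taken with Procmon's boot logging (Options > Enable Boot Logging) and then exported after the reboot. The column names are Procmon's default export columns; the sample rows, the process name updater-placeholder.exe, the PIDs and the timestamps are constructed for this example and are not findings from the thread.

```python
"""Attribute WinINet proxy registry writes to a process using a Procmon CSV export.

Added example, not from the thread. Workflow assumed:
  1. In Procmon, filter on Operation is RegSetValue and Path contains "Internet Settings".
  2. Options > Enable Boot Logging, reboot, then File > Save as CSV with the default columns.
  3. python procmon_proxy_writes.py boot.csv   (no argument runs the built-in sample below)
"""
import csv
import io
import re
import sys
from collections import defaultdict

# Per-profile WinINet proxy values that a hijacker, or a badly behaved updater, would set.
PROXY_VALUE_NAMES = {"ProxyServer", "ProxyEnable", "ProxyOverride", "AutoConfigURL"}
WRITE_OPERATIONS = {"RegSetValue", "RegCreateKey", "RegDeleteValue"}
DETAIL_DATA_RE = re.compile(r"Data:\s*(.*)$")

# Constructed sample of a Procmon CSV export with its default columns. The process
# name "updater-placeholder.exe", the PIDs and the timestamps are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:01:02.1234567 PM","svchost.exe","1044","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swg","SUCCESS","Type: REG_SZ, Length: 120, Data: c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"6:01:03.2345678 PM","updater-placeholder.exe","1588","RegSetValue","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS","Type: REG_SZ, Length: 32, Data: 127.0.0.1:59274"
"6:01:03.2345901 PM","updater-placeholder.exe","1588","RegSetValue","HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS","Type: REG_SZ, Length: 32, Data: 127.0.0.1:59274"
"6:01:03.2346000 PM","updater-placeholder.exe","1588","RegSetValue","HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"6:01:04.0000000 PM","explorer.exe","1200","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def registry_hive(path):
    """Return the hive a registry path belongs to; for HKU include the profile (SID or .DEFAULT)."""
    parts = path.split("\\")
    if parts[0].upper() == "HKU" and len(parts) > 1:
        return parts[0] + "\\" + parts[1]
    return parts[0]


def find_proxy_writes(rows):
    """Keep only registry writes that touch a proxy value under an Internet Settings key."""
    hits = []
    for row in rows:
        if row["Operation"] not in WRITE_OPERATIONS:
            continue
        path = row["Path"]
        if "Internet Settings" not in path:
            continue
        value_name = path.rsplit("\\", 1)[-1]  # last path component is the value name
        if value_name not in PROXY_VALUE_NAMES:
            continue
        match = DETAIL_DATA_RE.search(row["Detail"])
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "operation": row["Operation"],
            "hive": registry_hive(path),
            "value": value_name,
            "data": match.group(1).strip() if match else "",
        })
    return hits


def summarize_by_process(hits):
    """Group hits by (process name, PID); whatever shows up here is the writer to investigate."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[(hit["process"], hit["pid"])].append(hit)
    return dict(grouped)


def report(text):
    """Build the human-readable report lines for one CSV export."""
    lines = []
    summary = summarize_by_process(find_proxy_writes(parse_procmon_csv(text)))
    for (proc, pid), writes in summary.items():
        lines.append(f"{proc} (PID {pid}) wrote {len(writes)} proxy value(s):")
        for w in writes:
            lines.append(f"  {w['time']}  {w['operation']}  {w['hive']}  {w['value']} = {w['data']}")
    return lines


if __name__ == "__main__":
    # utf-8-sig tolerates a byte-order mark at the start of the export
    source = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_PROCMON_CSV
    print("\n".join(report(source)) or "no proxy writes found")
```

The report names the writer and the hive for every proxy value it touched, which is the information needed to decide whether the writer is a legitimate program (as turned out to be the case further down in this thread) or something to remove; either way the next step is to look at that process's image path and its own startup entry rather than at the registry values it keeps recreating.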

INeedYourHelp00Author Commented:
Process Monitor shows what's running, right? I don't think anything is running on an ongoing basis. Maybe a script at startup?

You say "If you can find where the key was changed it will show the process that did it."

Where - as in when during the startup process? Or something else?

What watches the registry (at startup) - it has to be running right at the start!?
INeedYourHelp00Author Commented:
All else fails, read the directions. I see I misunderstood Procmon. Trying that now.
INeedYourHelp00Author Commented:
Damn it!  Damn it!  Damn it!

Secunia PSI makes that entry! I'm trying to make sure everything's up to date and it goes and gives me something to have to chase after! Interesting - another machine I am working on, also with Secunia, doesn't have that proxy entry. Different version of XP though.