I thought I was pretty good at cleaning malware, but I am stumped by this one.
Most everything I run says the machine (Dell laptop) is clean, EXCEPT for HitmanPro - that's a great app that I rarely see mentioned. It says there is a proxy server (127.0.0.1:59274) on the machine (see image below). It doesn't consider this a threat, but still - what's causing this!? If you look at Internet settings / connections, it does NOT show a proxy is set. I can have HitmanPro remove that (I found a couple of keys in the registry that have this proxy info - .DEFAULT user and S-1-5-18 user - see below also). If I re-run HitmanPro, it says there's no proxy. Reboot and those 2 registry keys come back! And again, Hitman is the only one that catches this. I tried telnet 127.0.0.1:59274, but don't get a response. You can surf the web with or without this proxy set. And Hitman doesn't consider it a threat. I'd write it off as a false positive, except it keeps coming back. So there IS something setting those registry keys at restart (not log off / log back on). I thought about a .reg script to remove those 2 at startup (assuming they get created before my script would run). But that seems like a kluge.
Some of the other apps that don't find anything that could be causing this include:
ESET online scanner
Housecall online scanner
Sophos rootkit finder
Microsoft Security Essentials
Any other ways to try to find what's causing this registry key to return? They have AIM set for startup, which I turned off, along with other apps. But even with them off, those 2 registry keys keep coming back.