Windows XP: ProxyServer (proxy server) registry value keeps coming back at startup - malware-infected registry changes?

Last Modified: 2012-06-27
I thought I was pretty good at cleaning malware, but I am stumped by this one.

Most everything I run says the machine (Dell laptop) is clean, EXCEPT for HitmanPro - that's a great app that I rarely see mentioned. It says there is a proxy server (127.0.0.1:59274) on the machine (see image below). It doesn't consider this a threat, but still - what's causing this!? If you look at Internet Settings / Connections, it does NOT show that a proxy is set. I can have HitmanPro remove that (I found a couple of keys in the registry that have this proxy info - the .DEFAULT user and the S-1-5-18 user - see below also). If I re-run HitmanPro, it says there's no proxy. Reboot, and those 2 registry keys come back! And again, HitmanPro is the only one that catches this. I tried telnet 127.0.0.1:59274, but don't get a response. You can surf the web with or without this proxy set. And HitmanPro doesn't consider it a threat.

I'd write it off as a false positive, except it keeps coming back. So there IS something setting those registry keys at restart (not on log off / log back on). I thought about a .reg script to remove those 2 at startup (assuming they get created before my script would run), but that seems like a kludge.

Any advice?

Some of the other apps that don't find anything that could be causing this include:
MalwareBytes
SuperAntispyware
ESET online scanner
Housecall online scanner
Sophos rootkit finder
Microsoft Security Essentials
Spyware Doctor

Any other ways to try to find what's causing this registry key to return?  They have AIM set for startup, which I turned off, along with other apps.  But even with them off, those 2 registry keys keep coming back.

Thanks!

Attached images (captions):
  • HitmanPro says there's a proxy, but it's not a threat?
  • 1 reg key before cleaning with HitmanPro - see the ProxyServer entry?
  • And this is S-1-5-18 after cleaning - no ProxyServer.
  • .DEFAULT user registry hive with the ProxyServer. HitmanPro removes it from here also.
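The two checks the post describes by hand (reading the ProxyServer values in the .DEFAULT and S-1-5-18 hives, and probing 127.0.0.1:59274) scripted so they can be repeated before and after a reboot. This is an added example, not code from the original post or from HitmanPro; it assumes PowerShell 2.0 or later on the XP machine, an administrator session (so HKU\S-1-5-18 is readable), and a snapshot path of C:\proxy-hives.csv. One fact worth knowing when reading the output: HKU\.DEFAULT and HKU\S-1-5-18 are both the LocalSystem account's hive, which is why a proxy set there never shows in the logged-on user's Internet Options but is still picked up by anything running as SYSTEM.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ on XP and an
# administrator session. Only the port number comes from the post; the snapshot
# path and function names are assumptions.
$Port     = 59274
$Snapshot = 'C:\proxy-hives.csv'

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# WinINET proxy values from every hive currently loaded under HKEY_USERS.
# .DEFAULT and S-1-5-18 are the LocalSystem hive; the logged-on user's hive is
# the long S-1-5-21-... SID.
function Get-HiveProxySettings {
    $sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($hive in Get-ChildItem -Path HKU:\) {
        $key = "HKU:\$($hive.PSChildName)\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Hive          = $hive.PSChildName
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            AutoConfigURL = $p.AutoConfigURL
        }
    }
}

# Which process, if any, is listening on the port right now. No telnet answer
# only means nothing was bound at that moment; netstat -ano (present on XP)
# ties a listener to a PID, and Get-Process turns the PID into an image path.
function Get-ListenerForPort([int]$Port) {
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        if ($f[1] -notmatch (':' + $Port + '$')) { continue }
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $path = '<not accessible>'
        if ($proc -and $proc.Path) { $path = $proc.Path }
        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            ProcessId    = $f[4]
            Process      = $path
        }
    }
}

# First run: write a snapshot of the proxy values. After the reboot, run again
# and the script diffs the live values against the snapshot instead.
if (Test-Path -Path $Snapshot) {
    $before = Import-Csv -Path $Snapshot
    # Round-trip the live objects through CSV so both sides compare as strings.
    $after  = Get-HiveProxySettings | ConvertTo-Csv -NoTypeInformation | ConvertFrom-Csv
    Compare-Object $before $after -Property Hive, ProxyEnable, ProxyServer, AutoConfigURL |
        Format-Table -AutoSize
} else {
    Get-HiveProxySettings | Export-Csv -Path $Snapshot -NoTypeInformation
    Get-HiveProxySettings | Format-Table Hive, ProxyEnable, ProxyServer, AutoConfigURL -AutoSize
}

Get-ListenerForPort $Port | Format-Table LocalAddress, ProcessId, Process -AutoSize
```

In the Compare-Object output, `=>` marks values present only after the reboot, i.e. the ones something rewrote. The script only shows that the value came back and whether a listener exists; to catch the writer itself, a Process Monitor boot log (Options > Enable Boot Logging, then filter on Operation is RegSetValue and Path contains "Internet Settings\ProxyServer") records which process and which service or startup entry set the value before any logon happened, which is the case the post describes.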