INeedYourHelp00

asked on

Windows XP ProxyServer Proxy Server keeps coming back malware infected registry changes at startup

I thought I'm pretty good at cleaning malware but I am stumped by this one.

Almost everything I run says the machine (Dell laptop) is clean, EXCEPT for HitmanPro - that's a great app that I rarely see mentioned.  It says there is a proxy server (127.0.0.1:59274) on the machine (see image below).  It doesn't consider this a threat, but still - what's causing this!?  If you look at Internet settings / connections, it does NOT show a proxy is set.  I can have HitmanPro remove that (I found a couple of keys in the registry that have this proxy info - the .DEFAULT user and the S-1-5-18 user - see below also).  If I re-run HitmanPro, it says there's no proxy.  Reboot and those 2 registry keys come back!  And again, Hitman is the only one that catches this.  I tried telnet 127.0.0.1:59274, but don't get a response.  You can surf the web with or without this proxy set.  And Hitman doesn't consider it a threat.  I'd write it off as a false positive, except it keeps coming back, so there IS something setting those registry keys at restart (not log off / log back on).  I thought about a .reg script to remove those 2 at startup (assuming they get created before my script would run).  But that seems like a kludge.

Any advice?

Some of the other apps that don't find anything that could be causing this include:
Malwarebytes
SuperAntiSpyware
ESET online scanner
HouseCall online scanner
Sophos rootkit finder
Microsoft Security Essentials
Spyware Doctor

Any other ways to try to find what's causing this registry key to return?  They have AIM set for startup, which I turned off, along with other apps.  But even with them off, those 2 registry keys keep coming back.

Thanks!
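A check for the proxy values the asker describes, added here as an example (it is not code from the thread or from any of the tools mentioned): it walks every hive under HKEY_USERS, including .DEFAULT and S-1-5-18, and flags a loopback proxy like the 127.0.0.1:59274 entry. The function name Get-UserHiveProxy is my own.

```powershell
# Added example, not code from the thread or from any of the tools named in it.
# Lists the WinINet proxy setting in every hive under HKEY_USERS, which covers
# the .DEFAULT and S-1-5-18 (LocalSystem) hives where the asker found the
# 127.0.0.1:59274 entry, plus each logged-on user's own hive.
# Run from an elevated prompt so that the other users' hives are readable.
# Written against PowerShell 2.0 syntax so it also runs on Windows XP.
function Get-UserHiveProxy {
    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hive    = $_.PSChildName          # e.g. .DEFAULT, S-1-5-18, S-1-5-21-...
            $keyPath = "Registry::HKEY_USERS\$hive\$subPath"
            if (-not (Test-Path -Path $keyPath)) { return }

            $props  = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $server = $props.ProxyServer       # "host:port" or "http=host:port;https=..."

            # A proxy on the loopback interface is not proof of malware (local
            # scanners and update agents use one), but it deserves a look.
            $loopback = $server -match '(^|=)(127\.0\.0\.1|localhost)(:\d+)?(;|$)'

            New-Object -TypeName PSObject -Property @{
                Hive        = $hive
                ProxyEnable = $props.ProxyEnable
                ProxyServer = $server
                Loopback    = [bool]$loopback
            }
        } |
        Where-Object { $_.ProxyServer } |      # skip hives with no proxy value at all
        Select-Object Hive, ProxyEnable, ProxyServer, Loopback
}

Get-UserHiveProxy | Format-Table -AutoSize
```

Pairing the output with `netstat -ano` shows whether anything is actually listening on the reported port and which PID owns the socket, which is the same question the asker's telnet test was trying to answer.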
edbedb

I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
INeedYourHelp00 (ASKER)

ComboFix 10-12-26.01 - Brando 12/27/2010  18:54:38.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3546.2933 [GMT -5:00]
Running from: c:\documents and settings\Brando\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\program files\Shared
c:\windows\system32\Oeminfo.ini

.
(((((((((((((((((((((((((   Files Created from 2010-11-27 to 2010-12-27  )))))))))))))))))))))))))))))))
.

2010-12-27 05:11 . 2009-08-07 00:23      215920      ----a-w-      c:\windows\system32\muweb.dll
2010-12-27 04:40 . 2010-12-27 20:59      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-12-27 04:33 . 2010-12-27 20:30      --------      d-----w-      c:\documents and settings\All Users\Application Data\PC Tools
2010-12-27 00:29 . 2010-12-27 00:29      --------      d-----w-      c:\documents and settings\LogMeInRemoteUser
2010-12-24 16:32 . 2010-12-27 01:03      --------      d-----w-      c:\program files\Sophos
2010-12-24 15:55 . 2010-12-24 15:55      --------      d-----w-      c:\program files\Common Files\Adobe
2010-12-24 15:50 . 2010-12-24 15:50      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\Secunia PSI
2010-12-24 15:50 . 2010-12-24 15:50      --------      d-----w-      c:\program files\Secunia
2010-12-24 15:10 . 2010-12-24 15:10      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\LogMeIn
2010-12-24 15:10 . 2010-12-08 18:12      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-24 15:10 . 2010-12-08 18:11      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-24 15:10 . 2010-12-08 18:11      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-24 15:10 . 2010-09-17 20:40      47640      ----a-w-      c:\windows\system32\drivers\LMIRfsDriver.sys
2010-12-24 15:10 . 2010-12-08 18:11      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-12-24 15:10 . 2010-12-27 08:05      --------      d-----w-      c:\documents and settings\All Users\Application Data\LogMeIn
2010-12-24 15:10 . 2010-12-27 00:29      --------      d-----w-      c:\program files\LogMeIn
2010-12-24 15:09 . 2010-12-24 15:09      --------      d-----w-      c:\documents and settings\Brando\Local Settings\Application Data\Deployment
2010-12-24 15:07 . 2010-12-24 15:07      174142      ----a-w-      C:\cc_20101224_100733.reg
2010-12-24 15:06 . 2010-11-10 01:33      6273872      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C949A5D-50E3-48CB-B38B-B42114EE284A}\mpengine.dll
2010-12-24 15:06 . 2010-10-19 20:51      222080      ------w-      c:\windows\system32\MpSigStub.exe
2010-12-24 15:02 . 2010-12-24 15:02      --------      d-----w-      c:\program files\Microsoft Security Client
2010-12-24 15:02 . 2010-12-24 15:02      --------      d-----w-      c:\program files\Common Files\Java
2010-12-24 15:02 . 2010-12-24 15:02      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-12-24 15:02 . 2010-12-24 15:02      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2010-12-23 02:30 . 2010-12-23 02:30      --------      d-----w-      c:\program files\ESET
2010-12-23 02:27 . 2010-12-20 23:09      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-23 02:27 . 2010-12-20 23:08      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-23 02:27 . 2010-12-23 02:27      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-12-23 02:25 . 2010-12-27 21:36      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2010-12-23 02:24 . 2010-12-23 02:24      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-20 03:55 . 2010-12-20 03:55      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-14 21:47 . 2010-11-02 15:17      40960      -c----w-      c:\windows\system32\dllcache\ndproxy.sys
2010-12-14 21:46 . 2010-10-11 14:59      45568      -c----w-      c:\windows\system32\dllcache\wab.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-04-25 21:27      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2008-04-25 16:16      832512      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2008-04-25 16:16      78336      ----a-w-      c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2008-04-25 16:16      1830912      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2008-04-25 16:16      17408      ----a-w-      c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2008-04-25 16:16      389120      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-25 16:16      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-25 16:16      290048      ----a-w-      c:\windows\system32\atmfd.dll
2010-10-26 13:27 . 2008-04-25 16:16      1862272      ----a-w-      c:\windows\system32\win32k.sys
2010-10-25 02:25 . 2010-10-25 02:25      165264      ----a-w-      c:\windows\system32\drivers\MpFilter.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-23 39408]
"Aim"="c:\program files\AIM\aim.exe" [2009-10-05 3634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-08 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-09 466944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2010-12-21 291896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-13 16:24      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{FA0F0A01-4631-4161-A6C2-948BF694382E}\\setup\\hpznui01.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [6/23/2009 11:01 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 7:04 AM 987704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/1/2009 1:45 AM 108160]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [5/1/2009 1:45 AM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [5/1/2009 1:45 AM 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [5/1/2009 1:45 AM 268992]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [5/1/2009 1:45 AM 160256]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B4.tmp --> c:\windows\system32\B4.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 12872]
S4 Viewpoint Manager Service;Viewpoint Manager Service; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GOTOASSIST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
HPService      REG_MULTI_SZ         HPSLPSVC
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-12-27  18:59:24
ComboFix-quarantined-files.txt  2010-12-27 23:59

Pre-Run: 292,534,210,560 bytes free
Post-Run: 292,636,323,840 bytes free

- - End Of File - - CD31B56DB985817EAC699A6592891B5E
I ran ComboFix, posted the log, see that it deleted some things, but ran HitmanPro again and same situation - it sees the proxy entries, deletes them, and then after reboot the proxy entries are back in place :(

ASKER CERTIFIED SOLUTION
edbedb

Process Monitor shows what's running, right?  I don't think anything is running on an ongoing basis.  Maybe a script at startup?

You say "If you can find where the key was changed it will show the process that did it."

Where - as in when during the startup process?  Or something else?

What watches the registry (at startup)?  It has to be running right at the start!?
When all else fails, read the directions.  I see I misunderstood ProcMon.  Trying that now.
Damn it!  Damn it!  Damn it!

Secunia PSI makes that entry!  I'm trying to make sure everything's up to date and it goes and gives me something to have to chase after!  Interesting - another machine I am working on, also with Secunia, doesn't have that proxy entry.  Different version of XP, though.