BleepingComputer.com: Pum.Bad.Proxy or ?

Hello All,
I need some help in trying to determine why a registry entry keeps getting changed after reboot. This is a POS system that speaks to other servers for polling sales and thought the internet is up and I can browse, It is still being rejected by the servers I think because of an entry in the registry. HKEY_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable with value of 1
ProxyServer http=127.0.0.1:54970

 Capture.PNG (71.67K)
Number of downloads: 4

When I change the ProxyEnable value to 0 and delete the ProxyServer entry it returns when system reboots. I have scanned with these tools:

MalwareBytes
found a number of viruses including PUM.BAD.PROXY but with different port number than above. After safemode full scans and normal mode full scans, MalwareBytes says I'm clean

TDSS Killer
Found rootkit viruses and says they were succesfully removed

Eset Online Scanner
Only found what TDSS had quarantined so I deleted TDSS Quarantine folder.

Eset Nod32 5
Didn't find anything

Super anti-Spyware
Didn't find anything

Spyboy Search and destroy
Nothing

Hitman Pro
Finds this registry entry saying that Internet Explorer is using this proxy server deletes it but returns when rebooted

I have exhausted all of tricks and need some help getting rid of this. Like I said earlier this is a POS system and all work performed is done remotely. I thought of running ComboFix but wasn;t sure if anyone has used this remotely. Any help would be greatly appreciated.

This post has been edited by hamluis: 03 February 2012 - 10:20 AM
Reason for edit: Moved from Vista to Am I Infected.

Welcome aboard

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Broni,
Thanks for replying. According to these instructions I need to disconnect from internet but I am connected remotely trying to resolve this. If I need to, I can have someone run GMER locally it's just difficult to have someone do this.

Here are results of Gmer scan. I had to run this remotely so I couldn't disconnect internet but didn't run into any issues:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-04 11:15:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.4.AD
Running: mdqco74l.exe; Driver: C:\Users\TASTIU~1\AppData\Local\Temp\pfldipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x885D07F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x885D08B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x885D0870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x885D0830]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81CE29A4 4 Bytes [F0, 07, 5D, 88]
.text ntkrnlpa.exe!KeSetEvent + 37D 81CE2B00 4 Bytes [B0, 08, 5D, 88]
.text ntkrnlpa.exe!KeSetEvent + 5DD 81CE2D60 4 Bytes [70, 08, 5D, 88]
.text ntkrnlpa.exe!KeSetEvent + 619 81CE2D9C 4 Bytes [30, 08, 5D, 88]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\lsm.exe[640] ntdll.dll!NtOpenProcess 77D14A84 5 Bytes JMP 00680010
.text C:\Windows\system32\lsm.exe[640] ntdll.dll!NtTerminateProcess 77D15344 5 Bytes JMP 00690010
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[996] kernel32.dll!SetUnhandledExceptionFilter 7637A8C5 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
  
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Here ya go:

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET NOD32 Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Java™ 6 Update 14
Out of date Java installed!
Adobe Flash Player ( 10.0.32.18) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Windows Defender MSASCui.exe
``````````End of Log````````````


Farbar Service Scanner Version: 04-02-2012 01
Ran by tastiuser (administrator) on 05-02-2012 at 06:53:40
Running from "C:\Users\tastiuser\Desktop\Chet"
Microsoft® Windows Vista™ Business Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-19 12:12] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-10-19 12:12] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


MiniToolBox by Farbar Version: 18-01-2012
Ran by tastiuser (administrator) on 05-02-2012 at 06:54:46
Microsoft® Windows Vista™ Business Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® 82567LM-3 Gigabit Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : TDL0120
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Intel® 82567LM-3 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-22-19-33-03-8C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.65(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, February 05, 2012 6:43:22 AM
Lease Expires . . . . . . . . . . : Monday, February 06, 2012 6:43:21 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : isatap.gateway.2wire.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1890:13d1:3f57:febe(Preferred)
Link-local IPv6 Address . . . . . : fe80::1890:13d1:3f57:febe%10(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.227.16
74.125.227.17
74.125.227.18
74.125.227.19
74.125.227.20

Pinging google.com [74.125.227.48] with 32 bytes of data:Reply from 74.125.227.48: bytes=32 time=19ms TTL=52Reply from 74.125.227.48: bytes=32 time=17ms TTL=52Ping statistics for 74.125.227.48: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 17ms, Maximum = 19ms, Average = 18msServer: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70
72.30.2.43
98.137.149.56
98.139.180.149

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:Reply from 209.191.122.70: bytes=32 time=20ms TTL=50Reply from 209.191.122.70: bytes=32 time=19ms TTL=50Ping statistics for 209.191.122.70: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 19ms, Maximum = 20ms, Average = 19msServer: home
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:Reply from 208.43.87.2: Destination host unreachable.Reply from 208.43.87.2: Destination host unreachable.Ping statistics for 208.43.87.2: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Pinging 127.0.0.1 with 32 bytes of data:Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Ping statistics for 127.0.0.1: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms===========================================================================
Interface List
11 ...00 22 19 33 03 8c ...... Intel® 82567LM-3 Gigabit Network Connection
1 ........................... Software Loopback Interface 1
13 ...00 00 00 00 00 00 00 e0 isatap.gateway.2wire.net
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
12 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.65 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.65 276
192.168.1.65 255.255.255.255 On-link 192.168.1.65 276
192.168.1.255 255.255.255.255 On-link 192.168.1.65 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.65 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.65 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 18 ::/0 On-link
1 306 ::1/128 On-link
10 18 2001::/32 On-link
10 266 2001:0:4137:9e76:1890:13d1:3f57:febe/128
On-link
10 266 fe80::/64 On-link
10 266 fe80::1890:13d1:3f57:febe/128
On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/05/2012 06:44:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/04/2012 10:50:06 AM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (02/03/2012 06:56:13 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/03/2012 06:41:49 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2012 11:35:31 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (02/02/2012 11:34:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2012 04:26:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2012 02:42:46 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2012 00:56:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2012 00:39:41 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (02/04/2012 11:12:44 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/03/2012 06:31:50 AM) (Source: LSM) (User: )
Description: Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode
.

Error: (02/02/2012 11:39:02 PM) (Source: LSM) (User: )
Description: Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode
.

Error: (02/02/2012 11:35:35 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (02/02/2012 11:35:31 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (02/02/2012 11:35:22 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (02/02/2012 11:35:06 PM) (Source: LSM) (User: )
Description: Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode
.

Error: (02/02/2012 11:34:45 PM) (Source: Service Control Manager) (User: )
Description: ehdrv
spldr
Wanarpv6

Error: (02/02/2012 11:34:45 PM) (Source: Service Control Manager) (User: )
Description: Computer BrowserServer%%1068

Error: (02/02/2012 11:33:37 PM) (Source: DCOM) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Acrobat.com (Version: 1.7.186)
Adobe AIR (Version: 1.5.2.8900)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 9.5.0 (Version: 9.5.0)
Apple Application Support (Version: 1.1.0)
Apple Software Update (Version: 2.1.1.116)
Brother HL-2140 (Version: 1.00)
CCleaner (Version: 3.15)
CimpleBox StationSync (Version: 1.00.0000)
CRE QuickPatch v2 (Version: 12.019.00001)
Dell Edoc Viewer (Version: 1.0.0)
Dell Getting Started Guide (Version: 1.00.0000)
DSIClient Version 2.50 including DSIClientX 3.80 (Version: 2.50.0000)
DxClient 2.7.1 (Version: 2.7.1)
Elo Universal Driver 4.8.7 (Version: 4.8.7)
EPSON Advanced Printer Driver 4 (Version: 4.07.0007)
EPSON APD4 Point and Print Support (Version: 4.07.0006)
ESET NOD32 Antivirus (Version: 5.0.95.0)
GoToMeeting 4.0.0.320
Intel® Network Connections 13.1.34.2 (Version: 13.1.34.2)
Intel® PRO Alerting Agent (Version: 12.0.3)
Intel® Active Management Technology
Java™ 6 Update 14 (Version: 6.0.140)
LogMeIn (Version: 4.0.734)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Search Enhancement Pack (Version: 1.3.59.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (PCAMERICA) (Version: 9.4.5000.00)
Microsoft SQL Server 2005 Tools Express Edition (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
PowerDVD DX (Version: 8.2.5024)
QuickTime (Version: 7.65.17.80)
Restaurant Pro Express (Version: 12.006.00001)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Sync (Version: 14.0.8050.1202)
Windows Live Upload Tool (Version: 14.0.8014.1029)

========================= Memory info: ===================================

Percentage of memory in use: 53%
Total physical RAM: 1978.88 MB
Available physical RAM: 919.79 MB
Total Pagefile: 4201.04 MB
Available Pagefile: 2977.72 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.2 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:146.92 GB) (Free:108.46 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:2 GB) (Free:1.14 GB) NTFS

========================= Users: ========================================

User accounts for \\TDL0120

Administrator Guest tastiuser


**** End of log ****



Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
tastiuser :: TDL0120 [administrator]

2/5/2012 7:10:26 AM
mbam-log-2012-02-05 (07-10-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174292
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-05 06:58:11
-----------------------------
06:58:11.500 OS Version: Windows 6.0.6002 Service Pack 2
06:58:11.500 Number of processors: 2 586 0x170A
06:58:11.501 ComputerName: TDL0120 UserName:
06:58:12.281 Initialize success
07:01:26.669 AVAST engine defs: 12020501
07:01:47.277 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:01:47.280 Disk 0 Vendor: ST316081 4.AD Size: 152587MB BusType: 3
07:01:47.289 Disk 0 MBR read successfully
07:01:47.291 Disk 0 MBR scan
07:01:47.305 Disk 0 Windows VISTA default MBR code
07:01:47.315 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
07:01:47.330 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 2048 MB offset 194560
07:01:47.348 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 150443 MB offset 4388864
07:01:47.364 Disk 0 scanning sectors +312496128
07:01:47.442 Disk 0 scanning C:\Windows\system32\drivers
07:02:01.701 Service scanning
07:02:02.728 Modules scanning
07:02:07.540 Disk 0 trace - called modules:
07:02:07.561 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
07:02:07.567 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8589bac8]
07:02:07.575 3 CLASSPNP.SYS[87f9e8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83ffe028]
07:02:08.145 AVAST engine scan C:\Windows
07:02:09.903 AVAST engine scan C:\Windows\system32
07:04:55.822 AVAST engine scan C:\Windows\system32\drivers
07:05:09.781 AVAST engine scan C:\Users\tastiuser
07:06:28.928 AVAST engine scan C:\ProgramData
07:06:29.259 File: C:\ProgramData\Adobe\Reader\9.3\ARM\17152\AcrobatUpdater.exe **INFECTED** Win32:Trojan-gen
07:06:29.538 File: C:\ProgramData\Adobe\Reader\9.3\ARM\17152\AdobeARMHelper.exe **INFECTED** Win32:Trojan-gen
07:06:29.635 File: C:\ProgramData\Adobe\Reader\9.3\ARM\17152\ReaderUpdater.exe **INFECTED** Win32:Trojan-gen
07:08:46.873 Scan finished successfully
07:09:02.902 Disk 0 MBR has been saved successfully to "C:\Users\tastiuser\Desktop\Chet\MBR.dat"
07:09:02.907 The log file has been saved successfully to "C:\Users\tastiuser\Desktop\Chet\aswMBR.txt"


Thanks for help Broni!

I don't see any proxies being set:

Quote

=====================================================================================

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\ProgramData\Adobe\Reader\9.3\ARM\17152\AcrobatUpdater.exe
- C:\ProgramData\Adobe\Reader\9.3\ARM\17152\AdobeARMHelper.exe
- C:\ProgramData\Adobe\Reader\9.3\ARM\17152\ReaderUpdater.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

Didn't appear to find anything. I posted what I thought you may need.

SHA256: b9320542d9e3dab454881b771c3895e1bdc96d603379cbb597fd8bd7dc9f2719
SHA1: c2a1991493682285eed4ecf3e47b27431d8ea0db
MD5: 6b5ed259ffcdd40663007b6047e1efe0
File size: 312.9 KB ( 320456 bytes )
File name: AcrobatUpdater.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-02-05 20:25:02 UTC ( 0 minutes ago )

SHA256: b9320542d9e3dab454881b771c3895e1bdc96d603379cbb597fd8bd7dc9f2719
SHA1: c2a1991493682285eed4ecf3e47b27431d8ea0db
MD5: 6b5ed259ffcdd40663007b6047e1efe0
File size: 312.9 KB ( 320456 bytes )
File name: AdobeARMHelper.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-02-05 20:30:13 UTC ( 2 minutes ago )

SHA256: b9320542d9e3dab454881b771c3895e1bdc96d603379cbb597fd8bd7dc9f2719
SHA1: c2a1991493682285eed4ecf3e47b27431d8ea0db
MD5: 6b5ed259ffcdd40663007b6047e1efe0
File size: 312.9 KB ( 320456 bytes )
File name: ReaderUpdater.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-02-05 20:34:16 UTC ( 0 minutes ago )

You should be good to go.

Why do you think the registry still says I'm using the proxy? This is the problem servers are having connecting with this POS.

The setting you quote is located in HKEY_USERS\.DEFAULT registry setting, which basically irrelevant as it refers to settings before any user logs in.

The only important setting is located in HKEY_CURRENT_USER section.

I compared identical POS systems registries to the problem POS and they don't have this setting. Wonder why this one does? Even my desktop doesn't.