Thread: Possible google redirect proxy??

  1. #1
    Member
    Join Date
    Dec 2009
    Posts
    134
    Thanks
    12
    Thanked
    6 times in 6 posts
    • abs_rio's system
      • Motherboard:
      • Asus X99-A
      • CPU:
      • Intel Core i7 5820K @ 4.4ghz + Corsair H80
      • Memory:
      • 16GB Corsair DDR4 Vengeance LPX
      • Storage:
      • 250GB Samsung 850 EVO SSD + Western Digital 3TB HDD
      • Graphics card(s):
      • Gigabyte NVIDIA GeForce GTX 1070 XTREME GAMING
      • PSU:
      • EVGA SuperNOVA Gold 2 850W
      • Case:
      • Silverstone Fortress FT02-W
      • Operating System:
      • Windows 10 Pro 64 Bit
      • Monitor(s):
      • Dell U2711

    Possible google redirect proxy??

    I've suddenly noticed that my Google searches are appearing in a different format (underlined). Bing search produces a grey screen with no searches appearing whatsoever. I've tried Chrome and Internet Explorer, with both giving the same result. I've run Malwarebytes and the ESET scanner, but it has made no difference. The other thing I've noticed is that Windows is using some sort of proxy server. I've attached images below:

    http://postimg.org/image/fxx2hlvbn/
    http://postimg.org/image/ba3jcl5uz/
    http://postimg.org/image/z322lq3rh/

    I would greatly appreciate any advice. I'm using Windows 8.1 Pro. Thanks in advance.

  2. #2
    Senior Member Peter Parker's Avatar
    Join Date
    Jan 2008
    Location
    London
    Posts
    348
    Thanks
    98
    Thanked
    62 times in 47 posts
    • Peter Parker's system
      • Motherboard:
      • ASUS Z170 Pro Gaming
      • CPU:
      • i5-6600K
      • Memory:
      • 16GB DDR4
      • Storage:
      • Kingston 128GB SSD + 2x3TB
      • Graphics card(s):
      • GTX970
      • PSU:
      • SilverStone ST50EF
      • Case:
      • Silverstone Grandia GD01S-MXR
      • Operating System:
      • Fedora 33

    Re: Possible google redirect proxy??

    Assuming you've tried disabling the proxy and it keeps coming back?

    Thanks for reminding me why I run Linux. Sorry, that doesn't help you, but these might:

    1) Regedit
    The registry key is given in this PUM.bad.proxy wiki page
    And here's a YT vid suggesting safe-mode before you run regedit. Win 7 in the vid, but it might be the same?

    2) Other tools
    http://www.malwareremovalguides.info...removal-guide/

  3. #3
    Senior Member
    Join Date
    Feb 2008
    Posts
    925
    Thanks
    4
    Thanked
    161 times in 148 posts
    • smargh's system
      • Motherboard:
      • Gigabyte GA-EP45-UD3P
      • CPU:
      • Xeon E5450 with 775-to-771 Mod
      • Memory:
      • 16GB Crucial
      • Storage:
      • Intel X25-M G2 80GB/Adaptec 3405 4x 2TB Ultrastar RAID1 / 1x 6TB Hitachi He6 / Dying 2TB Samsung
      • Graphics card(s):
      • GTX 750 Ti
      • PSU:
      • Seasonic X-560
      • Case:
      • Lian-Li PC-A71
      • Operating System:
      • Windows 7 Ultimate 64bit
      • Monitor(s):
      • BenQ G2400WD
      • Internet:
      • Really Crap ADSL2 <3Mbit

    Re: Possible google redirect proxy??

    There are many possible tools to use, but the first point of call is generally Autoruns: https://technet.microsoft.com/en-gb/.../bb963902.aspx - it has a feature to check file signature and also submit & query files automatically with Virustotal.

    Perhaps tcpview will tell you which process is actually listening on that proxy port: http://live.sysinternals.com/tcpview.exe

    If you have the ability to do so, it's often useful to remove the drive and scan it while plugged in to a second PC, using a couple of different trial AV applications.

  4. #4
    Not a good person scaryjim's Avatar
    Join Date
    Jan 2009
    Location
    Gateshead
    Posts
    15,196
    Thanks
    1,231
    Thanked
    2,291 times in 1,874 posts
    • scaryjim's system
      • Motherboard:
      • Dell Inspiron
      • CPU:
      • Core i5 8250U
      • Memory:
      • 2x 4GB DDR4 2666
      • Storage:
      • 128GB M.2 SSD + 1TB HDD
      • Graphics card(s):
      • Radeon R5 230
      • PSU:
      • Battery/Dell brick
      • Case:
      • Dell Inspiron 5570
      • Operating System:
      • Windows 10
      • Monitor(s):
      • 15" 1080p laptop panel

    Re: Possible google redirect proxy??

    OK, first thing I note is that you've got some horrendous Norton safe banner thing on your browser. My first step would be uninstalling that, tbh. Norton's a notorious resource hog and IMNSHO isn't far off being malware itself. I wouldn't be at all surprised if Norton had installed a proxy for doing websafe checking, and that could quite easily be messing with your browsing.

    Otherwise you need to track down what program is running that proxy server - it might be worth looking at both the Processes tab and the Services tab of Task Manager to spot anything that looks likely.

  5. #5
    Member abs_rio

    Re: Possible google redirect proxy??

    Quote Originally Posted by smargh:
        There are many possible tools to use, but the first point of call is generally Autoruns: https://technet.microsoft.com/en-gb/.../bb963902.aspx - it has a feature to check file signature and also submit & query files automatically with Virustotal.

        Perhaps tcpview will tell you which process is actually listening on that proxy port: http://live.sysinternals.com/tcpview.exe

        If you have the ability to do so, it's often useful to remove the drive and scan it while plugged in to a second PC, using a couple of different trial AV applications.

    I'm using tcpview but not sure what to look for exactly ----> http://postimg.org/image/lfojtaa6h/

    I've tried the YouTube method but that doesn't work. Also, I tried disabling the Norton toolbar, but again it makes no difference.

  6. #6
    Senior Member Peter Parker

    Re: Possible google redirect proxy??

    Quote Originally Posted by abs_rio:
        I'm using tcpview but not sure what to look for exactly ---->

        I've tried the youtube method but that doesn't work. Also, tried disabling norton toolbar but again makes no difference.

    But what exactly didn't work? Did the proxy setting keep coming back? Before leaving safe mode or after?

    Some more thoughts that might help :

    1. Back up your data and create a Windows restore point, if you haven't already! When messing around with the registry it's possible to make your operating system unbootable. Or at least it used to be and I assume still is.
    2. That isupdate.exe process looks very dodgy to me:
      1. For example, Chrome is Process ID (PID) 4868. It connects out to a "remote" address of localhost:8080 which is the proxy.
      2. isupdate.exe is listening on 3XSCarbon:8080 - I assume 3XSCarbon is your PC name, and thus the same as localhost (sort of).
      3. The incoming connections to the proxy's local port (8080) have a "remote" port (still really on your machine though), e.g. 51769.
      4. The same isupdate.exe process then creates another local port on the next sequential number (51770), which finally connects out to the internet on an HTTP connection to some cloud IP.
      5. The sent/received bytes and packets seem to match up for these processes and ports.


    Google tells me isupdate.exe could be the Install Shield Updater, but ... I don't think it should be acting as a proxy for Chrome!

    For some reason process 0 (Windows "system idle" process?!) also looks like a proxy. That's odd too.

    Looks like there's a person with a similar problem - http://www.bleepingcomputer.com/foru...h-compromised/

    Sadly I'm not up to date on the best malware removers. I used to use Hijack This but it's been a while. Seems to be still updated though.

    Good luck!

  7. Received thanks from:

    abs_rio (18-02-2015)

  8. #7
    Not a good person scaryjim

    Re: Possible google redirect proxy??

    Any idea what isupdate.exe is? AFAICT that's the one that's listening on port 8080, and it's also making lots of http/https requests suggesting it's handling all the browsing traffic (which would be right for a proxy server). That's your strongest suspect out of that list....
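    The checks Peter Parker and scaryjim walk through by hand in TCPView can be scripted. This PowerShell is an added example, not code from the thread: it reads the per-user WinINET proxy setting (the thread links to but does not name the key; this is the standard one browsers such as IE and Chrome read), finds the process listening on the configured port, shows its image path and Authenticode status, and lists the loopback clients feeding it and its own outbound connections. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and is meant to be run as the affected user.

```powershell
# Added example (not from the thread): triage a suspicious local proxy on Windows.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection). The thread links to
# but does not name the registry key; this is the standard per-user WinINET proxy key.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey

"ProxyEnable   : $($inet.ProxyEnable)"
"ProxyServer   : $($inet.ProxyServer)"
"AutoConfigURL : $($inet.AutoConfigURL)"   # a PAC script can redirect traffic even with ProxyEnable=0

if ($inet.ProxyEnable -ne 1 -or -not $inet.ProxyServer) {
    Write-Host 'No static proxy configured for this user.'
    return
}

# ProxyServer is "host:port" or "http=host:port;https=host:port;...". Take the first
# entry, drop any "scheme=" prefix and read the port number.
$firstEntry = ($inet.ProxyServer -split ';')[0] -replace '^[a-z]+=', ''
$proxyPort  = [int](($firstEntry -split ':')[-1])

# Which process is actually listening on that port? (What TCPView showed in the thread.)
$listener = Get-NetTCPConnection -State Listen -LocalPort $proxyPort -ErrorAction SilentlyContinue |
            Select-Object -First 1
if (-not $listener) {
    Write-Host "Nothing is listening on port $proxyPort right now."
    return
}

$proxyPid = $listener.OwningProcess
$proc = Get-Process -Id $proxyPid -ErrorAction SilentlyContinue
$path = (Get-CimInstance Win32_Process -Filter "ProcessId = $proxyPid").ExecutablePath
"Listener PID  : $proxyPid ($($proc.ProcessName))"
"Image path    : $path"
if ($path) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    "Signature     : $($sig.Status) $($sig.SignerCertificate.Subject)"
}

# Loopback clients of the proxy (the browsers) and the proxy's own outbound connections.
# A process that accepts loopback connections and fans out to many remote web servers
# is behaving like the relay described in the thread.
$clients  = Get-NetTCPConnection -State Established -RemotePort $proxyPort -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -match '^(127\.|::1$)' }
$outbound = Get-NetTCPConnection -State Established -OwningProcess $proxyPid -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' }
$names = $clients | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } | Sort-Object -Unique
"Loopback clients of the proxy : $($names -join ', ')"
"Outbound connections from PID $proxyPid : $(@($outbound).Count)"
$outbound | Select-Object LocalPort, RemoteAddress, RemotePort | Sort-Object RemotePort | Format-Table -AutoSize
```

    An unsigned or oddly named listener with browsers as its only loopback clients and a long list of outbound port 80/443 connections matches the pattern the thread is describing; a signed, known image (a vendor "safe browsing" component, for instance) points at a misconfiguration rather than an infection.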

  9. #8
    Splash
    Guest

    Re: Possible google redirect proxy??

    KMS Server Service.exe also looks pretty suspect - this shouldn't be running on a client OS.

    So it seems you have something that is running at startup which is resetting your proxy settings - if you open MSConfig and select "diagnostic startup" then reboot do you still see the same issue? Also what do you have listed in the Startup tab in Task Manager, and if you open Task Scheduler do you see any odd tasks set to run at startup?

  10. #9
    Senior Member
    Join Date
    Dec 2013
    Location
    Cymru
    Posts
    309
    Thanks
    152
    Thanked
    47 times in 45 posts
    • satrow's system
      • Motherboard:
      • ASRock Z77E-ITX
      • CPU:
      • Ivy Xeon 1230 v2/Be Quiet Shadow Rock Topflow
      • Memory:
      • GSkill 2x8GB DDR3 2400Mhz
      • Storage:
      • 3x 256GB SSDs, 2x 1TB 2.5" HDDs.
      • Graphics card(s):
      • Asus blower GTX 1060 6GB
      • PSU:
      • Seasonic 360W Gold
      • Case:
      • BitFenix Prodigy/2x 120mm fans
      • Operating System:
      • W7x64 Pro
      • Monitor(s):
      • Dual (/triple) Dell U2412M 1900x1200
      • Internet:
      • TalkTalk FTTC ~14Mbps

    Re: Possible google redirect proxy??

    MBAM: http://www.bleepingcomputer.com/down...-anti-malware/
    AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/
    Junkware Removal Tool: http://www.bleepingcomputer.com/down...-removal-tool/

    Save the logs, zip and attach them later!

    Reset all browsers to their defaults, from the BC topic earlier: http://www.bleepingcomputer.com/foru.../#entry3628560

  11. #10
    Member abs_rio

    Re: Possible google redirect proxy??

    Thanks for all the advice guys. I followed the steps in this post http://www.bleepingcomputer.com/foru...sed/?p=3630748

    Problem solved, at least for now! Still don't know what caused the problem in the first place!

  12. #11
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,986
    Thanks
    781
    Thanked
    1,588 times in 1,343 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: Possible google redirect proxy??

    I saw this on my father in law's laptop not long ago. I spent a few minutes looking, and recommended a Windows re-install.

    I presume malware can arrange to survive if you restore to an earlier restore point.
