Hi,
On my Windows 10 machine, the proxy is set to http://ɴ.net/server.pac by malware. I cannot change it. I have deleted the entries in the Windows registry but they come back. Sophos Home does not detect it.
Hi Azeem,
I have asked SophosLabs to take a look at that address and block it if it is malicious.
Can you confirm what Sophos products you are using and what version you are on?
I suggest scanning the machine using Sophos Clean, found here: https://www.sophos.com/en-us/products/sophos-clean.aspx
Please let me know if it finds anything.
Problem resolved with help of information found at the following page:
https://answers.avira.com/ru/question/hxxp-netserverpc-54387
The program that is launching nslookup AND creating the registry key is what appears to be a compromised/hijacked version of InstallShield at C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe. That also happens to be one of my Scheduled Tasks.
I removed ISUSPM.exe & ISUSPM.ini from C:\Program Files (x86)\Common Files\InstallShield\updateservice\
and I managed to trace an unusual task that was scheduled. The program:
C:\Program Files (x86)\Common Files\InstallShield\updateservices\ISUSPM.exe ___ was being called at 18:00.
I removed this task, and now my internet settings are not being overwritten. This program is not being picked up by any of the antivirus programs I've tried, or malware programs.
Can I send the infected ISUSPM.exe file to Sophos to investigate?
Regardless of license, you can always submit samples to Sophos using this form:
https://secure2.sophos.com/en-us/support/contact-support.aspx
I often use it to submit zero day files that get caught in our email security gateway.
-Gary
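
The checks described in this thread, as an added read-only PowerShell example that is not part of the original posts: it lists where a PAC URL is configured and which scheduled tasks run a matching program, with signature status and a hash for sample submission. It assumes the PAC address is stored in the `AutoConfigURL` value of the Internet Settings keys, and it uses the `ISUSPM` name from this thread as the match pattern.

```powershell
# Added example, not from the thread. Read-only: nothing is changed or deleted.
# Pattern matched against task actions; ISUSPM.exe is the binary named in this thread.
$ActionPattern = 'ISUSPM'

# 1. Keys where a proxy auto-config (PAC) URL can be set: per-user, machine-wide, policy.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$pac = foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.AutoConfigURL) {
        [pscustomobject]@{ Key = $key; AutoConfigURL = $props.AutoConfigURL }
    }
}
$pac | Format-List

# 2. Scheduled tasks whose action runs a matching program. A task like this can
#    rewrite the setting on a timer, which is why deleted values come back.
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions carry an Execute property; COM handler actions do not.
        if ($action.Execute -and $action.Execute -match $ActionPattern) {
            $path   = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $exists = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $path
                Arguments = $action.Arguments
                # A missing or invalid signature on a vendor updater is worth a closer look.
                Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'file missing' }
                # Hash to quote when submitting the sample to a vendor.
                SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}
$tasks | Format-List
```

Run it from an elevated prompt so tasks registered for other accounts are visible, and keep a copy of the binary before removing it if you intend to submit it.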