This discussion has been locked.

Windows 10 - Proxy set to http://ɴ.net/server.pac, cannot change

Hi,

On my Windows 10, the proxy is set to http://ɴ.net/server.pac through malware. I cannot change it. I have deleted the entries in the Windows registry but they come back. Sophos Home does not detect it.



  • Hi Azeem,

    I have asked SophosLabs to take a look at that address and block it if it is malicious.

    Can you confirm what Sophos products you are using and what version you are on?

    I suggest scanning the machine using Sophos Clean, found here: https://www.sophos.com/en-us/products/sophos-clean.aspx

    Please let me know if it finds anything.

  • Problem resolved with help of information found at the following page: 

    https://answers.avira.com/ru/question/hxxp-netserverpc-54387

    The program that is launching nslookup AND creating the registry key is what appears to be a compromised/hijacked version of InstallShield at C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe. That also happens to be one of my Scheduled Tasks.


    I removed ISUSPM.exe & ISUSPM.ini from C:\Program Files (x86)\Common Files\InstallShield\updateservice\

    and I managed to trace an unusual task that was scheduled. The program:

    C:\Program Files (x86)\Common Files\InstallShield\updateservices\ISUSPM.exe ___  was being called at 18:00.

    I removed this task, and now my internet settings are not being overwritten. This program is not being picked up by any of the antivirus programs I've tried, or malware programs.

    Can I send the infected ISUSPM.exe file to SOPHOS to investigate?

  • Glad to hear you have resolved this.

    Please send those files to samples@sophos.com 

    Thanks.
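
The two persistence points described in the resolution above (a PAC URL that reappears in the registry and a scheduled task that relaunches the binary writing it) can be audited together. The following PowerShell is an added example, not part of the original thread or a Sophos tool; it assumes the PAC setting lives in the standard per-user `AutoConfigURL` value, which the thread does not name.

```powershell
# Added example: audit the per-user PAC setting and scheduled-task binaries.
# Assumption: the proxy script URL is stored in the standard per-user value below.
$inetKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
$pacUrl   = $settings.AutoConfigURL

if ($pacUrl) {
    # A host such as "ɴ.net" contains a non-ASCII look-alike character;
    # -cmatch avoids case-folding surprises in the character class.
    [pscustomobject]@{
        AutoConfigURL = $pacUrl
        NonAsciiChars = ($pacUrl -cmatch '[^\x00-\x7F]')
    } | Format-List
} else {
    'No AutoConfigURL is set for the current user.'
}

# List every scheduled-task action that runs an executable, with the
# Authenticode status of that executable.
$findings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
            "$((Get-AuthenticodeSignature -LiteralPath $exe).Status)"
        } else {
            'NotResolved'   # bare command name or missing file
        }
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $exe
            Arguments = $action.Arguments
            Signature = $sig
        }
    }
}

# Review anything under the InstallShield update folder named in the thread,
# plus any task binary that exists on disk but is not validly signed.
$findings |
    Where-Object { $_.Execute -like '*\InstallShield\*' -or
                   $_.Signature -notin @('Valid', 'NotResolved') } |
    Format-List
```

Run it as the affected user, since the PAC value is per-user; an elevated session also shows tasks that a standard user cannot read.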
