One of my friends reported that they had a virus on their computer. Not to worry – their antivirus software detected it and quarantined it. The problem was that after the virus was detected and quarantined, they had problems reaching a number of sites on the Internet. Not all sites, mind you, but things like their bank, www.nba.com, and even this site were all broken. Their email worked just fine; it was just some websites that were messed up. I paid a visit to check it out. Their AV package showed the following log file… ok – looks like it detected the virus and then moved it. Cool – virus gone.
To be sure I scanned the computer with Malwarebytes and it showed clean too. I then rebooted into safe mode and still had problems accessing the web. Ok – not so cool. I spent a bit of time going over the computer. I reset the TCP/IP stack using the netsh commands… nope – that didn’t fix it. I was scratching my head and explaining how it all works when I had a light bulb moment…
I checked the Proxy Settings on IE and found that yes – something had set a proxy server. See the screen below.
It was redirecting all web traffic to localhost (127.0.0.1) on port 27811. The virus itself had modified the IE proxy settings and installed itself as the proxy server, so every web request passed through it. Tricky, huh?
Now I checked using netstat (netstat -ano | find ":27811") to see if there was anything listening on that port, and there was nothing – that makes sense, because the web surfing problem only occurred AFTER the AV package quarantined the virus. With the virus gone there was no longer a proxy to pass the traffic through, but IE was still configured to use it, so every connection to those sites failed.
Ok – given the virus was now gone… my advice to my friend was to change any secure passwords he had used in the past week or so, as we don’t know when the virus/trojan got into his system. Thought I’d share this one though, as I’ve not seen a virus/trojan become a proxy before.
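The manual check above (look at the IE proxy settings, then netstat the port) is easy to script. The following PowerShell is an added example and is not from the original post: it reads the per-user WinINET proxy settings that IE and most Windows programs honour (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), flags a proxy that points at the local machine, checks whether any process actually listens on that port (the netstat -ano equivalent), and only disables the proxy when run with -Fix. It assumes Windows 8 / PowerShell 3 or later for Get-NetTCPConnection, that it is run as the affected user, and that ProxyServer uses the plain host:port or http=host:port;https=host:port form.

```powershell
# Added example, not part of the original post.
# Audit the user's WinINET proxy and check whether anything listens on it.
[CmdletBinding()]
param(
    [switch]$Fix   # only change settings when explicitly asked
)

$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $regPath

# A PAC script is another way a proxy can be forced on the browser; report it too.
if ($s.AutoConfigURL) {
    Write-Warning "AutoConfigURL is set: $($s.AutoConfigURL)"
}

if ($s.ProxyEnable -ne 1 -or [string]::IsNullOrWhiteSpace($s.ProxyServer)) {
    Write-Host 'ProxyEnable is 0: no manual proxy is configured for this user.'
    return
}

Write-Host "ProxyEnable=1, ProxyServer='$($s.ProxyServer)'"

# ProxyServer is either "host:port" or per-protocol "http=host:port;https=host:port;..."
foreach ($entry in ($s.ProxyServer -split ';')) {
    $hostPort = ($entry -split '=')[-1].Trim()
    if (-not $hostPort) { continue }

    $parts = $hostPort -split ':'
    if ($parts.Count -lt 2) {
        Write-Warning "No port in proxy entry '$hostPort'; skipping."
        continue
    }
    $proxyHost = $parts[0]
    $proxyPort = [int]$parts[-1]

    # A proxy on the local machine (e.g. 127.0.0.1:27811 in the post) is the thing to look for.
    if ($proxyHost -in @('127.0.0.1', 'localhost', '::1')) {
        Write-Warning "Proxy points at the local machine ($hostPort); legitimate software rarely does this."
    }

    # Same question as: netstat -ano | find ":27811"
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $proxyPort -ErrorAction SilentlyContinue
    if ($listeners) {
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            Write-Warning ("Port {0} is listening: PID {1} ({2}) {3}" -f `
                $proxyPort, $l.OwningProcess, $proc.ProcessName, $proc.Path)
        }
    } else {
        Write-Host "Nothing is listening on port $proxyPort; the proxy is dangling (typical after AV quarantine)."
    }
}

if ($Fix) {
    # Disable the proxy but leave the ProxyServer value in place as evidence for the incident record.
    Set-ItemProperty -Path $regPath -Name ProxyEnable -Value 0
    Write-Host 'ProxyEnable set to 0. Restart the browser for the change to take effect.'
}
```

Run it once without -Fix to see what is configured; if the port is still listening, the owning process shown is the thing to quarantine before touching the registry, since a live proxy on loopback means the malware is still running. If nothing listens, the setting is just the leftover described in the post and -Fix clears it.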
I have seen a virus lately setting the local DNS server's IP statically to a DNS server in the Ukraine!
Same problem happened today with me, routing data through a random port on localhost.
Yeah, I suffered the same fate just now. I only found out about it when Mozilla threw a message about my proxy server, which gave me an idea. I had to go to safe mode and run Security Essentials and Malwarebytes to remove a number of malware. Nasty!