Topic: [Help] [Win10] Saving pennies, losing pounds


blueskull (topic starter)

[Help] [Win10] Saving pennies, losing pounds
« on: December 13, 2020, 04:47:09 am »
So I f*ed up. Earlier this year I went to visit my parents, and brought with me my new laptop with no productivity software installed. I normally use Linux, so I never cared about installing things on Windows.

I was tasked to edit a Visio document, so I had to boot into Windows and install Visio. I downloaded Visio from MSFT (I have two licenses in my account), but due to activation restrictions (somewhere 4 times per 6 months), activation failed.

Being a PC enthusiast, I get new computers frequently, above MSFT's activation limit.

So I downloaded a KMS activator :palm:, and that's when all hell broke loose.

Apparently, MSFT is not happy with KMS, so they filed DMCA complaints and took down all official KMS sites, so there's no way to know if the link I found is virus-free or not, and Windows Defender will mark all KMS as a virus.

So I proceeded with disabling WD and gave KMS admin privilege, and that proved horribly wrong.

Initially I didn't find my computer was hacked, until days later I realized I could no longer access Google and other websites banned by the great firewall, so at that time I realized the KMS must have done funny things to my proxy settings.

And indeed, it set up an auto config proxy which points to 127.0.0.1:86, and there's no way I can override it. I can change it in the Settings app and it will revert back instantly. I can also change it in the registry, and it reverts back after a reboot.

I tried MalwareBytes, found nothing. I tried WD, found nothing. This is after all KMS components are removed, but apparently a virus will not remove itself at your request. The KMS is gone, the virus is not, at least not completely.

After investigating with Process Explorer, I was able to see svchost was modifying my settings in Settings app back to the bad ones, and upon further inspection the corresponding service is WinHTTPAutoProxySvc, and it is a Windows component.

So the virus must be clever in setting a Windows component to do dirty work for it, and there's no trace of the actual virus itself.

I can now just disable this service, but unfortunately that also renders the entire Windows proxy framework useless, so outside Firefox, there's no proxy for me, meaning Steam Workshop is inaccessible for me.

TL;DR: How can I prevent WinHTTPAutoProxySvc from changing my proxy settings without disabling it? Command "netsh winhttp proxy reset" resulted in operation success, but the behavior remained.
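A defender-side check for the symptom described in this post, added here as an example and not code from the thread: it reads the WinINET proxy values that the Settings app and registry edits touch, the separate WinHTTP proxy store that "netsh winhttp proxy reset" clears, and then reports which process (and, for svchost, which services) is listening on any loopback proxy port it finds. It assumes Windows 10 with the built-in NetTCPIP and CimCmdlets modules and an elevated prompt; the 127.0.0.1:86 value is the one the post describes, and the hive paths are the standard Internet Settings keys.

```powershell
# Added example (not from the thread). Assumes Windows 10, elevated PowerShell.
# Matches 127.0.0.1, localhost or [::1] with an optional port, in URLs or host:port.
$loopback = '(?:127\.0\.0\.1|localhost|\[::1\])(?::(\d+))?'

# WinINET values: what the Settings app writes and what the post edited by hand.
$hives = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$findings = @(foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    $props = Get-ItemProperty -Path $hive
    foreach ($name in 'AutoConfigURL', 'ProxyServer') {
        $value = $props.$name
        if ($value -and $value -match $loopback) {
            [pscustomobject]@{ Source = $hive; Name = $name; Value = $value; Port = $Matches[1] }
        }
    }
})

# WinHTTP keeps its own proxy store (the one "netsh winhttp proxy reset" clears);
# WinHttpAutoProxySvc serves PAC lookups for it, so check it separately.
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -match $loopback) {
    $findings += [pscustomobject]@{ Source = 'netsh winhttp'; Name = 'proxy'; Value = $winhttp.Trim(); Port = $Matches[1] }
}

if (-not $findings) { 'No loopback proxy or PAC entries found.'; return }
$findings | Format-Table -AutoSize

# Whatever answers on that port is the component actually serving the bogus
# PAC/proxy; that is the thing to look at, not the service that re-applies the setting.
foreach ($port in ($findings.Port | Where-Object { $_ } | Sort-Object -Unique)) {
    Get-NetTCPConnection -LocalPort ([int]$port) -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # If the listener is svchost.exe, list the services hosted in that process.
            $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)").Name -join ','
            [pscustomobject]@{
                Port = $port; PID = $_.OwningProcess
                Process = $proc.ProcessName; Path = $proc.Path; Services = $svcs
            }
        } | Format-Table -AutoSize
}
```

If nothing is listening on the reported port at the moment you run it, re-run after reproducing the revert in the Settings app, since the listener may only be started on demand.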
 

TERRA Operative

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #1 on: December 13, 2020, 05:33:00 am »
Time for a nuke and pave, with no more dodgy downloads. :P

You could give tronscript a go first though, it might, maybe, help..
https://www.reddit.com/r/TronScript/
Where does all this test equipment keep coming from?!?

https://www.youtube.com/NearFarMedia/
 

bingo600

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #2 on: December 13, 2020, 06:53:23 am »
Could you do a "system restore" to a time where it wasn't even installed?
I'm on Linux too, so I don't even know if M$ is still doing these semi-automatic system backups anymore.

Even if it worked, I'd seriously consider nuking the HDD and reinstalling.

/Bingo
 

james_s

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #3 on: December 13, 2020, 07:17:04 am »
While it's a bit late for this now, any time I want to test something potentially sketchy I spin up a VM. I keep a copy of a clean install and just make a copy of it, use it for whatever I need to do and then if I'm done with it or if it gets infected I can just delete the whole VM.
 

Ed.Kloonk

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #4 on: December 13, 2020, 07:36:03 am »
 :(
iratus parum formica
 

olkipukki

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #5 on: December 13, 2020, 12:23:04 pm »
Quote from blueskull: I was tasked to edit a Visio document, so I had to boot into Windows and install Visio. I downloaded Visio from MSFT (I have two licenses in my account), but due to activation restrictions (somewhere 4 times per 6 months), activation failed.

Being a PC enthusiast, I get new computers frequently, above MSFT's activation limit.

Is it not possible to deactivate Visio before proceeding with a new activation? ???

At least I used to be able to deactivate MS Office and reinstall it on another hardware...
 

S. Petrukhin

Re: [Help] [Win10] Saving pennies, losing pounds
« Reply #6 on: December 13, 2020, 10:45:56 pm »
I think you needn't panic about the virus.
You probably enabled automatic activation in KMS, it is embedded in win and blocks requests.
Try launching KMS again and click [Delete KMS-host service] in the [System] tab.
And sorry for my English.
 