So I f*ed up. Earlier this year I went to visit my parents, and brought with me my new laptop with no productivity software installed. I normally use Linux, so I never cared about installing things on Windows.
I was tasked with editing a Visio document, so I had to boot into Windows and install Visio. I downloaded Visio from MSFT (I have two licenses in my account), but due to activation restrictions (somewhere around 4 times per 6 months), activation failed.
Being a PC enthusiast, I get new computers frequently, above MSFT's activation limit.
So I downloaded a KMS activator, and that's when all hell broke loose.
Apparently, MSFT is not happy with KMS, so they filed DMCA complaints and took down all official KMS sites, so there's no way to know if the link I found is virus-free or not, and Windows Defender will mark all KMS as a virus.
So I proceeded with disabling WD and gave KMS admin privilege, and that proved horribly wrong.
Initially I didn't find my computer was hacked, until days later I realized I could no longer access Google and other websites banned by the great firewall, so at that time I realized the KMS must have done funny things to my proxy settings.
And indeed, it set up an auto-config proxy which points to 127.0.0.1:86, and there's no way I can override it. I can change it in the Settings app and it will revert back instantly. I can also change it in the registry, and it reverts back after a reboot.
I tried MalwareBytes, found nothing. I tried WD, found nothing. This is after all KMS components are removed, but apparently a virus will not remove itself at your request. The KMS is gone, the virus is not, at least not completely.
After investigating with Process Explorer, I was able to see svchost was modifying my settings in the Settings app back to the bad ones, and upon further inspection the corresponding service is WinHTTPAutoProxySvc, and it is a Windows component.
So the virus must be clever in setting a Windows component to do dirty work for it, and there's no trace of the actual virus itself.
I can now just disable this service, but unfortunately that also renders the entire Windows proxy framework useless, so outside Firefox, there's no proxy for me, meaning Steam Workshop is inaccessible for me.
TL;DR: How can I prevent WinHTTPAutoProxySvc from changing my proxy settings without disabling it? Command "netsh winhttp proxy reset" resulted in operation success, but the behavior remained.
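
For triage of the symptom described in the post above, a read-only PowerShell sketch that lists where Windows keeps proxy and auto-config settings and what, if anything, is listening on the loopback port the post mentions. This is an added example, not part of the original post; the registry paths are the standard Windows Internet Settings locations, and port 86 is taken from the post.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
# Standard Windows locations for per-user, per-machine and policy proxy settings.
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$names = 'AutoConfigURL', 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'ProxySettingsPerUser'

$findings = foreach ($path in $locations) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($n in $names) {
        $v = $props.$n
        if ($null -ne $v) {
            [pscustomobject]@{
                Path     = $path
                Name     = $n
                Value    = $v
                # Flag values that point back at the local machine,
                # like the 127.0.0.1:86 auto-config entry in the post.
                Loopback = ("$v" -match '127\.0\.0\.1|localhost|\[::1\]')
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Machine-wide WinHTTP proxy, stored separately from the per-user settings.
netsh winhttp show proxy

# Which process, if any, is listening on the port from the post (86).
Get-NetTCPConnection -State Listen -LocalPort 86 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).Path } }
```

A value under one of the `Policies` keys is applied as policy and takes precedence over what the Settings app writes, so compare those rows against the per-user ones first.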