Why are my browsers suddenly configured to use a proxy?

I sat down at my computer this morning and could not access any web sites using Firefox. FF was telling me that "Firefox is configured to use a proxy server that is refusing connections." So I checked my settings and sure enough, it's set to "Use System Proxy Settings." Thinking this was suspicious, I checked IE, and sure enough it's set up to use a proxy. But just like FF I couldn't actually browse to any sites until I set the option to "No Proxy".

Now I don't use a proxy and never have before. So I'm not sure how these settings "magically" appeared. I imagine they can be set through a registry entry. Does it seem likely that I have a virus or some sort of malware? I am running Win7 64-bit and for AV I'm using MS Security Essentials. I ran Malwarebytes' Anti-Malware but no problems were detected. Are there any known legitimate programs that will change the proxy settings without warning?


Fiddler could be the cause. I debug my Silverlight application calls via Fiddler and have realised that launching Fiddler does automatically check the "Use a proxy server for LAN" checkbox. Uncheck the box and do not re-launch Fiddler, and all is well (though at times Fiddler does not track the traffic from that browser instance).


I have had this happen a couple of times in the last month or two and I have seen or heard of it happening to co-workers recently. In all of these cases it was due to malware. You may want to run a second tool in addition to MalwareBytes. The two times it happened to me none of my tools detected the problem. I ran MSConfig and there was a new process set to run during the startup.

You could also use Process Explorer from MS to see the location of all running processes:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

You will need to go to View->Select Columns and make sure Image Path is selected in order to see the location of each running process. Anything running from temporary locations would be suspicious. I usually sort the view by image path...makes it quicker to see problem locations. Any suspicious files could be uploaded to VirusTotal.com.


When the malware installs, it plants a proxy program on your system, then configures Firefox to use the proxy 127.0.0.1 (localhost) on some weird port (this is of course the port on which the proxy program is taking requests). When you google something, your request goes through the proxy program and then to the internet. The proxy program searches your request and then sometimes returns relevant ads when you click the link. Some malware proxies are also commanded to block anti-malware searches and websites. I had a doozy once, so I went to the Malwarebytes site, but it wouldn't go through. Anyway, that's how it works. After the malware is removed, the server refuses connections, so you will just need to configure it to use 'no proxy'.

Malwarebytes ftw!
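
The checks described in the answers above (a proxy set to localhost on an odd port, and the image path of the program behind it) can be scripted. This is an added example, not code from any of the posters. It assumes the proxy is stored in the current user's Internet Settings registry key, which IE and Firefox's "Use system proxy settings" both read, and that Windows PowerShell is available as shipped with Windows 7.

```powershell
# Added example: read the per-user system proxy settings and, if they point at
# the local machine, show which process is listening on that port.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg = Get-ItemProperty -Path $key

# ProxyEnable = 1 corresponds to the "Use a proxy server for your LAN" checkbox.
# AutoConfigURL holds a PAC script address, another way traffic gets redirected.
"ProxyEnable   : $($cfg.ProxyEnable)"
"ProxyServer   : $($cfg.ProxyServer)"
"AutoConfigURL : $($cfg.AutoConfigURL)"

# ProxyServer is either "host:port" or "http=host:port;https=host:port".
# Collect every port that is proxied to the loopback address.
$ports = @()
if ($cfg.ProxyEnable -eq 1 -and $cfg.ProxyServer) {
    $pattern = '(?i)(?:127\.0\.0\.1|localhost):(\d+)'
    foreach ($m in [regex]::Matches($cfg.ProxyServer, $pattern)) {
        $ports += [int]$m.Groups[1].Value
    }
}

if ($ports.Count -eq 0) {
    "No enabled loopback proxy in the current user's settings."
} else {
    # netstat -ano rows: Proto, Local Address, Foreign Address, State, PID.
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        if ($f[2] -notmatch ':0$') { continue }      # listening sockets only
        if ($f[1] -notmatch ':(\d+)$') { continue }
        $port = [int]$Matches[1]
        if ($ports -notcontains $port) { continue }

        # ExecutablePath can be empty for other users' processes unless elevated.
        $p = Get-WmiObject Win32_Process -Filter "ProcessId=$($f[4])"
        New-Object PSObject -Property @{
            Port      = $port
            ProcessId = $f[4]
            Name      = $p.Name
            ImagePath = $p.ExecutablePath
        }
    }
}
```

If the proxy is enabled but nothing is listed for its port, no program is accepting connections there, which matches the "refusing connections" error in the question.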