I have a user who installed some adware inadvertently. I'm not 100% sure which one exactly since a helpful manager tried to fix the PC himself with MalwareBytes and who knows what else.
I ran some scans with rkill and TDSSKiller, Combofix, AdwCleaner, and Junkware removal. Everything comes up clean. But I'm convinced something is still left behind because when I browse to pages that are completely static, that I made myself, I see Chrome momentarily go to other addresses. One that I see repeatedly is:
"Waiting for a.spdse.com..."
That looks like an address for "Save Path Deals" adware to me.
I don't see this behavior indication in IE.
I tried resetting Chrome, and uninstalling Chrome, but it's still the same.
The only thing I'm sure of is that I should not see any reference to "a.spdse.com" when I go to any of my own pages. Where could this be coming from?
While writing this, I found a clue: The proxy settings are being hijacked. It's being set to 127.0.0.1 port 8000, and even if I disable it or change it, it goes right back!
What service could be running that isn't being detected?
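
A triage sketch for the symptom described above, added here as an example and not part of the original post: it reads the per-user proxy settings that keep being rewritten and maps whatever is listening on the proxy port (8000, taken from the post) to its process, executable path, signature status and any hosting service. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated PowerShell prompt.

```powershell
# Added example: find what owns the local proxy at 127.0.0.1:8000.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
$port = 8000   # port from the hijacked proxy setting in the post

# 1. Current per-user proxy settings (the values that keep reverting).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $key |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL |
    Format-List

# 2. Sockets listening on the proxy port, and the processes behind them.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

if (-not $listeners) {
    Write-Output "Nothing is listening on port $port right now."
}
else {
    foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        # A service hosted in this process, if any (empty for plain processes).
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"

        # Signature status of the binary; unsigned files in user-writable
        # folders deserve a closer look.
        $sig = if ($proc.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
        } else { 'PathUnavailable' }

        [pscustomobject]@{
            ProcessId   = $procId
            Name        = $proc.Name
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            ParentPid   = $proc.ParentProcessId
            Services    = ($svc.Name -join ', ')
            Signature   = $sig
        } | Format-List
    }
}
```

If the listener turns out to be a service, the `Services` field gives the name to look up in the Services console; if it is a plain process, `ParentPid` and `CommandLine` show what launched it.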