PPRuNe Forums - View Single Post - virus/worm?
Thread: virus/worm?
View Single Post
Old 23rd August 2008 | 16:13
  #2 (permalink)  
BOAC
Per Ardua ad Astraeus
 
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
While as you say wpad is a genuine thing - a MS function which detects web proxy settings, I bravely clicked on your link and AVG immediately flagged a downloader agent which I then nuked.

Re wpad itself, I found this for IE:

"WPAD is the Web Proxy Automatic Discovery protocol, used by Internet Explorer to determine its proxy configuration. If IE doesn?t get the URL for a WPAD server from a DHCP option, it looks up the name wpad in DNS (appending the elements of the search list, of course). If it finds an address, the browser connects and tries to download the file wpad./wpad.dat. If it successfully retrieves the file, it reads its proxy configuration from there. What?s wrong with this? That perennial bugaboo, the search list. Let?s say your default domain name (what Microsoft calls the ?Primary DNS Suffix?) is infoblox.co.nz. If you?re using domain name ?devolution,? your search list (or ?DNS Suffix Search Order? in Windows parlance) includes infoblox.co.nz and co.nz. If there?s no wpad.infoblox.co.nz, the next domain name looked up is wpad.co.nz?which is outside your administrative control! Some miscreant may have registered wpad.co.nz (actually, it was registered by a responsible Kiwi security researcher named Beau Butler), and could be running a web server that delivers a wpad.dat file that instructs your web browser to shunt all its traffic to a proxy in Russia. Now, the default search lists that you get through ?devolution? (?Are we not men??) don?t include single-label domain names like com, which is good news because it means that those of us who run subdomains of com don?t have to worry quite as much. Even so, Duane Wessels, who runs wpad.com (and, thankfully, he?s another one of the good guys), sees over a million requests per day for wpad.com/wpad.dat. How should you deal with this? You can make sure that the wpad name resolution always returns the address of one of your own web servers, which serves a legitimate wpad.dat file. You can make sure that your computers? search lists don?t include any domain names outside of your administrative control (which is a good idea regardless). Or you can simply disable WPAD by unchecking ?Automatically detect settings? on the ?LAN Settings? page of IE?s preferences."

Cutting through that mumbo-jumbo I have highlighted the IE answer. There is almost certainly a hijack somewhere in your system taking you to 64.28.188.42 where I suggest you do NOT want to be! I don't think it is browser related but probably in your registry. I would offer 'hijack this' as per the sticky in this forum which should show up the problem. Dont forget System Restore will merely re-infect unless you clean it.
BOAC is offline  
Reply
0