virus/worm?
Thread Starter
Joined: Apr 2005
Posts: 368
Likes: 0
From: UK
Hi all
Been having a problem with what I think might be a virus/worm. This only happens when I log into IE5. No problems when using Firefox.
After clicking ‘sign in’ on IE5, an Avast warning page appears, “Virus was found”, with the following info:
File Name: http://64.28.188.42/wpad.dat (DO NOT CLICK)
Malware Name: Malware-Gen
Type: Virus/worm
Having selected ‘abort connection’ on the Avast window, IE then logs me on. After the opening page appears, Avast kicks in again, with the above info except the File Name of the offending item is now...
C:\documents and setting\owner\local settings\temporary internet files\content IE5\wnudq9uf\wpad[1].htm
Selecting the Avast choices:
‘Move to Chest’ does in fact move this file to the chest.
‘Delete’ seems to work?
‘Repair’ seems not able to do.
Selecting move to chest/delete then allows me to carry on surfing with IE5. When I log off and go to Firefox, no probs. But if I go back to IE and log in, Avast then kicks in again with the above warnings. I’ve run Avast and Spybot but they don’t pick up anything. Have even shredded my ‘temp internet files’ to no avail.
Have even searched the URL; it seems a normal company on the net. Most strange, any help much appreciated.
Daz
Per Ardua ad Astraeus
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
While, as you say, wpad is a genuine thing - a MS function which detects web proxy settings - I bravely clicked on your link and AVG immediately flagged a downloader agent which I then nuked.
Re wpad itself, I found this for IE:
"WPAD is the Web Proxy Automatic Discovery protocol, used by Internet Explorer to determine its proxy configuration. If IE doesn't get the URL for a WPAD server from a DHCP option, it looks up the name wpad in DNS (appending the elements of the search list, of course). If it finds an address, the browser connects and tries to download the file wpad./wpad.dat. If it successfully retrieves the file, it reads its proxy configuration from there. What's wrong with this? That perennial bugaboo, the search list. Let's say your default domain name (what Microsoft calls the “Primary DNS Suffix”) is infoblox.co.nz. If you're using domain name “devolution,” your search list (or “DNS Suffix Search Order” in Windows parlance) includes infoblox.co.nz and co.nz. If there's no wpad.infoblox.co.nz, the next domain name looked up is wpad.co.nz, which is outside your administrative control! Some miscreant may have registered wpad.co.nz (actually, it was registered by a responsible Kiwi security researcher named Beau Butler), and could be running a web server that delivers a wpad.dat file that instructs your web browser to shunt all its traffic to a proxy in Russia. Now, the default search lists that you get through “devolution” (“Are we not men?”) don't include single-label domain names like com, which is good news because it means that those of us who run subdomains of com don't have to worry quite as much. Even so, Duane Wessels, who runs wpad.com (and, thankfully, he's another one of the good guys), sees over a million requests per day for wpad.com/wpad.dat. How should you deal with this? You can make sure that the wpad name resolution always returns the address of one of your own web servers, which serves a legitimate wpad.dat file. You can make sure that your computers' search lists don't include any domain names outside of your administrative control (which is a good idea regardless). Or you can simply disable WPAD by unchecking “Automatically detect settings” on the “LAN Settings” page of IE's preferences."
Cutting through that mumbo-jumbo, I have highlighted the IE answer. There is almost certainly a hijack somewhere in your system taking you to 64.28.188.42 where I suggest you do NOT want to be! I don't think it is browser related but probably in your registry. I would offer 'HijackThis' as per the sticky in this forum, which should show up the problem. Don't forget System Restore will merely re-infect unless you clean it.
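The quoted text describes two things a defender can check directly: which wpad.<suffix> names DNS suffix devolution will try for a given Primary DNS Suffix (and which of those sit outside the organisation's control), and which proxy endpoints a retrieved wpad.dat would actually push the browser through. The following is an added example, not code from the thread or from Infoblox; CONTROLLED_DOMAINS, the allowlist, and SAMPLE_PAC are constructed assumptions, and the devolution model is the simplified one the quote gives (strip one label at a time, never try a single-label name).

```python
import re

# Constructed example: the domains this organisation actually administers.
CONTROLLED_DOMAINS = {"infoblox.co.nz"}

def devolved_search_list(primary_suffix, min_labels=2):
    """Suffixes Windows DNS 'devolution' would try, longest first.
    One leading label is stripped per step; single-label names (com, nz)
    are never tried, matching the behaviour described in the quoted text."""
    labels = primary_suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def wpad_lookup_risk(primary_suffix, controlled=CONTROLLED_DOMAINS):
    """For each candidate 'wpad.<suffix>' name, report whether that suffix is
    under our control. Any uncontrolled name is one a third party could
    register and answer with their own wpad.dat."""
    report = []
    for suffix in devolved_search_list(primary_suffix):
        ok = any(suffix == c or suffix.endswith("." + c) for c in controlled)
        report.append(("wpad." + suffix, ok))
    return report

# PAC return strings look like "PROXY host:port; SOCKS host:port; DIRECT".
PROXY_RE = re.compile(r"\b(PROXY|SOCKS|HTTPS?)\s+([^\s;\"']+)", re.IGNORECASE)

def proxies_in_pac(pac_text):
    """Every proxy endpoint named anywhere in a PAC / wpad.dat file."""
    return sorted({m.group(2) for m in PROXY_RE.finditer(pac_text)})

def unexpected_proxies(pac_text, allowed_hosts):
    """Endpoints not on the allowlist: a wpad.dat naming any of these would
    silently route the browser's traffic through a proxy we do not run."""
    allowed = {h.lower() for h in allowed_hosts}
    return [p for p in proxies_in_pac(pac_text)
            if p.rsplit(":", 1)[0].lower() not in allowed]

# Constructed sample wpad.dat (not the file served by the address in the thread).
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.infoblox.co.nz:8080; PROXY 198.51.100.7:3128; DIRECT";
}"""

if __name__ == "__main__":
    for name, ok in wpad_lookup_risk("infoblox.co.nz"):
        print(f"{name}: {'controlled' if ok else 'OUTSIDE administrative control'}")
    print("unexpected proxies:", unexpected_proxies(SAMPLE_PAC, {"proxy.infoblox.co.nz"}))
```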
Joined: Feb 2000
Posts: 542
Likes: 0
From: asia
Report it?
The web address you gave is owned by a major US hosting company, so presumably someone using their service has had their web site accidentally or deliberately compromised.
If you look up the whois info, there is a tech and/or abuse contact - how about dropping them an email?
Thread Starter
Joined: Apr 2005
Posts: 368
Likes: 0
From: UK
Thanks for your reply isi3000. I downloaded the free version; alas, it picked no nasties up. I have an update to this problem. While looking at my temp internet files I noticed the offending file: File Type: Firefox document, size 1KB, with no expires date.
Stckyb: Have had reply from the hosting company they seem most concerned and have asked me to forward more details such as what AV I'm using.
Daz
Joined: Feb 2000
Posts: 542
Likes: 0
From: asia
OK, now I understand (I think).
It would appear that someone has placed a corrupt wpad file in the path of the site you are accessing. It may not be on that site (see BOAC's post for a good example).
wpad files are only used by IE (I think), so other browsers are not affected.
Your anti virus software is stopping the file being executed, but there seems to be a copy lurking on your system that is accessed every time you start IE, thus triggering your A/V software again.
Try deleting all temp internet files, then search your computer for any wpad.* files and delete them.