

WPAD Entry - Cannot browse websites using Edge and Chrome

Question

Friday, November 24, 2017 1:00 AM

After making the Windows Experience Upgrade and Windows Update the other day, my Chrome and Edge started to get erratic. I cannot open websites. It always says proxy error. Checked my hw connection, all good. My mobile devices can access the net so no prob with the router.

- I can ping URLs.
- flushed my dns, etc.
- scanned with my A/V and Malwarebytes, nothing.

While researching on the issue, I came across WPAD. I checked the entries on the dat file :

    function FindProxyForURL(url, host) {
        if (isPlainHostName(host) ||
            dnsDomainIs(host, ".windowsupdate.com") ||
            dnsDomainIs(host, ".microsoft.com") ||
            dnsDomainIs(host, ".baidu.com") ||
            dnsDomainIs(host, ".kaspersky.com") ||
            dnsDomainIs(host, ".live.com") ||
            isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "172.16.0.0", "255.255.224.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0") ||
            isInNet(host, "127.0.0.0", "255.0.0.0"))
            return "DIRECT";
        else
            return 'PROXY 185.93.3.123:8080';
    };

I can't figure out why there's this proxy link PROXY 185.93.3.123:8080. I whois'ed the IP; it's a datacenter in Spain.
To fix it, I had to create a new script (.pac) and call that in the proxy settings.

I wonder though how that proxy server/link got there? I can't even find where wpad.dat is located until I saved it locally.
Is it due to the Windows Update?
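To see where a PAC file like the one quoted above actually sends traffic, it can be evaluated offline against a few test hosts. This is an added example, not part of the original post; `auditPac`, `pacHelpers` and the sample host names are constructed for illustration, and `isInNet` here matches IPv4 literals only, without DNS lookups.

```javascript
// Added example: evaluate a PAC script offline and report its routing decisions.
// node:vm is not a security boundary; analyse untrusted PAC files in a throwaway VM.
const vm = require('node:vm');

// PAC text as posted in the question (indentation normalised).
const PAC_FROM_POST = `function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".windowsupdate.com") ||
        dnsDomainIs(host, ".microsoft.com") ||
        dnsDomainIs(host, ".baidu.com") ||
        dnsDomainIs(host, ".kaspersky.com") ||
        dnsDomainIs(host, ".live.com") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.255.224.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0"))
        return "DIRECT";
    else
        return 'PROXY 185.93.3.123:8080';
};`;

const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isIPv4 = (h) => /^(\d{1,3}\.){3}\d{1,3}$/.test(h);

// Minimal stand-ins for the PAC helper functions a browser provides.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => isIPv4(host) &&
    ((ipToInt(host) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0),
};

// Returns the PAC decision per host and any proxy endpoint not on the allowlist.
function auditPac(pacSource, hosts, allowedProxies = []) {
  const ctx = vm.createContext({ ...pacHelpers });
  vm.runInContext(pacSource, ctx, { timeout: 1000 });
  return hosts.map((host) => {
    const call = `FindProxyForURL(${JSON.stringify('http://' + host + '/')}, ${JSON.stringify(host)})`;
    const decision = String(vm.runInContext(call, ctx, { timeout: 1000 }));
    const proxies = decision.split(';').map((s) => s.trim())
      .filter((s) => /^(PROXY|SOCKS\d?|HTTPS?)\s/i.test(s)).map((s) => s.split(/\s+/)[1]);
    return { host, decision, unexpected: proxies.filter((p) => !allowedProxies.includes(p)) };
  });
}

// Constructed sample hosts: a bypass-list domain, a LAN address, and ordinary sites.
const SAMPLE_HOSTS = ['intranet', 'update.microsoft.com', '192.168.1.10', 'www.example.com'];
console.log(auditPac(PAC_FROM_POST, SAMPLE_HOSTS));
```

Any entry with a non-empty `unexpected` list is a host whose traffic the PAC hands to a proxy you did not configure; pass your organisation's real proxy endpoints as `allowedProxies` to suppress known-good results.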

All replies (15)

Friday, November 24, 2017 1:36 AM

Well, I am facing the same problem.

I did not set any proxy, but it keeps telling me

proxy 185.93.3.123:8080 error.

Even when I tried other browsers, it can't access any website.


Friday, November 24, 2017 2:19 AM | 1 vote

I'm facing the same problem as stated. Internet Explorer & Chrome failed to connect to the internet. I have called my local internet service provider, who stated that some technical issue occurred. You may try:

1) Use Firefox (it is able to connect) OR

2) Go to Control Panel->Internet Option->Connection->LAN setting->uncheck "Automatically detect settings"


Friday, November 24, 2017 2:23 AM

Same issue on 1 client machine, seems to have been related to updates but can't verify as they were applied on the 17/11, user reported issue 24/11 after some days of connection issues.

No malware detected. Remove the autoproxy check and all is good again.

Interested to see what comes of this.


Friday, November 24, 2017 3:30 PM

Hi Emerson,

This really is a strange issue.

Seems to have affected Win10 and also W7 installations.

Could this be a Microsoft issue, or perhaps something more sinister?

The IP address in question seems to be linked to a Spanish Data Centre... 

You'd think far more people would be reporting the issue if it was just MS related? Perhaps this could be a virus/exploit going around?

Matt


Friday, November 24, 2017 4:02 PM

Check under device manager/other if you have any of the following installed

sms/mms

sms/mms

BTLIstening

BBLPROXY

DBLPROXY

It will be under a tab called other.

I've had the exact same issue on a client's PC and after removing those software devices the internet started working again.

If that does not work then try Jess_joy's solution.

Thanks

Tiaan


Friday, November 24, 2017 6:34 PM

Could you check if your DHCP server (probably your router) assigns you the network name "domain.name", as some dlink routers do by default?

It seems that someone has registered wpad.domain.name and uses it to spread that exact wpad file

( http://wpad.domain.name/wpad.dat )

Probably a sinister thing...


Friday, November 24, 2017 6:38 PM

Same here (Hungary).

Kali Linux, Android NOT affected.

I take out my dlink router from my network and everything gets back to normal.

What is this?

Some configuration error in win10_1709 / dlink firmware (malicious code) / telecommunication spinline error?


Friday, November 24, 2017 6:57 PM

By default your dlink router distributes the 'network name' parameter set to "domain.name" in the DHCP server.

Someone is using this to spread that malicious wpad file.

Try to reintroduce your dlink router, changing domain.name to something different (DHCP server settings).


Friday, November 24, 2017 9:46 PM

Hi THC, 

Looks like you are spot on. Thank you.

I curl'd wpad.domain.name and it returned the proxy address that's been killing our network.. I'm not sure how somebody is allowed to register this domain in the first place, but it's quite clever.... Annoyingly.

Not sure if this is part of a data stealing exercise or a DDOS on somebody.

Anyway, if anybody is in the same situation, you need to change your DNS zone on your router to something other than domain.name. This will stop your devices looking up their auto-discovery cache/proxy settings.

Matt


Saturday, November 25, 2017 12:48 AM

Thank you all for your solutions, by removing the autoproxy I could use Edge and explorer again.

I would just still like to ask a question regarding changing the DNS zone to something different than domain.name ... to what must or can it be changed then? Is it something like Google's 8.8.8.8?

Any help or advice would be appreciated.

Tom


Saturday, November 25, 2017 5:24 PM

This solution worked for me as well, but the existence of an unidentified IP as a proxy is alarming. The only thing I can think of that I had on my PC that might have compromised my computer is uTorrent. Anyone else had it? Or any other software you installed recently?


Monday, November 27, 2017 3:27 AM

I saw this on Friday and it left me stumped. The ISP also.

Today the customer tells me it "fixed itself" over the weekend.

I wonder if the suspect proxy has been shut down or they increased their bandwidth to stop the timeouts?

Luckily for me, my Dlink DSL-2750B wasn't affected.


Wednesday, November 29, 2017 3:55 PM

I had a very similar issue on Monday.  Problems with IE and Chrome both routing to google.cz.  IP check showed that same 185... IP.  Firefox, with proxy off went to google.com just fine.  Turn on auto discovery - we're in Czechia again.  I also have a Dlink router - an 890L on firmware 1.2 - but it wasn't configured with domain.name.  Was 'dlinkrouter' all one word.  Numerous scans later, no malware detected, but this clearly is.  Changed dlinkrouter to something totally different; problem persists.  Activation of auto-proxy discovery still routes me to cz, so something is still there.


Thursday, November 30, 2017 7:44 PM

Any progression?

It should be something else.

BTW, my ISP did something (their support cannot share technical details...) and now the http://wpad.domain.name\wpad.dat file is EMPTY.

It could be some filtering; sadly I don't have any more details.
Or somehow they(?) managed to modify | delete the source at http://wpad.domain.name ?

I tried to download from my mobile internet (Android phone) but there was an error msg and I cannot download any file (maybe it is some Android security block function or there is NO WPAD-PAC at all?)

I will test from other ISP from Windows and I will post the results.


Friday, December 1, 2017 12:50 PM

I will test from other ISP from Windows and I will post the results

Tested, the file is empty (0 long) from other ISP too.