ashkan_najmabadi 0 Posted December 7, 2021 Posted December 7, 2021 Hello, can anyone help me? I receive this notification several times. is this virus or trojan? what should i do?
Administrators Marcos 5,462 Posted December 7, 2021 Administrators Posted December 7, 2021 Please provide logs collected with ESET Log Collector for a start.
ashkan_najmabadi 0 Posted December 7, 2021 Author Posted December 7, 2021 you mean this text file?collector_log.txt
Administrators Marcos 5,462 Posted December 7, 2021 Administrators Posted December 7, 2021 I mean eav_logs.zip or eis_logs.zip.
Administrators Marcos 5,462 Posted December 7, 2021 Administrators Posted December 7, 2021 I'm sorry but we do not provide support to those with misused / leaked licenses. The license you use was overused and canceled.
JanBar 0 Posted December 8, 2021 Posted December 8, 2021 We are facing almost same problem from yesterday. running any application using internet cause blocking connection. what is realy strange to me that it points to same IP like original post.
itman 1,806 Posted December 8, 2021 Posted December 8, 2021 13 hours ago, JanBar said: We are facing almost same problem from yesterday. running any application using internet cause blocking connection. what is realy strange to me that it points to same IP like original post. Appears Eset is detecting an infected BGP server performing WPAD "man-in-the-middle" interception activities. It so happens that the IP address shown references a server in Prague. This might explain why your Internet traffic is being blocked since I assume being located in the Czech Republic, regional Internet network traffic is being routed through this server. You can try to set your browser network settings to use "no proxy" which is a recommended mitigation for this type of WPAD attack. You also need to inform your ISP of this activity so that they can investigate on their end what is the status of this server. Aryeh Goretsky 1
JanBar 0 Posted December 9, 2021 Posted December 9, 2021 no proxy is set and winhttpautoproxysvc is completely disabled but the problem persist 😞
itman 1,806 Posted December 9, 2021 Posted December 9, 2021 14 hours ago, JanBar said: no proxy is set and winhttpautoproxysvc is completely disabled but the problem persist 😞 In Win 10, make sure below highlighted setting is set to "off":
JanBar 0 Posted December 10, 2021 Posted December 10, 2021 sure i did, this setting is set to off. But in WIN 10, this settings doesnt stop the service itself you can check it by type "sc query winhttpautoproxysvc" so i disable also the service
itman 1,806 Posted December 10, 2021 Posted December 10, 2021 (edited) Refer to this posting: https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/ . Although its 4 years old, it still appears applicable since the same three OVH French servers are still currently being used in the wpad.domain.name configuration file. Again, its your ISP's responsibility to ensure you're not being routed to this domain. You need to contact them about this. If they ignore you, find a different ISP provider. If you're using ISP provided DNS servers, switch to using Google, Clouldfare, etc. and see if that eliminates the issue. Also, note that Microsoft does not recommend that the winhttpautoproxysvc be disabled. Edited December 10, 2021 by itman
safety 8 Posted December 11, 2021 Posted December 11, 2021 Hacking of the router is possible. As a solution, you need to go to the router settings and change the domain name from domain.name to my.router (as an example, or another non-existent domain name). Quote SQx: It turns out that this domain name is real, and it contains intangible settings that Windows 7/10 automatically picks up, hxxp://185.38.111.1/wpad.dat or hxxp://wpad.domain.name/wpad.dat
safety 8 Posted December 11, 2021 Posted December 11, 2021 more details here https://www.anti-malware.ru/forum/topic/33052-uvs-тестирование/?do=findComment&comment=195390
itman 1,806 Posted December 11, 2021 Posted December 11, 2021 (edited) 5 hours ago, safety said: Hacking of the router is possible. As a solution, you need to go to the router settings and change the domain name from domain.name to my.router (as an example, or another non-existent domain name). On ISP provided routers that setting wouldn't exist. If would take the form of DNS suffix that would be stored internally in the router and is not user modifiable. As such, I can't see how it could be hacked. I would reset the router and see if that resolves the issue. However, DCHP domain is stored in Win registry Tcpip settings per below screen shot. It is possible this setting was hacked. However, I believe this setting is refreshed each time system restarts. But not in the case of Win 10 fast startup mode I believe. Edited December 11, 2021 by itman
itman 1,806 Posted December 11, 2021 Posted December 11, 2021 Another thing that can be tried is to perform a full Win 10 network reset. See below screen shot. Note carefully what this does and that VPN software, etc.. might have to be reinstalled. Also, you will have no network connectivity for 5 mins. while Windows is setting up the network for a reset. If this doesn't solve the wpad issue, it is happening external to Windows; either by the router or your ISP network. Also if this solves the issue but it reappears later, this would imply that it is installed malware related.
itman 1,806 Posted December 11, 2021 Posted December 11, 2021 (edited) I did come across the Google ProjectZero article that recommended that winhttpautoproxysvc service be disabled: https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html . BTW - this was patched by Microsoft. At the same time I found this later dated router vulnerability advisory that also might be worth exploring: Quote The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration, but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name of “wpad” if a DHCP response is unavailable. An attacker with local area network (LAN) access may be able to add a device with the name “wpad” to the network, which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD. https://www.kb.cert.org/vuls/id/598349 Of note is the recommended mitigation for this is: Quote Home/office LAN/WLAN routers should not auto-register to their local DNS magic names related to auto-configuration and auto-discovery features should not accept mDNS based names as authoritative sources.Apply the vendor patch. Edited December 11, 2021 by itman safety 1
Recommended Posts