#wpad

How to remove the AutoConfigUrl Browser Hijacker (Removal Guide)

Fri, 07 Oct 2016 10:29:03 EDT

Read 548 times

  Various adware programs will configure your browser to use a remote WPAD.dat file as the Automatic Configuration Script in Windows’ Internet Options or the browser’s settings. When this setting is configured, installed browsers will download the script from the remote location and use the instructions in the script to configure various browser settings such as proxy settings.

Unfortunately, since this script is under the adware developer’s control, the settings they configure can cause your browser to show unwanted ads or redirect to pages under their control. This can be very annoying as when you open your browser you may be shown unwanted home pages or if you click on a link you may be redirected to a site that is unrelated to the link you clicked on.

It is important to note that Automatic Configuration Scripts are commonly used for legitimate reasons such as a company wanting to configure all the workstation’s browsers to use a particular corporate proxy server. It is only when an adware program configures these scripts that we want to remove them.

Below is a list of URLs that are being configured as the AutoConfigUrl by adware:

http://unblockservice.com/wpad.dat http://unstop.me/wpad.dat http://unstopp.me/wpad.dat http://stoppblock.org/wpad.dat http://get-access.me/wpad.dat http://unstops.net/wpad.dat http://unstops.biz/wpad.dat http://stoppblock.com/wpad.dat http://un-blocking.net/wpad.dat http://non-block.net/wpad.dat http://nonblock.net/wpad.dat http://nonblocks.com/wpad.dat http://stoppblock.me/wpad.dat http://un-blocking.com/wpad.dat http://un-stop.net/wpad.dat http://stoppblock.biz/wpad.dat http://none-stop.net/wpad.dat http://non-block.com/wpad.dat http://noneblock.com/wpad.dat

How was a Automatic Configuration Script set on my computer?

The adware programs that configure the AutoConfigUrl are commonly bundled with free programs that you download from the Internet. Therefore, it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, If the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.

If you discover that your browser is being redirected to sites that you were not expecting or displaying unwanted advertisements, you can check the Internet Options -> Connections Tab and see if a Automatic Configuration Script is configured. If it is, I suggest you either contact your system administrator, if in a corporate environment, or use the guide below to scan for unwanted AutoConfigUrls and remove them for free.

Array

View Associated AutoConfigUrl Browser Hijacker Registry Information

HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings “AutoConfigUrl” = “http://un-blocking.info/wpad.dat?[id]” HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMap UNCAsIntranet = 1 HKCUSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet Settings “EnableAutoproxyResultCache” = 0 HKCUSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap HKCUSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap “AutoDetect” = 0 HKCUSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap “ProxyByPass” = 0 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesNlaSvcParametersInternetManualProxies @ = 0http://un-blocking.info/wpad.dat?[id]

Source: Bleeping Virus

The WPAD Man in the Middle attack will allow you to harvest clear text passwords on an internal network and perform MiTM attacks against browsers.