Cannot remove this stubborn proxy.

illusions · Jun 1, 2009

Hi,

I am using windows xp sp3 on home computer
with d-link router dl-604

I have never enter the proxy server info however it keeps reappearing even after I have deleted it on
registry. I have google everywhere on the internet cannot seem able to find a solution.

proxy server 64.59.144.94 keeps resurrecting itself.
see attachment jpg

Please advice and thanks

My registry remove proxy.reg =======================

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyOverride"=""
"ProxyServer"=""
"AutoConfigProxy"=-
“AutoConfigURL”=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SavedLegacySettings"=hex:46,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00

===============================
Out of fustration i delete the whole
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

Reboot the computer and it create a new
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,03,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,26,00,00,00,68,74,74,70,3a,2f,2f,70,\
72,6f,78,79,2e,76,63,2e,73,68,61,77,63,61,62,6c,65,2e,6e,65,74,2f,77,70,61,\
64,2e,64,61,74,00,ec,7c,1e,26,e1,c9,01,00,00,00,00,00,00,00,00,00,00,00,00,\
01,00,00,00,02,00,00,00,c0,a8,00,65,00,00,00,00,00,00,00,00,6f,00,6f,00,74,\
00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00,44,00,3b,00,2e,00,56,00,42,00,\
53,00,3b,00,2e,00,56,00,42,00,45,00,3b,00,2e,00,4a,00,53,00,3b,00,2e,00,4a,\
00,53,00,45,00,3b,00,2e,00,57,00,53,00,46,00,3b,00,2e,00,57,00,53,00,48,00,\
00,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,62,00,65,00,6d,\
00,00,00,00,00,00,00
"SavedLegacySettings"=hex:46,00,00,00,0a,00,00,00,01,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,26,00,00,00,68,74,74,70,3a,2f,2f,70,72,6f,\
78,79,2e,76,63,2e,73,68,61,77,63,61,62,6c,65,2e,6e,65,74,2f,77,70,61,64,2e,\
64,61,74,00,ec,7c,1e,26,e1,c9,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,\
00,00,02,00,00,00,c0,a8,00,65,00,00,00,00,00,00,00,00,6f,00,6f,00,74,00,25,\
00,5c,00,54,00,45,00,4d,00,50,00,00,00,44,00,3b,00,2e,00,56,00,42,00,53,00,\
3b,00,2e,00,56,00,42,00,45,00,3b,00,2e,00,4a,00,53,00,3b,00,2e,00,4a,00,53,\
00,45,00,3b,00,2e,00,57,00,53,00,46,00,3b,00,2e,00,57,00,53,00,48,00,00,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,62,00,65,00,6d,00,00,\
00,00,00,00,00

refer to proxy2 image

In DefaultConnectionSettings and SavedLegacySettings
has the

http://proxy.vc.shawcable.net/wpad.dat

so i download the wpad.dat
look something like this using a note pad to read it.

==================================

function FindProxyForURL(url, host)
{
if (
shExpMatch(url, "https://*") ||
shExpMatch(url, "news://*") ||
shExpMatch(url, "snews://*") ||
shExpMatch(url, "ftp://*@*") ||
shExpMatch(url, "http://localhost/*") ||
shExpMatch(url, "http://localhost:*/*") || shExpMatch(url, "*.shaw.ca/*") ||
shExpMatch(url, "http://10.*") ||
shExpMatch(url, "http://172.16.*") ||
shExpMatch(url, "http://192.168.*") ||
shExpMatch(url, "http://*.youtube.com/*") ||
shExpMatch(url, "http://*.google.com/*") ||
shExpMatch(url, "http://*.facebook.com/*") ||
shExpMatch(url, "http://*.myspace.com/*") ||
shExpMatch(url, "http://*.myspacecdn.com/*") ||
shExpMatch(url, "http://*.dailymotion.com/*") ||
shExpMatch(url, "http://*.megarotic.com/*") ||
shExpMatch(url, "http://*.apple.com/*") ||
shExpMatch(url, "http://*.xvideos.com/*") ||
shExpMatch(url, "http://*.megavideo.com/*") ||
shExpMatch(url, "http://*.veoh.com/*") ||
shExpMatch(url, "http://*.imeem.com/*") ||
shExpMatch(url, "http://*.rapidshare.com/*") ||
shExpMatch(url, "http://*.google.ca/*") ||
shExpMatch(url, "http://*.msn.com/*") ||
shExpMatch(url, "http://*.live.com/*") ||
shExpMatch(url, "http://*.llnwd.net/*") ||
0
)
{
return("DIRECT");
}
var hash = 0;
hash = (host.length % 2);

if (hash == 0)
{
return("PROXY 64.59.144.94:8080; PROXY 64.59.144.95:8080; DIRECT");
}
else
{
return("PROXY 64.59.144.95:8080; PROXY 64.59.144.94:8080; DIRECT");
}

}

=====================

What is wpad.dat ... where is it located?

chaslang · Jun 3, 2009

Welcome to Major Geeks!

I'm not sure exact what you are trying to do but the IP address you are referring to is from your cable company Shaw and is likely part of your default setup with them. This is not malware. It is probably a required setup. WPAD stands for Web Proxy Autodiscovery Protocol which is method used by clients to locate a proxy auto-config file automatically and use this to configure the browser's web proxy settings. See: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Log in or Sign up

Cannot remove this stubborn proxy.

illusions Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Log in or Sign up

Cannot remove this stubborn proxy.

illusions Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches