How to check for malicious Proxy Auto-Config files in Windows

Internet banking credentials are a high-value target for online criminals. Common attack forms that try to steal credentials or at least information are man-in-the-middle attacks and trojans that are have been designed specifically to capture credentials related to financial services and websites.
Microsoft released a warning back in February 2014 about malicious Proxy Auto-Config (PAC) redirects that can be used for that purpose as well.
A PAC file is used to select proxy servers or direct connections based on web addresses that you open in the web browser. These type of files are mostly used in corporate environments and here especially on mobile devices such as laptops.
PAC files are supported by all modern web browsers and can be loaded like other proxy servers in the network settings.
Malicious PAC files are used to redirect Internet users when they try to open sites of interest. The browser is automatically rerouted to a fake website that looks like the original site. Any information or credentials the user enters on this site are stolen and may be used for malicious activities or to steal online accounts.
Users can be infected through various means, from drive-by attacks and malware to local attacks that plant the PAC file directly on the system.
According to Microsoft's study, malicious PAC files are predominantly used in Brazil, Russia, the UK and Australia.
While many attacks target banking websites, Microsoft notes that other services are also targeted, including other payment providers, email providers, or social networking sites.
Find out if (malicious) PAC files are loaded on your system
Depending on which web browser you are using, you find the PAC files listed in a different location and menu.
Internet Explorer and browsers that use IE network settings (like Google Chrome)
Note: You can configure from within Chrome's settings, but you will be redirected to the Internet Options when you do.
- Open Internet Explorer on your computer.
- Tap on the Alt-key to bring up the menu bar if it is not displayed.
- Select Tools > Internet Options from the menu.
- Switch to the connections tab.
- Click on LAN settings.
- Check the "Use automatic configuration script" option. If it is enabled and if a PAC file is listed here, it is being used.
- To remove it, simply uncheck the box or delete it there. Do this only if you are certain that it is malicious.
The Firefox web browser
- Open the Firefox web browser.
- Tap on the Alt-key to bring up the menu bar.
- Select Tools > Options > Advanced > Network.
- Click on the Settings button next to Connections.
- Verify that the "automatic proxy configuration url" is not selected.
Use a third party program
Phrozensoft has published the Auto Config Risk Protector application for Windows today which checks Internet Explorer's proxy settings for you to notify you when a PAC file is being used.
Simply run the program and click on the scan button afterwards. The application will either report that there is no PAC file in use, or that it has found one. If that is the case, the address of it is displayed to you with options to keep it or remove it instead.
Advertisement
Does it come back after every “moment” update?
Yeah right.. Like this is going to stop defender from running =) This is comedy gold right here.
no ‘about the author’ paragraph?
For permanent disable defender is if removed complete from system no just change permission folder.
Just this is joke.
simpler, load Autoruns (SysInternals)
– filter “Defender”
– untag all entries
– reboot
nothing has changed since my 1st modification years ago
I wouldn’t disable Defender imho, it has too many hidden roots inside Windows itself. One time I tried to uninstall it using brute force scripts and then the Onedrive feature stopped working definitely. A reinstallation was needed and since those times I prefer to maintain Defender untouched. It’s a better method to install another antivirus and it will disable Defender in a safer and easier mode (e.g., Avast is the best in this way, and also Panda Cloud Free is good too).
You can not stop defender from running in background or remove it without some penalty. All you can do is to limit telemetry.
@borts,
It’s probably Smartscreen which is preventing WD from being disabled. Get rid of that and the problem should be solved: https://thegeekpage.com/disable-windows-defender-smartscreen/#How_to_disable_the_Windows_Defender_SmartScreen_via_Local_Group_Policy_Editor
Remove Windows and go for Linux.
Linux sucks dude. Besides it’s not comparable to Windows, these OSes are in different classes entirely.
I use Linux as my daily driver. It’s far more stable than Windows. When’s the last time you used Linux, 2010?
@basingstoke
You’re right, dude. Bro, linux is just a bunch of code that starts before the OS, dude. Brobrodude, that shit ain’t even got emojis, dudebrodudeman! Dudebro, it’s no way near as cool as Windows with its hardcoded abilities to make money off the user, bro. Yo brodude man, you’re the coolest dude ever man, bro. Dude.
Lol what? Windows 7 doesn’t come with any Emojis
Download Autoruns and remove the checkmark from Windows Defender. It doesn’t remove it, but it will never run. https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Just use “Defender Control”:
https://www.sordum.org/9480/defender-control-v2-1/comment-page-1/#comments
Per this video,
https://www.youtube.com/watch?v=CLIjr7FyxZ8
it also works on Windows 11 too…
Win Defender, is completly the most succesful free-built in antivirus of Microsoft. Really nice product. Saved my ass a lot of times. Has updated malware database, completly strong defence
from whatever smart screen disables. Or if you want better and more upgrated (paid) program,
you can go further. But defender is always on your side.
Why would one disable Windows (or Microsoft) Defender in the first place?. I consider this to be playing with fire big time. Everybody knows that if one is using another A-V, Defender will be disabled on its own and won’t be in one’s way.
Why would I want to disable Windows Defender in the first place? It’s a great anti virus in my opinion. Been using it since Windows 8 and and never had a problem or a virus. Why mess with a good thing, if it ain’t broke don’t fix it.
How a ridiculous article!
I am thoroughly stunned.
Why Should You Disable First-Party Windows Defender?
I can only think that it is “malice or perversely intention (want you to buy a third-party AV where you can expect a back margin)” to guide invalidation without showing the premise.
No sane company will use third-party closed source programs (such as AV).
As I thought, “Ghacks Technology News” seems to be coming to downfall.