New method of attack - "use automatic configuration script"
I believe I've turned up a new method of attack.
Short Story -
A piece of malware used the "use automatic configuration script" to insert an infected URL into a Windows system. One can navigate to this by going to
Control Panel / Internet Properties / Connections / LAN Settings
The malware inserted a URL in the "use automatic configuration script" field.
Long Story -
A customer brought me an infected computer. The system was running Kaspersky. I hooked it up at the office, but kept it offline. It seemed to work fine. As soon as it went online a fake BSOD screen appeared. While I could use Ctrl-Alt-Delete and Alt-Tab, I couldn't get back to a clean desktop. I took the system offline and restarted.
I downloaded Malwarebytes and Microsoft Safety tool to another system and moved these to the infected system via USB. Malwarebytes removed about 300 items. Microsoft removed about a dozen things. Kaspersky removed about a dozen items. I uninstalled some questionable programs. I brought the system back online and again got a fake BSOD. Disconnect and restart. Ran Kaspersky full scan, Malwarebytes and Microsoft again. This time all clean. Bring online and fake BSOD. Disconnect and restart again. Set up Kaspersky to update. Brought online and fake BSOD. I was able to watch Kaspersky get updates. Disconnect and restart again. Ran full scans. Nothing found. Connect and get fake BSOD. Disconnect and restart.
This time I started looking at a number of settings. I found a URL in the "use automatic configuration script". I cut the URL and pasted it to Notepad. Brought the system online. This time everything worked fine.
I took the URL and contacted Kaspersky and Malwarebytes, since neither of them picked up on this method. Kaspersky brushed me off. The folks at Malwarebytes were interested. I did not try inserting this into my Norton protected system, though I did contact Norton support. I did a few searches and didn't find anyone reporting this method. So, I decided to start here and let others know. The URL I found is:
If anyone has any questions, I'm happy to answer what I can.
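
Added example, not part of the original post: a PowerShell audit that checks the same setting without opening the dialog. The "use automatic configuration script" field is stored in the registry value AutoConfigURL under the Internet Settings key; the script reports that value for the machine hive and every loaded user hive. The variable names and output layout are this example's own.

```powershell
# Audit the proxy auto-config (PAC) URL behind "Use automatic configuration script".
# Read-only: it reports what is set and changes nothing.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Machine hive plus every loaded user hive (the *_Classes hives hold no Internet Settings).
$roots = @('HKEY_LOCAL_MACHINE') + @(
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }
)

$findings = foreach ($root in $roots) {
    $item = Get-ItemProperty -Path "Registry::$root\$subKey" -Name AutoConfigURL `
                             -ErrorAction SilentlyContinue
    if ($item.AutoConfigURL) {
        # Translate a user SID to an account name where possible, for readability.
        $owner = $root
        if ($root -match '^HKEY_USERS\\(S-1-[\d-]+)$') {
            try {
                $sid   = [System.Security.Principal.SecurityIdentifier]$Matches[1]
                $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $owner = $Matches[1] }   # orphaned or unresolvable SID
        }
        [pscustomobject]@{
            Owner         = $owner
            Key           = "$root\$subKey"
            AutoConfigURL = $item.AutoConfigURL
        }
    }
}

if ($findings) {
    # Any URL the administrator did not deploy deserves investigation.
    $findings | Format-List
} else {
    'No AutoConfigURL value is set in the machine hive or any loaded user hive.'
}
```

Run it from an elevated prompt so that the hives of other logged-on users are readable; profiles that are not currently loaded are not covered.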