This is my first post so I hope I'm doing this correctly and in the correct forum.
I have been getting a warning from Avast on two machines. Both started about a week ago. Both machines are tied together in my home network with file sharing. Here is a photo of the warning.
Both machines go to the same IP number. I'm running Avast Internet Security version 6.0.1000, definitions 110404-0.
I run a scan daily with everything turned on and Avast is not able to find a thing, though every 30-90 minutes or so I will get these messages saying it blocked the traffic. Looking at a few forums, it is sounding like maybe some unknown bot roaming around.
I contacted Avast tech support over the weekend and got some guys in India. They were not helpful and assured me that Avast stopped the intrusion. Since that is all they could tell me, and they showed me the same thing over and over, I felt totally confident in their understanding of what was actually causing the problem. They told me everything was fine and not to worry because it was being caught. What was being caught they failed to understand. I know the wpad.dat is somehow used in the proxy autodiscovery protocol for Internet Explorer, though I don't use IE anywhere. I only use Firefox, and both machines are currently on 3.6.16. One machine is running MS Outlook 2007 (12.0.6550.5003) SP2 MSO (12.0.6545.5004); the other does not run anything other than Google Mail in Firefox.
I'm guessing this is a bot, but I'm far from an expert. Does anyone have any suggestions?
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:

    :filefind
    wpad.*

- Click the Look button to start the scan.
- When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply. Note: the log can also be found on your Desktop, entitled SystemLook.txt.
Here is the file. I am at work at the moment, and have not seen the message while at work. But when I got home last night and powered back up, it popped up again as being blocked. So basically the ipconfig will be different than what I have at home.
Well, then you can delete the file as well and make a new one once you come home. This comes from your DHCP/DNS server, not really anything local, it seems.
and have not seen the message while at work. But when I got home last night and powered back up, it popped up again as being blocked. So basically the ipconfig will be different than what I have at home.
To me this would indicate an infected router.
Reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled “reset” located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
Another possibility… his work router and firewall may be filtering stuff and not allowing it to get to his PC. That might account for why there are no issues at work.
That threat comes from the proxy autoconfiguration function in browsers. Proxy autoconfiguration is done via the DNS/DHCP server. As noted above, there is no sign of local infection on the machine, which pretty much matches what I have explained.
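As an added example (not code from this thread, from Avast, or from SystemLook), this Python script shows what to check once a wpad.dat has been retrieved for review: which proxies the PAC script's return statements point at, and whether each one sits on the home LAN (RFC 1918) or somewhere that deserves a closer look. The sample PAC content and the addresses in it are constructed; nothing is fetched over the network.

```python
import ipaddress
import re

# Constructed sample wpad.dat (a PAC script) for illustration; not from the thread.
SAMPLE_WPAD = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".home.lan"))
        return "DIRECT";
    if (shExpMatch(url, "https://*bank*"))
        return "PROXY 203.0.113.45:8080";
    return "PROXY 192.168.1.1:3128; DIRECT";
}
"""

# RFC 1918 ranges: a proxy handed out by a home router should live here.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RETURN_RE = re.compile(r'return\s+"([^"]*)"')
PROXY_RE = re.compile(r"^(PROXY|SOCKS|SOCKS4|SOCKS5|HTTP|HTTPS)\s+([^\s:]+)(?::(\d+))?$", re.I)


def parse_pac_proxies(pac_text):
    """Extract (scheme, host, port) for every proxy named in a return statement.
    DIRECT entries are skipped; port is None when the PAC omits it."""
    proxies = []
    for ret in RETURN_RE.findall(pac_text):
        for entry in ret.split(";"):
            entry = entry.strip()
            if not entry or entry.upper() == "DIRECT":
                continue
            m = PROXY_RE.match(entry)
            if m:
                port = int(m.group(3)) if m.group(3) else None
                proxies.append((m.group(1).upper(), m.group(2), port))
    return proxies


def classify_host(host):
    """'lan' for an RFC 1918 address, 'review' for a public IP or a hostname.
    A hostname is flagged because where it resolves depends on the same
    DHCP/DNS answers that a bad router or server would control."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"
    return "lan" if any(addr in net for net in LAN_NETS) else "review"


def audit_wpad(pac_text):
    """Pair every proxy found in the PAC with its classification."""
    return [(s, h, p, classify_host(h)) for s, h, p in parse_pac_proxies(pac_text)]


if __name__ == "__main__":
    for scheme, host, port, verdict in audit_wpad(SAMPLE_WPAD):
        print(f"{verdict:6} {scheme} {host}:{port}")
```

Run it against the wpad.dat that Avast quarantined (or that SystemLook located) rather than the sample; a proxy entry outside the LAN for selected sites is the pattern worth investigating.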