Alert received but scan detects nothing

Hi out there!
Every time I open a browser (IE, Firefox or Chrome) I receive an alert:

Avast! Web Shield has blocked a harmful webpage or file.
Object: http://wpad/wpad.dat
Infection: JS:Banker-G [Trj]
Action: Connection aborted
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

The last line refers to the browser opened (IE, Firefox or Chrome).
A full scan of the PC by Avast does not reveal anything.

I am running Windows 7 64-bit SP1.

Try this

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Check for malware with

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan.
Click the Remove Selected button to quarantine anything found.

Post scan log here

Thanks to PONDUS for help.

I have cleaned temporary files, rebooted and have run Malwarebytes (the short version).

Malwarebytes does not find anything. The answer is in Danish, but being from Norway you should be able to understand it:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6073

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

16-03-2011 08:51:45
mbam-log-2011-03-16 (08-51-45).txt

Skanningstype: Hurtig skanning
Objekter skannet: 171316
Tid gået: 5 minut(ter), 15 sekund(er)

Hukommelses Processorer Inficeret: 0
Hukommelses Moduler Inficeret: 0
Registreringsdatabasenøgler Inficeret: 0
Registreringsdatabaseværdier Inficeret: 0
Registreringsdatabasedata Objekter Inficeret: 0
Inficerede Mapper: 0
Inficerede Filer: 0

Hukommelses Processorer Inficeret:
(Ingen skadelige objekter blev fundet)

Hukommelses Moduler Inficeret:
(Ingen skadelige objekter blev fundet)

Registreringsdatabasenøgler Inficeret:
(Ingen skadelige objekter blev fundet)

Registreringsdatabaseværdier Inficeret:
(Ingen skadelige objekter blev fundet)

Registreringsdatabasedata Objekter Inficeret:
(Ingen skadelige objekter blev fundet)

Inficerede Mapper:
(Ingen skadelige objekter blev fundet)

Inficerede Filer:
(Ingen skadelige objekter blev fundet)

> Malwarebytes does not find anything. The answer is in danish, but being from Norway you should be able to understand it:

That should be fine ;)

Malwarebytes found nothing. Did TFC clear it? Is the problem gone?

You cannot “clear” this locally. The only place you can clear this is the web server running on the machine with the wpad hostname. Web Proxy Automatic Discovery is a way to configure a proxy in browsers via DHCP+DNS. wpad.dat is essentially a simple JavaScript to do the job; here is an example:


// vim: syntax=javascript
 
function FindProxyForURL(url, host) 
{ 
    if (shExpMatch( host, "192.168.0.*" )
    ||  shExpMatch( host, "10.0.0.*" )
    ||  shExpMatch( host, "127.*" )
    ||  shExpMatch( host, "localhost" )
    ||  shExpMatch( host, "*.example.com" )
    ||  isPlainHostName( host )
    ||  dnsDomainIs( host, ".example.com" )) {
        return "DIRECT"; 
    }
 
// You shouldn't need this, but in some cases it might be handy:
//    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
//        return "DIRECT"; 
//    }
 
// This uses the proxy port by default,
// and direct if that isn't working.
    return "PROXY proxy.example.com:8080; DIRECT"; 
}
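
Added example (not part of the original thread): a Node.js harness that evaluates a wpad.dat/PAC script offline and reports which proxy each test URL would be sent to, so a flagged file can be reviewed without pointing a browser at it. The helper implementations, `loadPac`, `auditPac` and the proxy allowlist are assumptions written for this illustration.

```javascript
// Evaluate a PAC/wpad.dat script offline and list the proxy decision for
// each test URL. new Function is NOT a sandbox: only evaluate files you are
// prepared to execute, ideally inside a disposable VM.

// Minimal versions of the PAC helpers used by the script in the post above.
const pacHelpers = {
  shExpMatch(str, pattern) {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                      .replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  },
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
};

// Compile the PAC text and return its FindProxyForURL function.
function loadPac(pacText) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacText + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}

// Return [{url, decision, unexpected}], where unexpected lists every
// PROXY/SOCKS target missing from allowedProxies (caller-supplied allowlist).
function auditPac(pacText, urls, allowedProxies) {
  const find = loadPac(pacText);
  return urls.map((url) => {
    const decision = String(find(url, new URL(url).hostname));
    const unexpected = decision.split(';').map((s) => s.trim().split(/\s+/))
      .filter(([kind, target]) => kind !== 'DIRECT' && target && !allowedProxies.includes(target))
      .map(([, target]) => target);
    return { url, decision, unexpected };
  });
}

// Constructed sample: the PAC from the post above, trimmed to its active rules.
const samplePac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "192.168.0.*") || shExpMatch(host, "127.*")
   || isPlainHostName(host) || dnsDomainIs(host, ".example.com")) {
    return "DIRECT";
  }
  return "PROXY proxy.example.com:8080; DIRECT";
}`;

const report = auditPac(samplePac,
  ['http://intranet/', 'http://192.168.0.7/', 'https://www.example.org/'],
  ['proxy.example.com:8080']);
console.log(report);
```

A PAC file that calls helpers not stubbed here (for example isInNet, dnsResolve or myIpAddress) fails with a ReferenceError, which shows which helpers need adding before the review can continue.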

> You cannot "clear" this locally. The only place you can clear this is the web server running at the machine with wpad hostname. Web Proxy Automatic Discovery is a way to configure proxy in browsers via DHCP+DNS. wpad.dat is essentially a simple Javascript to do the job, here is an example:

Yes, I did see your suggestion in the other post...

So my next suggestion would be to run OTS and let Essexboy have a look…but if you can fix it…

Let me clarify some more - unless

ping wpad

points at localhost (127.0.0.1 or ::1) it is not really useful to run any local scans. They won’t produce anything useful.

So what you are saying is that this is not from inside the machine?

Yes. This is the same thing as any malicious script on some website - wpad.dat is served by a web server (usually on a local network). Simplified: when you launch a browser, it looks for http://wpad/wpad.dat if it is configured to automatically detect proxy settings. Implementation differs in various browsers, hence you need both DNS and DHCP to use this feature reliably on networks where users are using different browsers, but this is beyond the scope of this problem.

Hi

I have the same problem, but the threat is detected on our corporate proxy.pac file. No other Avast user gets the message, and our other virus scanners have no problem at all. Without the proxy.pac, I can’t connect to the internet, so this is really annoying.

Post the content of the file here (attach as *.txt or paste between code tags (the # button above the post form)).

Hello all,

I’m sorry, but this is a false positive detection which is currently removed in the internal vps version and will be released in about 5 hours.

Best Regards
J. Sejtko

Hi jsejtko,

Any news for the updated version?

Thanks

Just check for an avast virus definition update and see if one is available.