Avast continually blocks http://wpad.browsersecurity.info/wpad.dat infection

system · July 20, 2017, 9:23pm

I’m running Avast on Windows 10 and it continues to detect a threat identified as “http://wpad.browsersecurity.info/wpad.dat”
It reports “URL:Mal” under URL and says the threat is associated with “C:\Windows\System32\svchost.exe”

The warning always pops up when I first connect to a network and then recurs at ~10 minute intervals. I’ve scanned and scanned and nothing is ever detected. Please help!

SassDrake · July 21, 2017, 12:19am

Let’s try this

Run FRST again
In search box type wpad
Click on Search registry
Wait until search is finished
SearchLog.txt should be produced on your Desktop
[li]Attach SearchLog.txt to your message

system · July 21, 2017, 3:44pm

Here’s the search

mchain · July 21, 2017, 4:13pm

http://urlquery.net/report/a97936bb-decb-43f9-bc3a-c50658e994d2

SassDrake · July 21, 2017, 4:48pm

OK. This operation will automatically reboot your system so save your work before doing this.

Open Notepad (click Start button → type notepad.exe → press Enter)
Copy text from code block below and paste it into Notepad

ExportKey: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
ExportKey: "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"

CMD: bitsadmin /reset /allusers
Hosts:
RemoveProxy:
Reboot:

Go to File → Save As and save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Also, post screenshot of Avast detection if possible.

system · July 22, 2017, 2:44pm

Ok, ran the fixlist. Here’s the log and the screenshot you asked for.

SassDrake · July 22, 2017, 2:50pm

Does Avast still reports blocked threats?

system · July 22, 2017, 2:58pm

Yeah, it’s still popping up. Thanks for all the help so far though

SassDrake · July 22, 2017, 3:10pm

Open Notepad (click Start button → type notepad.exe → press Enter)
Copy text from code block below and paste it into Notepad

CreateRestorePoint:

Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f

Reg: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f

CMD: netsh int ip reset


EmptyTemp:

Reboot:

Go to File → Save As and save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

system · July 26, 2017, 6:23pm

Hey sorry for the pause, applied the latest fix and attached the log. So far so good! I will let you know if the problem returns. Thanks again!

SassDrake · July 26, 2017, 6:24pm

If problem is solved then do this.

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

system · July 26, 2017, 6:33pm

Never mind, the problem is back, except this time the associated process with the first detection is chrome.exe

Shortly after, a second detection occurred associated with the original svchost.exe.

I’ve attached a screenshot of both detections.

SassDrake · July 26, 2017, 7:12pm

Run FRST again
In search box type browsersecurity.info
Click on Search registry
Wait until search is finished
SearchLog.txt should be produced on your Desktop
[li]Attach SearchLog.txt to your message

system · July 26, 2017, 7:24pm

Here’s the search

SassDrake · July 26, 2017, 7:59pm

System will be automatically restarted after this.

Open Notepad (click Start button → type notepad.exe → press Enter)
Copy text from code block below and paste it into Notepad

cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SearchList /d "" /f
Reboot:

Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Does Avast still shows popups?

system · July 31, 2017, 3:17pm

it’s been a few days and no more popups! I’ll go ahead and perform the cleanup actions you recommended earlier. Thanks a ton

Avast continually blocks http://wpad.browsersecurity.info/wpad.dat infection

Announcements