avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection

I’ve seen a few different threads addressing the wpad.dat virus – or fake virus? – but never quite with my details and with responses I don’t quite understand, so I thought I’d start from scratch. A week or two ago Avast started finding and blocking what it claims to be an infection from a wpad.dat file. Sometimes the address is in the form of http://wpad.dat where the IP address changes every few minutes. More recently the address is http://wpad.browsersecurity.info/wpad.dat.

The Avast activity around this virus has brought my computer to its knees. Now every few minutes, or every few seconds, Avast pops up its warning window, dings at me and says Threat Has Been Detected. But there’s almost no information about the threat. It gives the URL, says the infection is URL:Mal and, more recently, gives the process address as C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.

I am running Avast with Windows 7. Somebody please help me get rid of this!

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Additionally run FRST a second time
Copy the following into the search box :

browsersecurity.info

Then press search registry

Here they are. More attachments in the next reply

And here are the rest of them.

OK, now you have to wait a bit…

Oops. It seems I posted the aswMBR log prematurely. It wasn’t done with the scan. Here it is again.

You did not appear to do the registry search. Could you do that section again?

Re-install Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall Chrome.
    Note: When asked about user data or settings you must remove this also, so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
IFEO\tbdelta.exetoolbar783881609.exe: [Debugger] tasklist.exe
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [7743472 2015-08-19] (Reimage®)
Toolbar: HKU\S-1-5-21-581647834-421146410-1571146747-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
2016-01-16 03:33 - 2016-01-16 03:34 - 00000000 ____D C:\ProgramData\Reimage Protector
2016-01-16 03:33 - 2016-01-16 03:33 - 00001901 _____ C:\Users\Public\Desktop\PC Scan & Repair by Reimage.lnk
2016-01-16 03:33 - 2016-01-16 03:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
2016-01-16 03:33 - 2016-01-16 03:33 - 00000000 ____D C:\Program Files\Reimage
2016-01-15 23:27 - 2016-01-16 03:35 - 00000150 _____ C:\windows\Reimage.ini
2016-01-15 23:27 - 2016-01-15 23:27 - 00772016 _____ (Reimage®) C:\Users\J\Downloads\ReimageRepair.exe
2016-01-16 03:34 - 2016-01-16 03:34 - 00004258 _____ C:\windows\System32\Tasks\ReimageUpdater
2016-01-16 03:34 - 2016-01-16 03:34 - 00003410 _____ C:\windows\System32\Tasks\Reimage Reminder
2016-01-16 03:33 - 2016-01-16 03:37 - 00000000 ____D C:\rei
2012-09-10 03:49 - 2012-09-10 03:49 - 0001050 ____H () C:\Users\J\AppData\Local\{793FD447-37EB-4083-B222-2E447297AF07}
2016-01-18 03:43 - 2016-01-18 03:43 - 00178938 _____ C:\windows\system32\ScanResults.xml
2016-01-18 03:34 - 2016-01-18 03:34 - 00000464 _____ C:\windows\system32\ScannerSettings
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {4F3CA883-F142-4B19-897F-4C34237FE053} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2015-11-10] (Reimage ltd.) <==== ATTENTION
Task: {BAE3D24C-2952-4E5F-B271-529189EAC31C} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-08-19] (Reimage®) <==== ATTENTION
Task: {91025437-894A-4B9C-96B4-A316B1668DBB} - System32\Tasks\Unblock-us => C:\Users\J\Downloads\unblock-us.exe [2014-02-13] ()
Startup: C:\Users\J\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jonniemouse - Shortcut.lnk [2015-12-22]
ShortcutTarget: jonniemouse - Shortcut.lnk -> C:\Program Files\jonniemouse\jonniemouse.ahk ()
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[Cx].txt as well.

Hi. I don’t use Chrome. I use Firefox. Do I still need to do this?

Hey jpek, yes, please run the fix essexboy has posted for you, and also go back and do the other steps he wanted as well, the registry search.

Even if you have no symptoms on your computer, that does not mean your computer is malware free. :wink:

Here is the registry search (attached). I uninstalled Chrome, but, since I don’t use it, didn’t bother with either the bookmark backup or the reinstallation. Now I’m about to start on the other steps.

I forgot to mention that, when Chrome was uninstalling, Internet Explorer opened up and gave me the following message. Don’t know if it matters to this problem:

The proxy server isn’t responding
• Check your proxy settings 127.0.0.1:8080.
Go to Tools > Internet Options > Connections. If you are on a LAN, click “LAN settings”.
• Make sure your firewall settings aren’t blocking your web access.
• Ask your system administrator for help.
Fix connection problems


(I tried “fixing” but it failed).

Follow the instructions Essexboy gave in the post above and attach the requested logs.

Looks like it was all related to the bad Chrome. Could you run FRST once more please, so that I can check the proxy?

Here is the fixlog. By the way, FRST “fixed” – quarantined – an AutoHotkey script called jonniemouse.ahk. This was NOT malware, but an essential mouse replacement program I use with my computer. I removed it from quarantine, but I hope the other cleanup programs don’t zap it. It also used to run automatically on Startup and now doesn’t anymore, and I’m not sure how to restore it.

Still working my way through your instructions, but so far the THREAT HAS BEEN DETECTED popups are still going strong.

Are they still related to the wpad entries?

Could you run another registry search for me please

Enter the following data in the FRST search box and press search registry

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

wpad.browsersecurity.info;wpad.dat

Yes, still related. Let me get through your previous checklist and then I’ll run another registry search.

Here are the AdwCleaner results you asked for earlier.

AdwCleaner v5.030 - Logfile created 25/01/2016 at 02:39:08

Updated 17/01/2016 by Xplode

Database : 2016-01-25.1 [Server]

Operating system : Windows 7 Professional Service Pack 1 (x64)

Username : J - J-HP

Running from : C:\Users\J\Downloads\adwcleaner_5.030.exe

Option : Cleaning

Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

[-] File Deleted : C:\Users\J\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocifcogajbgikalbpphmoedjlcfjkhgh

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Reimage.exe
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKCU\Software\Reimage
[-] Key Deleted : HKCU\Software\reimagerepair
[-] Key Deleted : HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key Deleted : [x64] HKLM\SOFTWARE\Reimage
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Reimage Repair
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\searchnu.com

***** [ Web browsers ] *****


:: “Tracing” keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2205 bytes] ##########

And here’s the result of the wpad.browsersecurity.info;wpad.dat registry search in FRST.

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-25 02:53:05)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: “wpad.browsersecurity.info;wpad.datwpad.browsersecurity.info;wpad.datwpad.browsersecurity.info;wpad.dat” ===========

===================== Search result for “wpad.browsersecurity.info” ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-1a-70-e1-b3-6b]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

===================== Search result for "wpad.dat" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-1a-70-e1-b3-6b]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"
====== End of Search ======
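The WpadDetectedUrl entries in that search are the core of the problem: Windows has cached a proxy auto-discovery URL in a domain nobody on this machine controls, and it has done so in the .DEFAULT profile, the SYSTEM (S-1-5-18) hive and the user's hive, which is why the detections kept firing from OUTLOOK.EXE and other processes rather than from one browser. The following Python script is an added example (not from the thread and not FRST's own code) that parses this style of FRST "Search Registry" output and flags two things: a WpadDetectedUrl whose host is outside the DNS suffixes you actually belong to, and a ProxyServer on loopback while ProxyEnable is set, like the 127.0.0.1:8080 that Internet Explorer complained about earlier in the thread. The TRUSTED_SUFFIXES list, the ProxyServer block and the benign wpad.corp.example block in the sample are assumptions constructed for the example; the other sample blocks mirror the shape of the search output above.

```python
"""Audit an FRST "Search Registry" log for proxy-hijack indicators.

Added example, not part of the thread or of FRST. FRST prints .reg-style
blocks: a [key] line followed by "name"=value lines. Two rules are applied:
  1. WpadDetectedUrl pointing outside the DNS suffixes this machine belongs to
     (legitimate WPAD resolves to wpad.<your own suffix>, never a stranger's domain);
  2. ProxyServer on loopback while ProxyEnable is 1 (a local interception proxy).
"""
import re
from urllib.parse import urlparse

# Assumption: DNS suffixes this machine legitimately belongs to.
TRUSTED_SUFFIXES = ("corp.example",)

# Constructed sample. Blocks 1-4 mirror the shape of the thread's FRST output
# (block 4 is the same key repeated under the second search term, as FRST does);
# blocks 5-6 are hypothetical, added to exercise the proxy rule and the benign path.
SAMPLE_LOG = r'''
===================== Search result for "wpad.browsersecurity.info" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-1a-70-e1-b3-6b]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

===================== Search result for "wpad.dat" ==========

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-aa-bb-cc-dd-ee]
"WpadDetectedUrl"="http://wpad.corp.example/wpad.dat"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_frst_search(text):
    """Return a list of (key, {name: value}) blocks in log order."""
    blocks, current = [], None
    for raw in text.splitlines():
        # Forum rendering often turns " into curly quotes and drops the closing one.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        m = KEY_RE.match(line)
        if m:
            current = (m.group("key"), {})
            blocks.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group("value")
            if value.startswith('"'):          # string value: strip the quotes
                value = value[1:].rstrip('"')
            current[1][m.group("name")] = value
    return blocks


def hive_owner(key):
    """Translate the HKEY_USERS sub-hive into whom the setting applies to."""
    parts = key.split("\\")
    if len(parts) < 2 or parts[0] != "HKEY_USERS":
        return "other"
    if parts[1] == ".DEFAULT":
        return "default profile"
    if parts[1] == "S-1-5-18":
        return "SYSTEM"
    return "user " + parts[1]


def wpad_host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """A WPAD host is acceptable only under a DNS suffix we control."""
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s.lower()) for s in suffixes)


def _dword(value):
    """FRST prints DWORDs as dword:00000001; plain integers are accepted too."""
    try:
        return int(value.lower().replace("dword:", ""), 16)
    except ValueError:
        return None


def proxy_hosts(proxy_server):
    """Split 'host:port' or 'http=host:port;https=host:port' into host names."""
    hosts = []
    for part in proxy_server.split(";"):
        part = part.split("=", 1)[-1].strip()
        hosts.append(part.rsplit(":", 1)[0].lower())
    return hosts


def audit(blocks, suffixes=TRUSTED_SUFFIXES):
    """Apply both rules; a key printed under several search terms is reported once."""
    findings, seen = [], set()
    for key, values in blocks:
        url = values.get("WpadDetectedUrl")
        if url:
            host = urlparse(url).hostname or ""
            if not wpad_host_is_trusted(host, suffixes) and ("wpad-external", key) not in seen:
                seen.add(("wpad-external", key))
                findings.append({"rule": "wpad-external", "owner": hive_owner(key),
                                 "detail": host, "key": key})
        proxy = values.get("ProxyServer")
        if proxy and _dword(values.get("ProxyEnable", "0")) == 1:
            if any(h in LOOPBACK for h in proxy_hosts(proxy)) and ("proxy-loopback", key) not in seen:
                seen.add(("proxy-loopback", key))
                findings.append({"rule": "proxy-loopback", "owner": hive_owner(key),
                                 "detail": proxy, "key": key})
    return findings


if __name__ == "__main__":
    for f in audit(parse_frst_search(SAMPLE_LOG)):
        print(f"{f['rule']:<15} {f['owner']:<55} {f['detail']}")
```

Run it against a saved FRST search log by replacing SAMPLE_LOG with the file's contents. A hit under SYSTEM or .DEFAULT is worth more attention than one under a user hive, because services and the WinHTTP autoproxy path consult those hives, which matches the symptom of non-browser processes such as OUTLOOK.EXE triggering the URL:Mal detections in this thread.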