avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection

After this, let me know if it stops.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

Here’s the fix log. The “wpad.dat Threat Has Been Detected” popups are still going.

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-25 21:36:09) Run:2
Running from C:\Users\J\Downloads
Loaded Profiles: J (Available Profiles: J)
Boot Mode: Normal

fixlist content:


CreateRestorePoint:
Reg: reg delete “HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg delete “HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg delete “HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg add “HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg add “HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg add “HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.

========= reg delete “HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete “HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete “HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

========= reg add “HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add “HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add “HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad” /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= RemoveProxy: =========

HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-581647834-421146410-1571146747-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-581647834-421146410-1571146747-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 452.1 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 21:37:58 ====
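As an added illustration (not part of the thread, and not FRST's own code) of what the RemoveProxy step above deletes: the DefaultConnectionSettings blob carries WinINet's per-connection proxy flags plus any auto-config (PAC) URL, so decoding it tells a defender whether WPAD auto-detection or an explicit wpad.dat URL was active for that user. The byte layout and flag values are assumptions taken from the commonly documented format, and the sample blob is constructed, not taken from the affected machine.

```python
"""Decode the DefaultConnectionSettings REG_BINARY value that RemoveProxy deletes.
Layout assumed here (not stated in the thread): three little-endian DWORDs (version,
counter, INTERNET_PER_CONN_FLAGS), then three DWORD-length-prefixed ASCII strings."""
import struct

# Flag bits in the third DWORD (mirror WinINet's INTERNET_PER_CONN_FLAGS)
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02           # manual proxy server
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # explicit PAC / wpad.dat URL
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detection (DHCP/DNS)

def _read_string(blob, offset):
    """Read a DWORD length, then that many ASCII bytes; return (text, new offset)."""
    (length,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset:offset + length].decode("ascii", "replace"), offset + length

def decode_connection_settings(blob):
    """Return the proxy configuration encoded in the blob as a dict."""
    if len(blob) < 12:
        raise ValueError("blob too short for version/counter/flags header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _read_string(blob, 12)
    bypass, off = _read_string(blob, off)
    pac_url, _ = _read_string(blob, off)
    return {
        "version": version, "counter": counter,
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "auto_config_url_enabled": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "proxy_server": proxy, "bypass_list": bypass, "auto_config_url": pac_url,
    }

def build_connection_settings(flags, proxy=b"", bypass=b"", pac_url=b""):
    """Build a blob in the same layout; used here only to construct sample input."""
    out = struct.pack("<III", 0x46, 1, flags)
    for s in (proxy, bypass, pac_url):
        out += struct.pack("<I", len(s)) + s
    return out + b"\x00" * 32  # trailing reserved bytes

def is_suspicious(settings, bad_host="wpad.browsersecurity.info"):
    """True when a PAC URL is active and names the host Avast reported here."""
    return settings["auto_config_url_enabled"] and bad_host in settings["auto_config_url"]

# Constructed sample (not from the affected machine): auto-detect plus a PAC URL.
SAMPLE = build_connection_settings(
    PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_PROXY_URL | PROXY_TYPE_AUTO_DETECT,
    pac_url=b"http://wpad.browsersecurity.info/wpad.dat")
```

On a live machine the same function can be fed the bytes read from each HKU hive's Internet Settings\Connections key; a result with auto-detect on and no PAC URL means the wpad.dat location is coming from DHCP or DNS discovery, not from the registry.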

Have the alerts now ceased?

Nope, still going. Not quite as often as before, but plenty often.

Hi again jpek, please run and attach a fresh scan of FRST, and can you provide a picture of what Avast says? It will give essexboy some information on where to locate the infection. Is the popup still related to the wpad infection, or does it say something else?

Which scan do you want me to do? The FRST?

Here is a picture of one recent popup (attached). It’s all about the wpad.dat, but sometimes it gives an IP address after the http and sometimes it doesn’t mention Outlook. Mostly, they’ve looked like this lately though.

Hmm, when I reset the registry that should have gone, but it is now appearing to be from Office, which would tend to point the finger at an e-mail.

Let's check the registry again.

Enter the following data in the FRST search box and press Search Registry:

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

wpad.browsersecurity.info;wpad.dat

Short and sweet:

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-28 01:08:53)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: “wpad.browsersecurity.info;wpad.dat” ===========

====== End of Search ======

Do you use Office to collect e-mails? And does this occur when Office is not running?

I use Outlook for emails. I closed it and this is what the wpad.dat error started generating:

Hmm, could you run the registry search again please, as that is where that is generated from.

What would you like me to enter as the registry search term?

Here’s the latest wpad.dat threat.

wpad.browsersecurity.info;wpad.dat

The delineator is a semicolon.

Well, you asked me to do this just recently, and the results are the same. This time I closed Outlook when I ran it.

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-30 17:33:19)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: “wpad.browsersecurity.info;wpad.dat” ===========

====== End of Search ======

Aye, I did, but if you look back, the first time you ran it nothing showed, but there was a result on the second run.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

So, no further suggestions?

See Reply #34.

Here (attached) is the log from ComboFix. A couple of caveats. When it was running before the restart, it threw up a series of error messages, such as the ones I’m attaching about various files, saying first that it couldn’t back them up and then that it couldn’t back up and then couldn’t restore several files in C:\Windows\System32 (or maybe they were all in C:\Windows\System32\config, I’m not sure). There were a total of maybe 5 or 8 such files, with two error messages for each.

Also, when the system restarted and ComboFix came back up to finish its process, there was an instruction not to run any other programs while ComboFix was generating the log, but it was too late for that, as some programs automatically come up on my system at startup, and I hadn’t known to turn them off. One of the programs that started at that point was the Avast virus protection you had indicated I should disable. I did disable it (disabled all shields) but only until the “next startup”, so it came up automatically after the startup. Please let me know if I need to rerun ComboFix because of this.

Meanwhile, threats are still being detected.

Hmm, this is a bit baffling... Could you run this fix and let me know the result...

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.