Dealing with URL:Mal issue

Hey, I’ve been dealing with popups like this:

Infection Blocked

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I’m not really sure how to deal with this, but I believe it starts with me creating some sort of log.
Can someone well-versed in this help me out? Thank you.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

I don’t really want to start another discussion here, but something I’ve never seen before happened when I try to download Farbar. I get a suspicious file warning from an unrelated file whenever I click to download it from the source provided, and Firefox just won’t download it.

Is there another trusted source I can get it from?

It’s an FP, you can safely allow the download.

Monitoring…

Here are the logs.

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Federation on Sat 07/18/2015 at 2:24:00.90.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Federation\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

7/18/2015 2:25:10 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\Federation\AppData\Roaming\Publish Providers deleted successfully
C:\Users\Federation\AppData\Roaming\SynthMaker deleted successfully
C:\Users\Federation\AppData\Local\EmieSiteList deleted successfully
C:\Users\Federation\AppData\Local\raco deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\splashtopremoteservice deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\splashtopremoteservice deleted successfully

==== FireFox Fix ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default

---- Lines Triple Pose removed from prefs.js ----
user_pref("extensions.Triple Pose.aul", "1432094134215");
user_pref("extensions.Triple Pose.irl", true);
user_pref("extensions.Triple Pose.is", "rerbspus");
user_pref("extensions.Triple Pose.ug", "48B3F05C-D86C-4B2C-8705-E7CE1A5FC0B9");
---- FireFox user.js and prefs.js backups ----

user_20150718_0244_.backup
prefs_20150718_0244_.backup

==== Batch Command(s) Run By Tool======================

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

==== Deleting Files \ Folders ======================

C:\PROGRA~2\VST deleted
C:\PROGRA~2\Wincy deleted
C:\Users\Federation\AppData\Local\AVG Web TuneUp deleted
C:\Program Files\AVG Web TuneUp deleted
C:\PROGRA~2\Splashtop deleted
C:\PROGRA~2\COMMON~1\AVG Secure Search deleted
C:\PROGRA~3\AVG Web TuneUp deleted
C:\PROGRA~3\AVG Security Toolbar deleted
C:\PROGRA~3\Splashtop deleted
C:\PROGRA~3\AVG Secure Search deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Federation\AppData\Local\BTServer.log deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\Federation\AppData\LocalLow\AVG Web TuneUp deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\AVG Web TuneUp deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\Windows\SysWOW64\LavasoftTcpService.dll deleted
C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini deleted
C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default\jetpack deleted
"C:\ProgramData\193847656" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default
user_pref("browser.startup.homepage", "http://pergamum-purgatorium.boards.net/");
user_pref("browser.search.defaulturl", "https://www.google.com/search/?trackid=sp-006");
user_pref("browser.search.defaultengine", "Google (avast)");
user_pref("browser.search.defaultenginename", "Bing");
user_pref("browser.search.defaultenginename.US", "Google Default");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/30/2015 12:16 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default

  • WOT - C:\Users\Federation\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
  • WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
  • NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
  • Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
  • Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
  • Firefox Security Update - %AppDir%\browser\extensions\jid1-sXWNoXABeFqKYg@jetpack.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Federation\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default
FD82108FD60B63010325D9AF6F00AF99 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll - Shockwave Flash

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found
eeafbffkmccheohnooflcnppngmobeoe - No path found
ellbonkjdmgdghkojcjmomekmjpdffde - No path found
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[03/30/2015 08:40 PM]
fllgpcmelbfhcligbphaaplminjpbiad - No path found
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[03/30/2015 08:40 PM]
hpjocjloojeicikiokfiekcdpojgfefc - No path found
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found
oaobejgaaiojgggjojlcpbembaoajbmc - No path found

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found
eeafbffkmccheohnooflcnppngmobeoe - No path found
ellbonkjdmgdghkojcjmomekmjpdffde - No path found
fllgpcmelbfhcligbphaaplminjpbiad - No path found
hpjocjloojeicikiokfiekcdpojgfefc - No path found
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found
oaobejgaaiojgggjojlcpbembaoajbmc - No path found

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Users\Federation\Downloads\Sylvania Synet7Wid OS'\Windows CE\A. WINDOWS CE V 1.0\script\System Disk\Windows\Profiles\guest\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Federation\Downloads\Sylvania Synet7Wid OS'\Windows CE\A. WINDOWS CE V 2.0\script\System Disk\Windows\Profiles\guest\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\1503LPTH will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\32AH7Q5U will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\3G5RO0JI will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\51I7GKYP will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\6H5ZR832 will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\82MBQMZB will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BAQN4KYU will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BPBCF7DT will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\DR0UDDQS will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S17NH37N will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S39XWJR6 will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\X4MZGEI2 will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Federation\AppData\Local\Mozilla\Firefox\Profiles\lcbw4huv.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=1100 folders=113 1041741171 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Federation\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\FEDERA~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\1503LPTH" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\32AH7Q5U" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\3G5RO0JI" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\51I7GKYP" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\6H5ZR832" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\82MBQMZB" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BAQN4KYU" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BPBCF7DT" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\DR0UDDQS" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S17NH37N" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S39XWJR6" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\X4MZGEI2" not found

==== EOF on Sat 07/18/2015 at 2:55:37.31 ======================

Anyway, I’ve still got the popups.

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Here are the logs.

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

[B]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/B]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Righteo.

I haven’t seen the popup yet, so I’m just waiting to see, I guess.

Gah…

The popup persists.

http://download.bleepingcomputer.com/win-services/8/Tcpip.reg

Download and execute the above .reg file. Restart your PC. Let me know if this fixed your issue.

I thought I was home free, but the popup just appeared a few seconds ago.

Thank you for your help so far, and thank you for your patience.

Edit: I’d just like to point out that I haven’t seen a popup since the last one. It’s either become rare, or something else.

Edit Again: I’m seeing it pop up a little more. Not nearly as frequently as before, though.

Did you apply the last fix I gave you?

Yeah, sorry, I guess I forgot to mention. I did that and then restarted afterwards.

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Copy wpad into the Search: field in FRST then click the Search Registry button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.
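The FRST step above searches the registry for the string wpad. As an added example (it is not part of the thread and not code from FRST, Zoek or Avast), the PowerShell below does a read-only version of the same search from an elevated prompt, and also prints the standard Windows settings that decide whether the system will fetch a proxy auto-config script at all (the Internet Settings proxy values, and the DNS suffix and search list from which the name wpad.<suffix> is built) plus the WinHTTP proxy that services hosted in svchost.exe use. The registry paths and value names are standard Windows locations; the hosts-file path, the $pattern value and the output layout are this script's own assumptions. Nothing is changed on the machine.

```powershell
# Added example: read-only audit of WPAD / proxy auto-config settings on a Windows host.
# Not from the thread or from FRST/Zoek. Run from an elevated PowerShell prompt.

$pattern = 'wpad'   # assumption: same search term the thread uses in FRST

# 1. Explicit PAC URL / proxy settings (per user and per machine).
$inetPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($p in $inetPaths) {
    if (-not (Test-Path $p)) { continue }
    $v = Get-ItemProperty -Path $p
    [PSCustomObject]@{
        Key           = $p
        AutoConfigURL = $v.AutoConfigURL   # PAC script URL; normally empty
        AutoDetect    = $v.AutoDetect      # 1 = WPAD auto-detection enabled
        ProxyEnable   = $v.ProxyEnable
        ProxyServer   = $v.ProxyServer
    } | Format-List
}

# 2. TCP/IP parameters: the DNS suffix and search list are what WPAD
#    prepends "wpad." to, so an unexpected value here is worth a look.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$t = Get-ItemProperty -Path $tcpip
[PSCustomObject]@{
    Domain         = $t.Domain
    SearchList     = $t.SearchList
    NameServer     = $t.NameServer        # static DNS server, if any
    DhcpNameServer = $t.DhcpNameServer
} | Format-List

# Per-interface values sit one level down and can override the global ones.
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    if ($i.Domain -or $i.SearchList -or $i.NameServer) {
        [PSCustomObject]@{
            Interface  = $_.PSChildName
            Domain     = $i.Domain
            SearchList = $i.SearchList
            NameServer = $i.NameServer
        } | Format-List
    }
}

# 3. String search for $pattern in value names and data under the keys above
#    (the registry-search part of the FRST step, limited to these hives).
foreach ($root in ($inetPaths + $tcpip)) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $pattern -or $data -match $pattern) {
                '{0} : {1} = {2}' -f $key.Name, $name, $data
            }
        }
    }
}

# 4. hosts file entries mentioning the pattern (assumed default location).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsFile) {
    Select-String -Path $hostsFile -Pattern $pattern
}

# 5. WinHTTP proxy: this is the proxy that services (svchost.exe-hosted code,
#    Windows Update and similar) use, separately from the per-user settings.
netsh winhttp show proxy
```

Everything the script prints is for comparison against what you expect on that machine: an empty AutoConfigURL, a DNS suffix that matches your network, and "Direct access (no proxy server)" from netsh are the normal state on a home PC. The search in step 3 only walks the proxy and TCP/IP keys, so it is quicker than a whole-registry search but also narrower than what FRST's Search Registry button covers.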

Here you are.