Help

Hi guys,

I am using Avast free software. I noticed that every 20-30 minutes Avast tells me that it has blocked this link from being accessed:
hxxp://wpad.domain.org/wpad.dat

and this is the message I get every time:

http://img835.imageshack.us/img835/3356/avastpop.png

Is this a real threat? And what should I do?

Thanks,

Please ‘modify’ your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

This is the log file,

Thanks,

OK, there are other tools and logs to post (OTLs extras.txt, etc.).

There is likely to be a bit of time zone ping pong (12:10am here in the UK) before a malware removal specialist can analyse the logs, hopefully another in a closer time zone can run with this.

So best to have the logs done and attached so when one becomes available the logs are available.

Is there anybody able to help me in this situation?

Thanks,

Hi Hussein,

Certainly.

Please bear with us as we only have four malware experts here and each comes here when not working their regular jobs.

As an example, essexboy is in England, and from where I sit, there is a 6-hour time zone difference: Here: 1:00 AM / There: 7:00 AM. So it will be a while before he comes here to assist. There are others, too. So, it will be only a matter of hours before one will come here and assist you.

Please follow DavidR’s advice and post the three logs in your next reply if you have not already done so. Without these logs, a malware expert will have to wait for you to get this done, and then craft a specially made fix only for your system.

EDIT: Log for Malwarebytes, OTL, OTL Extras, aswMBR. You have already posted OTL, but none of the others.

Thanks guys for clarifying the situation,

I attached the following files:
OTL.Txt
aswMBR.txt
mbam-log-2012-07-20 (01-45-44).txt (Log for Malwarebytes)

Thanks,

Help is on the way.

A malware expert has been notified.

Let me know if this cures it

Reset/Renew TCP/IP connection

- Open an elevated command prompt. To do that:
  - Click the Start Orb
  - In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
  - Right click on cmd.exe and click Run as Administrator. A black command window will open up.
- At the blinking cursor type the following commands, pressing the Enter key after each command typed:
  - ipconfig /release
  Back at the blinking cursor type the following command, and press the Enter key.
  - ipconfig /renew
- Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
- Reboot the computer

Thanks for the help. I tried the steps you mentioned. However, nothing has changed. The problem still exists.

OK, let's go hunting

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:

:regfind
wpad.dat
:filefind
wpad.dat

- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I noticed that this case happens only when I use the LAN connection. There is no problem when I use the Wireless connection.

Also, I am running a 64-bit operating system, so I downloaded the 64-bit version of SystemLook, and the log file is attached.

Thanks,

Oops, forgot he had a 64-bit version :-[

How many computers are there on the LAN? And do you route through one as a DNS server?

I have 5 computers on the LAN and one of them is the DNS server. My computer is part of a university network, and it is the only one that has a Windows operating system in this LAN.

Thanks,

In that case it is the LAN DNS server that has been poisoned

And your system is not affected. If it was your computer then you would get the same when you used wireless

Thanks a lot :)

As I understand, there is a virus in the network, but Avast prevents it from accessing my computer, right? :o

Yep, your system is clean and Avast is stopping you from going to the redirect that the LAN is trying to send you to