Help!

Hi, recently I’ve been getting those notifications everyone seems to be getting. It’s really frustrating and I don’t feel safe using my laptop anymore. I’m in need of help removing this malware. I’ve read other people’s posts but I don’t quite understand how to remove it.

I’ve been getting this notification:
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

It seems to affect most, if not all, of my exe files that send stuff online, like Skype.

Here are the log files.

Help? Anybody? :frowning:

I believe this to be a false positive; also, your main FRST log is empty.

My bad, I posted the wrong FRST file. This is from my admin account. Here’s the correct one. I fear it has corrupted more than that.
I think I’ve made it worse by activating the built-in admin account. Now the alerts keep popping up more. I wanted to enable it so I can access some files and folders that were locked, but now it has made things worse.

I see you have run ComboFix. Could you attach that log please?

Sorry, I just got up. I think I have to run it again. I don’t know where the log file is. Give me a few minutes. Thanks for replying to my message.

Hmmm… after running ComboFix I stopped getting those http://wpad.browserupdatecheck.in/wpad.dat notifications. I’m going to see if I still have them when I log into the admin account. Anyways, here’s the ComboFix log file.

I’ve tried switching to my admin account and it looks like it still has this problem. I think I’m gonna risk it and run ComboFix on this account too.

Could you keep me updated, as we have not yet found where this is coming from. If you could attach the log from the admin run as well, please.

I ran ComboFix from my admin account and after a reboot the same notification shows up :-[

Here’s the log file for ComboFix.

Did these alerts start after you updated a programme like Deluge?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
U3 a4nzm094; C:\Windows\System32\Drivers\a4nzm094.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)
2015-06-27 11:26 - 2015-06-27 11:26 - 00003104 _____ C:\Windows\System32\Tasks\{50818EB9-AC37-4F9D-972C-1DCD7AD9B556}
Task: {186B389B-2F11-475D-851F-61E45BE15396} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
Task: {37E9DA0F-6FDD-41AE-983B-AD03CAA21140} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B No Task File <==== ATTENTION
Task: {6DEEE1C2-9D4C-408E-8AFE-435E43C3C291} - System32\Tasks\{2D3DB124-0AEF-4AFA-9EBB-5336BD199D62} => pcalua.exe -a C:\05_Games\psp\ppsspp\lgs510_x64.exe -d C:\05_Games\psp\ppsspp
Task: {7A719FC9-DDA5-4428-AA65-69E7867B2899} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig No Task File <==== ATTENTION
Task: {C4A288A9-2E99-4F92-8682-F27BA6A39EE1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle No Task File <==== ATTENTION
Task: {DA5AEDAA-4282-48BA-83FB-7CD29FACB3F3} - System32\Tasks\{50818EB9-AC37-4F9D-972C-1DCD7AD9B556} => pcalua.exe -a "C:\Program Files (x86)\Winamp\uninst-vis_geis.dll.exe"
Task: {E9C833A3-EC60-4491-9775-E32EF8D5CE10} - \Microsoft\Windows\Setup\GWXTriggers\Logon No Task File <==== ATTENTION
HKU\S-1-5-21-1549826269-4061090989-2237375474-1000\Software\Classes\.exe: => <===== ATTENTION!
FirewallRules: [{A64FF77A-C2CE-473F-B943-3896B0743848}] => (Allow) C:\Users\owner\AppData\Local\Chromatic\Application\chromatic.exe
FirewallRules: [{08DB13DC-A6BD-4D24-A270-E93CF7BE575E}] => (Allow) C:\Users\owner\AppData\Local\Chromatic\Application\chromatic.exe
FirewallRules: [{8740B342-1B6A-44FD-8C32-5D35FF116742}] => (Allow) C:\Users\owner\AppData\Local\Chromatic\Utils\Updater.exe
FirewallRules: [{6002331B-ECCC-4134-9260-46AAD3067CD0}] => (Allow) C:\Users\owner\AppData\Local\Chromatic\Utils\Updater.exe
FirewallRules: [{CD7D7A23-5786-4EAD-9AE5-95A92FE533D5}] => (Allow) C:\Users\owner\AppData\Local\wd\wd.exe
FirewallRules: [{AF923EC3-9204-46B9-BC1F-CF11F3094C9C}] => (Allow) C:\Users\owner\AppData\Local\wd\wd.exe
FirewallRules: [{7A3E51BE-A7CA-4704-8870-7B32528CCCB6}] => (Allow) C:\Users\owner\AppData\Local\Temp\nsd77DF.tmp\CnetInstaller-34442.exe
FirewallRules: [{3561D911-6B85-4D35-A917-EEA57243EF1E}] => (Allow) C:\Users\owner\AppData\Local\Temp\nsd77DF.tmp\CnetInstaller-34442.exe
FirewallRules: [TCP Query User{649BB327-EABC-462C-B311-253BD3992E36}C:\07_downloads\winamp566_full_en-us\winamp.exe] => (Block) C:\07_downloads\winamp566_full_en-us\winamp.exe
FirewallRules: [UDP Query User{DBAB9E63-FAA5-4F58-BF94-D2644776A6CC}C:\07_downloads\winamp566_full_en-us\winamp.exe] => (Block) C:\07_downloads\winamp566_full_en-us\winamp.exe
C:\Users\owner\AppData\Local\Chromatic
C:\Users\owner\AppData\Local\Temp\nsd77DF.tmp
C:\Users\owner\AppData\Local\wd
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

I guess I run this on the account I’m currently running. And no, I have not updated Deluge. I have never used it or updated it before this all happened, unless it automatically updated itself without telling me. Should I remove it, since I haven’t used Deluge in weeks? Anyways, when I run FRST I get…

http://wpad.browserupdatecheck.in/wpad.dat
URL:Mal
C:\07_Downloads\drivers_and_software\virus_scanner\FRST64.exe

OK, so I ran the fix and restarted my computer but still get the notifications.
Is it because I’m running the 64-bit version of FRST?

No, it is just that these are hard ones to track down.

For 32-bit systems, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

For 64-bit systems, download SystemLook from here.

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.

OK, here’s what I got with system

Ta, I will now need to work a reg fix from that.

Download the TCPIP.reg from here https://dl.dropboxusercontent.com/u/73555776/tcpip.reg to your desktop. Right-click on the link and select Save as…
Right-click the file and select Merge.
Allow the warnings, then reboot.

On reboot, let me know if the alerts still occur.

Contents of reg fix:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"SearchList"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"SearchList"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"=""
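Added example, not posted by either participant: a small Python check of the mechanism this reg fix addresses. Windows resolves the unqualified WPAD host "wpad" by appending each suffix in the Tcpip\Parameters SearchList, so a planted suffix turns that lookup into wpad.browserupdatecheck.in. The .reg contents below are constructed samples, and the "before" SearchList value is an assumption about what the infected machine held, not taken from the thread's logs.

```python
import re

# Constructed "before" sample (assumed, not from the thread): the DNS suffix
# search list carries an attacker-controlled domain next to a legitimate one.
SAMPLE_REG_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"="browserupdatecheck.in,example.lan"
'''

# Constructed "after" sample matching the posted fix: SearchList cleared.
SAMPLE_REG_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"=""
'''

# Matches the SearchList value line of a .reg export (REG_SZ, quoted).
SEARCHLIST_RE = re.compile(r'^"SearchList"="([^"]*)"\s*$', re.MULTILINE)


def parse_search_list(reg_text: str) -> list[str]:
    """Return the DNS suffixes listed in a .reg export of Tcpip\\Parameters."""
    suffixes = []
    for match in SEARCHLIST_RE.finditer(reg_text):
        suffixes += [s.strip().lower() for s in match.group(1).split(",") if s.strip()]
    return suffixes


def wpad_lookups(suffixes: list[str]) -> list[str]:
    """Names that WPAD's DNS method will try for the bare host 'wpad'."""
    return [f"wpad.{s}" for s in suffixes]


def suspicious_suffixes(suffixes: list[str], trusted: set[str]) -> list[str]:
    """Suffixes not on the known-good allow list for this machine or network."""
    return [s for s in suffixes if s not in trusted]


def check(reg_text: str, trusted: set[str]) -> dict:
    """Summarise what the current SearchList lets WPAD resolve to and whether it is clean."""
    suffixes = parse_search_list(reg_text)
    bad = suspicious_suffixes(suffixes, trusted)
    return {"wpad_lookups": wpad_lookups(suffixes), "suspicious": bad, "clean": not bad}
```

Export the real key with reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and feed the file to check() with your own domain as the trusted set.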

Awesome, it works. I have not received any more threats. Now to switch over to my other account and see if it’s being threatened. Thanks a lot, you’re a life saver. :slight_smile:

Well that took some tracking down :slight_smile:

Let me know how the computer is on all accounts.

OK, everything is OK on this one too. I was afraid my computer and all my data were compromised and I would have to format my computer if there was no fix. If I had left things as they were and not had it removed, how much of a danger would that have put my system in? Well, I’m glad I don’t have to worry about that now. Anyways, thanks again for all the help. I can’t thank you enough. :slight_smile:

As Avast was blocking it, there was no danger; what it would have done is compromise your DNS server.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix.
Select the options as shown:

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: