http://wpad.browserupdatecheck.in/wpad.dat virus

Hi

I am getting many malware notifications for the last two days, which look like the below…

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Can someone help, please…

We need the log files as instructed in the sticky at the top of this forum.

Monitoring.

Here is the log file by Zoek…

Here are the log files from Farbar Recovery Scan Tool…

Here is the log file from aswMBR…

Please help…

Those users infected by this malcode, Web Attack: WPAD Spoofing, could get protection (after the malware/adware (BrowserHijacker) has been cleansed by a qualified remover) through this patch: http://www.microsoft.com/windows/ie/download/critical/patch6.htm

polonus

Thanks Polonus for the information. I will wait for the removal instructions of this malware and then will download and install this patch.

Please bump this thread later (in two or three hours) as I can’t look at the logs right now. :wink:

Hi Sir,

I am also getting this adcash.com virus when I click any links in Firefox or IE. I think both these viruses are related to each other.

Can you please help…

Note to myself: check the auto config URLs again.
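An added read-only audit (not from this thread and not one of magna86’s tools) that lists the auto-config URLs and related proxy settings a WPAD/PAC hijack like the one above abuses, so a reader can see where such a wpad.dat gets hooked in. It assumes an elevated PowerShell; the trusted-host list is a constructed placeholder.

```powershell
# Added example: report Windows proxy auto-configuration state. Read-only.
# Assumption: your legitimate WPAD/PAC server, if any, lives on these domains.
$TrustedPacHosts = @('corp.example.local')   # constructed placeholder

$keys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($k in $keys) {
  $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if (-not $p) { continue }
  "$k"
  "  ProxyEnable   = $($p.ProxyEnable)"
  "  ProxyServer   = $($p.ProxyServer)"
  "  AutoConfigURL = $($p.AutoConfigURL)"
  if ($p.AutoConfigURL) {
    $h = ([uri]$p.AutoConfigURL).Host
    $bare = $h -replace '^wpad\.', ''
    if ($TrustedPacHosts -notcontains $h -and $TrustedPacHosts -notcontains $bare) {
      Write-Warning "Untrusted PAC host in AutoConfigURL: $h"
    }
  }
}

# WinHTTP proxy settings are what services hosted in svchost.exe (the process
# named in the alert) use; a static proxy here is unusual on a home PC.
"WinHTTP:"
netsh winhttp show proxy

# Active WPAD discovery: if 'wpad' resolves to an address outside your own
# network, the auto-discovery itself is being answered by someone else.
$wpad = Resolve-DnsName -Name wpad -ErrorAction SilentlyContinue
if ($wpad) { "wpad resolves to: $($wpad.IPAddress -join ', ')" }
else { "wpad does not resolve (expected on most home networks)" }

# A PAC file dropped outside a browser profile is suspicious; the fix in this
# thread removed C:\WINDOWS\system32\Drivers\winpacket.pac.
Get-ChildItem -Path "$env:SystemRoot\System32\Drivers" -Filter *.pac -ErrorAction SilentlyContinue |
  ForEach-Object { Write-Warning "PAC file in driver directory: $($_.FullName)" }
```

The script changes nothing; removal of a hijacked configuration is what the FRST fixlist (RemoveProxy:) in this thread does.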

Hi rajuvprasad,

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
CreateRestorePoint:
Folder: C:\ProgramData\FlashBeat
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
CMD: bitsadmin /reset /allusers

CloseProcesses:
HKLM-x32\...\Run: [mbot_in_241] => [X]
HKLM-x32\...\Run: [gmsd_us_627] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
S2 insvc_1.10.0.14; "C:\Program Files (x86)\Infonaut_1.10.0.14\Service\insvc.exe" [X]

Hosts:
C:\ProgramData\FlashBeat\FlashBeat.exe
C:\WINDOWS\system32\Drivers\winpacket.pac
C:\Program Files (x86)\Infonaut_1.10.0.14

RemoveProxy:
Task: {E11CDD73-3DFB-461C-8E0B-122658557868} - \ESXTWQNGL No Task File <==== ATTENTION
Task: {EF66B45D-8CA2-4FEA-AC81-11E8E7402B25} - \JJYMKAFR1 No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\JJYMKAFR1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION

EmptyTemp:
End


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Hi Sir,

Please find the Fixlog.txt attached…

Hi Sir,

It’s 1 AM now for me, please let me know my next steps, I will execute them tomorrow morning.
As of now the virus still exists.

Thanks a lot for your kind help…

I wonder if the Adcash.com detection is not somehow related to an insecure plug-in install (Babylon toolbar or Conduit Search crap/adware), all very persistent and to be cleansed under guidance of a qualified malware remover, so follow magna86’s instructions to the dot. I hope he will soon cleanse your computer of these undesirable “guests” ;D

polonus

Hello,

No need to wait for me all day here. When I get free time, I visit the forum and review my cases.

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive…

- Close any open browsers and temporarily disable your AntiVirus program (if it is necessary).
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool. Please wait until the tool starts…
- Click on More Options and check the box only for AutoClean;
- Click on the Run Script button.
Please wait until a logreport opens (this can be after reboot).

- Save the notepad to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Then, reset Google Chrome back to defaults settings, here is how to;
https://support.google.com/chrome/answer/3296214?hl=en

And finally, please run the FRST tool again, press the Scan button and post me the freshly created FRST.txt logreport for re-analysis.

Here is the new log file by Zoek…

Hi Sir,

I am not using Google Chrome and it is NOT installed on my machine.
I am using Mozilla Firefox. I have uninstalled it completely using REVO Uninstaller and re-installed it yesterday only.
Let me know if you want me to do that again today.

Also please find here new set of log files from Farbar Recovery Scan Tool…

Chrome has previously been installed on this PC, say my logs, so I just wrote that without checking whether Chrome is currently installed on the PC.

These logs look fine to me now. Any other issues?

Thanks a lot Sir, looks like the notifications have stopped for now and the adcash.com window popup looks resolved as well.
If I notice them again today I will update here in this thread.
Thank you very much once again for your help.

Hi Sir,

The wpad.dat notifications have started coming again…

I haven’t noticed any adcash.com popup windows though.