http://wpad.browserupdatecheck.in/wpad.dat

Hey forum. Seems like I am also experiencing this issue as a lot of others have. However I haven’t installed any new programs (that I know of) nor is there anything in my programs list that shouldn’t be there.

Infection Details:

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

It pops up randomly, and quite often over the course of me using the computer. I’ve attached all necessary logs. Thank you!

Could you let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-685782895-1145721402-2985593783-1001\...\Run: [GalaxyClient] => [X]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
2015-06-14 15:27 - 2015-06-25 16:40 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-06-04 16:46 - 2015-06-04 16:46 - 00000000 ____D C:\Program Files (x86)\Dealz
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean".
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S0].txt as well.

This did not stop it unfortunately. In fact it seems to have made it worse. While running the fix it popped up quite a bit and coming from various processes. I rebooted to run the adw scan and it popped up before the scan was run but nothing during. Once I rebooted again the pop up returned, coming from processes like chrome.exe, steam, and even avastui. I attached both logs.

OK we still have no idea where this is originating from … yet

For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

For 64bit systems, download SystemLook from here.

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Here you go!

Hi, that is corrupted. Could you ensure that the txt file is saved as ANSI, please?

Try it now.

UPDATE: I restarted my PC and started up chrome (still getting popups by the way, more often now coming from avastui.exe and a few others) and I was asked to add the extension EverSave to chrome. Not knowing what it is, nor really wanting it, as well as not knowing where on earth it came from, I removed it from chrome.

Download the TCPIP.reg from here https://dl.dropboxusercontent.com/u/73555776/tcpip1.reg to your desktop. Use right click on the link and select save as…
Right click the file and select merge
Allow the warnings then reboot

On reboot let me know if the alerts still occur

Contents of reg fix

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"SearchList"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"=""

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c8-a7-0a-87-5a-eb]
"WpadDetectedUrl"=""
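The reg fix above clears two things: the DNS suffix search list (WPAD auto-discovery tries wpad.<suffix> for each entry and fetches wpad.dat from whatever answers) and the per-adapter WpadDetectedUrl cache under each user hive. The following PowerShell audit is an added example, not a script from this thread or from the helper; it reads the same locations, lists anything non-empty, and only clears them when run with -Fix. It assumes an elevated session on the affected machine.

```powershell
# Added example: audit (and optionally clear) the registry values the thread's reg fix targets.
# Run elevated. Without -Fix it only reports; with -Fix it blanks the values, as the .reg file did.
param([switch]$Fix)

$findings = @()

# 1. DNS suffix search list in every control set. WPAD appends each suffix to "wpad",
#    so a planted suffix steers the machine to http://wpad.<suffix>/wpad.dat.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $key = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ($val) {
        $findings += [pscustomobject]@{ Location = "$key\SearchList"; Value = $val }
        if ($Fix) { Set-ItemProperty -Path $key -Name SearchList -Value '' }
    }
}

# 2. Cached WPAD results: one subkey per adapter MAC under every loaded user hive (HKU),
#    which is where the thread's fix found the c8-a7-0a-87-5a-eb entry for S-1-5-19.
Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $wpad = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
    if (-not (Test-Path $wpad)) { return }
    Get-ChildItem $wpad -ErrorAction SilentlyContinue | ForEach-Object {
        $sub = "Registry::$($_.Name)"
        $url = (Get-ItemProperty -Path $sub -Name WpadDetectedUrl -ErrorAction SilentlyContinue).WpadDetectedUrl
        if ($url) {
            $findings += [pscustomobject]@{ Location = "$($_.Name)\WpadDetectedUrl"; Value = $url }
            if ($Fix) { Set-ItemProperty -Path $sub -Name WpadDetectedUrl -Value '' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No DNS search list or cached WPAD URL found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) { Write-Output 'Values cleared; reboot so the WPAD cache is rebuilt.' }
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so run it once per account (or load the hive) if the machine has several users.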

I have not seen the alerts during my use since using that reg file. Did you figure out what it was?

Yes it was hiding in the registry :slight_smile:

Any further problems ?

Nope! That is all. Thank you so much for your help (:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

I was wondering. Would the .reg file from the dropbox link work on any computer affected by wpad.browserupdatecheck.in/wpad.dat, or would it be specific to Joshua86's pc? I was going to try it out, but I get a 404 on the link.

It is specific to each system :slight_smile:

Alright. How would I go about getting this annoying thing off mine?

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0