My system is infected - please help me clean it!

Yes, I replied to all messages and followed all steps.
There is no reply after @dbrisendine's post (« Reply #16 on: 25 December 2016, 20:23:52 ») before you posted today ... or do I need glasses!

Not sure why you can’t see my reply.

Here is my reply to last message from @dbrisendine: https://forum.avast.com/index.php?topic=194487.msg1356118#msg1356118

That is reply « Reply #11 on: 25 December 2016, 11:39:02 »

There are several replies after that, including @dbrisendine with new instructions (« Reply #16 on: 25 December 2016, 20:23:52 »).

Oops! My fault - I was expecting the reply chain on the same page and did not notice the second page link.
Sorry about that - will soon get into the act.
Thanks for pointing out!

Sorry @dbrisendine, I replied late since I misunderstood the pagination of the forum messages!
I have attached Fixlog.txt
Unfortunately my problem is not solved - I am still getting those ugly pop-ups from Avast related to wpad.dat, svchost.exe etc.

Let me know the next step I should take!

I apologize sincerely. I left out some proper syntax and the registry fix was not valid. This Fixlist is properly formatted and should do the trick.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click Run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

Sorry to get back late!

I downloaded and used your latest fixlist.txt and then performed the fix with FRST. I have attached the generated Fixlog.txt.

Unfortunately my problem is still unresolved and I am still getting continuous pop-up alerts from Avast regarding wpad.dat, svchost.exe etc. Perhaps the frequency of alerts has reduced, not sure though.

By the way, I detected a program CheckNDISPort.exe as startup-enabled in Task Manager - not sure if it is harmful - still, I disabled its startup. I mention it in case it provides any clue to you. FYI, apart from WiFi, I also use a dongle for internet (maybe ZTE make).

I am not sure why wpad.dat (about which I found a lot of documentation on the web) is so hard to fix. I have two premium and regularly updated software packages, namely Avast and Malwarebytes (MBAM) - still I find myself helpless in the face of this menace.

Waiting for next set of instructions.

Thanks and Regards

Too limited a search in the registry (the reason we haven't got this fixed yet). As to the reason why your protection software doesn't fix this: they do not see this as a malware issue; the adware is using standard OS settings but has locked you to an IP web address that sends out malware.


Run a search with FRST.

  • Right click on FRST on your desktop and select “Run as Administrator…” When the tool opens click Yes to disclaimer.
  • Type browserupdatecheck:wpad into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.

I have the file SearchReg.txt (after searching for browserupdatecheck:wpad in registry)

I had a look at the file and it seemed it returned empty search results!

Waiting for your next set of instructions!

Thanks and regards,

Make the search for the same text but change the : to a ;
Sorry

Thanks for the updated search string
Yes, this time there were some search results.
Let me know your diagnosis

Attached the file SearchReg.txt

Waiting for your next set of instructions!

Thanks and regards,

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

I disabled silent/gaming mode in Avast! But I am not getting any alert pop-ups as was happening earlier related to wpad/svchost etc.

Wow - it seems it got fixed!! Is it?

To make sure, I ran FRST once again as admin and did a 'Search Registry' for "browserupdatecheck;wpad" - it did return some search results which contain the word "wpad". I have attached the file SearchReg.txt, in case you want to have a look. Does a non-empty search result mean anything? Is the problem still hidden and not fully resolved yet? Yes, I know you did not ask me to do a registry search this time, but I was really curious! Hope you are not offended!

Thanks a lot!

Do I need to do anything else?

By the way, I have always enabled “Animate icon when scanning” in Avast and I have seen (since I installed Avast), that it always remains animated - does always remaining animated icon mean “Avast is always monitoring” or “Avast is always scanning as long as PC is on”

Thanks and Regards

Your system should be free of the browserupdatecheck malware; see if it stays alert free for a day or so and then report back.

Running a scan or a search with FRST is fine; you learn by trying and observing. The WPAD service / routine is part of Windows itself and there is nothing inherently bad with WPAD; only if it is locked into pointing your system to a malware server.
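The helper's point above is that WPAD and the proxy settings are ordinary Windows configuration, and the adware simply pinned them to its own server. The thread does not say which setting was changed on this machine, so the following is an added example, not anything posted in the thread or part of FRST: a PowerShell audit, run from an elevated prompt, that reads the standard Internet Settings keys for every loaded user hive and the machine/policy keys, the WinHTTP proxy used by services (the svchost.exe side of the alerts), the hosts file and the DNS name "wpad", and flags anything that fixes the machine to a PAC URL or proxy. The string "browserupdatecheck" is used only as a search term because it was the marker searched for above; a value matching it is flagged for review, not automatically treated as malicious.

```powershell
# Added example for this thread (not from any post, not part of FRST or Avast).
# Audits where Windows takes its proxy / WPAD configuration from and flags
# anything that pins the machine to a fixed proxy or PAC script.
# Assumptions: standard Internet Settings registry locations; "browserupdatecheck"
# is used only as a search term, as in the FRST registry search above.

$Marker   = 'browserupdatecheck'
$Findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) {
    $Findings.Add($Text)          # list object is shared with the caller's scope
    Write-Host "[!] $Text"
}

# Check the proxy-related values under one Internet Settings key and search
# that key's subtree for the marker string (what FRST's Search Registry did).
function Test-ProxyKey([string]$Path, [string]$Label) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $p = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($p.AutoConfigURL) {
        # A PAC URL is normally absent on a home PC; a raw IP or unknown host is the classic hijack.
        Add-Finding "$Label AutoConfigURL = $($p.AutoConfigURL)"
    }
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        Add-Finding "$Label ProxyServer = $($p.ProxyServer) (ProxyEnable=1)"
    }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like "*$Marker*" -or "$($prop.Value)" -like "*$Marker*") {
                Add-Finding "$($key.Name) :: $($prop.Name) = $($prop.Value)"
            }
        }
    }
}

$Suffix       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicySuffix = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Machine-wide and policy keys (a policy key can lock the setting so the UI cannot change it).
Test-ProxyKey "HKLM:\$Suffix"       'HKLM'
Test-ProxyKey "HKLM:\$PolicySuffix" 'HKLM policy'

# Every loaded user hive, not just HKCU: adware commonly writes to all of them.
Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -notlike '*_Classes' } |
  ForEach-Object {
    $sid = $_.PSChildName
    Test-ProxyKey "Registry::HKEY_USERS\$sid\$Suffix"       "HKU\$sid"
    Test-ProxyKey "Registry::HKEY_USERS\$sid\$PolicySuffix" "HKU\$sid policy"
  }

# WinHTTP proxy: used by services running inside svchost.exe, independent of the per-user setting.
$winhttp = (& netsh.exe winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') { Add-Finding "WinHTTP proxy: $winhttp" }

# hosts file: a static "wpad" entry forces auto-detection to a chosen host.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue |
  Where-Object { $_ -notmatch '^\s*#' -and $_ -match '\bwpad\b' } |
  ForEach-Object { Add-Finding "hosts file pins wpad: $_" }

# DNS: on a home network "wpad" should not resolve at all. If it does, the answer
# must be a proxy you recognise (corporate networks legitimately publish one).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses('wpad') | ForEach-Object { $_.IPAddressToString }
    Add-Finding "'wpad' resolves to $($addrs -join ', ') - confirm this is your own proxy"
} catch {
    Write-Host "[ok] 'wpad' does not resolve on this network"
}

if ($Findings.Count -eq 0) {
    Write-Host '[ok] No fixed proxy, PAC URL or marker string found.'
} else {
    Write-Host "`n$($Findings.Count) item(s) to review."
}
```

Anything this prints with "[!]" is a setting to look at, not proof of infection: a PAC URL or proxy you configured yourself, or a WPAD name published by your employer's network, is expected. What matched the thread's symptom is a value you did not set that points at an address you do not recognise; after removing such an entry, re-run the script to confirm it stays gone, since the thread's first fix was incomplete precisely because only part of the registry had been searched.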

Great answer! Awesome - thanks!

Surely would report back after a day!

Thanks and Regards,

I am happy to report, after more than 24 hours, I have not received any wpad pop up alerts from Avast. It seems my problem is resolved!

I am grateful to you and the forum for this awesome free service!

Regards,

If everything else is fine for you (Avast is running / scanning with no warnings, etc.) then I will remove our tools and get you on your way …

Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double-click it to start the program
  • Ensure Remove disinfection tools is ticked
  • Also tick:
    Create registry backup
    Purge system restore
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

==Some Tools to consider to help keep your system safe ==

Unchecky is a small service that runs in the background to help keep those “extra toolbars” and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here.

Also, consider keeping MalwareBytes Antimalware in your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won’t have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and uBlock Origin add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online


I’ll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!

Awesome!
Thanks friend for such great help!

I will work on the purging tools and other tips that you mentioned and will get back soon!

Regards,

I have taken the following steps:

  • Ran Delfix; attached the log file (note: all the executables I downloaded earlier as per the recommendation of this forum are not on my desktop but in a custom folder. Should I remove all those executables, such as aswMBR.exe and FRST.exe, or retain them? Delfix did not delete them.)

  • Installed Unchecky

  • Installed CryptoPrevent (free version) and set protection in default mode. Should I set maximum protection?

  • How good is CryptoPrevent Premium? Is there any other software better than CryptoPrevent?

  • Note I have Malwarebytes 3.0 Premium - not the free Malwarebytes Anti-Malware. Will running Malwarebytes 3.0 Premium be a problem?

  • Installed addons NoScript and uBlock Origin in my firefox browser.

Thanks to you and the forum for your help!

Regards,

  1. Please delete the tools that Delfix did not find on the desktop. We would want you to download fresh copies (if the need arises) since these tools are constantly updated to combat the ever changing ways of malware.

  2. CryptoPrevent Premium is the same as the Free version except that it gets automatic rules and program updates. Personally, I find the default level of protection to be fine, especially if there is additional protection software running.

  3. MalwareBytes 3.0 Premium should be fine.

  4. You are very welcome. Come back here any time you need help. :)