ndiswan.exe harmful webpage

Hi all,

For the last 4-5 weeks I have been getting the message below multiple times per day. Since a boot scan does not reveal any virus, should I report this as a false positive?


http://www.divshare.com/img/thumb/26265552-c67.JPG

If not, what other checks do I need to do?

Thanks
Alex

https://forum.avast.com/index.php?topic=53253.0

OK here are my logs.

By the way, I got the same message as above a few minutes ago.

Thanks
Alex

Thank you for providing the logs.
Please do not change anything on your system so we can have a good look at the logs and help you.

Let me know if this clears it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {9250BEDF-1BFB-4B9B-9BCB-75710F53A530} URL =
BHO: Expat Shield Class -> {3706EE7C-3CAD-445D-8A43-03EBC3B75908} -> C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll No File
BHO: Hotspot Shield Class -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - No Name - {724D43A0-0D85-11D4-9908-00400523E39A} - No File
FF NetworkProxy: "backup.gopher", "93.63.71.211"
FF NetworkProxy: "backup.gopher_port", 0
FF NetworkProxy: "gopher", "93.63.71.211"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "type", 0
C:\Users\AD\cyggcc_s-1.dll
C:\Users\AD\cygstdc++-6.dll
C:\Users\AD\cygwin1.dll
C:\Users\AD\iperf.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi,

I got the Fixlog.txt file (attached) but I cannot run AdwCleaner.exe as it is blocked by Avast.
It does not allow me to white list it either…

Thank you
Alex

Could you retry the download using the bleeping.com site, as the download works for me now?

The download is not the problem, but running the program is; it’s blocked and deleted by Avast.

Could you confirm that Avast is updated, as I have no problems running it on my system?

For whatever reason, I tried now and it worked; last night I tried three times, no way, file removed.
Anyhow, here are the results.

Are the alerts still occurring?

For the moment I have not got another one today, but if I do, I’ll let you know.
Did you notice anything bad was removed?

Thank you for your help!
Alex

Not really, as it was all adware stuff. When you are happy let me know and I will tidy up.

Hi,

What shall I do with this instead?
This is coming up from time to time, say weekly.
I have always used VLC and keep it updated, but this message has been popping up for a few months now.

Thanks
Alex

Personally, unless you use the toolbar I would recommend uninstalling it. Otherwise just ignore the weekly prompts.

Hi,

Bad news… it’s back… and I was not even on the Internet; the computer was on and suddenly I heard the “threat has been detected” message.

Any ideas what else we can do?

Cheers
Alex

OK bigger tool time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

OK, here’s the combofix report.

Alex

Let me know if that cures it. I cannot remove the offending file as it is part of your network WAN Miniport IP\ndiswan.exe

Nope, it’s alive and kicking.
If it’s part of my WAN Miniport IP, how do I get rid of it?
It’s blocked by Avast every time but there must be a way to identify what triggers this?

Alex