Remove Http://46.165.229.29/wpad.dat?n virus

I provide voluntary computer assistance (typically for the very elderly and poor patrons) at our local library and have a patron with the virus Http://46.165.229.29/wpad.dat?n… She initially complained about sluggish computer processing (Toshiba laptop). She had no anti-virus tools on her computer so I installed Avast Free and Malwarebytes. Once installed, Avast gives a continual series of alerts related to this virus. I have looked across the web for potential removal tools and do not have much faith or trust in any of the solutions published. I have identified one forum member that had the same issue but there was no indication a solution was achieved. I would really like to help her without a total rebuild of her system… Any assistance would be greatly appreciated as I am always hesitant to jump into virus removal without full knowledge of how the virus should be removed… Malwarebytes is running on her computer as I write this on my personal computer. Thank you…

follow instructions, attach Malwarebytes and OTL log http://forum.avast.com/index.php?topic=53253.0

Greetings,
Thanks for the response… Have followed your instructions and am attaching the logs for the malware software as you asked. The virus is still being continually deflected by Avast every 15 seconds or so… Will await your next recommendations… Appreciate your help, Roy

Hi there, first you will need to uninstall TrendMicro… Details on this page http://esupport.trendmicro.com/solution/en-us/1037161.aspx?referral=1056551

Then

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-2790283380-1669114092-1841631851-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3323912&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP7C370462-D7AB-4139-AF56-B12910E05B8B&q={searchTerms}&SSPV=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O4:64bit: - HKLM..\Run: [AS2014] C:\ProgramData\ahrpDn37\ahrpDn37.exe File not found
O4:64bit: - HKLM..\Run: [nkstap] C:\Users\owner\AppData\Roaming\nkstap.dll (Technologies Ltd.)
O4:64bit: - HKLM..\Run: [nsypl] C:\Users\owner\AppData\Roaming\nsypl.dll (Test Corporation)
O4:64bit: - HKLM..\Run: [Paixpoob] "C:\Users\owner\AppData\Roaming\Micoty\exlou.exe" File not found
O4:64bit: - HKLM..\Run: [Qaulazxaleyqsu] "C:\Users\owner\AppData\Roaming\Gyvunyxo\kubyho.exe" File not found
O4 - HKLM..\Run: [AS2014] File not found
O4 - HKLM..\Run: [BrowserSafeguard] "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe" File not found
O4 - HKU\S-1-5-21-2790283380-1669114092-1841631851-1000..\Run: [nkstap] C:\Users\owner\AppData\Roaming\nkstap.dll (Technologies Ltd.)
O4 - HKU\S-1-5-21-2790283380-1669114092-1841631851-1000..\Run: [nsypl] C:\Users\owner\AppData\Roaming\nsypl.dll (Test Corporation)
O4 - HKU\S-1-5-21-2790283380-1669114092-1841631851-1000..\Run: [Osbics] C:\windows\SysWow64\regsvr32.exe (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll) - File not found
[2014/02/06 14:54:05 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\BrowserSafeguard
[2014/02/06 14:26:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector
[2014/02/06 14:26:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Systweak
[2014/02/06 14:25:26 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Systweak
[2014/02/06 14:25:23 | 000,020,312 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\windows\SysNative\roboot64.exe
[2013/09/24 13:38:39 | 000,376,832 | ---- | C] (Technologies Ltd.) -- C:\Users\owner\AppData\Roaming\nkstap.dll
[2013/09/24 13:38:33 | 000,770,048 | ---- | C] (Test Corporation) -- C:\Users\owner\AppData\Roaming\nsypl.dll
[2014/02/06 14:26:10 | 000,001,176 | ---- | M] () -- C:\Users\Public\Desktop\Advanced System Protector.lnk
[2014/02/06 14:23:38 | 000,000,000 | ---- | M] () -- C:\END
[2014/02/07 18:47:05 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\DefaultTab
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Diebqi
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Emvoozyg
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Gyvunyxo
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Luesreco
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Miafoco
[2014/02/06 16:04:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Micoty
2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Qukypu
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Riidbery
[2014/02/07 18:47:05 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Systweak
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Taivexfo
[2014/02/06 16:09:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Ydudag

:Reg
[-HKCU\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi Again,
With the exception of not being able to find the Trend software, I have followed all of your instructions and have attached the appropriate log files… The computer seems to be running normally now and, if you believe it to be clean based on the attached log files, it will be returned to its owner who will forever be grateful to you and your capabilities… I will leave Avast and Malarebytes on her machine, make sure she registers with the Avast site, and then give her a brief lecture on what sites and situations to avoid while browsing on the web… I will also monitor her machine occasionally to make sure she is being more careful… Thanks so much for everything, Roy Osborn

In the mean time more about this nasty browser hijacker virus here: http://removeallviruses.blogspot.nl/2013/09/delete-http4616522929wpaddatn-virus.html
link article author Tammy Brophe.

polonus

That looks really good now so lets tidy up before you give it back

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:

Thank you all ever so much… Will be using your recommendations as part of the internet “safety” course I provide at the local library. And thank you for putting this much effort into “someone else’s” problem to get it resolved… Need more folks like you in the world to help protect the elderly from the unsavory…