Url mal http:wpad.dat keeps poping up

system · 2015-07-01T02:37:07.000Z

For the last 24 hours iv been getting a popup form avast saying
Url http://wpad.browserupdatecheck.in/wpad.dat
Infection: Mal
Proses C:\Windows\System32\svchost.exe
And this affects most other proses that open.
Iv try everything and nothing worked so far. please help, thanks.
What i have used so far (Malwarebytes, Advast, Adwcleaner, Windows Malware Cleaner,TdssKiller)

Asyn · 2015-07-01T04:36:32.000Z

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

system · 2015-07-01T07:10:00.000Z

Here are the files but asw will take sometime cuz it is takeing forever to complete its scan.

Asyn · 2015-07-01T07:15:31.000Z

OK, now you’ve to wait a bit…

magna86 · 2015-07-01T12:08:15.000Z

Hello tannermateo,

No big deal here. You have the same problem as I described here but your malware is loaded here. We shall target malware using FRST and his scripts power. Google Chrome you’ll have to fix by yourself.

Bdw, my tip is to uninstall the RAMBooster.Net version 3.1 as it is flaged as PUP software. Will you uninstall this or not is up to you.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
CreateRestorePoint:
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
CMD: bitsadmin /reset /allusers

CloseProcesses:
S4 RepObeseBedew; "C:\Windows\SysWOW64\fumedbrabdisc.exe" [X]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-06-30] <==== ATTENTION

Hosts:
C:\Windows\SysWOW64\fumedbrabdisc.exe
C:\*.tmp

RemoveProxy:
Task: {4D9BF613-FB4B-4121-A032-4C8A1C928D69} - \DealPlyUpdate No Task File <==== ATTENTION

AlternateDataStreams: C:\ProgramData\.rdata:X]

RemoveDirectory: C:\AdwCleaner

EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then go here to read how and install MCShield;
https://forum.avast.com/index.php?topic=53253.0
Post here AllScans.txt log for review.

Now, it is time to fix Chrome browser. Uninstall browser and make shure Also delete your browsing data options is ticked. Then, download fresh Chrome installer and install. Sync your personal staff and settings by entering the gmail and then reset chrome back to defaults;
https://support.google.com/chrome/answer/3296214?hl=en

system · 2015-07-01T23:31:59.000Z

So i put the script in Frst. So all i do now is just scan with avast till it finds it because the popups are still happening.
And i deleted Chrome form the (x86), And Mcsheild has detected a problem but i cant find the scan log.
And the popups are still happening
But i did find that there were 2 malware programs when avast started up dealz and one other.

system · 2015-07-02T00:07:09.000Z

Found the log.
And i did a few scans on malwarebytes but the popups are still happening
I just finished a full scan on Avast and it still found nothing. But the popups are still there.

system · 2015-07-02T10:05:15.000Z

Is it possible that this might just be a false positive? The thing is that the day before this happen i downloaded nothing and no warnings of Mal were detected. this seem mal popup only happened after avast automatically booted on monday. Another thing is that None of my anti mal programs have found anything except some old keys and PUP that were not malware (all of which i deleted).

magna86 · 2015-07-02T11:12:47.000Z

Hi tannermateo,

Please be patient, we’re investigate it. Yes, this may be the FP and yet again, this may be some new trace of malware, unlikely though.

Bdw, my instructions clearly asking for FixLog.txt.

magna86 · 2015-07-02T14:48:19.000Z

Hello again tannermateo. It seems that the detection are right, I have just confirmed. So we’ll have to hunt a bit until we find out what caused it.

Post me FixLog.txt before I can continue.

Bdw, do you porhaps recall what are you doing before alearts has been started? Any visited site, any downloaded tool? Anything that may help me to hint the droper or source of this.

system · 2015-07-02T20:06:33.000Z

Here are the logs.
Here is a full run down of the day before the incident.
First i went on youtube than went on GTAmods.com and for the rest of the day i just played Project reality. and none of those sites seem to be suspicious and i don’t think that project reality could have even given out a virus.
The popups are also coming up more often for just about everything that has a proses on the task manager.
Also i have looked in the regedit and i did find some strange things like the url mal link inside of the WPAD regedit folder it might be something to look into.

magna86 · 2015-07-02T20:58:09.000Z

tannermateo post:11:

Also i have looked in the regedit and i did find some strange things like the url mal link inside of the WPAD regedit folder it might be something to look into.

Thanks for info, this might help. Yes, detection is wPAD related.

Essexboy and I, we are still investigate it as it would seems that detection is real but we can’t locate the source.

I have few shots before I start to get into loop of hunting but first, let’s preform that registry and system search.

Step#1

Please download SystemLook by jpshortstuff and save it to your Desktop.
http://jpshortstuff.247fixes.com/SystemLook.exe
Alter download link: http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

Right click on SystemLook.exe, select “Run As Administrator…” to run it. If prompted by UAC, please allow it.
If you receive an “Open file - security warning”… asking “Do you want to run this file?”, press the Run button.
Highlight and copy the following entries: into SystemLook’s main text entry window.

:filefind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:folderfind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in

Press the Look button to start the scan. The scan will take a while (porhaps, even more than hour), so please be patient…
When finished, a Notepad window will open with the results of the scan.
A file will be created (on your Desktop) with the results of the scan, named SystemLook.txt

Please post the contents of the SystemLook.txt file in your next reply.

Step#2

Please download RogueKiller x64bi version from the link below and save it to your Desktop:
Notice: download free version of the tool, links are below
http://www.adlice.com/softwares/roguekiller/

Launch the program. Wait for the Prescan to finish. Hit the “Scan” button. Wait for the scan to finish.
Leave all boxes checked, hit that “Delete” button. Wait for the end of deletion.

Please post me here RogueKiller report file.

system · 2015-07-02T22:09:03.000Z

Well i got the system look but rouge killer logs are locked behind a premium membership, although it did find lot a suspicious files and i will leave pics in next post to fit them all.

system · 2015-07-02T22:09:55.000Z

Here are all the pics found that were picked up by rouge killer.

magna86 · 2015-07-03T12:24:03.000Z

Yeah, RogueKiller’s site is … :

I’ve uploaded free version of the tool to my FTP site. Use this link for downlaod:
http://www.mcshield.net/personal/magna86/temp/RogueKillerX64.exe

Now, SystemLook log isn’t good too, log is disturbed and I can’t use that log in that form. But we made a discovery. Try to copy-paste the original system look log to pastebin site:
http://pastebin.com/
…and post here URL of the posted logs so I can read it.

Just in case, once again we shall use FRST for additional checks since SystemLook is unusefull for me in that form. Re-run FRST/FRST64 by double-clicking:

[*]Type browserupdatecheck;wpad.browserupdatecheck.in;wpad; into the Search: field in FRST then click the Search Registry button.
[*]FRST will search your computer for registry keys and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

system · 2015-07-03T20:29:49.000Z

http://pastebin.com/sJaaaQqQ theirs the past bin
And i got that search file for you.
But again the Rouge killer is still blocked behind a membership to get to the log search.

magna86 · 2015-07-03T21:00:17.000Z

This once RogueKiller really went rogue. … :

Anyway, this fix includes two steps.

Step#1

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

CreateRestorePoint:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reboot:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Step#2

Download the following file (Tcpip.reg) and save it to your Desktop. Run the file and allow it to merge to registry and make changes. Again, reboot your PC.
http://download.bleepingcomputer.com/win-services/7/Tcpip.reg

NOTICE: This reg file was written specifically for this OS, for use on that particular machine. Running this on another machine may cause damage to the operating system

Please tell me the computer behavior after this fixing.

system · 2015-07-03T21:47:56.000Z

Well the Fixlist sceem to have made the popup less often but the TCPIP did the job. Thank you so very much, im afraid with out your help this would have never left my pc. If you can, keep this open in case it comes back.

magna86 · 2015-07-03T22:25:00.000Z

Shure. Please keep monitor your computer behavior and if alearts came back, just report here.

Announcements