Virus: http://wpad.browserupdatecheck.in/wpad.dat

My Avast free antivirus is reporting this…I have been facing this problem for two days…I have tried using malware removing programs…this shit is not getting removed

Infection details:
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Program Files\AVAST Software\Avast\avastui.exe

Hi, this first run will not clear it, as I may need to do a search after.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Ok sir…thanks

Please untick use download manager option

FRST.txt - http://www.datafilehost.com/d/842b8d5b
Addition.txt - http://www.datafilehost.com/d/31d08cb9

dropbox links:

FRST.txt - https://www.dropbox.com/s/6ja7l6mnp00id36/Addition.txt?dl=0
Addition.txt - https://www.dropbox.com/s/97alv4oi52dbifo/FRST.txt?dl=0

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
FF Extension: XUL Cache - C:\Users\nikhil1994\AppData\Roaming\Mozilla\Firefox\Profiles\wjqelr1l.default\Extensions\{7c0f957d-e22b-492b-9c15-abac029fd06f} [2015-05-03]
2015-07-23 18:27 - 2015-07-23 21:31 - 00000000 ____D C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2015-07-23 18:00 - 2015-07-23 20:57 - 00000024 _____ C:\autoexec.bat
2015-07-19 13:57 - 2015-07-19 13:57 - 00004216 _____ C:\Windows\System32\Tasks\Winupdate
2015-07-19 13:57 - 2015-07-19 13:57 - 00004194 _____ C:\Windows\System32\Tasks\EssentialUpdateMachine
2015-07-19 13:57 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-07-19 13:57 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-07-19 13:57 - 2013-12-05 18:06 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-07-19 13:57 - 2013-06-05 18:08 - 00004122 _____ C:\Windows\plofgye
2015-07-19 13:57 - 2013-06-05 18:07 - 00004194 _____ C:\Windows\soxe
2015-07-19 13:57 - 2013-06-05 18:06 - 00000038 _____ C:\Windows\initcvtr.bat
Task: {8330E629-B511-4FA9-A71E-9F2B04969294} - System32\Tasks\EssentialUpdateMachine => chp.exe <==== ATTENTION
Task: {E300F6AA-5165-43B2-A763-076CE20F1350} - System32\Tasks\Winupdate => chp.exe <==== ATTENTION
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.


Having done that we will now search for the main miscreant :

Start FRST and copy/paste the following into the search box
Click search registry and attach the resultant log

browserupdatecheck.in;wpad.dat

I think we have found the mischief in search.txt in registry :slight_smile:

AdwCleaner[S1].txt- https://www.dropbox.com/s/1md9xzh4qh214o4/AdwCleaner[S1].txt?dl=0
Fixlog.txt - https://www.dropbox.com/s/qnonrxbu3tsxo7g/Fixlog.txt?dl=0
Search.txt- https://www.dropbox.com/s/ltxhg0qcp7qz2ro/Search.txt?dl=0

Right click this link https://dl.dropboxusercontent.com/u/73555776/tcpip.reg and select save target as…
Save to your desktop as tcpip.reg
Double click this file and allow it to merge, accept the warnings
Reboot and the alerts should be history
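
An added example, not part of the original thread and not FRST's own code: a read-only PowerShell equivalent of the registry search for browserupdatecheck.in;wpad.dat used above. The function name and the three starting keys are assumptions (the thread never shows Search.txt or the contents of tcpip.reg); the Internet Settings keys are included because they hold the proxy settings that the fixlist's RemoveProxy: line resets.

```powershell
# Read-only: lists registry values whose name or data contains an indicator.
# Nothing is modified or deleted.
$indicators = 'browserupdatecheck.in', 'wpad.dat'

# Assumed starting points; widen to 'HKLM:\SYSTEM' or 'HKLM:\SOFTWARE' for a
# fuller (and much slower) sweep.
$roots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Find-RegistryIndicator {
    param([string[]]$Root, [string[]]$Indicator)

    # Collect each root key plus every subkey below it; skip roots that
    # do not exist and subkeys the current user cannot open.
    $keys = foreach ($r in $Root) {
        if (Test-Path -LiteralPath $r) {
            Get-Item -LiteralPath $r
            Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue
        }
    }

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # REG_MULTI_SZ is returned as string[]; join it so one match
            # covers every entry. REG_EXPAND_SZ is read unexpanded.
            # Binary values become a list of numbers and will not match.
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $data = @($raw) -join ' '
            foreach ($i in $Indicator) {
                if ($name -like "*$i*" -or $data -like "*$i*") {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = $name
                        Data  = $data
                        Match = $i
                    }
                }
            }
        }
    }
}

Find-RegistryIndicator -Root $roots -Indicator $indicators | Format-List
```

Run it from an elevated PowerShell prompt so the HKLM subkeys are readable; an empty result means none of the searched keys reference either string.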

Great Sir…problem fixed!! I think the mischief was in the registry…but will this problem come back in future :slight_smile:

No this sort of thing comes in spurts and the latest attack has now wound down :slight_smile:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

I am also having this issue.

Please help

Ted

Please download and run FRST

I have run the frst.exe and I have both txt files on my desktop. Spyhunter is identifying frst as malware.

Ted

Hey tberts54, please attach the logs here so essexboy can have a look at them :slight_smile: Second, why do you run SpyHunter? I'm no expert, but if I get it right the reputation of SpyHunter can be questioned. Antivirus programs will pop up on FRST since it is updated almost daily, but it's safe to use.

Spyhunter appeared in most of the forum articles as an effective removal tool. I was apprehensive always. I initially decided not to spend the $40 for the program, but they offered the product for $10 when I went to uninstall the program. I ran it with marginal results. I have had good 2-way communications with their tech support staff. Even 2 remote intervention sessions. At this point they say they can find nothing. AVAST and Malwarebytes don’t report problems, but AVAST reports malware hits about twice an hour. Very curious why scans are not finding it, but webshield reports it so often.

I do appreciate your assistance, and will probably allow the spyhunter subscription to expire.

Trying to attach the 2 txt files from the FRST scans, not seeing an attach button. :-\

Ted

OK Attachments here

Automated programmes do not know where to look for this malware, and even if they were programmed to find it they could really ruin your day when they try to remove it

You have McAfee running as well that needs to be uninstalled

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
FF Extension: No Name - C:\Users\cindy\AppData\Roaming\Mozilla\Firefox\Profiles\8gjl1k2j.default\extensions\d4db60df25f14dae9dd18@185c395f9e794c9ab86be3eb.com [not found]
2015-07-07 19:52 - 2015-07-07 19:52 - 00003066 _____ C:\WINDOWS\System32\Tasks\{668DA14B-D036-41F0-A9B8-728BEB6910B7}
Task: {16C026B1-8E82-441A-B3FD-471B625E5E2D} - \Dregol lera No Task File <==== ATTENTION
Task: {583D1208-0230-44EA-BFE3-833F9B4124BC} - \avabvbavad No Task File <==== ATTENTION
Task: {99EF9905-26FA-4CC8-9593-1C072DBB490D} - \MaxComputerCleaner_Start No Task File <==== ATTENTION
Task: {AD067733-4B9F-4567-AF84-AEF80F846723} - \Winfix Helper No Task File <==== ATTENTION
Task: {D1EC1338-2A58-4833-A594-3CA94A2207DC} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {FD7653CA-32D2-4999-8DBC-D1A99E61C786} - \EssentialUpdateMachine No Task File <==== ATTENTION
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

NEXT

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

FINALLY

Start FRST and copy/paste the following into the search box
Click search registry and attach the resultant log

browserupdatecheck.in;wpad.dat

Adw txt file

Updated 09/07/2015 by Xplode

Database : 2015-07-26.2 [Server]

Operating system : Windows 8.1 (x64)

Username : cindy - CINDYS

Running from : C:\Users\cindy\Downloads\adwcleaner_4.208.exe

Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\maxcomputerclenner
Key Deleted : HKCU\Software\SlimWare Utilities Inc
Key Deleted : HKLM\SOFTWARE\SlimWare Utilities Inc

***** [ Web browsers ] *****

-\ Internet Explorer v11.0.9600.17840

-\ Mozilla Firefox v


AdwCleaner[R0].txt - [6630 bytes] - [21/07/2015 17:17:18]
AdwCleaner[R1].txt - [833 bytes] - [26/07/2015 10:29:24]
AdwCleaner[R2].txt - [1205 bytes] - [26/07/2015 10:40:34]
AdwCleaner[S0].txt - [6315 bytes] - [21/07/2015 17:18:40]
AdwCleaner[S1].txt - [896 bytes] - [26/07/2015 10:30:40]
AdwCleaner[S2].txt - [1029 bytes] - [26/07/2015 10:41:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1088 bytes] ##########

frst search

When I tried to uninstall McAfee, I got an error message.

Navigation to this page has been cancelled

??

BTW, Still getting the webshield alerts on wpad.browserupdatecheck.in