Virus Issue. Fed up with the popup

Hi,
I’m getting this notification:
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
Attaching the initial files of Farbar recovery tool.
Please help.
Regards,
Mahima

Hello,

Looking for help still…
Zoek.exe found a lot of issues, and I used the fix functionality to fix those and restarted the machine.
But the issue still persists.

I will appreciate it if someone can help.

Regards,
Mahima

Please do not try any more self-fixes, especially with specialized tools. Await my next reply.

Reset Google Chrome after completing the following steps.

Step #1 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad:

Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
HKLM\...\Run: [gmsd_in_007010002] => [X]
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\...\MountPoints2: {4189226b-9625-11e4-940e-7071bcbc998f} - M:\AutoRun.exe
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\...\MountPoints2: {e14d0ecc-744e-11e4-b556-806e6f6e6963} - L:\Setup.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
AutoConfigURL: [HKLM] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
2015-06-19 23:21 - 2015-06-19 23:21 - 00000000 ____D C:\Program Files\predm
CMD:bitsadmin /reset /allusers
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop-down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
  Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.


Step #2 Fix with AdwCleaner
- Download AdwCleaner by Xplode to your Desktop from the following link.
  - Download Link #1
  - Download Link #2
- Right-click on AdwCleaner.exe and choose Run as administrator;
- Click on Scan and let the program run unhindered;
- When done, click on Clean and allow the system to reboot after it is done;
- A log will be opened automatically after the restart;
- Attach the log in your reply.


Required Log(s):
- FRST Fix Log
- AdwCleaner Log

Regards,
Valinorum
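The Step #1 fixlist above removes a proxy auto-config (PAC) URL from the machine hive and from the LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hives, strips Chrome and Internet Explorer policy keys, and deletes a Run entry. A PAC file served from file://C:\Windows\system32\Drivers is the actual hijack: its FindProxyForURL() decides which proxy every request goes through, so the system silently routes traffic wherever the attacker says, and services running in svchost.exe pick it up too. As an added example that is not part of this thread and not FRST's own output, the following PowerShell script reads the same locations so the state can be recorded before the fix and compared after the reboot. It assumes an elevated prompt on the affected machine; the PAC path and the policy keys it checks are the ones FRST reported in the fixlist, and the Run-key file check is a heuristic (quoted path, otherwise the first token of the command line).

```powershell
# Added example: read-only audit of the locations the Step #1 fixlist touches. Not part of
# the thread or of FRST. Run from an elevated PowerShell prompt on the affected machine.
$report = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Area, [string]$Detail) {
    $script:report.Add(('{0,-14} {1}' -f $Area, $Detail))
}

# 1. AutoConfigURL (PAC) and manual proxy in the machine hive and every loaded user hive.
#    HKU\S-1-5-19 and S-1-5-20 are LOCAL SERVICE and NETWORK SERVICE: a PAC there is used by
#    background services, not by an interactive browser session.
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = @("HKLM:\$inet")
$hives += Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\$inet" }
foreach ($h in $hives) {
    $p = Get-ItemProperty -Path $h -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    if ($p.AutoConfigURL) { Add-Finding 'AutoConfigURL' "$h => $($p.AutoConfigURL)" }
    if ($p.ProxyEnable -eq 1) { Add-Finding 'ProxyServer' "$h => $($p.ProxyServer)" }
}

# 2. The PAC file FRST reported. FindProxyForURL() in it decides where every request goes, so a
#    PAC dropped next to kernel drivers (no legitimate installer puts one there) is the hijack.
$pac = "$env:SystemRoot\System32\Drivers\winpacket.pac"   # path taken from the FRST fixlist
if (Test-Path -Path $pac) {
    Add-Finding 'PAC file' "$pac ($((Get-Item -Path $pac).Length) bytes)"
    Select-String -Path $pac -Pattern 'PROXY|SOCKS|return' |
        ForEach-Object { Add-Finding 'PAC rule' $_.Line.Trim() }
}

# 3. Browser policy keys. A home PC normally has none; malware uses them to pin the proxy,
#    home page or search engine so that a browser reset does not help.
$policyKeys = @('HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google',
                'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer')
foreach ($k in $policyKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    Add-Finding 'Policy key' $k
    foreach ($sub in @(Get-Item -Path $k) + @(Get-ChildItem -Path $k -Recurse)) {
        foreach ($name in $sub.GetValueNames()) {
            Add-Finding 'Policy value' "$($sub.Name)\$name = $($sub.GetValue($name))"
        }
    }
}

# 4. Run keys. FRST shows "[X]" when the file behind an entry cannot be found; a dangling
#    entry is harmless by itself but tells you what the dropper wanted started at logon.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Heuristic (assumption): quoted path, otherwise the first whitespace-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { 'MISSING' }
        Add-Finding 'Run' "$name => $cmd [$state]"
    }
}

if ($report.Count -eq 0) { Write-Output 'No proxy, PAC, policy or Run findings.' }
$report | ForEach-Object { Write-Output $_ }
```

Run it once before applying the fixlist and once after the reboot, and compare the two outputs: any AutoConfigURL, PAC rule or policy value that survives the fix is a second persistence mechanism FRST did not list.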

Hi,
Performed all the steps mentioned by you… Have attached the logs as well…

Still getting an error now…
Can see two file names now… one is svchost.exe and another is chrome.exe

Also error is now coming for avastui.exe
:-[
Please help
Have scanned again using Frst.exe and have attached those logs as well… Not sure what is going wrong…

Regards,
Mahima

Hi,
Can you tell me what kind of error you are receiving? Are you using F5 Networks VPN Manager?


Step #3 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad:

Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\Admin\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerControl.cab#-1,-1,-1,-1
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxshost.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxhost.cab

CHR Extension: (Google Wallet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-01]
CHR HKLM\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx

CHR HKLM\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
OPR Extension: (F5 Networks Plugin Host) - C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Extensions\bfjhelpopbdbnlfmjkbkfkbfmbneaeob [2015-01-07]

S3 f5ipfw; C:\Windows\system32\drivers\urfltwlh.sys [28392 2014-04-08] (F5 Networks, Inc.)

R3 urvpndrv; C:\Windows\System32\DRIVERS\covpnwlh.sys [40528 2014-04-08] (F5 Networks, Inc.)

2015-06-07 20:22 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-07 20:22 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe

2015-06-07 20:22 - 2015-04-25 14:48 - 00053248 _____ C:\Windows\zlib.dll
2015-06-07 20:22 - 2013-12-05 18:06 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-07 20:22 - 2013-06-05 18:08 - 00004122 _____ C:\Windows\plofgye
2015-06-07 20:22 - 2013-06-05 18:07 - 00004194 _____ C:\Windows\soxe
2015-06-07 20:22 - 2013-06-05 18:06 - 00000038 _____ C:\Windows\initcvtr.bat

Task: {4CEF2583-DA21-4E22-9A6A-E616D9D3BF0A} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt;
  - From the Save as type drop-down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
  Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Copy and paste the contents of the log in your next reply.


Required Log(s):
- FRST Fix Log

Regards,
Valinorum

Hi,
It is the same error as mentioned in the original post… however, am seeing new exe names now…
one is avastui.exe and another is chrome.exe which was not coming earlier.
I am not using any F5 network… but had given the PC to a friend who was using it for work from home…
She might be using it…
Please let me know if I have to uninstall it.
I am in office currently and will try the solution posted by you once I am home.

Thanks for all the help.

Regards,
Mahima

Yes, uninstall it please. If you cannot, proceed to the fix I listed above.

Still getting the same popup…
I don't know what is going wrong.
Also I am not able to see V5 network in my installed programs in control panel…
Not sure from where do I uninstall it.
have attached the fixlog for the latest run for your reference.

Regards,
Mahima

Provide me another fresh FRST scan log. This is a new type of infection.

Hi,
I managed to uninstall the software after I posted my reply…
It was under a different name.
Will provide a fresh log once I am back home tonight.
Thanks for all the support… really appreciated…

Regards,
Mahima

Hi,
Have attached a fresh log for Frst.txt and Addition.txt…
I observed a strange behavior today…
I saw 2 exe in task manager… one was DWX.exe and another PEVS.exe

I found the name suspicious and clicked on the exe and tried to open the file location…
the moment I clicked open file location the exe disappeared from the task manager…

Mahima

Good morning…
The number of times the popup is coming has considerably doubled up now…
its just not letting me do anything.

Help pls

Hi,

This is a new malware, so please be patient. I shall perform two new scans to locate the source:

Step #4 SystemLook Search
- Please download SystemLook by jpshortstuff to your Desktop from the suitable link below.
  - Download Link for 32-bit System
  - Download Link for 64-bit System
- Right-click and choose Run as administrator;
- In the search box, copy and paste the following code from the code-box.

:filefind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*
PEVS.exe
DWX.exe

:folderfind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in

- Click on Look;
- After the scan a log will be opened;
- Attach the log in your next reply.


Re-run FRST64.exe(or, FRST.exe) and type the following in the Search box.

browserupdatecheck;wpad.browserupdatecheck.in;wpad;

Click on Search Registry.
After the search, FRST will produce a log called Search.txt. Attach the log in your next reply.


Required Log(s):
- SystemLook Report
- Farbar Log:
  - Search.txt

Regards,
Valinorum

Getting below error when I click on the link to download SystemLook Search.

Not Found

The requested URL /SystemLook.exe was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Do we have any alternate link to download it?

Hello,
Downloaded it from another location…

attached are the logs for your reference.

Regards,
Mahima

Step #5 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad:

Start
CreateRestorePoint:
CloseProcesses:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reboot:
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop-down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
  Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.


Download TCPIP.reg to your Desktop. Right-click on it and choose 'Merge'. Click 'OK' to the warning messages. Restart the PC after the merge is complete. Report the result to me.


Required Log(s):
- FRST Fix Log

Regards,
Valinorum
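Step #5 deletes and recreates the Wpad key under HKU\.DEFAULT, that is, the WPAD auto-detect cache of the profile that SYSTEM services use. That ties the symptoms in this thread together: Avast kept naming svchost.exe because the service host runs the WinHTTP auto-proxy and BITS clients, and those run as SYSTEM, LOCAL SERVICE and NETWORK SERVICE, the three hives (.DEFAULT, S-1-5-19, S-1-5-20) in which FRST had found the rogue PAC in Step #1. A cached WPAD answer survives a browser reset, which is why the popup only stopped after the key was recreated and the machine rebooted. As an added example that is not part of the thread or of FRST, the following PowerShell script reads the proxy settings, the connection flags and the Wpad cache for each of those profiles, then shows what the name "wpad" resolves to on the current network, any hosts-file entry for it, and the WinHTTP proxy. It assumes an elevated prompt; the byte layout of DefaultConnectionSettings it decodes is the commonly documented one and is an assumption here, not something taken from the thread.

```powershell
# Added example: read-only audit of WPAD/proxy state for the service profiles and the current
# user. Not part of the thread or of FRST. Run from an elevated PowerShell prompt.
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$profiles = [ordered]@{
    'SYSTEM (HKU\.DEFAULT)'      = 'Registry::HKEY_USERS\.DEFAULT'
    'LOCAL SERVICE (S-1-5-19)'   = 'Registry::HKEY_USERS\S-1-5-19'
    'NETWORK SERVICE (S-1-5-20)' = 'Registry::HKEY_USERS\S-1-5-20'
    'Current user (HKCU)'        = 'HKCU:'
}

function Get-ProxyMode([byte[]]$Blob) {
    # Assumed layout of DefaultConnectionSettings (commonly documented, not from the thread):
    # byte 8 is a bitmask, 0x02 manual proxy, 0x04 PAC script, 0x08 WPAD auto-detect;
    # 0x01 on its own means a direct connection.
    if (-not $Blob -or $Blob.Length -lt 9) { return 'unknown' }
    $flags = $Blob[8]
    $mode = @()
    if ($flags -band 0x02) { $mode += 'manual proxy' }
    if ($flags -band 0x04) { $mode += 'PAC script' }
    if ($flags -band 0x08) { $mode += 'WPAD auto-detect' }
    if ($mode.Count -eq 0) { return 'direct' }
    return ($mode -join ' + ')
}

foreach ($entry in $profiles.GetEnumerator()) {
    $base = "$($entry.Value)\$inet"
    Write-Output "== $($entry.Key) =="
    $settings = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($settings -and $settings.AutoConfigURL) {
        Write-Output "  AutoConfigURL : $($settings.AutoConfigURL)"
    }
    $conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
    if ($conn -and $conn.DefaultConnectionSettings) {
        Write-Output "  Proxy mode    : $(Get-ProxyMode $conn.DefaultConnectionSettings)"
    }
    # The Wpad key caches the last auto-detect decision per network. The Step #5 fixlist deletes
    # and recreates it empty under .DEFAULT so the cached answer is discarded at the next reboot.
    if (Test-Path -Path "$base\Wpad") {
        foreach ($sub in Get-ChildItem -Path "$base\Wpad" -Recurse) {
            foreach ($name in $sub.GetValueNames()) {
                Write-Output "  Wpad cache    : $($sub.PSChildName)\$name = $($sub.GetValue($name))"
            }
        }
    }
}

# WinHTTP auto-detect asks DNS for wpad.<suffix>; whoever answers serves the wpad.dat that every
# client then trusts. On a home network the name should not resolve at all.
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
$names = @('wpad')
if ($suffix) { $names += "wpad.$suffix" }
foreach ($n in $names) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        Write-Output "DNS     : $n -> $($addrs -join ', ')  <== check who owns this"
    } catch {
        Write-Output "DNS     : $n does not resolve"
    }
}
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Select-String -Path $hostsFile -Pattern 'wpad' -SimpleMatch |
    ForEach-Object { Write-Output "hosts   : $($_.Line.Trim())" }
$winhttp = ((netsh winhttp show proxy) -join ' ') -replace '\s+', ' '
Write-Output "WinHTTP : $($winhttp.Trim())"
```

If the machine still sat on the network where the infection was picked up, a "wpad" name that resolves to an address nobody can account for points at a rogue DHCP/DNS answer on that network rather than at the PC, and cleaning the registry alone will not hold.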

Done…
attached is the fixlog…
however, am still getting the popup alerts…

Had forgotten to restart the machine…
Now not getting any popups after the restart…

Yuhuuuuuu
Thank you so much for helping me out with so much patience…

Can you tell me what it was? And where was it hiding…

Regards,
Mahima

The initial files were removed earlier and it was hiding as a Google Chrome extension. Later it also modified the TCP/IP registry keys. Please monitor the PC for 12 hours and report the result to me. If the issue is resolved, we shall move on to the clean-up phase.