Warnings related to wpad.dat

system · 2015-06-30T19:51:52.000Z

Zoek didn’t finish when left overnight. Restarted and tried again this evening, results posted.

system · 2015-07-01T09:59:27.000Z

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[B] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/B]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

system · 2015-07-01T10:23:11.000Z

Fixlog attached, warning persists.

system · 2015-07-01T10:24:36.000Z

How is the situation now?

system · 2015-07-01T10:27:03.000Z

Still getting warnings reading:

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: D:\Program Files\AVAST Software\Avast\AvastUI.exe

system · 2015-07-01T10:31:29.000Z

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[B] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/B]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

system · 2015-07-01T10:36:47.000Z

Warning persists, different target processes.

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\SkyDrive.exe, D:\Program Files\AVAST Software\Avast\AvastUI.exe, C:\Windows\System32\svchost.exe

Basically anything attempting to transfer data through the internet.

system · 2015-07-01T10:40:08.000Z

Download
http://www.imgdumper.nl/uploads6/51a5f31352f71/51a5f31352b88-icon_MBAR.png
Malwarebytes Anti-Rootkit to your desktop.

[*]Double-click the icon to start the tool.
[*]It will ask you where to extract it, then it will start.
[*]Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
[*]Click in the introduction screen “next” to continue.
[*]Click in the following screen “Update” to obtain the latest malware definitions.
[*]Once the update is complete select “Next” and click “Scan”.
[*]When the scan is finished and no malware has been found select “Exit”.
[*]If malware was detected, make sure to check all the items and click “Cleanup”. Reboot your computer.
[*]Open the MBAR folder and paste the content of the following files in your next reply:

[*]“mbar-log-{date} (xx-xx-xx).txt”
[*]“system-log.txt”

system · 2015-07-01T10:52:31.000Z

Logs.

system · 2015-07-01T11:18:02.000Z

https://sites.google.com/site/cannedfixes/eset-online-scanner/ESETOnline.png
Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

[*]Accept the Terms of Use and click Start.
[*]Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

[*]Download esetsmartinstaller_enu.exe that you’ll be given link to.
[*]Double click esetsmartinstaller_enu.exe.
[*]Allow the Terms of Use and click Start.

To perform the scan:

[*]Make sure that Remove found threats is unchecked.
[*]Scan archives is checked.
[*]In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
[*]Click Start
[*]The program will begin to download it’s virus database. The speed may vary depending on your Internet connection.
[*]When completed, the program will begin to scan. This may take several hours. Please, be patient.
[*]Do not do anything on your machine as it may interrupt the scan.
[*]When the scan is done, click Finish.
[*]A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.Don’t forget to re-enable previously switched-off protection software!

system · 2015-07-02T10:27:56.000Z

ESET log attached.

system · 2015-07-02T10:31:27.000Z

How is the situation now?

I feel this may be a false positive, hold on whilst I ask Avast to check this out.

system · 2015-07-02T21:57:17.000Z

Warnings continue, although I was instructed to set ESET not to remove threats so I figure that the last step did not do anything other than produce a log.

magna86 · 2015-07-05T10:52:52.000Z

Hello marc.rnglow,

Do you still need help?

system · 2015-07-06T20:22:36.000Z

Yes, warnings are the same as always. Any conclusion on whether or not these are a false positive?

magna86 · 2015-07-06T21:12:15.000Z

marc.rnglow post:21:

Yes, warnings are the same as always. Any conclusion on whether or not these are a false positive?

Hello,

No, this isn’t a falce detection, we know that now. I’ll need fresh look at logs.

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type browserupdatecheck.in;wpad.dat into the Search: field in FRST then click the Search Registry button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

system · 2015-07-07T06:20:51.000Z

FRST64 logs attached.

Would you be able to share what exactly this malware is attempting to do?
Just curious because at one point I was instructed to disable Avast, so I’m assuming the malware completed the operation that is currently being prevented from doing by the Avast client.

magna86 · 2015-07-07T12:29:33.000Z

Hi,

Would you be able to share what exactly this malware is attempting to do?

I can't as I don't know. No one from my users does not know how this malware at all arrived on their computers. No one does not know the scource of the infections (dropers or live link to malware itself) so I can't test it myself in secured environment liek virutal mashines.

Until we get a valid malware/adware copy, little I can say except that it uses wPAD tehnology. My guesses are that this installation is attempted to be installed but avast! blocks its attempt and adware installation failed. But before it has been interrupted and blocked, installer adds some registry changes and avast! report them via his heuristics behavior but unable to process these leftovers as it should be, thus alearts.

Tell me will this fix your problem?

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v SearchList /t REG_SZ /d "" /f

RemoveProxy:
Task: {7B1319EC-EDC9-4597-A75A-741766ECB9EB} - System32\Tasks\Run_dregol => d:\Users\Marc\AppData\Roaming\Run_dregol\UpdateProc\UpdateTask.exe <==== ATTENTION
Task: C:\Windows\Tasks\Run_dregol.job => d:\Users\Marc\AppData\Roaming\Run_dregol\UpdateProc\UpdateTask.exe <==== ATTENTION

File: d:\Users\Marc\AppData\Roaming\Run_dregol\UpdateProc\UpdateTask.exe

Reboot:
HKU\S-1-5-21-2148889511-2369990875-2801628819-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dregol.com/?f=1&a=drg_camstd_15_27&cd=2XzuyEtN2Y1L1Qzu0F0C0A0AtCyEyByCtD0F0Bzz0A0BtBtDtN0D0Tzu0StCtBzztDtN1L2XzutAtFtCtCtFtAtFtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0B0DyCtB0A0FtCtGtB0AtA0CtGyE0EyC0BtGtDyByD0EtGyEyE0CtCyByCyD0ByD0F0Czy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyCyEzzyD0EyEyBtGzzyCyDtAtGyEyDyBtBtGzy0CtD0FtGzyyBzytC0A0CtByEtCyDzztC2QtN0A0LzuyE&cr=1033540487&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_camstd_15_27&cd=2XzuyEtN2Y1L1Qzu0F0C0A0AtCyEyByCtD0F0Bzz0A0BtBtDtN0D0Tzu0StCtBzztDtN1L2XzutAtFtCtCtFtAtFtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0B0DyCtB0A0FtCtGtB0AtA0CtGyE0EyC0BtGtDyByD0EtGyEyE0CtCyByCyD0ByD0F0Czy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyCyEzzyD0EyEyBtGzzyCyDtAtGyEyDyBtBtGzy0CtD0FtGzyyBzytC0A0CtByEtCyDzztC2QtN0A0LzuyE&cr=1033540487&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_camstd_15_27&cd=2XzuyEtN2Y1L1Qzu0F0C0A0AtCyEyByCtD0F0Bzz0A0BtBtDtN0D0Tzu0StCtBzztDtN1L2XzutAtFtCtCtFtAtFtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0B0DyCtB0A0FtCtGtB0AtA0CtGyE0EyC0BtGtDyByD0EtGyEyE0CtCyByCyD0ByD0F0Czy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyCyEzzyD0EyEyBtGzzyCyDtAtGyEyDyBtBtGzy0CtD0FtGzyyBzytC0A0CtByEtCyDzztC2QtN0A0LzuyE&cr=1033540487&ir=
SearchScopes: HKU\S-1-5-21-2148889511-2369990875-2801628819-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_camstd_15_27&cd=2XzuyEtN2Y1L1Qzu0F0C0A0AtCyEyByCtD0F0Bzz0A0BtBtDtN0D0Tzu0StCtBzztDtN1L2XzutAtFtCtCtFtAtFtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0B0DyCtB0A0FtCtGtB0AtA0CtGyE0EyC0BtGtDyByD0EtGyEyE0CtCyByCyD0ByD0F0Czy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyCyEzzyD0EyEyBtGzzyCyDtAtGyEyDyBtBtGzy0CtD0FtGzyyBzytC0A0CtByEtCyDzztC2QtN0A0LzuyE&cr=1033540487&ir=
SearchScopes: HKU\S-1-5-21-2148889511-2369990875-2801628819-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_camstd_15_27&cd=2XzuyEtN2Y1L1Qzu0F0C0A0AtCyEyByCtD0F0Bzz0A0BtBtDtN0D0Tzu0StCtBzztDtN1L2XzutAtFtCtCtFtAtFtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0B0DyCtB0A0FtCtGtB0AtA0CtGyE0EyC0BtGtDyByD0EtGyEyE0CtCyByCyD0ByD0F0Czy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyCyEzzyD0EyEyBtGzzyCyDtAtGyEyDyBtBtGzy0CtD0FtGzyyBzytC0A0CtByEtCyDzztC2QtN0A0LzuyE&cr=1033540487&ir=

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

system · 2015-07-09T05:46:15.000Z

So far, there were no errors. So the problem seems to be resolved!

Thank you, do you accept donations in some form?

magna86 · 2015-07-09T19:58:23.000Z

Glad I could help. Posted logs appear cleans and show no signs of active infection. You should be good to go …

We’re gonna remove my used tools now as well as carry out some further cleaning and security settings. To learn more about how to protect yourself I’ll give you a few tips for reading.

• The following will implement some post-cleanup procedures:

http://www.mcshield.net/pg/images/arrow.png
Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced security tool, should not be used without supervision.

• Learn how to protect yourself:

=> In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Keeping Java and Adobe update is priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader

=> I recommend that you use one of the fantastic opportunities provided by
http://www.mcshield.net/pg/images/avast5.png
avast! AntiVirus.

For security protection, an active AntiVirus is required. If you want to reinforce your security setup I recommended additional security software and utilities:
Download and install Malwarebytes’ Anti-Malware and perform ‘Threat Scan’ from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keeps your checkboxes clear by preventing installing additional adware and other PUP bad software.
Download and install AdBlock for safe web browser surfing without annoying and malicious advertising ads.

• Extra text for reading:

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

Please visit FAQ - Answers to common security questions - Best Practices to read tips how to protect yourself against malware infection.

You may also visit and read What to do if your Computer is running slowly? if you like to read some basic geek stuff.

• The specific type of infection:

Meet CryptoPrevent. Security app that shall attempt to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and simular clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ ;
Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Stay safe.

Best Regards,
magna86

Announcements