wpad.browserupdatecheck.in/wpad.dat

I am experiencing similar problems to what others are. I have been getting popup warnings from Avast for several days now.

URL: http//wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Program Files\AVAST Software\Avast\avastui.exe

URL: http//wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

THEN

Start FRST again and in the search box type/copy and paste:

browserupdatecheck.in;wpad.dat

Then press Search Registry and attach that log as well

Hi

I have done what you instructed and I have attached the logs as well

OK, let's now start clearing up

First :

Right click this link and select save target as… https://dl.dropboxusercontent.com/u/73555776/tcpip.reg
Save TCPIP.reg to your desktop
Double click TCPIP.reg and allow the file to merge; accept all warnings

NEXT

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:


Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

I have done all the things you instructed and I am attaching the log report too…

What problems do you have now?

I have the same problem as before but now I have fewer popups, and whenever I boot Windows I am getting a new blank cmd window named “syswow”

OK, could you run a fresh FRST scan please? Also run a registry search as before for

browserupdatecheck.in

Yes, I have done the test and I'm attaching the logs

Whilst I look at the main logs

Right click this link and select save target as… https://dl.dropboxusercontent.com/u/73555776/tcpip.reg
Save TCPIP.reg to your desktop
Double click TCPIP.reg and allow the file to merge; accept all warnings

Could you post a screenshot of the syswow popup please?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:


Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

I have done the fix process and am still getting the problem, and I note that I'm getting this problem only on browser opening.
I have attached the log and a screenshot of the syswow popup

Which browser does this occur in?

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
  • You will receive a prompt:
Do you want to skip supplementary searches?
click NO

  • If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and attach it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

Done the procedure and here is the log attached

It is occurring in all the browsers

I hate this forum… Could you open the silent runners log and select save as
And ensure that ANSI is selected

So you are still getting this alert? wpad.browserupdatecheck.in

Could you run a further FRST registry search as I would like to know how it is being re-installed

Yes, still having the problem, and now I have enabled ANSI in the Silent Runners log and I'm attaching it

Ran the FRST scan and I have attached the logs as well

Hmm still showing in control sets 1 and 2

Right click this link and select save target as… https://dl.dropboxusercontent.com/u/73555776/tcpip.reg
Save TCPIP.reg to your desktop
Double click TCPIP.reg and allow the file to merge; accept all warnings

THEN

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

I have done the ComboFix test as you instructed, and now for half an hour I am not getting the wpad popup, but I still have that syswow popup at startup. My computer is working normally as before, nothing disgusting. I am attaching the ComboFix log here. I'll notify you when I get any wpad popup