wpad.net/wpad.dat infection

Hi there,

I’m searching for some help as since yesterday evening Avast regularly tells me that a program is trying to access a suspicious URL: “wpad.net/wpad.dat”.
Even Avast exes are sometimes detected.

Even another computer I have at home gives me the same alerts since today.

As mentioned in the “Logs to assist in cleaning malware” thread, I’ve run some scans and the logs can be found attached to this post.
I’ve only got a problem with the “aswMBR.exe” scan as it crashes before completion.

I hope someone will be able to help me,

Thanks a lot in advance.

Hi, I will need the OTL scan as well.

Hi,

I have the same problem since today on my own computer, as well as my partners’.

Here they are.

I’ve compressed them into rar files and renamed them to “.log” to be able to post them. The files were too large.
You will need to rename them with a .rar extension, and decompress them, sorry for that.

@darats, could you start your own thread please, otherwise it will become confusing.

This was my own thread, or maybe I don’t understand what you meant by “own thread”…

My apologies, I meant hccdejonge.

No problem :)

Could you let me know if this stops it? If it does not, could you temporarily disable noip?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

```
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..network.proxy.socks: "108.62.255.79"
FF - prefs.js..network.proxy.socks_port: 1080
[2013/10/03 18:38:39 | 000,694,135 | ---- | M] () (No name found) -- C:\Users\Damien\AppData\Roaming\mozilla\firefox\profiles\z3joad51.default\extensions\jid1-qQSMEVsYTOjgYA@jetpack.xpi
[2013/09/26 06:56:11 | 000,030,047 | ---- | M] () (No name found) -- C:\Users\Damien\AppData\Roaming\mozilla\firefox\profiles\z3joad51.default\extensions\newtabtools@darktrojan.net.xpi
@Alternate Data Stream - 1283 bytes -> C:\ProgramData\Microsoft:NV2Kk30tuMnVD1Robbw
@Alternate Data Stream - 1099 bytes -> C:\ProgramData\Microsoft:rmwfzjJbInT5l0DuKRpq40Ku824Ce
@Alternate Data Stream - 1092 bytes -> C:\ProgramData\Microsoft:fgkbt9RTUT3UgqsuU0hXxp

:Commands
[resethosts]
[emptytemp]
[Reboot]
```

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
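Added example, not part of the original thread and not OTL's own logic: the first two entries in the fix above refer to a SOCKS proxy stored in Firefox's prefs.js. The Python below reads the `network.proxy.*` lines from a prefs.js and lists the ones worth a manual look; the function names and the sample text (including the `network.proxy.type` line) are assumptions made for the illustration.

```python
import re

# Matches lines such as: user_pref("network.proxy.socks_port", 1080);
PREF_RE = re.compile(r'^\s*user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);\s*$')

def parse_proxy_prefs(text):
    """Return {pref_name: value} for every network.proxy.* user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = (raw == "true")    # boolean pref
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)           # integer pref
        else:
            prefs[name] = raw                # unknown form, keep as written
    return prefs

def review_proxy_prefs(prefs):
    """Return a list of (pref, detail) findings worth a human look."""
    findings = []
    ptype = prefs.get("network.proxy.type")  # None: not overridden in prefs.js
    socks = prefs.get("network.proxy.socks")
    if socks:
        port = prefs.get("network.proxy.socks_port", "?")
        state = "in use" if ptype == 1 else "stored, manual mode not selected"
        findings.append(("network.proxy.socks", f"{socks}:{port} ({state})"))
    if ptype == 4:  # 4 = auto-detect proxy settings (WPAD)
        findings.append(("network.proxy.type",
                         "WPAD auto-detect: browser will request wpad.dat"))
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        state = "in use" if ptype == 2 else "stored, PAC mode not selected"
        findings.append(("network.proxy.autoconfig_url", f"{pac} ({state})"))
    return findings

# Constructed sample; the SOCKS host and port are the values in the OTL lines above.
SAMPLE = '''\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.socks", "108.62.255.79");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.type", 1);
'''

if __name__ == "__main__":
    for pref, detail in review_proxy_prefs(parse_proxy_prefs(SAMPLE)):
        print(f"{pref}: {detail}")
```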

I did the fix, and it popped back up just after reboot.

I disabled noip (which I used to get rid of my dynamic IP address, allowing me to easily run an FTP server) and it seems it did the job. No alert since.

I will let you know what happens if I enable noip back, and if I restart my computer.

OK, I feel it may be Noip downloading a fresh set of IP addresses that is alerting Avast.

Let me know how it goes

Sorry for my late answer, it didn’t fix it. Even disabling no-ip didn’t do anything.

I saw a lot of other posts about this wpad.dat infection. Do you think it could be a false infection?

I have reported it to Avast. Do you use Skype and Keis?

Skype is installed but I’m not using it.

Keis… I don’t know what it is, so I’m not using it I guess.

Could I have a fresh OTL all users scan please

Here is the OTL Scan.

As last time: I’ve rared it and renamed it to .log to be able to post it here.

Has Avast said something already about this infection?

It is not related to Skype, as I installed it on my system to check it out and not a peep from Avast here. Could you attach a screenshot of the alert, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

```
:Commands
[CREATERESTOREPOINT]

:OTL
O20:64bit: - AppInit_DLLs: (x) - File not found
O20 - AppInit_DLLs: (x) - File not found
@Alternate Data Stream - 296 bytes -> C:\Mount:$WIMMOUNTDATA

:Commands
[resethosts]
[emptytemp]
[Reboot]
```

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here are 3 screenshots with 3 times the same errors but detected through 3 different programs.

I will try your OTL fix now.

Time to go hunting

For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

For 64bit systems, download SystemLook from here.

- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:

```
:regfind
wpad.net
```

- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Here is the log:

```
SystemLook 30.07.11 by jpshortstuff
Log created at 20:10 on 14/10/2013 by —
Administrator - Elevation successful

========== regfind ==========

Searching for “wpad.net
No data found.

-= EOF =-
```

BTW it seems to have disappeared since the OTL fix.
I will try some reboots and wait a bit to see if it comes again.