wpad.net/wpad.dat

Viruses and worms
1

Hi!
Since yesterday I keep getting warnings about wpad.net/wpad.dat. But when I scan for it, I can’t find it. Is it real/dangerous malware? Can you help me?
I have attached all the logs you asked for in the sticky.

Thanks so much!
Michelle

2

What warning…what does it say?

You may attach a screenshot

3

Malicious URL blocked
Object: http://wpad.net/wpad.dat
Infection: URL:Mal
Proces: C:\Windows\System32\svchost.exe
(roughly translated)
This is the url avast sends me to when I ask for more information: http://www.avast.com/nl-nl/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fnl-nl%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Windows\System32\svchost.exe&p_obj=http://wpad.net/wpad.dat&p_var=.%2Ffa%2Fnl-nl%2Fvirus-alert-default&p_elm=7&p_lex=302&p_lid=nl-nl&p_lng=nl&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_vep=8&p_ves=0&p_vbd=1497&p_hid=56b18f65-7be6-46a4-b455-b26c252135d2 (dutch webpage)
There’s no real logic to when the notice comes and goes, but it’s pretty annoying. Also, at sometimes after the warning I can’t seem to reach some internetpages, but I’m not quite sure it’s related…

Thanks for your help!

4

Malware Removers are notified, it may take some time before they arrive

5

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

6

Okay, thanks for your reply. Done that. Attached the files.

7

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
MountPoints2: {e3cf9689-49a5-11e2-9bae-e06995fab977} - "K:\LaunchU3.exe" -a
HKLM-x32\...\Run: [] - [x]
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xEE7C7C89643ACB01
C:\Users\Han\AppData\Local\Temp\aqbarqcr.exe
C:\Users\Han\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Han\AppData\Local\Temp\secuniasi5506324964509094113.dll
C:\Users\Han\AppData\Local\Temp\Setup.X86.nl-NL_O365HomePremRetail_1afb5e45-0bc4-4798-a1ce-775254b8e25c_TX_DB_ (1).exe
C:\Users\Han\AppData\Local\Temp\SkypeSetup.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

------------ Next ----------------

Scan with Combofix:

[*] Please download ComboFix and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )

8

Done that. Here are the logs.

9

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

10

Okay, here’s the log again (no objects found)

11

Absolutely nothing suspiciously in logs.

12

Okay, good to know. Thanks
So what can I do about the popup warnings? Is there a way to disable them for this particular warning?

13

Start Avast update, maybe fp.

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

14

I uninstalled ComboFix and updated Avast, but keep getting the popups. What do you mean with ‘fp’?

15

FP = false positive / http://antivirus.about.com/b/2007/02/13/what-is-a-false-positive.htm

16

Thanks for all your help.
I don’t get the popups anymore (I added the url to the ignore list), and there seems to be no malware so I am perfectly happy now! Thanks!

17

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

:slight_smile:

18

I have same problem

can you help me with that i noticed that you made important note that the steps does not apply on every computer

i get the same message every time that a threat has been detected wpad.net/wpad.dat keeps popping on and on

can you help :slight_smile:

i already installed farbar and made the scan and the 2 notepads popped

19

This was a false positive and the last streaming update should have fixed it… Try a manual update just to be sure :slight_smile: