wpad notification from avast

Infection details:
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Didn’t do anything yesterday, just turned my computer on today and went on reddit and youtube. No links taking me away from either site. I’ve been getting this notification a lot tonight. It was like 70 times in 20 mins, went away for a while, and now here and there. Did every scan and update that avast has too.
Anyway, I saw another thread from 2013 with this issue and a malware removal person said post Farbar logs, so here are mine attached, as well as Malwarebytes. Not sure what to do. It just says the threat is blocked but I’d like to remove it and not have this pop up all day.

– Malwarebytes has detected 3 threats as malware in internet settings, and gives me an option to remove selected but I will wait to see what someone that knows what they’re doing says to do.

Hello,

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the Zoek icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Internet was down today when I ran it. Once I reconnected, I got the threat detected again.
Here is the log:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Myrmidon on Tue 06/30/2015 at 14:20:45.71.
Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Myrmidon\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/30/2015 2:21:49 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~3\Riot Games deleted successfully
C:\Users\Myrmidon\AppData\Local\Adobe deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\Users\Myrmidon\AppData\Roaming\StepMania 5 deleted
C:\PROGRA~2\Dealz deleted
C:\Users\Myrmidon\AppData\Roaming\SpeedRunnersLog.txt deleted
C:\PROGRA~3\Package Cache deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Myrmidon\AppData\Roaming\Mozilla\Firefox\Profiles\hiwx6wcj.default
user_pref("browser.search.defaultenginename.US", "Google");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/04/2015 07:45 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Myrmidon\AppData\Roaming\Mozilla\Firefox\Profiles\hiwx6wcj.default

  • Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
  • Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
  • Skype Click to Call - %AppDir%\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Myrmidon\AppData\Roaming\Mozilla\Firefox\Profiles\hiwx6wcj.default
2820FF3A306D6AEB8BFBBB753BD83EBE - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll - Shockwave Flash

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found
eeafbffkmccheohnooflcnppngmobeoe - No path found
ellbonkjdmgdghkojcjmomekmjpdffde - No path found
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[06/04/2015 07:45 PM]
fllgpcmelbfhcligbphaaplminjpbiad - No path found
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/04/2015 07:45 PM]
hpjocjloojeicikiokfiekcdpojgfefc - No path found
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found
oaobejgaaiojgggjojlcpbembaoajbmc - No path found

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found
eeafbffkmccheohnooflcnppngmobeoe - No path found
ellbonkjdmgdghkojcjmomekmjpdffde - No path found
fllgpcmelbfhcligbphaaplminjpbiad - No path found
hpjocjloojeicikiokfiekcdpojgfefc - No path found
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found
oaobejgaaiojgggjojlcpbembaoajbmc - No path found

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Myrmidon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Myrmidon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Myrmidon\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Myrmidon\AppData\Local\Mozilla\Firefox\Profiles\hiwx6wcj.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=9581 folders=62 129219240 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Myrmidon\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Myrmidon\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\MpCmdRun.log" not found
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted

==== EOF on Tue 06/30/2015 at 14:43:48.19 ======================

Fix with Farbar Recovery Scan Tool

[B]This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.[/B]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Ok here are the new versions after running farbar

Stand by until Avast team check this, it could be a false detection.

Ok thanks I hope so. Seems pretty popular over the last week or so in this forum.

Please run Windows Update and install all updates. Then tell me do you still have this warning.

I had one update available and installed it. So far, for ten minutes of browsing youtube and reddit while running steam and battlenet, not one pop up. Hopefully it’ll stay like this. If not, should I use the remove tool from Malwarebytes? Or does that do nothing/make things worse?

Edit - two minutes after posting, I got one notification.

Did you check Windows update again?

Actually yes I just came to post that I had another update just pop up with 7 security updates. I installed them like 30 mins ago, and haven’t had anything pop up yet. So crossing my fingers and hoping it stays that way lol.

Edit - - Little later and I have had two notifications.

User inavas725 asked me to examine his logs. But I will need a pair of fresh logs. So, let’s start …

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type browserupdatecheck.in;wpad.dat into the Search: field in FRST then click the Search Registry button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.


Please download ZHPDiag to your desktop.

Take action to disable your antivirus and antispyware programs, as they may conflict with ZHPDiag

Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Installing ZHPDiag

[*] Double-click zhpdiag.exe to start the installation.
[*] Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
[*]Click “Suivant” several times during the installation process.
[*]Click “Installer” when asked and “Terminer” once the installation is complete.

Running ZHPDiag

[*]Double-click the shortcut ZHPDiag on your desktop.
[*]The user interface will appear, now select “Configureren”.
[*]If the tool’s default language isn’t set to English, click the “Sélectionner une langue” icon in the bottom right corner and choose “Anglais”.
[*]Next, click the “Diagnostic Options” icon in the bottom left.
[*]ZHPDiag is now scanning your computer. Please wait patiently until the scan is finished.


The ZHPDiag.txt logfile

[*] When finished, a logfile named “ZHPDiag.txt” will appear on your desktop.
[*]Please post the logfile for further review in your next comment.

Thank you here are the files from farbar and ZHPDiag

Step#1

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

CreateRestorePoint:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f

CloseProcesses:
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-11294209-4257628774-222361910-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx

Hosts:
R3 ALSysIO; \??\C:\Users\Myrmidon\AppData\Local\Temp\ALSysIO64.sys [X]

Reboot:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Step#2

Please download file and save it to your desktop;
http://download.bleepingcomputer.com/win-services/7/Tcpip.reg
NOTICE: This file was written specifically for this OS, for use on that particular system. Running this on another machine/system may cause damage to the operating system

Run the file, allow merging into registry and reboot your PC after that.

Then, reset Chrome browsers back to defaults settings.
https://support.google.com/chrome/answer/3296214?hl=en

Now, monitor your PC and report the computer’s behavior here after these fixes.
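A read-only check a defender can run after Step#1 and Step#2 to confirm the machine is clean instead of waiting for the next Avast alert (added here as an example; it is not part of the thread and not FRST's or Zoek's code). It reads the two Wpad keys named in the fixlist, the interactive user's auto-detect flag, the system-wide WinHTTP proxy that svchost.exe uses, and what the bare name wpad resolves to on the current DNS suffix list; the byte-8 flag layout of DefaultConnectionSettings is assumed from the documented format of that value.

```powershell
# Added example, not from the thread or from FRST/Zoek: read-only WPAD check.
# Run in an elevated PowerShell; nothing is changed. Works on Windows 7.

# 1. The two Wpad caches the Step#1 fix deletes and recreates (paths from the fixlist).
#    Windows stores one subkey per network it has probed, holding values such as
#    WpadDecision and WpadDetectedUrl; after the fix both keys should be empty.
$wpadKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
)
foreach ($key in $wpadKeys) {
    if (-not (Test-Path -Path $key)) { Write-Output "$key : missing"; continue }
    $subkeys = @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    Write-Output ("{0} : {1} cached subkey(s)" -f $key, $subkeys.Count)
    foreach ($sk in $subkeys) {
        # Print every Wpad* value so a previously detected wpad.dat URL is visible at a glance.
        $props = Get-ItemProperty -Path $sk.PSPath
        $props.PSObject.Properties |
            Where-Object { $_.Name -like 'Wpad*' } |
            ForEach-Object { Write-Output ("    {0}\{1} = {2}" -f $sk.PSChildName, $_.Name, $_.Value) }
    }
}

# 2. "Automatically detect settings" for the logged-on user: byte 8 of the
#    DefaultConnectionSettings blob is a flag byte, and bit 0x08 means WPAD auto-detect.
$connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($blob -and $blob.Length -gt 8) {
    Write-Output ("Current user WPAD auto-detect enabled: {0}" -f (($blob[8] -band 0x08) -ne 0))
}

# 3. System-wide WinHTTP proxy: this is what the auto-proxy service inside svchost.exe
#    (the process named in the Avast alert) uses. "Direct access (no proxy server)" is expected.
netsh winhttp show proxy

# 4. The DNS suffixes Windows appends to "wpad", and what the name finally resolves to.
#    A host outside your own domain, like the .in name in the alert, is the thing to chase.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Write-Output ("{0}: suffix={1} search list={2}" -f $_.Description, $_.DNSDomain, ($_.DNSDomainSuffixSearchOrder -join ','))
    }
try {
    [System.Net.Dns]::GetHostAddresses('wpad') |
        ForEach-Object { Write-Output ("wpad resolves to {0}" -f $_.IPAddressToString) }
} catch {
    Write-Output 'wpad does not resolve (expected on a clean home network)'
}
```

If step 4 still resolves wpad to a name you do not own after the fix, the suffix comes from the network (router or ISP DNS settings) rather than from the machine, and that is where to look next.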

Thank you. I have done everything in this post, and so far I haven’t had any popups. In the last two days they’ve come up later after thinking it was gone. Also, I do not have Chrome installed on this computer. I use firefox. Not sure if that makes a difference in anything you want me to do because Chrome was mentioned in your reply.