wpad.updatecheck

Sorry about chiming in on another thread. Desperate people do stupid things.

Having the same issue as so many others it seems. No idea what program dropped this on me. I initially had some fake cleaner and dealz on chrome. Thought I got rid of them then these strange warnings from avast about …

http:\wpad.browserupdatecheck.in/wpad.dat

I went ahead and ran a couple of scans with zoek and frst but would appreciate any help available here. Thanks.

First step, attach logs ;)

It is soon midnight in central Europe so you may not receive any reply before tomorrow

That’s fine. It can wait until tomorrow. Then I will not be interrupted as much either. Thank you.

I am back today. Will check the thread periodically.

Could you let me know if this stops the alerts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\wnavga.exe
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\cfsvc.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00053248 _____ C:\Windows\zlib.dll
2015-06-16 16:44 - 2013-12-05 07:36 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-16 16:44 - 2013-06-05 08:38 - 00004122 _____ C:\Windows\plofgye
2015-06-16 16:44 - 2013-06-05 08:37 - 00004194 _____ C:\Windows\soxe
2015-06-16 16:44 - 2013-06-05 08:36 - 00000038 _____ C:\Windows\initcvtr.bat
Task: {5D27BFAB-2A25-49B9-991A-60E34EF7F775} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
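
For readers following along, here is an added read-only PowerShell audit (not part of the helper's fix and not FRST output) that reports the state this fixlist targets, so it can be compared before and after running the fix: the per-user proxy auto-config URL (where a wpad.dat/PAC address would be pinned), the WinHTTP proxy, the DNS servers in use, the WinGraph service, the dropped files and the scheduled task named in the thread. The registry path and cmdlets are standard Windows ones; the file, service and task names are taken from the fixlist above.

```powershell
# Added audit script. It only reads; it changes nothing.
# File/service/task names come from the FRST fixlist in this thread.
$indicators = @(
    'C:\Windows\wnavga.exe', 'C:\Windows\cfsvc.exe',
    'C:\Windows\system32\ysxja.exe', 'C:\Windows\cygavb.exe',
    'C:\Windows\zlib.dll', 'C:\Windows\mstdcvtr.bat',
    'C:\Windows\plofgye', 'C:\Windows\soxe', 'C:\Windows\initcvtr.bat'
)

Write-Host "== Browser proxy / PAC settings (current user) =="
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
# AutoConfigURL holds a PAC/wpad.dat URL if one was pinned; ProxyServer a fixed proxy.
'AutoConfigURL', 'ProxyEnable', 'ProxyServer' | ForEach-Object {
    "{0,-14}: {1}" -f $_, $p.$_
}
# Services use the separate WinHTTP proxy store, so show it too.
netsh winhttp show proxy

Write-Host "`n== DNS servers per adapter (thread mentions rogue DNS entries) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

Write-Host "`n== Service named in the thread =="
Get-CimInstance Win32_Service -Filter "Name='WinGraph'" |
    Select-Object Name, State, StartMode, PathName

Write-Host "`n== Dropped files from the fixlist =="
foreach ($f in $indicators) {
    if (Test-Path -LiteralPath $f) {
        $fi  = Get-Item -LiteralPath $f
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        "{0}  size={1}  signature={2}" -f $f, $fi.Length, $sig.Status
    }
}

Write-Host "`n== Scheduled task named in the thread =="
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Execute -like '*avastBCLRestart*' } |
    Select-Object TaskName, TaskPath, State
```

Run it from an elevated PowerShell prompt; an empty section simply means that indicator is not present.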

FRST is on my desktop. Will it work with fixlist there too? And should I disable AV?

Yes they need to be together, and there is no need to stop the AV

OK I ran it twice to confirm the log but both times the warning in Avast reappeared after opening Chrome and any navigation.

I just want to mention that this laptop is using a powerline adapter running through house wiring and that I have used DNS Bench and DNS Jumper but the DNS used are of my own ISP carrier first then other secondary. Just looking for common setups that may be in play here. Thanks again.

Overall I’m pretty clueless about this stuff but I’m wondering about the possibility it may have something to do with this in my services because Dealz is also mentioned. Maybe you could translate this page better than I can.

http://vms.drweb-av.es/virus/?i=4341934

Creates many entries including:

%PROGRAM_FILES%\Dealz\Uninstaller.lnk

And this runs in my services:

WinGraph
[Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance.]

File not found: C:\Windows\wnavga.exe.exe

This wpad malware is difficult to track down as it could be any of your internet facing programmes that is hiding it…

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-06-30 13:46 - 2015-06-30 13:46 - 00000000 ____D C:\Users\Public\Documents\Baidu
2015-06-30 13:46 - 2015-06-30 13:46 - 00000000 ____D C:\ProgramData\Baidu
S2 WinGraph; C:\Windows\wnavga.exe [X]
2015-06-30 15:55 - 2015-06-30 15:55 - 00000000 ____D C:\Users\KRH14\AppData\Roaming\ProductData
2015-06-16 16:44 - 2015-06-16 16:44 - 00000000 ____D C:\Users\KRH14\AppData\Local\{15ECAB24-002D-4B73-A086-77F0B36AF563}
C:\Windows\wnavga.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Thank you and here’s the next log.

It’s a little confusing to me that even when Chrome is not open and I open a cleaner like AdwCleaner, Avast gives the wpad.updatecheck warning but names itself as the process instead of the browser or the cleaning application.

I feel this may be a false positive, hold on whilst I ask Avast to check this out

Oddly my computer seems to be bringing up webpages fine except for the interruptions by Avast. Was having trouble printing from here but could have been a symptom of diagnostics or Avast kicking in. Dealz and the fake cleaner aren’t showing up in Chrome.

I didn’t mention that SPTool was repeatedly removed on 6/18 by Avast. Don’t know what SPTool or SearchProtect are or if they left damage/traces.

C:\Users.…\AppDate\Local\Temp\nsl9D5B.tmp

I’m having the same issue and I’m wondering if it’s not a false positive also. It’s linked to my svchost.exe process but when I ran FRST like I was told to from my thread it just started popping up from other processes. Funny thing is when I uninstalled and completely removed Avast and had no antivirus on my PC I had no pop up windows at all. When I reinstalled Avast it told me it stopped pop up windows from opening immediately.

I’ve uninstalled Avast and Chrome and deleted some DNS registry entries from Rogue Killer. Added back a redundant nameserver from DNS Jumper and after multiple reboots no trace of the offending DNS entries. I think I’ll reinstall Chrome first to check for bad extensions but debating on Avast. Navigation and tools seem fast just have to check printer connection.

Hoping to hear back tomorrow on possible issues or false positives.

Still waiting on whether to reinstall avast. Only Windows Defender running at this point. After reinstalling Chrome no bad extensions trying to reinstall. It took a couple of restarts for Chrome to go online but fine since then. The DNS warnings not there on RogueKiller either.

I think I had some issues but maybe not the exact ones Avast kept warning of. Either that or all the cleaning cleared some exploit or malware along the way. No odd behaviors yet today. I’m convinced we did some good through this process and hope to be able to reinstall Avast safely but still waiting and crossing fingers.

I have heard back from Avast now and they have double checked the detection and it is good…

Are the alerts still coming?

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.

OK Thanks. Ran another AdwCleaner scan - results attached:

Are you still getting the alerts ?