Wpad Warning/infection

Dear Avast Community!

All of a sudden I’ve started receiving Avast notices indicating that a Malicious URL has been blocked. Infection: URL:Mal and Object hxxp://wpad.net/wpad.dat (changed the tt to xx of course)

The process which triggers this can be a number of things from Skype to IE to even opening the Avast window itself.

Like most stubborn PC enthusiasts, I tried to find a fix myself first…so hopefully I haven’t messed things up to enable proper identification of the culprit…

Anyway, as the sticky topic says I attached the logs from AdwCleaner, Malwarebytes, OTL and aswMBR. However, one thing I need to mention here is that the first time I ran OTL it did show the ‘extra’ txt file, however, when I ran it again (as I had been trying a few things with ‘spy searchers’ in the meantime) it did not give me the ‘extra’ file again and I had already thrown out the old one…

As I have no clue where to start (as apparently most ‘standard’ solutions didn’t appear to work) I sincerely hope you guys will be able to help me out!

Hi, let’s try this first; let me know if the alerts continue.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2013/06/14 19:56:26 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2013/09/13 20:53:10 | 000,000,000 | ---D | M] -- C:\Users\Adrie\AppData\Roaming\Curse Advertising

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi Essexboy, thanks for the help!

After executing the script you posted the popups remained. Attached is the Quick Scan log as requested.

Hope this helps!

Somehow I did not think that would cure it. It is probably a scheduled task running, trying to get an update.

Could you download Autoruns from here http://technet.microsoft.com/en-us/sysinternals/bb963902 to your desktop
Extract the files
Right click Autoruns and select run as administrator
Under Options > Filter options… tick hide Microsoft entries
Allow it to rescan
Then screenshot all the entries and attach it here

Not sure if you wanted to have all entries, or just the one under scheduled tasks…However, as all entries resulted in a massive, ‘non-screenshotable’ list, I just screenied the scheduled task part as per your example.

See attached!

Could you remove the tick from Gather networks info
Reboot and then let me know if the wpad still occurs

Alas…the popup persists. Just for the record, attached the screenshot of Autoruns after reboot (so unticked before reboot, and was still unticked after reboot).

I just noticed 2 others with a similar issue posted…maybe there is a common denominator?

Anyway, just want to thank you for the help so far, much appreciated!

There may be; I would need to run a log comparison.

I will try the sledgehammer approach, as this programme looks in a slightly different area to the others.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Ran Combofix as instructed (with Avast shield disabled until pc restart), however, same wpad errors keep occurring.

Combofix did deinstall my Curse Client (which is a well known addon updater for World of Warcraft), which asked me if I wanted to reinstall after reboot (but I didn’t do for now) but the popup keeps being generated by Skype and Kies (Samsung phone software).

One other strange thing (which might be completely unrelated): when I hit the reply button on this forum, it first tries to save a file called ‘index’ the first three times (which I cancel) before actually letting me into the reply box. Might be due to Chrome, but it’s a bit of a strange ‘bug’…

Anyway, attached the combofix log file as requested!

The index thing is a forum bug which seems to appear randomly… So if you temporarily disable Skype and Kies updaters, does that stop the alerts? The Wpad alert is based on a programme accessing the net and getting updated IPs; 99% of the time it is malware.

You mean just disable the updaters?

For the record, Kies has shown 2 different popups if I remember correctly. One for Kies itself and one for the tray agent or something of that order. Next to these I already mentioned Skype (1 error) and Curse (no error after Combofix deinstalled it) and finally Avast. However, the Avast error might be gone now as it previously already started when I just opened the window and that didn’t happen anymore last night. Will have to check and make a more thorough inventory when I’m back home to see if there are others.

Yes, using Msconfig, disable both Skype and Kies from startup.

OK, that did something!

Started up PC (before disabling the updaters), got all the error messages (was first boot of the day, so it most likely also got the avast update). Then disabled Skype and Kies via msconfig → startup. Rebooted, and no error messages appeared after reboot (even though the first boot also gave the error with avast causing it).

Then, as a test, I started up skype manually, and the error popped up. Started up Kies, no error. Not sure if this is useful info or just related to how the updater is embedded in the software…

Anyway, after that I tried a number of other programs of which I knew they would go online. For example the World of Warcraft launcher (which checks if the game is up to date), the World of Tanks launcher (which does the same, and started downloading an update actually) and VLC Mediaplayer, which I even manually had check if there was an update. All started and ran without the error popping up. Again, not sure if this is useful info, but it might give you something :)

Btw, the first boot (so before disabling the updater) also prompted the ‘regular’ warning, but this time for dfscv (next to the standard ones such as skype and kies)…hadn’t seen that one before. But as said, that was before the startup disable exercise.

It looks as though Skype is the culprit, as it is updating its list of IP addresses.

There is no need for the Skype updater to be continually running, so I would recommend disabling it. Meanwhile, how is the computer otherwise?

So far so good. Did a reboot at some point to see if that would change anything and nothing happened. Browsed for a bit, opened up and played some warcraft, opened some other random programs, kept skype closed (after the reboot) but did open Kies, but that didn’t give any issues.

Now, the analyst in me wants to re-enable them to see if the problem comes back…or at least try to re-enable Kies first to see if that indeed didn’t do anything and Skype after. However, my brain is telling me not to :)

So, what would the sensible next steps be? Deinstalling and re-installing skype seems like the logical thing to do…but as I got myself in this situation in some way, I thought I’d ask first :)

Out of curiosity I do have a question though: How come if Skype is the culprit, and tries to update the IP addresses, why does that affect/how does that cause avast to also show warning for the other programmes?

A re-install of Skype would be a good idea, as Avast alerting on other programmes would indicate that the Skype updater is hijacking their connections.

K, just uninstalled Skype, but as the msconfig still shows the skype startup option I guess it left some registry entries. Now this is most likely harmless, but to avoid any issues, is it wise to do a registry clean action and if so, any recommended software for it?

If this is completely harmless I can just reinstall skype, but would like to verify before having to go through the entire exercise again :)

The reg entry is now completely harmless and just an orphan; it can do no harm :)

Ok, reinstalled skype (initially with the ‘auto start when windows starts up’ feature enabled), and presto, the error popup is back. Next, disabled the auto start up feature (from skype’s own menu this time) and no issue after reboot. However, as soon as you start up skype the error comes back again.

Any thoughts?

Just an additional thought…over the past few days more and more of the same errors seem to pop up on this forum…is it maybe an issue with Avast itself?

Anyway, hope you are getting some well-deserved rest :)