WPAD/wpad.dat Avast alert

There are a few posts around regarding this issue but I know that each system is different so I started a new thread. I think I picked it up on a hotel Wifi or that is the first place I recall seeing it. The screen shots below are the alerts I am getting.
Another thing I did was reimage my laptop to Dell Factory settings and then I put some items back on from a flash drive and then I started getting the alert again. So I Restored to a point to before I put those files on there and I still got the pop up. I am getting it at home and at work. Another work associate (our main IT guy, the only other person running Avast) had the pop up come up on his computer today after he was laughing at me for having it (I’m in IT as well). One of our network guys said it looked like DNS poisoning. I read something from Skull Security about pwning hotel guests and redirecting people. I can provide the link because I didn't think it was appropriate to post a link to a hack method on here.

My concern is if it is blocked by avast how many others are infected and how the heck do I get rid of it.

I would have tried to walk through the process others did but I am heeding the warning that those fixes are for that system only on a previous post.

I would have tried to walk through the process others did but I am heeding the warning that those fixes are for that system only on a previous post
Yes, the fix given is... but the logs you need to give us first are the same; then the removal expert will make a fix for you :)

So we need logs from: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Here is the MBAM Log and I have attached the AdwC log. Running OTL now.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.30.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
csanders :: CLAYWORK-PC [administrator]

10/30/2012 6:30:05 PM
mbam-log-2012-10-30 (18-30-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 234596
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

OTL LOG

Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-30 18:47:39

18:47:39.383 OS Version: Windows 6.1.7601 Service Pack 1
18:47:39.383 Number of processors: 4 586 0x2A07
18:47:39.383 ComputerName: CLAYWORK-PC UserName: csanders
18:47:48.696 Initialize success
18:47:49.351 AVAST engine defs: 12103001
18:47:55.311 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
18:47:55.326 Disk 0 Vendor: ST932042 D005 Size: 305245MB BusType: 3
18:47:55.326 Disk 0 MBR read successfully
18:47:55.326 Disk 0 MBR scan
18:47:55.342 Disk 0 Windows VISTA default MBR code
18:47:55.342 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
18:47:55.358 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11420 MB offset 81920
18:47:55.358 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 293784 MB offset 23470080
18:47:55.373 Disk 0 scanning sectors +625139712
18:47:55.451 Disk 0 scanning C:\Windows\system32\drivers
18:48:03.906 Service scanning
18:48:18.960 Modules scanning
18:48:38.366 Disk 0 trace - called modules:
18:48:38.896 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys halmacpi.dll iaStor.sys
18:48:38.912 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x87798030]
18:48:38.912 3 CLASSPNP.SYS[8bdbd59e] → nt!IofCallDriver → [0x87797310]
18:48:38.912 5 stdcfltn.sys[8bfcb896] → nt!IofCallDriver → [0x866503d0]
18:48:38.912 7 ACPI.sys[8b6953d4] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x85c0e028]
18:48:40.347 AVAST engine scan C:\Windows
18:48:41.891 AVAST engine scan C:\Windows\system32
18:50:02.169 AVAST engine scan C:\Windows\system32\drivers
18:50:08.393 AVAST engine scan C:\Users\CSanders.TOPGOLFUSA
18:50:57.471 AVAST engine scan C:\ProgramData
18:51:09.920 Scan finished successfully
18:55:21.829 Disk 0 MBR has been saved successfully to “C:\Users\CSanders.TOPGOLFUSA\Desktop\MBR.dat”
18:55:21.829 The log file has been saved successfully to “C:\Users\CSanders.TOPGOLFUSA\Desktop\aswMBR.txt”

I also reset my router to factory settings since I was told there was a possibility this was a router issue.
Is there anything else I need to post?

And how is this transmitted since I reset the computer to factory settings? Do I have something on my flash drive that I need to get rid of that could be transferring this back to my system?

Thanks in advance for your help

Malware removers are notified. Since most are on European time and in bed now, check back late tomorrow :wink:

Hi, first we will reset the DNS and see if that clears it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I rebooted and then ran the OTL quick scan and right after it finished and showed the log, I got another Avast popup blocking the wpad again.

OK, next stage.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O15 - HKLM\..Trusted Domains: ungerboeck.com ([]file in Trusted sites)
O15 - HKLM\..Trusted Domains: ungerboeck.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ungerboeck.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: sharepoint.com ([topgolf1] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sharepoint.com ([topgolf1-admin] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sharepoint.com ([topgolf1-my] https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = topgolfusa.com

:Files
ipconfig /release /c
ipconfig /renew /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I am still getting popups saying I'm infected.

Is your domain topgolfer? If so, could you check the contents of wpad.dat on the site?

Do you mean topgolfusa.com?

Yes, sorry, a touch of dyslexia there for a minute.

I have talked to the person that handles our website to look at the wpad.dat file. Where would they look for this file?

It is somewhere within the server… Here is the MS spiel on it: http://technet.microsoft.com/library/cc713344.aspx
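As an added example (not code from this thread, from Avast or from OTL), a small Python script showing what the request to check wpad.dat on the domain is getting at: the wpad.dat URLs a Windows client derives from its DNS suffix by devolution, and a check of the proxy targets inside the PAC it receives against the proxies the network is known to run. The DNS suffix corp.example.com, the sample PAC and the 203.0.113.7 proxy are constructed placeholders standing in for the thread's domain.

```python
"""Inspect what WPAD would hand a machine: the wpad.dat URLs a client
derives from its DNS suffix, and the proxy targets inside the PAC it gets."""
import re
import sys
import urllib.request

def wpad_candidates(dns_suffix):
    """URLs a WPAD client tries by DNS devolution for a suffix, e.g.
    corp.example.com -> wpad.corp.example.com, then wpad.example.com.
    Devolution stops at the second-level domain (never wpad.<tld>)."""
    labels = [l for l in dns_suffix.lower().strip(".").split(".") if l]
    urls = []
    while len(labels) >= 2:
        urls.append("http://wpad." + ".".join(labels) + "/wpad.dat")
        labels = labels[1:]
    return urls

# PAC return values look like "PROXY host:port; SOCKS host:port; DIRECT"
DIRECTIVE_RE = re.compile(r'\b(PROXY|SOCKS5?|SOCKS4?|HTTPS?)\s+([^;"\']+)', re.I)

def proxy_directives(pac_text):
    """All (kind, host:port) proxy targets a PAC can return."""
    return [(m.group(1).upper(), m.group(2).strip())
            for m in DIRECTIVE_RE.finditer(pac_text)]

def suspicious_proxies(pac_text, expected_hosts):
    """Targets whose host is not one of the proxies the network is known to run."""
    allow = {h.lower() for h in expected_hosts}
    return [(kind, target) for kind, target in proxy_directives(pac_text)
            if target.rsplit(":", 1)[0].strip("[]").lower() not in allow]

def fetch_pac(url, timeout=5):
    """Download a candidate wpad.dat; None if the host does not answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None

# Constructed sample PAC: one legitimate proxy plus an unexpected external one.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.com"))
    return "DIRECT";
  if (shExpMatch(url, "https://*"))
    return "PROXY 203.0.113.7:3128";
  return "PROXY proxy.example.com:8080; DIRECT";
}"""

if __name__ == "__main__":
    # With a suffix argument the script fetches live; without one it uses the sample.
    suffix = sys.argv[1] if len(sys.argv) > 1 else "corp.example.com"
    for url in wpad_candidates(suffix):
        pac = fetch_pac(url) if len(sys.argv) > 1 else SAMPLE_PAC
        print(url, "->", "no response" if pac is None else proxy_directives(pac))
        if pac is not None:
            print("  unexpected:", suspicious_proxies(pac, ["proxy.example.com"]))
            break
```

WPAD also accepts a PAC URL from DHCP option 252 before it falls back to these DNS names, so the router's DHCP settings are the other place to check after a factory reset.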