Avast WEBforum

Other => Viruses and worms => Topic started by: desireezenna on October 09, 2013, 09:11:31 PM

Title: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 09:11:31 PM
Hi everybody,

I'm Desiree and I also have wpad.net/wpad.dat troubles.
First it started with Skype, now it goes to other things like Google Chrome exe and other things.
I did a malware scan and so far the comp is clean, I hope, but I still get that pad thing.
Please can somebody help me?
Thanks all
Title: Re: wpad.net/wpad.dat
Post by: Pondus on October 09, 2013, 09:19:31 PM
Follow the instructions and attach logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, removal experts will be notified and help you.
When finished, all tools used will be removed.

Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 09:21:40 PM
OK, thank you, will start on that
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:32:46 PM
Grrr, my logs won't post
Title: Re: wpad.net/wpad.dat
Post by: Secondmineboy on October 09, 2013, 10:35:20 PM
Are you attaching them?

Under the answer box is an option called attachments and other options.
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:44:34 PM
 again
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:48:48 PM
The OTL log is too large, it won't let me post it
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 09, 2013, 10:50:28 PM
Can you attach that as well please
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:55:39 PM
Your file is too large. The maximum attachment size allowed is 512 KB.
That's what I get
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 09, 2013, 10:56:39 PM
Can you split the OTL log into two and attach each part separately ?
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:59:12 PM
part 1
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 10:59:48 PM
part 2
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 11:02:27 PM
Hope this is OK like that.. as I'm blondddd   grins
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 09, 2013, 11:05:11 PM
Oops that was the extras one there should be one just called OTL.txt on the desktop  that is the one I need .. Sorry :)
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 11:07:44 PM
grins OK, I'll hunt again :)
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 09, 2013, 11:11:40 PM
Erm, can't find that ???
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 09, 2013, 11:16:53 PM
Run OTL again then please, there will only be one log this time :)

Use the same script as before
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 08:25:34 AM
I did that but I get OTL.txt and it's too big to post. It's the same one as I did in 2 parts :(
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 08:58:26 AM
This is the extra text.

Oh, and when I ran OTL again I again get something running in MS-DOS and it says ... c/windows, then lots of blah blah, and it's too long. And that goes on for a few min.
Maybe that's why the text log is too big?
 :'(
Title: Re: wpad.net/wpad.dat
Post by: Pondus on October 10, 2013, 09:13:42 AM
Quote from: desireezenna
"I did that but I get OTL.txt and it's too big to post. It's the same one as I did in 2 parts :("

You can send it to Essexboy by mail ..... I will give you his mail address in a PM in a few minutes.
See the My messages button at the top of the forum....



Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 09:16:08 AM
smiles thank you
Title: Re: wpad.net/wpad.dat
Post by: Pondus on October 10, 2013, 09:18:37 AM
Quote from: desireezenna
"smiles thank you"

Essexboy will be back online later today, usually after work hours European time   ;)

Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 09:19:24 AM
But won't he get that infection too if I send him mail?
Title: Re: wpad.net/wpad.dat
Post by: Pondus on October 10, 2013, 09:24:39 AM
Quote from: desireezenna
"But won't he get that infection too if I send him mail?"

No, it is only a .txt log file ....
And if there is someone in this forum that knows how to protect himself from (and remove) infections, then it is him   ;D

Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 09:26:22 AM
 :)  OK, will send it to him right away, thank you
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 10, 2013, 11:43:56 AM
OK let's kill this..  Did you install Splashtop?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=361&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=361&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.searchgol.com/?q={searchTerms}&babsrc=SP_ss&mntrId=94010018E786BA10&affID=125035&tsp=5030
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2865317&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.searchgol.com/?babsrc=HP_ss&mntrId=94010018E786BA10&affID=125035&tsp=5030"
FF - prefs.js..extensions.enabledAddons: plugin%40videofiledownload.com:1.5
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2865317&SearchSource=2&CUI=SB_CUI&UM=UM_ID&q="
[2012-04-01 02:08:36 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2013-10-09 06:26:31 | 000,000,000 | ---D | M] (BonanzaDeals) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\{f9d03c26-0575-497e-821d-f7956d23e0ca}
[2013-06-12 20:27:58 | 000,000,000 | ---D | M] ("Codec-V") -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\crossriderapp435@crossrider.com
[2013-10-09 06:27:17 | 000,000,000 | ---D | M] (SearchGol) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\ffxtlbr@searchgol.com
[2012-07-09 13:04:02 | 000,000,000 | ---D | M] (VideoFileDownload - Download YouTube Videos) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\plugin@videofiledownload.com
[2013-06-07 23:59:25 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\toolbar@ask.com
[2013-06-12 20:27:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\crossriderapp435@crossrider.com\chrome\content\extensionCode
[2013-10-05 03:05:26 | 000,007,537 | ---- | M] () (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\extensions\firefox@whilokii.net.xpi
[2012-04-08 09:50:29 | 000,004,929 | ---- | M] () (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}.xpi
[2013-03-30 10:44:47 | 000,000,931 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\conduit.xml
[2013-02-18 14:53:38 | 000,001,294 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\delta.xml
[2013-10-09 06:27:19 | 000,001,302 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\searchgol.xml
[2012-04-01 02:08:35 | 000,002,519 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\Search_Results.xml
[2012-04-01 02:08:35 | 000,002,519 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL File not found
O2 - BHO: (BonanzaDeals) - {fe063412-bea4-4d76-8ed3-183be6220d17} - C:\Program Files (x86)\BonanzaDeals\BonanzaDealsIE.dll (BonanzaDeals)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000..\Run: [C3] File not found
O4 - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000..\Run: [iLivid] "C:\Users\cisca\AppData\Local\iLivid\iLivid.exe" -autorun File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - File not found
[2013-10-09 21:25:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iMesh Applications
[2013-10-09 06:27:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\searchgol
[2013-10-09 06:27:13 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard
[2013-10-09 06:27:12 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\searchgol
[2013-10-09 06:27:07 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Whilokii
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Local\BonanzaDealsLive
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\ProgramData\BonanzaDealsLive
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BonanzaDealsLive
[2013-10-09 06:26:30 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BonanzaDeals
[2013-10-09 06:26:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BonanzaDeals
[2013-10-10 08:17:57 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineCore.job
[2013-10-09 06:26:54 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineUA.job
[2013-10-09 06:26:49 | 000,000,920 | ---- | C] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineCore.job

:Files
C:\Program Files (x86)\Whilokii
C:\Program Files (x86)\BonanzaDealsLive
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaimhpklononapfjngelgdokckfjekfc
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieadcoanfjloocmfafkebdnfefmohngj
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
C:\PROGRA~2\SEARCH~1
C:\Users\cisca\AppData\Local\iLivid

:Commands
[resethosts]
[emptytemp]
[Reboot]
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 08:28:49 PM
OK, doing it now, and thank you so much Essex for helping.. sorry if I don't know things right away.
OK, after the scan I will reboot and then run the scan again.. but do I need to post that stuff again in that place?
I meant at the fixes open space
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 08:31:31 PM
And Splashtop? I don't know what that is :-\
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 08:54:56 PM
OK, here's the new log
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 10, 2013, 09:24:14 PM
Hmm, that did not appear to take. Could you run this fix please? When the computer reboots a log should appear.  Could you attach that?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013-10-10 08:26:45 | 000,065,304 | ---- | M] (Whilokii) [Auto | Running] -- C:\Program Files (x86)\Whilokii\bin\utilWhilokii.exe -- (Util Whilokii)
SRV - [2013-10-09 06:26:34 | 000,148,976 | ---- | M] (BonanzaDeals) [On_Demand | Stopped] -- C:\Program Files (x86)\BonanzaDealsLive\Update\BonanzaDealsLive.exe -- (bonanzadealslivem)
SRV - [2013-10-09 06:26:34 | 000,148,976 | ---- | M] (BonanzaDeals) [Auto | Stopped] -- C:\Program Files (x86)\BonanzaDealsLive\Update\BonanzaDealsLive.exe -- (bonanzadealslive)
SRV - [2013-10-05 03:05:26 | 000,065,304 | ---- | M] (Whilokii) [Auto | Running] -- C:\Program Files (x86)\Whilokii\updateWhilokii.exe -- (Update Whilokii)
SRV - [2011-03-24 06:37:18 | 000,493,384 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe -- (WCUService_STC_FF)
SRV - [2011-03-22 10:37:16 | 000,497,480 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe -- (WCUService_STC_IE)
SRV - [2010-11-15 13:21:54 | 000,477,000 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe -- (SCBackService)
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=361&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=361&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.searchgol.com/?q={searchTerms}&babsrc=SP_ss&mntrId=94010018E786BA10&affID=125035&tsp=5030
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2865317&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.searchgol.com/?babsrc=HP_ss&mntrId=94010018E786BA10&affID=125035&tsp=5030"
FF - prefs.js..extensions.enabledAddons: plugin%40videofiledownload.com:1.5
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2865317&SearchSource=2&CUI=SB_CUI&UM=UM_ID&q="
[2012-04-01 02:08:36 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2013-10-09 06:26:31 | 000,000,000 | ---D | M] (BonanzaDeals) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\{f9d03c26-0575-497e-821d-f7956d23e0ca}
[2013-06-12 20:27:58 | 000,000,000 | ---D | M] ("Codec-V") -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\crossriderapp435@crossrider.com
[2013-10-09 06:27:17 | 000,000,000 | ---D | M] (SearchGol) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\ffxtlbr@searchgol.com
[2012-07-09 13:04:02 | 000,000,000 | ---D | M] (VideoFileDownload - Download YouTube Videos) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\plugin@videofiledownload.com
[2013-06-07 23:59:25 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\toolbar@ask.com
[2013-06-12 20:27:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\Firefox\Profiles\yxdtp2dk.default\extensions\crossriderapp435@crossrider.com\chrome\content\extensionCode
[2013-10-05 03:05:26 | 000,007,537 | ---- | M] () (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\extensions\firefox@whilokii.net.xpi
[2012-04-08 09:50:29 | 000,004,929 | ---- | M] () (No name found) -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}.xpi
[2013-03-30 10:44:47 | 000,000,931 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\conduit.xml
[2013-02-18 14:53:38 | 000,001,294 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\delta.xml
[2013-10-09 06:27:19 | 000,001,302 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\searchgol.xml
[2012-04-01 02:08:35 | 000,002,519 | ---- | M] () -- C:\Users\cisca\AppData\Roaming\mozilla\firefox\profiles\yxdtp2dk.default\searchplugins\Search_Results.xml
[2012-04-01 02:08:35 | 000,002,519 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL File not found
O2 - BHO: (BonanzaDeals) - {fe063412-bea4-4d76-8ed3-183be6220d17} - C:\Program Files (x86)\BonanzaDeals\BonanzaDealsIE.dll (BonanzaDeals)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000..\Run: [C3] File not found
O4 - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000..\Run: [iLivid] "C:\Users\cisca\AppData\Local\iLivid\iLivid.exe" -autorun File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - File not found
[2013-10-09 21:25:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iMesh Applications
[2013-10-09 06:27:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\searchgol
[2013-10-09 06:27:13 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard
[2013-10-09 06:27:12 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\searchgol
[2013-10-09 06:27:07 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Whilokii
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Local\BonanzaDealsLive
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\ProgramData\BonanzaDealsLive
[2013-10-09 06:26:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BonanzaDealsLive
[2013-10-09 06:26:30 | 000,000,000 | ---D | C] -- C:\Users\cisca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BonanzaDeals
[2013-10-09 06:26:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BonanzaDeals
[2013-10-10 08:17:57 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineCore.job
[2013-10-09 06:26:54 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineUA.job
[2013-10-09 06:26:49 | 000,000,920 | ---- | C] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineCore.job

:Files
C:\Program Files (x86)\Whilokii
C:\Program Files (x86)\BonanzaDealsLive
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaimhpklononapfjngelgdokckfjekfc
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieadcoanfjloocmfafkebdnfefmohngj
C:\Users\cisca\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
C:\PROGRA~2\SEARCH~1
C:\Users\cisca\AppData\Local\iLivid
C:\Program Files (x86)\Splashtop

:Commands
[resethosts]
[emptytemp]
[Reboot]
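
An added example, not part of the original posts and not OTL's own code: a small triage parser for the OTL line formats used in the fix scripts above. It separates entries that still load by themselves from registry leftovers marked "File not found". The field meanings are inferred from the lines shown in this thread, not from OTL documentation, and the names `Entry`, `parse_line` and `triage` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the fix scripts in this thread.
SAMPLE = r"""
SRV - [2013-10-10 08:26:45 | 000,065,304 | ---- | M] (Whilokii) [Auto | Running] -- C:\Program Files (x86)\Whilokii\bin\utilWhilokii.exe -- (Util Whilokii)
SRV - [2013-10-09 06:26:34 | 000,148,976 | ---- | M] (BonanzaDeals) [On_Demand | Stopped] -- C:\Program Files (x86)\BonanzaDealsLive\Update\BonanzaDealsLive.exe -- (bonanzadealslivem)
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL File not found
O2 - BHO: (BonanzaDeals) - {fe063412-bea4-4d76-8ed3-183be6220d17} - C:\Program Files (x86)\BonanzaDeals\BonanzaDealsIE.dll (BonanzaDeals)
O4 - HKU\S-1-5-21-1502761434-3598144597-1864420891-1000..\Run: [iLivid] "C:\Users\cisca\AppData\Local\iLivid\iLivid.exe" -autorun File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=361&systemid=406&sr=0&q={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://www.searchgol.com/?babsrc=HP_ss&mntrId=94010018E786BA10&affID=125035&tsp=5030"
[2013-10-10 08:17:57 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\BonanzaDealsLiveUpdateTaskMachineCore.job
[2013-10-09 06:27:07 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
"""

NOT_FOUND = "File not found"
# "[date time | size | attributes | M or C]" as it appears in the lines above.
STAMP = r"\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| [MC]\]"
BITS = r"(?::64bit:)?"  # optional marker for the 64-bit view

RULES = [
    ("service", re.compile(r"^SRV" + BITS + r" - " + STAMP + r" \(.*?\) "
                           r"\[(?P<start>\w+) \| \w+\] -- (?P<target>.+) -- \((?P<detail>.+)\)$")),
    ("bho", re.compile(r"^O2" + BITS + r" - BHO: \((?P<detail>.*?)\) - "
                       r"\{[0-9A-Fa-f-]+\} - (?P<target>.+)$")),
    ("run_key", re.compile(r"^O4" + BITS + r" - \S+Run: \[(?P<detail>.*?)\] (?P<target>.+)$")),
    ("appinit_dll", re.compile(r"^O20" + BITS + r" - AppInit_DLLs: \((?P<target>.*?)\) - .*$")),
    ("ie_search_scope", re.compile(r"^IE" + BITS + r' - \S+SearchScopes\\(?P<detail>\{[^}]+\}): '
                                   r'"URL" = (?P<target>\S+)$')),
    ("firefox_pref", re.compile(r'^FF - prefs\.js\.\.(?P<detail>[\w.]+): "?(?P<target>[^"]*)"?$')),
    ("file", re.compile(r"^" + STAMP + r" (?:\(.*?\) )*-- (?P<target>.+)$")),
]


@dataclass
class Entry:
    kind: str        # service, bho, run_key, appinit_dll, scheduled_task, ...
    target: str      # path, command line, URL or preference value
    missing: bool    # the line ends with "File not found"
    autostart: bool  # loads without the user launching it, and the target exists
    detail: str = ""  # service name, BHO name, Run value name, CLSID or pref key


def parse_line(line: str) -> Optional[Entry]:
    """Classify one OTL line; return None for anything not recognised."""
    line = line.strip()
    for kind, rx in RULES:
        m = rx.match(line)
        if m is None:
            continue
        g = m.groupdict()
        target, missing = g["target"], line.endswith(NOT_FOUND)
        if target.endswith(NOT_FOUND):
            target = target[: -len(NOT_FOUND)].strip()
        if kind == "bho":
            target = re.sub(r" \([^()]*\)$", "", target)  # drop trailing "(vendor)"
        if kind == "service":
            auto = g["start"] == "Auto"
        elif kind == "file":
            if "D" in g["attr"]:
                kind = "directory"
            elif re.search(r"\\windows\\tasks\\[^\\]+\.job$", target, re.I):
                kind = "scheduled_task"
            auto = kind == "scheduled_task"
        else:
            auto = kind in ("bho", "run_key", "appinit_dll")
        return Entry(kind, target, missing, auto and not missing, g.get("detail") or "")
    return None


def triage(text: str) -> dict:
    """Group parsed entries by what a responder needs to look at first."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "live_autostart": [e for e in entries if e.autostart],
        "orphaned": [e for e in entries if e.missing],
        "browser_settings": [e for e in entries
                             if e.kind in ("ie_search_scope", "firefox_pref")],
    }


if __name__ == "__main__":
    for group, items in triage(SAMPLE).items():
        print(group)
        for e in items:
            print(f"  {e.kind:16} {e.detail:28} {e.target}")
```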
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 09:34:01 PM
OK, running the new scan :o I'm so gonna kill my comp hahahah
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 10:05:54 PM
Here's the log after the reboot.
What is that weird wpad.net dat thing? Do more people get it?
Now the quick scan
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 10, 2013, 10:18:26 PM
the quick scan log
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 10, 2013, 11:38:46 PM
It is used to get a list of IP addresses

Is Avast still alerting ?
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 06:14:19 AM
Yes, it's still alerting big time.. it says skype/phone exe.. then alerts windows sidebar, then sometimes it says avast exe.
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 11, 2013, 03:29:00 PM
OK run this fix

Then run the MSFixit here http://support.microsoft.com/kb/2719662

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013-09-05 10:34:30 | 000,171,680 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)

:Commands
[resethosts]
[emptytemp]
[Reboot]
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 04:25:08 PM
Did all and here's the log.. but Avast is still doing the same grrr.
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 11, 2013, 04:40:39 PM
Could you attach a screen shot of the alert please
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 07:10:45 PM
OK, screen shot, and it's the first time I get this new one.. normally it's from skype phone exe or avast exe or windows sidebar (avast alarm)
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 07:12:46 PM
screen shot
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 11, 2013, 08:03:37 PM
Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 08:49:24 PM
OK, done it and log attached
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 11, 2013, 09:03:14 PM
Now I lost all pictograms in the bar below, like Avast and all the others I had there? ???
Does that mean they don't run anymore?
And ai ai, I turned Skype on and right away that alarm went off again
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 11, 2013, 10:48:06 PM
Is there a little up arrow next to the clock? Click that and select customise.
That will allow you to set them back on the bar again

I think I will report this to Avast as I feel that this may be a false positive on skype
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 12, 2013, 12:15:04 AM
smiles thank you and I'm sorry for taking up all your time.. but hugs you tight.
You're my hero for sure, that you saved my comp from getting a flying lesson out the window.
Really, I thank you so much, :) :-* :)
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 12, 2013, 07:53:56 AM
So this means my comp is good again? No infection or malware troubles?
 :)
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 12, 2013, 03:07:42 PM
As it stands I can see no malware, I have asked Avast to look at this and one other thread where there are detections on Skype and Kies with no apparent malware

Are the alerts still appearing after updating Avast ?
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 13, 2013, 12:20:02 AM
Well, I found out when I turn on Skype, Avast starts to alert big time, and keeps alerting.. so I have turned off Skype for now and it's quiet.
Hope Avast can set that so I can use Skype again
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 13, 2013, 01:09:02 PM
I think I will install Skype to see if I get the same alerts
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 13, 2013, 09:46:04 PM
I still get the alarms from Avast.. from skype phone exe and from avast exe .. :-[
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 13, 2013, 11:27:45 PM
Hmm I now have Skype on my system and am not experiencing any alerts

Let's look deeper

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 14, 2013, 09:49:33 PM
I'm sorry, didn't know how to stop the other programs but I stopped Avast
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 14, 2013, 10:19:31 PM
Did you install avgchrome at all ?
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 14, 2013, 10:29:52 PM
No, never installed AVG.. I always use Avast
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 14, 2013, 10:52:23 PM
OK let's remove that next.  It was installed four days ago

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:Files
c:\users\cisca\AppData\Local\avgchrome

:Commands
[resethosts]
[emptytemp]
[Reboot]
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 14, 2013, 11:15:40 PM
And the new log. And Avast still happily dings its alarm. Ppffff..
I'm so sorry it's hard to get it out, as I don't know anything about comps
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 14, 2013, 11:22:28 PM
I still don't know, as I read all the others as well with the same problems.. maybe it's Avast that has changed something??
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 15, 2013, 04:06:55 PM
I would not have thought so as I would be getting the alerts as well :)

Could you set up your computer to use OpenDNS (it is free) and let me know if the alerts continue, as I need to rule out a router infection

http://www.opendns.com/home-solutions/parental-controls/
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 08:33:08 PM
Quote from: essexboy
"I would not have thought so as I would be getting the alerts as well :)

Could you set up your computer to use OpenDNS (it is free) and let me know if the alerts continue, as I need to rule out a router infection

http://www.opendns.com/home-solutions/parental-controls/"

OK, now I get lost as I don't understand this. I signed in, then it tells me to go to control and network sharing... pff, I don't know where that all is :-[
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 08:43:01 PM
OK, found that part, but now this? "Windows: Go to Start menu -> Run -> Type cmd -> press Enter/Return, ipconfig /flushdns"
I really don't know this part.
Don't know what I've done but "Success! You're now using OpenDNS."
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 16, 2013, 08:53:06 PM
Is the alert still apparent ? 

Could you go to control panel > internet options > Programs
Select manage addons and uninstall Skype toolbar
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 08:54:29 PM
So far no alarm. I connected my Wacom tablet and I have Skype on but nothing yet. Normally Avast would scream like crazy,

what does this mean?
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 09:06:44 PM
Quote from: essexboy
"Is the alert still apparent ?

Could you go to control panel > internet options > Programs
Select manage addons and uninstall Skype toolbar"

Just checked and I don't have a Skype toolbar
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 16, 2013, 09:07:52 PM
That would indicate a router infection, as OpenDNS bypasses the DNS server in your router.  Some malware can alter the DNS server in the router to use their own.
Let it run for a while and if it holds I will tell you how to reset the router..  Meanwhile enjoy the peace and quiet :)
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 09:10:16 PM
Quote from: essexboy
"That would indicate a router infection, as OpenDNS bypasses the DNS server in your router.  Some malware can alter the DNS server in the router to use their own.
Let it run for a while and if it holds I will tell you how to reset the router..  Meanwhile enjoy the peace and quiet :)"

:D ;D smiles, well it sure is quiet without the ding ding ding from Avast.. now I've got another problem hahaha, people 2 doors from my house have been drilling for 4 months now, every day.. maybe I'll send them to this also, I want all hushhhhhhh hahaha
(joke). But OK, I'll wait for the next step to get that infection out.. but dangggggg you're great to help me like this, even if I'm a pain in the butt as I don't know it all
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 16, 2013, 09:14:33 PM
Nope, not a pain, as this type of malware changes all the time and is sometimes an exercise to track it down
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 16, 2013, 09:17:13 PM
Oh, but it's a Horizon box, but my cousin who comes here to play on his laptop doesn't get the Avast alarm though.
Oh, this is also good to know, maybe this helps the others as well with that wpad trouble
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 17, 2013, 09:33:13 AM
Ghrrr, since 2 days now I have to turn off Avast to get on the internet.. once I'm on it, it's OK...
How do I change that setting in Avast? That it allows me to go on the internet
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 17, 2013, 03:50:15 PM
What firewall are you using ? And what error do you get
Title: Re: wpad.net/wpad.dat
Post by: desireezenna on October 17, 2013, 09:13:38 PM
Just Avast, I think. But I have to set Avast off for 10 min, then I can't get on here and other stuff, then after 10 min Avast turns on and no problem.
And no error, I just can't get on the internet unless I turn off Avast for 10 min, then all is OK
Title: Re: wpad.net/wpad.dat
Post by: essexboy on October 17, 2013, 10:36:17 PM
OK let's reinstall Avast to a pristine state

Download Uninstall Utility (http://www.avast.com/uninstall-utility) to your Desktop.
Download the correct version of Avast 
Avast Free (http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe)
Avast Pro (http://files.avast.com/iavs5x/avast_pro_antivirus_setup.exe)
Avast Internet Security (http://files.avast.com/iavs5x/avast_internet_security_setup.exe)
Avast Premier (http://files.avast.com/iavs5x/avast_premier_antivirus_setup.exe)
Disconnect from the net
Uninstall Avast via control panel
