Author Topic: http://wpad.browserupdatecheck.in/wpad.dat virus  (Read 21774 times)


REDACTED

http://wpad.browserupdatecheck.in/wpad.dat virus
« on: June 30, 2015, 12:19:13 PM »
Hi

I have been getting many malware notifications for the last two days, which look like the below...

URL:               http://wpad.browserupdatecheck.in/wpad.dat
Infection:       URL:Mal
Process:         C:\Windows\System32\svchost.exe

Can someone help, please....

Eddy
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #1 on: June 30, 2015, 12:21:59 PM »
We need the log files as instructed in the sticky at the top of this forum.

magna86
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #2 on: June 30, 2015, 12:33:54 PM »
Monitoring.

REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #3 on: June 30, 2015, 01:26:48 PM »
Here is the log file by Zoek...


REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #4 on: June 30, 2015, 01:34:19 PM »
Here are the log files from Farbar Recovery Scan Tool...

REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #5 on: June 30, 2015, 01:46:55 PM »
Here is the log file from aswMBR...

Please help....

polonus
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #6 on: June 30, 2015, 01:55:05 PM »
Those users infested by this malcode, Web Attack: WPAD Spoofing, could get protection (after the malware/adware (browser hijacker) has been cleansed by a qualified remover) through this patch: http://www.microsoft.com/windows/ie/download/critical/patch6.htm

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #7 on: June 30, 2015, 02:17:16 PM »
Thanks Polonus for the information. I will wait for the removal instructions for this malware and then will download and install this patch.

magna86
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #8 on: June 30, 2015, 02:51:44 PM »
Please bump this thread later (in two or three hours) as I can't look at the logs right now.  ;)

REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #9 on: June 30, 2015, 05:33:23 PM »
Hi Sir,

I am also getting this adcash.com virus when I click any links in Firefox or IE. I think both these viruses are related to each other.

Can you please help....

magna86
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #10 on: June 30, 2015, 07:53:41 PM »
Note to myself: check the auto config URLs again.

Hi rajuvprasad,

1. Open Notepad and copy/paste the text inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
CreateRestorePoint:
Folder: C:\ProgramData\FlashBeat
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
CMD: bitsadmin /reset /allusers

CloseProcesses:
HKLM-x32\...\Run: [mbot_in_241] => [X]
HKLM-x32\...\Run: [gmsd_us_627] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3016000360-1041427054-1883944200-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
S2 insvc_1.10.0.14; "C:\Program Files (x86)\Infonaut_1.10.0.14\Service\insvc.exe" [X]

Hosts:
C:\ProgramData\FlashBeat\FlashBeat.exe
C:\WINDOWS\system32\Drivers\winpacket.pac
C:\Program Files (x86)\Infonaut_1.10.0.14

RemoveProxy:
Task: {E11CDD73-3DFB-461C-8E0B-122658557868} - \ESXTWQNGL No Task File <==== ATTENTION
Task: {EF66B45D-8CA2-4FEA-AC81-11E8E7402B25} - \JJYMKAFR1 No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\JJYMKAFR1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION

EmptyTemp:
End



2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that your version is outdated, please download and run the updated version.




REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #11 on: June 30, 2015, 08:34:16 PM »
Hi Sir,

Please find the Fixlog.txt attached...

REDACTED

Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #12 on: June 30, 2015, 09:14:50 PM »
Hi Sir,

It's 1 AM now for me; please let me know my next steps and I will execute them tomorrow morning.
As of now the virus still exists.

Thanks a lot for your kind help...

polonus
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #13 on: June 30, 2015, 10:22:51 PM »
I wonder if the Adcash.com detection is not somehow related to an insecure plug-in install (Babylon toolbar or Conduit Search crap/adware), all very persistent and to be cleansed under the guidance of a qualified malware remover, so follow magna86's instructions to the letter. I hope he will soon cleanse your computer of these undesirable "guests"  ;D

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

magna86
Re: http://wpad.browserupdatecheck.in/wpad.dat virus
« Reply #14 on: July 01, 2015, 10:57:13 AM »
Hello,

No need to wait for me all day here. When I get free time, I visit the forum and review my cases.

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers and temporarily disable your antivirus program (if necessary).
    If you are unsure how to do this, please read this or this instruction.

  • Double-click on zoek.exe to run the tool. Please wait until the tool starts...
  • Click on More Options and check only the box for AutoClean.
  • Click on the button.
    Please wait until a log report opens (this can be after a reboot).

  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named "zoek-results.log".
Then reset Google Chrome back to default settings; here is how:
https://support.google.com/chrome/answer/3296214?hl=en




And finally, please run the FRST tool again, press the Scan button and post me the freshly created FRST.txt log report for re-analysis.