Author Topic: Virus Issue. Fed up with the popup  (Read 7915 times)


REDACTED

  • Guest
Virus Issue. Fed up with the popup
« on: June 30, 2015, 04:26:41 PM »
Hi,
I'm getting this notification:
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
Attaching the initial files of Farbar recovery tool.
Please help.
Regards,
Mahima

« Last Edit: June 30, 2015, 04:40:51 PM by mahiema »

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #1 on: July 01, 2015, 08:28:21 AM »
Hello,

Looking for help still..
Zoek.exe found a lot of issues and used the fix functionality to fix those & restarted the machine.
But still issue persists.

Will appreciate if someone can help.

Regards,
Mahima

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #2 on: July 01, 2015, 10:16:39 AM »
Please do not try any more self-fixes, especially with specialized tools. Await my next reply.

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #3 on: July 01, 2015, 10:25:22 AM »
Reset Google Chrome after completing the following steps.

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code:
Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
HKLM\...\Run: [gmsd_in_007010002] => [X]
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\...\MountPoints2: {4189226b-9625-11e4-940e-7071bcbc998f} - M:\AutoRun.exe
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\...\MountPoints2: {e14d0ecc-744e-11e4-b556-806e6f6e6963} - L:\Setup.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
AutoConfigURL: [HKLM] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
2015-06-19 23:21 - 2015-06-19 23:21 - 00000000 ____D C:\Program Files\predm
CMD:bitsadmin /reset /allusers
End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Attach the log in your next reply.



  • Step #2 Fix with AdwCleaner
    • Download AdwCleaner by Xplode to your Desktop from the following link.
    • Right-click on AdwCleaner.exe and choose Run as administrator;
    • Click on Scan and let the program run unhindered;
    • When done, click on Clean and allow the system to reboot after it is done;
    • A log will be opened automatically after the restart;
    • Attach the log in your reply.


  • Required Log(s):
    • FRST Fix Log
    • AdwCleaner Log
Regards,
Valinorum

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #4 on: July 01, 2015, 07:29:11 PM »
Hi,
Performed all the steps mentioned by you.. Have attached the logs as well..

Still getting an error now..
Can see two file names now.. one is svchost.exe and another is chrome.exe

Also the error is now coming for avastui.exe
  :-[
Please help
Have scanned again using Frst.exe and have attached those logs as well.. Not sure what is going wrong..

Regards,
Mahima
« Last Edit: July 01, 2015, 07:38:01 PM by mahiema »

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #5 on: July 02, 2015, 10:11:09 AM »
Hi,
Can you tell me what kind of error you are receiving? Are you using F5 Networks VPN Manager?



  • Step #3 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code:
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-742050042-1688449921-1910185277-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\Admin\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerControl.cab#-1,-1,-1,-1
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxshost.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\Admin\AppData\Local\Temp\f5tmp\urxhost.cab

CHR Extension: (Google Wallet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-01]
CHR HKLM\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx

CHR HKLM\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-742050042-1688449921-1910185277-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
OPR Extension: (F5 Networks Plugin Host) - C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Extensions\bfjhelpopbdbnlfmjkbkfkbfmbneaeob [2015-01-07]

S3 f5ipfw; C:\Windows\system32\drivers\urfltwlh.sys [28392 2014-04-08] (F5 Networks, Inc.)

R3 urvpndrv; C:\Windows\System32\DRIVERS\covpnwlh.sys [40528 2014-04-08] (F5 Networks, Inc.)

2015-06-07 20:22 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-07 20:22 - 2015-04-25 14:48 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe

2015-06-07 20:22 - 2015-04-25 14:48 - 00053248 _____ C:\Windows\zlib.dll
2015-06-07 20:22 - 2013-12-05 18:06 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-07 20:22 - 2013-06-05 18:08 - 00004122 _____ C:\Windows\plofgye
2015-06-07 20:22 - 2013-06-05 18:07 - 00004194 _____ C:\Windows\soxe
2015-06-07 20:22 - 2013-06-05 18:06 - 00000038 _____ C:\Windows\initcvtr.bat

Task: {4CEF2583-DA21-4E22-9A6A-E616D9D3BF0A} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
        Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.



  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum
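The AutoConfigURL entries in the Reply #3 fix (a .pac file under system32\Drivers for HKLM and the service SIDs S-1-5-19 and S-1-5-20) and the RemoveProxy: directive in the fix above both deal with the same mechanism: whoever controls the proxy auto-config script controls where the browser sends its traffic, which is why avast keeps flagging wpad.browserupdatecheck.in/wpad.dat from svchost.exe and chrome.exe. The following triage script is an added example, not from the thread, avast or FRST. On Windows it reads the live Internet Settings key under HKLM and every loaded HKU hive with winreg; elsewhere it runs over a constructed sample modelled on the FRST lines quoted in this thread. TRUSTED_PAC_HOSTS, the severities, the function names and the -1001 SID in the sample are assumptions.

```python
"""Triage Windows proxy auto-config settings for the hijack pattern in this thread:
AutoConfigURL set to a local .pac under system32\\Drivers, or to a wpad.<domain>/wpad.dat
URL outside the organisation. Added example, not from the thread, avast or FRST; function
names, severities, TRUSTED_PAC_HOSTS and SAMPLE_HIVES are assumptions / constructed data."""
import re
import sys
from urllib.parse import urlparse

# Key (same under HKLM and each HKU\<SID>) whose AutoConfigURL value FRST reports.
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.\-]*)://(?P<rest>.*)$", re.IGNORECASE)

# Assumption: PAC servers the organisation actually operates (constructed placeholder).
TRUSTED_PAC_HOSTS = {"proxy.corp.example"}

# Constructed sample modelled on the FRST lines quoted in this thread; the -1001 SID is invented.
SAMPLE_HIVES = {
    "HKLM": {"AutoConfigURL": r"file://C:\Windows\system32\Drivers\winpacket.pac"},
    "HKU\\S-1-5-19": {"AutoConfigURL": r"file://C:\Windows\system32\Drivers\winpacket.pac"},
    "HKU\\S-1-5-20": {"ProxyEnable": 1, "ProxyServer": "http=198.51.100.7:3128;https=198.51.100.7:3128"},
    "HKU\\S-1-5-21-742050042-1688449921-1910185277-1000": {"AutoConfigURL": "http://wpad.browserupdatecheck.in/wpad.dat"},
    "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001": {"AutoConfigURL": "https://proxy.corp.example/proxy.pac"},
}


def assess_autoconfig_url(hive, url, trusted_hosts):
    """Return findings (hive, severity, message) for one AutoConfigURL value."""
    findings = []
    if not url or not str(url).strip():
        return findings
    url = str(url).strip()
    m = URL_RE.match(url)
    if not m:
        return [(hive, "medium", f"AutoConfigURL is not a URL: {url!r}")]
    scheme, rest = m.group("scheme").lower(), m.group("rest")
    if scheme == "file":
        # Local PAC files are rare outside managed builds; one under %SystemRoot% is not a Windows default.
        local = "\\" + rest.lstrip("/").replace("/", "\\").lower()
        findings.append((hive, "high", f"AutoConfigURL points at a local PAC file: {url}"))
        if "\\windows\\" in local:
            findings.append((hive, "high", "local PAC file lives under the Windows directory"))
        return findings
    if scheme not in ("http", "https"):
        return [(hive, "medium", f"unexpected AutoConfigURL scheme {scheme!r}: {url}")]
    host = (urlparse(url).hostname or "").lower()
    if host not in trusted_hosts:
        # A wpad.* name outside the organisation's domains mimics WPAD auto-discovery.
        sev = "high" if host.startswith("wpad.") else "medium"
        findings.append((hive, sev, f"AutoConfigURL host {host!r} is not an approved PAC server: {url}"))
    if scheme == "http":
        findings.append((hive, "low", "PAC is fetched over plain HTTP and can be altered in transit"))
    return findings


def assess_proxy_server(hive, values, trusted_hosts):
    """Findings for a static proxy (ProxyEnable=1) that points at an unapproved host."""
    if str(values.get("ProxyEnable", 0)) != "1":
        return []
    hosts = set()
    for entry in str(values.get("ProxyServer", "")).split(";"):
        entry = entry.split("=", 1)[-1].strip()        # "https=host:port" -> "host:port"
        if entry:
            hosts.add(entry.rsplit(":", 1)[0].lower())  # drop the port
    return [(hive, "medium", f"static proxy {h!r} is not an approved proxy") for h in sorted(hosts - trusted_hosts)]


def triage_hives(hives, trusted_hosts):
    """Run both checks over {hive_label: {value_name: data}}; findings keep hive order."""
    findings = []
    for hive, values in hives.items():
        findings += assess_autoconfig_url(hive, values.get("AutoConfigURL"), trusted_hosts)
        findings += assess_proxy_server(hive, values, trusted_hosts)
    return findings


def read_internet_settings_windows():
    """Collect the same values from the live registry: HKLM plus every loaded HKU\\<SID> hive."""
    import winreg  # Windows only
    targets = [("HKLM", winreg.HKEY_LOCAL_MACHINE, INTERNET_SETTINGS)]
    i = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:
            break
        targets.append((f"HKU\\{sid}", winreg.HKEY_USERS, f"{sid}\\{INTERNET_SETTINGS}"))
        i += 1
    hives = {}
    for label, root, path in targets:
        try:
            with winreg.OpenKey(root, path) as key:
                values = {}
                for name in ("AutoConfigURL", "ProxyEnable", "ProxyServer"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        pass  # value not set in this hive
                hives[label] = values
        except OSError:
            continue  # key absent, hive not loaded, or no access
    return hives


if __name__ == "__main__":
    hives = read_internet_settings_windows() if sys.platform == "win32" else SAMPLE_HIVES
    for hive, sev, msg in triage_hives(hives, TRUSTED_PAC_HOSTS):
        print(f"[{sev:>6}] {hive}: {msg}")
```

Run it as an administrator so the service SIDs' hives (S-1-5-19, S-1-5-20) are readable; an AutoConfigURL that survives a RemoveProxy: fix, as happened between Reply #5 and Reply #8 here, points to something still running that rewrites the value, which is what the later process hunt in this thread is about.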

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #6 on: July 02, 2015, 12:04:52 PM »
Hi,
It is the same error as mentioned in the original post.. however, I am seeing new exe names now..
one is avastui.exe and another is chrome.exe which was not coming earlier.
I am not using any F5 network... but had given the PC to a friend who was using it for work from home..
She might be using it..
Please let me know if I have to uninstall it.
I am in the office currently and will try the solution posted by you once I am home.

Thanks for all the help.

Regards,
Mahima

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #7 on: July 02, 2015, 01:41:31 PM »
Yes, uninstall it please. If you cannot, proceed to the fix I listed above.

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #8 on: July 02, 2015, 08:06:06 PM »
Still getting the same popup..
I don't know what is going wrong.
Also I am not able to see V5 network in my installed programs in Control Panel..
Not sure from where I uninstall it.
Have attached the fixlog for the latest run for your reference.

Regards,
Mahima

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #9 on: July 02, 2015, 10:10:31 PM »
Provide me another fresh FRST scan log. This is a new type of infection.

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #10 on: July 03, 2015, 07:55:32 AM »
Hi,
I managed to uninstall the software after I posted my reply..
It was with a different name.
Will provide a fresh log once I am back home tonight.
Thanks for all the support.. really appreciated..

Regards,
Mahima

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #11 on: July 03, 2015, 06:21:47 PM »
Hi,
Have attached a fresh log for Frst.txt and Addition.txt..
I observed a strange behavior today..
I saw two exes in Task Manager.. one was DWX.exe and another PEVS.exe

I found the names suspicious and clicked on the exe and tried to open the file location...
the moment I clicked Open file location, the exe disappeared from Task Manager..

Mahima

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #12 on: July 04, 2015, 08:46:01 AM »
Good morning...
The number of times the popup is coming has considerably doubled up now...
it's just not letting me do anything.

Help please

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #13 on: July 04, 2015, 11:14:24 AM »
Hi,

This is a new malware so please be patient. I shall perform two new scans to locate the source--

Code:
:filefind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*
PEVS.exe
DWX.exe

:folderfind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in
    • Click on Look;
    • After the scan a log will be opened;
    • Attach the log in your next reply.



Re-run FRST64.exe (or FRST.exe) and type the following in the Search box.
Code:
browserupdatecheck;wpad.browserupdatecheck.in;wpad
    • Click on Search Registry.
After the search, FRST will produce a log called Search.txt. Attach the log in your next reply.



  • Required Log(s):
    • SystemLook Report
    • Farbar Log--
      • Search.txt
Regards,
Valinorum

REDACTED

  • Guest
Re: Virus Issue. Fed up with the popup
« Reply #14 on: July 04, 2015, 11:29:16 AM »
Getting the below error when I click on the link to download SystemLook Search.

Not Found

The requested URL /SystemLook.exe was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Do we have any alternate link to download it?