Author Topic: wpad.updatecheck  (Read 9188 times)

REDACTED

  • Guest
wpad.updatecheck
« on: June 30, 2015, 11:22:48 PM »
Sorry about chiming in on another thread. Desperate people do stupid things.
 
Having the same issue as so many others it seems. No idea what program dropped this on me. I initially had some fake cleaner and dealz on chrome. Thought I got rid of them then these strange warnings from avast about ...

http:\\wpad.browserupdatecheck.in/wpad.dat

I went ahead and ran a couple of scans with zoek and frst but would appreciate any help available here. Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: wpad.updatecheck
« Reply #1 on: June 30, 2015, 11:32:46 PM »
Quote
I went ahead and ran a couple of scans with zoek and frst but would appreciate any help available here. Thanks.
First step, attach logs ;)

It is soon midnight in central Europe so you may not receive any reply before tomorrow.

« Last Edit: June 30, 2015, 11:37:35 PM by Pondus »

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #2 on: July 01, 2015, 12:06:14 AM »
That's fine. It can wait until tomorrow. Then I will not be interrupted as much either. Thank you.


REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #3 on: July 01, 2015, 03:33:35 PM »
I am back today. Will check the thread periodically.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wpad.updatecheck
« Reply #4 on: July 01, 2015, 04:06:39 PM »
Could you let me know if this stops the alerts?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\wnavga.exe
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\cfsvc.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00053248 _____ C:\Windows\zlib.dll
2015-06-16 16:44 - 2013-12-05 07:36 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-16 16:44 - 2013-06-05 08:38 - 00004122 _____ C:\Windows\plofgye
2015-06-16 16:44 - 2013-06-05 08:37 - 00004194 _____ C:\Windows\soxe
2015-06-16 16:44 - 2013-06-05 08:36 - 00000038 _____ C:\Windows\initcvtr.bat
Task: {5D27BFAB-2A25-49B9-991A-60E34EF7F775} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.
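
The file entries in the fixlist above all share one creation minute (2015-06-16 16:44), and two pairs of them share size and modified time. As an added example (not part of the thread and not FRST's own code), this Python script groups FRST-style file lines on those two properties; the line layout (created, modified, size, attributes, optional company, path) is an assumption, and the sample lines are copied from the fixlist in Reply #4.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed FRST file-line layout: created - modified - size attrs [(company)] path
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d+) (\S+) (?:\((.*)\) )?([A-Za-z]:\\.*)$")
FMT = "%Y-%m-%d %H:%M"

# File entries copied from the fixlist in Reply #4 of this thread.
SAMPLE = r"""
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\wnavga.exe
2015-06-16 16:44 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\cfsvc.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-06-16 16:44 - 2015-04-25 05:18 - 00053248 _____ C:\Windows\zlib.dll
2015-06-16 16:44 - 2013-12-05 07:36 - 00003542 _____ C:\Windows\mstdcvtr.bat
"""

def parse(text):
    """Return one dict per file line; directives such as 'CMD:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, modified, size, _attrs, _company, path = m.groups()
            entries.append({"created": datetime.strptime(created, FMT),
                            "modified": datetime.strptime(modified, FMT),
                            "size": int(size), "path": path})
    return entries

def creation_clusters(entries, min_files=3):
    """Creation minutes shared by at least min_files entries."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["created"]].append(e["path"])
    return {ts: p for ts, p in groups.items() if len(p) >= min_files}

def likely_copies(entries):
    """Paths sharing size and modified time: likely one file under several names."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["modified"])].append(e["path"])
    return [p for p in groups.values() if len(p) > 1]

if __name__ == "__main__":
    files = parse(SAMPLE)
    print(creation_clusters(files), likely_copies(files))
```
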

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #5 on: July 01, 2015, 04:46:03 PM »
FRST is on my desktop. Will it work with fixlist there too? And should I disable AV?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wpad.updatecheck
« Reply #6 on: July 01, 2015, 04:51:04 PM »
Yes they need to be together, and there is no need to stop the AV

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #7 on: July 01, 2015, 05:10:50 PM »
Quote
Yes they need to be together, and there is no need to stop the AV

OK I ran it twice to confirm the log but both times the warning in Avast reappeared after opening Chrome and any navigation.

I just want to mention that this laptop is using a powerline adapter running through house wiring and that I have used DNS Bench and DNS Jumper but the DNS used are of my own ISP carrier first then other secondary. Just looking for common setups that may be in play here. Thanks again.

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #8 on: July 01, 2015, 05:40:17 PM »
Overall I'm pretty clueless about this stuff but I'm wondering about the possibility it may have something to do with this in my services because Dealz is also mentioned. Maybe you could translate this page better than I can.


http://vms.drweb-av.es/virus/?i=4341934

Creates many entries including:

%PROGRAM_FILES%\Dealz\Uninstaller.lnk

And this runs in my services:

WinGraph   
[Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance.]      

File not found: C:\Windows\wnavga.exe.exe      
« Last Edit: July 01, 2015, 05:51:58 PM by Jimdish255 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wpad.updatecheck
« Reply #9 on: July 01, 2015, 07:25:58 PM »
These wpad malware are difficult to track down as it could be any of your internet-facing programmes that is hiding it.

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
2015-06-30 13:46 - 2015-06-30 13:46 - 00000000 ____D C:\Users\Public\Documents\Baidu
2015-06-30 13:46 - 2015-06-30 13:46 - 00000000 ____D C:\ProgramData\Baidu
S2 WinGraph; C:\Windows\wnavga.exe [X]
2015-06-30 15:55 - 2015-06-30 15:55 - 00000000 ____D C:\Users\KRH14\AppData\Roaming\ProductData
2015-06-16 16:44 - 2015-06-16 16:44 - 00000000 ____D C:\Users\KRH14\AppData\Local\{15ECAB24-002D-4B73-A086-77F0B36AF563}
C:\Windows\wnavga.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #10 on: July 01, 2015, 09:28:03 PM »
Thank you and here's the next log.



REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #11 on: July 01, 2015, 09:34:29 PM »
It's a little confusing to me that even when Chrome is not open and I open a cleaner like AdwCleaner, Avast gives the wpad.updatecheck warning but names itself as the process instead of the browser or the cleaning application.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wpad.updatecheck
« Reply #12 on: July 01, 2015, 10:16:37 PM »
I feel this may be a false positive, hold on whilst I ask Avast to check this out


REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #13 on: July 02, 2015, 12:56:10 AM »
Oddly my computer seems to be bringing up webpages fine except for the interruptions by Avast. Was having trouble printing from here but could have been a symptom of diagnostics or Avast kicking in. Dealz and the fake cleaner aren't showing up in Chrome.

I didn't mention that SPTool was repeatedly removed on 6/18 by Avast. Don't know what SPTool or SearchProtect are or if they left damage/traces.

C:\Users\...\AppDate\Local\Temp\nsl9D5B.tmp

REDACTED

  • Guest
Re: wpad.updatecheck
« Reply #14 on: July 02, 2015, 01:07:34 AM »
I'm having the same issue and I'm wondering if it's not a false positive also. It's linked to my svchost.exe process, but when I ran FRST like I was told to from my thread it just started popping up from other processes. Funny thing is, when I uninstalled and completely removed Avast and had no antivirus on my PC I had no pop-up windows at all. When I reinstalled Avast it told me it stopped pop-up windows from opening immediately.