Author Topic: http://wpad.browserupdatecheck.in/wpad.dat  (Read 8924 times)


REDACTED

  • Guest
http://wpad.browserupdatecheck.in/wpad.dat
« on: July 01, 2015, 06:22:50 AM »
URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Program Files\AVAST Software\Avast\avastui.exe

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Apparently this is happening to a lot of people.
I keep getting the popup from Avast! from processes from Chrome to Steam.
No clue what caused it.

Oh, I also ran zoek since every thread I've come across for the same problem here asked for it.
Other logs were made after.
I'll provide it separately since only 4 attachments are allowed per post.

Let me know if I missed anything, thanks in advance.


REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #1 on: July 01, 2015, 06:23:42 AM »
zoek

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #2 on: July 01, 2015, 10:35:06 AM »
Wait.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #3 on: July 01, 2015, 10:47:48 AM »
Pirate tool named AutoKMS for Microsoft Office has been detected in your system. You are, hereby, given the benefit of doubt and are asked to remove any pirated software located in your system. Future help will be denied if you choose to reiterate.



  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code:
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Task: {6EBB8686-5E0A-46E1-9358-81305A5712BB} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-06-08] ()
Task: {B2A10FB7-1369-40CE-977E-AF6251B739CD} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION
Task: {DDB32216-C227-4AF6-ACCF-FEFE4F529845} - \NOJDL1 No Task File <==== ATTENTION
Task: C:\Windows\Tasks\NOJDL1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
HKU\S-1-5-21-3439836924-162193635-2986529140-1001\...\MountPoints2: {d67e7345-08c3-11e5-8262-ac9e174dad4f} - "F:\SETUP.EXE"
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3439836924-162193635-2986529140-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
CMD: bitsadmin /reset /allusers
End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Attach the log in your next reply.



  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #4 on: July 01, 2015, 03:09:08 PM »
I ended up running it twice because I forgot to uninstall Office after the first time and then I found that I couldn't uninstall it through the control panel at all.
At first it said that I didn't have permission from Admin and every time after that it has a Setup Error that says "The language of this installation package is not supported by your system"
It tells me that Office is running in another program when I try to delete it manually but doesn't say where and I don't see it on Task Manager.
Here's the second log from FRST, I deleted the first one by accident because I didn't think I'd need it.
Thanks for the response.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #5 on: July 02, 2015, 09:48:04 AM »
Are you facing your initial issue?

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #6 on: July 02, 2015, 02:06:44 PM »
Yes, it's appearing less often, but it still happens every time I open Chrome or Steam and in general every few hours or so from svchost.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #7 on: July 02, 2015, 02:08:15 PM »
Please post a fresh FRST scan log for my perusal.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #8 on: July 02, 2015, 03:22:43 PM »
Here you go.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #9 on: July 02, 2015, 07:34:04 PM »
  • Step # Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code:
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
2015-06-08 07:46 - 2015-06-09 07:46 - 00000000 ____D C:\Windows\AutoKMS
2015-06-02 14:01 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\system32\ysxja.exe
2015-06-02 14:00 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\cfsvc.exe
2015-06-02 14:00 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-06-02 14:00 - 2015-04-25 05:18 - 00053248 _____ C:\Windows\zlib.dll
2015-06-02 14:00 - 2013-12-05 07:36 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-02 14:00 - 2013-06-05 08:38 - 00004122 _____ C:\Windows\plofgye
2015-06-02 14:00 - 2013-06-05 08:37 - 00004194 _____ C:\Windows\soxe
2015-06-02 14:00 - 2013-06-05 08:36 - 00000038 _____ C:\Windows\initcvtr.bat
Task: {4CEF2583-DA21-4E22-9A6A-E616D9D3BF0A} - \avastBCLRestart_chrome.exe No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Attach the log in your next reply.



  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum
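The fixlist above resets the proxy and IPSec settings without showing what they were. As an added example, not code from the thread and not FRST's or Avast's own tooling, here is a read-only PowerShell audit that reports those same settings so a defender can record the machine's state before the fix is run and confirm afterwards that it took. It assumes an elevated PowerShell 3+ session on Windows 8 / Server 2012 or later (for `Get-ScheduledTask`), the standard registry locations for WinINET, TCP/IP and IPSec settings, and uses the host name reported in this thread as its only indicator; the DNS suffix list is checked because a WPAD client looks up `wpad.<suffix>`, which is how a URL of the form `wpad.browserupdatecheck.in` comes to be requested.

```powershell
# Added example, not code from the thread or from FRST/Avast.
# Read-only audit of the settings that the fixlist's "RemoveProxy:", "netsh int ip reset"
# and IPSec directives reset. Nothing here changes the system.
# Assumes: elevated PowerShell 3+ on Windows 8 / Server 2012 or later; standard registry paths.

# Indicator taken from the thread; extend the list with any other suspect domains.
$SuspectPatterns = @('browserupdatecheck.in')

function Get-ProxyAudit {
    $findings = @()

    # Per-user WinINET settings: Chrome, Steam and other WinINET clients honour these.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.AutoConfigURL) { $findings += "WinINET AutoConfigURL (PAC) set: $($p.AutoConfigURL)" }
    if ($p -and $p.ProxyEnable -eq 1) { $findings += "WinINET manual proxy enabled: $($p.ProxyServer)" }

    # Machine-wide WinHTTP proxy: used by svchost-hosted services such as BITS and Windows Update.
    $winhttp = (& netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') { $findings += "WinHTTP proxy configured: $($winhttp.Trim())" }

    # DNS suffix search list: WPAD auto-detection looks up wpad.<suffix>, so a planted
    # suffix steers every WPAD client to an attacker-chosen PAC file.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $t = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
    if ($t -and $t.SearchList) { $findings += "DNS suffix SearchList: $($t.SearchList)" }
    if ($t -and $t.Domain)     { $findings += "Primary DNS suffix: $($t.Domain)" }

    # Local IPSec policy store. The fixlist deletes and recreates this key because an
    # assigned IPSec policy can silently filter traffic. Default installs keep unassigned
    # sample policies here, so only an assigned (ActivePolicy) policy is reported.
    $ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    $ip = Get-ItemProperty -Path $ipsec -ErrorAction SilentlyContinue
    if ($ip -and $ip.ActivePolicy) { $findings += "IPSec policy assigned: $($ip.ActivePolicy)" }

    # Mark any finding that names a known-bad domain.
    $hits = foreach ($pat in $SuspectPatterns) {
        $findings | Where-Object { $_ -like "*$pat*" } | ForEach-Object { "MATCH known-bad domain '$pat': $_" }
    }
    if ($hits) { $findings += $hits }
    return $findings
}

# Scheduled tasks whose action targets a program that is no longer on disk, the kind of
# leftover the fixlist removes. (This is not the same as FRST's "No Task File", which
# means the task's own XML definition under System32\Tasks is missing.)
function Get-OrphanedTaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            # Only check absolute paths; bare names such as cmd.exe resolve via PATH.
            if ($exe -notmatch '^[A-Za-z]:\\') { continue }
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Task = $task.TaskName; Folder = $task.TaskPath; Missing = $exe }
            }
        }
    }
}

Get-ProxyAudit
Get-OrphanedTaskActions | Format-Table -AutoSize
```

Run it once before and once after the FRST fix and keep both outputs with the Fixlog. The "Automatically detect settings" flag that drives WPAD lookups is stored as a binary blob under `Internet Settings\Connections\DefaultConnectionSettings`, which this script does not decode; the `RemoveProxy:` directive covers it.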

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #10 on: July 02, 2015, 10:46:45 PM »
Fixlog.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #11 on: July 03, 2015, 09:44:35 AM »
Use the following script instead of the previous one for fixlist.txt and press "Fix". Tell me if the issue has been resolved.
Code:
CloseProcesses:
2015-06-02 14:00 - 2015-05-14 03:03 - 00007680 _____ C:\Windows\cfsvc.exe
2015-06-02 14:00 - 2015-04-25 05:18 - 00295424 _____ (Groom-A-Zebu (tm) ) C:\Windows\cygavb.exe
2015-06-02 14:00 - 2015-04-25 05:18 - 00053248 _____ C:\Windows\zlib.dll
2015-06-02 14:00 - 2013-12-05 07:36 - 00003542 _____ C:\Windows\mstdcvtr.bat
2015-06-02 14:00 - 2013-06-05 08:38 - 00004122 _____ C:\Windows\plofgye
2015-06-02 14:00 - 2013-06-05 08:37 - 00004194 _____ C:\Windows\soxe
2015-06-02 14:00 - 2013-06-05 08:36 - 00000038 _____ C:\Windows\initcvtr.bat
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #12 on: July 03, 2015, 10:02:27 AM »
Not resolved.

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #13 on: July 04, 2015, 11:11:25 AM »
Hi,

This is a new malware so please be patient. I shall perform two new scans to locate the source--

Code:
:filefind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:folderfind
*browserupdatecheck*
*wpad*
*wpad.browserupdatecheck.in*

:Regfind
browserupdatecheck
wpad
wpad.browserupdatecheck.in
    • Click on Look;
    • After the scan a log will be opened;
    • Attach the log in your next reply.



Re-run FRST64.exe (or FRST.exe) and type the following in the Search box.
Code:
browserupdatecheck;wpad.browserupdatecheck.in;wpad
    • Click on Search Registry.
After the search, FRST will produce a log called Search.txt. Attach the log in your next reply.



  • Required Log(s):
    • SystemLook Report
    • Farbar Log--
      • Search.txt
Regards,
Valinorum

REDACTED

  • Guest
Re: http://wpad.browserupdatecheck.in/wpad.dat
« Reply #14 on: July 04, 2015, 04:52:36 PM »
No problem, I appreciate the help.
Broken link for SystemLook 64-bit.