Topic: Dealing with URL:Mal issue

REDACTED

  • Guest
Dealing with URL:Mal issue
« on: July 17, 2015, 10:08:53 PM »
Hey, I've been dealing with popups like this:

Quote
Infection Blocked

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I'm not really sure how to deal with this, but I believe it starts with me creating some sort of log.
Can someone well-versed in this help me out? Thank you.
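The alert quoted above is the operating system's own proxy auto-discovery (WPAD) lookup: svchost.exe hosts the WinHTTP auto-proxy service, which resolves wpad.<DNS suffix>, so a wpad.dat fetch from an external domain points at the machine's DNS suffix configuration rather than at a browser add-on. As an added example, not code from this thread or from Avast, the Python below parses an alert of this shape, classifies it, and lists DNS search-list entries that do not belong to an assumed local domain; the alert text, the local suffix corp.example and the SearchList value are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the alert format shown in the first post.
SAMPLE_ALERT = """Infection Blocked

URL: http://wpad.browserupdatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\\Windows\\System32\\svchost.exe
"""

# Assumption: DNS suffixes this machine legitimately belongs to. A home PC
# usually has none, so WPAD should never be answered by an external domain.
LOCAL_DNS_SUFFIXES = ("corp.example",)

FIELD_RE = re.compile(r"^(URL|Infection|Process):\s*(.+?)\s*$", re.M)

def parse_alert(text):
    """Extract the URL / Infection / Process fields of one alert into a dict."""
    return dict(FIELD_RE.findall(text))

def is_wpad_fetch(url):
    """True when the URL is a proxy auto-discovery request (wpad.<suffix>/wpad.dat)."""
    u = urlparse(url)
    return bool(u.hostname) and u.hostname.startswith("wpad.") and u.path.lower().endswith("/wpad.dat")

def classify(alert, local_suffixes=LOCAL_DNS_SUFFIXES):
    """Label an alert so the triage outcome says what to check next."""
    url = alert.get("URL", "")
    if not is_wpad_fetch(url):
        return "other"
    suffix = urlparse(url).hostname.split(".", 1)[1].lower()
    if suffix in {s.lower() for s in local_suffixes}:
        return "wpad-local"  # expected auto-proxy traffic
    # svchost.exe hosts the WinHTTP auto-proxy service: the OS itself resolved
    # wpad.<suffix>, so the suffix came from the system's DNS search list
    # rather than from a browser add-on.
    if alert.get("Process", "").lower().endswith("\\svchost.exe"):
        return "wpad-hijack-suffix"
    return "wpad-external"

def foreign_suffixes(search_list, local_suffixes=LOCAL_DNS_SUFFIXES):
    """Entries of a Tcpip SearchList value that no local domain accounts for.

    search_list is the comma-separated REG_SZ found under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\SearchList.
    """
    allowed = {s.lower() for s in local_suffixes}
    return [s for s in search_list.split(",") if s and s.lower() not in allowed]

if __name__ == "__main__":
    print(classify(parse_alert(SAMPLE_ALERT)))  # wpad-hijack-suffix
    # Constructed SearchList value standing in for the live registry value.
    print(foreign_suffixes("corp.example,browserupdatecheck.in"))
```

A "wpad-hijack-suffix" result means the next thing to inspect is the system DNS suffix list (and DHCP option 252), which is the same TCP/IP parameter area the thread's final reply resets with a .reg file.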

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Dealing with URL:Mal issue
« Reply #1 on: July 17, 2015, 10:10:15 PM »
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #2 on: July 17, 2015, 10:29:42 PM »
I don't really want to start another discussion here, but something I've never seen before happened when I try to download Farbar. I get a suspicious file warning from an unrelated file whenever I click to download it from the source provided, and Firefox just won't download it.

Is there another trusted source I can get it from?

Offline Asyn

Re: Dealing with URL:Mal issue
« Reply #3 on: July 17, 2015, 10:33:24 PM »
It's a FP, you can safely allow the download.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Dealing with URL:Mal issue
« Reply #4 on: July 17, 2015, 10:33:54 PM »
Monitoring...
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #5 on: July 17, 2015, 10:57:20 PM »
Here are the logs.

Offline TwinHeadedEagle

Re: Dealing with URL:Mal issue
« Reply #6 on: July 18, 2015, 06:26:21 AM »
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
Code:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #7 on: July 18, 2015, 09:02:13 AM »

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Federation on Sat 07/18/2015 at  2:24:00.90.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Federation\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

7/18/2015 2:25:10 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\Federation\AppData\Roaming\Publish Providers deleted successfully
C:\Users\Federation\AppData\Roaming\SynthMaker deleted successfully
C:\Users\Federation\AppData\Local\EmieSiteList deleted successfully
C:\Users\Federation\AppData\Local\raco deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\splashtopremoteservice deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\splashtopremoteservice deleted successfully

==== FireFox Fix ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default

---- Lines Triple Pose removed from prefs.js ----
user_pref("extensions.Triple Pose.aul", "1432094134215");
user_pref("extensions.Triple Pose.irl", true);
user_pref("extensions.Triple Pose.is", "rerbspus");
user_pref("extensions.Triple Pose.ug", "48B3F05C-D86C-4B2C-8705-E7CE1A5FC0B9");
---- FireFox user.js and prefs.js backups ----

user_20150718_0244_.backup
prefs_20150718_0244_.backup

==== Batch Command(s) Run By Tool======================


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


==== Deleting Files \ Folders ======================

C:\PROGRA~2\VST deleted
C:\PROGRA~2\Wincy deleted
C:\Users\Federation\AppData\Local\AVG Web TuneUp deleted
C:\Program Files\AVG Web TuneUp deleted
C:\PROGRA~2\Splashtop deleted
C:\PROGRA~2\COMMON~1\AVG Secure Search deleted
C:\PROGRA~3\AVG Web TuneUp deleted
C:\PROGRA~3\AVG Security Toolbar deleted
C:\PROGRA~3\Splashtop deleted
C:\PROGRA~3\AVG Secure Search deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Federation\AppData\Local\BTServer.log deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\Federation\AppData\LocalLow\AVG Web TuneUp deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\AVG Web TuneUp deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\Windows\SysWOW64\LavasoftTcpService.dll deleted
C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini deleted
C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default\jetpack deleted
"C:\ProgramData\193847656" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default
user_pref("browser.startup.homepage", "http://pergamum-purgatorium.boards.net/");
user_pref("browser.search.defaulturl", "https://www.google.com/search/?trackid=sp-006");
user_pref("browser.search.defaultengine", "Google (avast)");
user_pref("browser.search.defaultenginename", "Bing");
user_pref("browser.search.defaultenginename.US", "Google Default");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/30/2015 12:16 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\FEDERA~1\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default
- WOT - C:\Users\Federation\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- Firefox Security Update - %AppDir%\browser\extensions\jid1-sXWNoXABeFqKYg@jetpack.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Federation\AppData\Roaming\Mozilla\Firefox\Profiles\lcbw4huv.default
FD82108FD60B63010325D9AF6F00AF99   - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll -   Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found[]
eeafbffkmccheohnooflcnppngmobeoe - No path found[]
ellbonkjdmgdghkojcjmomekmjpdffde - No path found[]
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[03/30/2015 08:40 PM]
fllgpcmelbfhcligbphaaplminjpbiad - No path found[]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[03/30/2015 08:40 PM]
hpjocjloojeicikiokfiekcdpojgfefc - No path found[]
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found[]
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found[]
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found[]
oaobejgaaiojgggjojlcpbembaoajbmc - No path found[]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found[]
eeafbffkmccheohnooflcnppngmobeoe - No path found[]
ellbonkjdmgdghkojcjmomekmjpdffde - No path found[]
fllgpcmelbfhcligbphaaplminjpbiad - No path found[]
hpjocjloojeicikiokfiekcdpojgfefc - No path found[]
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found[]
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found[]
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found[]
oaobejgaaiojgggjojlcpbembaoajbmc - No path found[]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Users\Federation\Downloads\Sylvania Synet7Wid OS'\Windows CE\A. WINDOWS CE V 1.0\script\System Disk\Windows\Profiles\guest\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Federation\Downloads\Sylvania Synet7Wid OS'\Windows CE\A. WINDOWS CE V 2.0\script\System Disk\Windows\Profiles\guest\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\1503LPTH will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\32AH7Q5U will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\3G5RO0JI will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\51I7GKYP will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\6H5ZR832 will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\82MBQMZB will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BAQN4KYU will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BPBCF7DT will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\DR0UDDQS will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S17NH37N will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S39XWJR6 will be deleted at reboot
C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\X4MZGEI2 will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Federation\AppData\Local\Mozilla\Firefox\Profiles\lcbw4huv.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=1100 folders=113 1041741171 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Federation\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\FEDERA~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\1503LPTH" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\32AH7Q5U" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\3G5RO0JI" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\51I7GKYP" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\6H5ZR832" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\82MBQMZB" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BAQN4KYU" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\BPBCF7DT" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\DR0UDDQS" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S17NH37N" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\S39XWJR6" not found
"C:\Users\Federation\AppData\Local\Microsoft\Windows\INetCache\IE\X4MZGEI2" not found

==== EOF on Sat 07/18/2015 at  2:55:37.31 ======================

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #8 on: July 18, 2015, 09:05:07 AM »
Anyway, I've still got the popups.

Offline TwinHeadedEagle

Re: Dealing with URL:Mal issue
« Reply #9 on: July 18, 2015, 03:06:50 PM »
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #10 on: July 18, 2015, 07:27:09 PM »
Here are the logs.

Offline TwinHeadedEagle

Re: Dealing with URL:Mal issue
« Reply #11 on: July 18, 2015, 07:29:59 PM »
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #12 on: July 18, 2015, 08:00:51 PM »
Righteo.

I haven't seen the popup yet, so I'm just waiting to see, I guess.

REDACTED

  • Guest
Re: Dealing with URL:Mal issue
« Reply #13 on: July 18, 2015, 08:44:06 PM »
Gah...

The popup persists.

Offline TwinHeadedEagle

Re: Dealing with URL:Mal issue
« Reply #14 on: July 18, 2015, 09:43:31 PM »
http://download.bleepingcomputer.com/win-services/8/Tcpip.reg

Download and execute the above .reg file. Restart your PC. Let me know if this fixed your issue.