Author Topic: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection  (Read 22881 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
I've seen a few different threads addressing the wpad.dat virus -- or fake virus? -- but never quite with my details and with responses I don't quite understand, so I thought I'd start from scratch. A week or two ago Avast started finding and blocking what it claims to be an infection from a wpad.dat file. Sometimes the address is in the form of http://<ip address>/wpad.dat where the ip address changes every few minutes. More recently the address is http://wpad.browsersecurity.info/wpad.dat.

The Avast activity around this virus has brought my computer to its knees. Now every few minutes, or every few seconds, Avast pops up its warning window, dings at me and says Threat Has Been Detected. But there's almost no information about the threat. It gives the URL, says the infection is URL:Mal and, more recently, gives the process address as C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.

I am running Avast with Windows 7. Somebody please help me get rid of this!


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Additionally run FRST a second time
Copy the following into the search box :

browsersecurity.info

Then press search registry

REDACTED

  • Guest
Here they are. More attachments in the next reply

REDACTED

  • Guest
And here are the rest of them.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
OK, now you'll have to wait a bit...

REDACTED

  • Guest
Oops. It seems I posted the aswMBR log prematurely. It wasn't done with the scan. Here it is again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
You did not appear to do the registry search; could you do that section again?

Re-install Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome.
 Note: When asked about user data or settings you must remove this also so please check the box.
5. Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

THEN

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
IFEO\tbdelta.exetoolbar783881609.exe: [Debugger] tasklist.exe
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [7743472 2015-08-19] (Reimage®)
Toolbar: HKU\S-1-5-21-581647834-421146410-1571146747-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
2016-01-16 03:33 - 2016-01-16 03:34 - 00000000 ____D C:\ProgramData\Reimage Protector
2016-01-16 03:33 - 2016-01-16 03:33 - 00001901 _____ C:\Users\Public\Desktop\PC Scan & Repair by Reimage.lnk
2016-01-16 03:33 - 2016-01-16 03:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
2016-01-16 03:33 - 2016-01-16 03:33 - 00000000 ____D C:\Program Files\Reimage
2016-01-15 23:27 - 2016-01-16 03:35 - 00000150 _____ C:\windows\Reimage.ini
2016-01-15 23:27 - 2016-01-15 23:27 - 00772016 _____ (Reimage®) C:\Users\J\Downloads\ReimageRepair.exe
2016-01-16 03:34 - 2016-01-16 03:34 - 00004258 _____ C:\windows\System32\Tasks\ReimageUpdater
2016-01-16 03:34 - 2016-01-16 03:34 - 00003410 _____ C:\windows\System32\Tasks\Reimage Reminder
2016-01-16 03:33 - 2016-01-16 03:37 - 00000000 ____D C:\rei
2012-09-10 03:49 - 2012-09-10 03:49 - 0001050 ____H () C:\Users\J\AppData\Local\{793FD447-37EB-4083-B222-2E447297AF07}
2016-01-18 03:43 - 2016-01-18 03:43 - 00178938 _____ C:\windows\system32\ScanResults.xml
2016-01-18 03:34 - 2016-01-18 03:34 - 00000464 _____ C:\windows\system32\ScannerSettings
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-581647834-421146410-1571146747-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\J\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {4F3CA883-F142-4B19-897F-4C34237FE053} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2015-11-10] (Reimage ltd.) <==== ATTENTION
Task: {BAE3D24C-2952-4E5F-B271-529189EAC31C} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-08-19] (Reimage®) <==== ATTENTION
Task: {91025437-894A-4B9C-96B4-A316B1668DBB} - System32\Tasks\Unblock-us => C:\Users\J\Downloads\unblock-us.exe [2014-02-13] ()
Startup: C:\Users\J\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jonniemouse - Shortcut.lnk [2015-12-22]
ShortcutTarget: jonniemouse - Shortcut.lnk -> C:\Program Files\jonniemouse\jonniemouse.ahk ()
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

FINALLY

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Cx].txt as well.

REDACTED

  • Guest
Hi. I don't use Chrome. I use Firefox. Do I still need to do this?

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Hey jpek, yes, please run the fix essexboy has posted for you, and also go back and do the other steps he wanted as well, the registry search.

Even if you have no symptoms on your computer, that does not mean your computer is malware free.  ;)
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

REDACTED

  • Guest
Here is the registry search (attached). I uninstalled Chrome, but, since I don't use it, didn't bother with either the bookmark backup or the reinstallation. Now I'm about to start on the other steps.

REDACTED

  • Guest
I forgot to mention that, when Chrome was uninstalling, Internet Explorer opened up and gave me the following message. Don't know if it matters to this problem:

The proxy server isn’t responding
•   Check your proxy settings 127.0.0.1:8080.
Go to Tools > Internet Options > Connections. If you are on a LAN, click “LAN settings”.
•   Make sure your firewall settings aren’t blocking your web access.
•   Ask your system administrator for help.
Fix connection problems

-----
(I tried "fixing" but it failed).
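The 127.0.0.1:8080 proxy that Internet Explorer complained about and the wpad.dat URL that Avast keeps flagging both live in the per-user WinINet connection settings, which is what the RemoveProxy: directive in the FRST fix clears. The script below is an added example and is not code from this thread, from FRST or from Avast. It decodes the REG_BINARY value DefaultConnectionSettings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (version, change counter, flag bits, then three length-prefixed strings: proxy server, bypass list, PAC URL), reports the combinations that match the symptoms posted above, and can read the live value through winreg when run on Windows with --live. The sample blob is constructed to mirror those symptoms; it is not data taken from the poster's machine, and the flag names follow the four WinINet checkbox bits (direct, proxy, PAC script, auto-detect).

```python
"""Decode and assess the per-user WinINet proxy configuration on Windows.

Added example, not part of the forum thread.  Layout of the REG_BINARY value
DefaultConnectionSettings: version (u32), change counter (u32), flags (u32),
then three u32-length-prefixed ANSI strings (proxy server, bypass list,
PAC URL), followed by reserved bytes that Windows writes as zeros.
"""
import struct
import sys
from urllib.parse import urlparse

FLAG_DIRECT = 0x01      # present whenever the value exists
FLAG_PROXY = 0x02       # "Use a proxy server for your LAN"
FLAG_PAC_URL = 0x04     # "Use automatic configuration script"
FLAG_AUTODETECT = 0x08  # "Automatically detect settings" (WPAD via DHCP/DNS)


def build_connection_settings(flags, proxy_server="", bypass_list="",
                              pac_url="", counter=1):
    """Serialise a blob in the on-disk layout; used here only to construct sample data."""
    out = bytearray(struct.pack("<III", 0x46, counter, flags))  # 0x46 = common version
    for text in (proxy_server, bypass_list, pac_url):
        data = text.encode("latin-1")
        out += struct.pack("<I", len(data)) + data
    out += b"\x00" * 32  # reserved trailer; not interpreted by this parser
    return bytes(out)


def parse_connection_settings(blob):
    """Return a dict with version, counter, flags and the three strings."""
    if len(blob) < 16:
        raise ValueError("blob too short to hold header and first length field")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset = 12
    fields = {}
    for name in ("proxy_server", "bypass_list", "pac_url"):
        if offset + 4 > len(blob):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError(f"{name} length {length} runs past end of blob")
        fields[name] = blob[offset:offset + length].decode("latin-1")
        offset += length
    return {"version": version, "counter": counter, "flags": flags, **fields}


def assess(settings, trusted_pac_hosts=()):
    """List the proxy-related conditions a responder would want to look at."""
    findings = []
    flags = settings["flags"]
    if flags & FLAG_PROXY and settings["proxy_server"]:
        proxy = settings["proxy_server"]
        if any(marker in proxy for marker in ("127.0.0.1", "localhost", "::1")):
            findings.append(f"loopback proxy {proxy!r}: all browser traffic is handed "
                            "to a local listener; identify it (netstat -abno) before trusting it")
        else:
            findings.append(f"static proxy {proxy!r} configured")
    if flags & FLAG_PAC_URL and settings["pac_url"]:
        url = settings["pac_url"]
        host = (urlparse(url).hostname or "").lower()
        if host not in {h.lower() for h in trusted_pac_hosts}:
            findings.append(f"PAC script from untrusted host {host!r}: {url}")
    if flags & FLAG_AUTODETECT:
        findings.append("WPAD auto-detect enabled: wpad.dat will be fetched from DHCP "
                        "option 252 or http://wpad.<dns-suffix>/wpad.dat")
    return findings


def read_live_settings():
    """Windows only: read the current user's DefaultConnectionSettings value."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        blob, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
    return parse_connection_settings(blob)


# Constructed sample mirroring the symptoms reported in the thread (not real data).
SAMPLE_BLOB = build_connection_settings(
    FLAG_DIRECT | FLAG_PROXY | FLAG_PAC_URL | FLAG_AUTODETECT,
    proxy_server="127.0.0.1:8080",
    bypass_list="<local>",
    pac_url="http://wpad.browsersecurity.info/wpad.dat",
)

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    settings = read_live_settings() if live else parse_connection_settings(SAMPLE_BLOB)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for finding in assess(settings):
        print("FINDING:", finding)
```

Run it without arguments to see the decoding of the constructed sample; on the affected Windows machine, `python proxyaudit.py --live` reads the real value for the logged-on user. Clearing the value with FRST's RemoveProxy: resets the flags, so re-running afterwards should show only the direct flag (optionally with auto-detect) and no findings about a loopback proxy or a PAC URL.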

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
follow instructions Essexboy gave in post above and attach requested logs
Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Looks like it was all related to the bad Chrome. Could you run FRST once more please, so that I can check the proxy?

REDACTED

  • Guest
Here is the fixlog. By the way, FRST "fixed" -- quaranteened an AutoHotKeys script called jonniemouse.ahk. This was NOT malware, but an essential mouse replacement program I use with my computer. I removed it from quarantine, but I hope the other cleanup programs don't zap it. It also used to run automatically on Startup and now doesn't anymore, and I'm not sure how to restore it.