Author Topic: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection  (Read 22882 times)


REDACTED

  • Guest
Still working your way through your instructions, but so far the THREAT HAS BEEN DETECTED popups are still going strong.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Are they still related to the wpad entries?

Could you run another registry search for me please

Enter the following data in the FRST search box and press search registry


wpad.browsersecurity.info;wpad.dat

REDACTED

  • Guest
Yes, still related. Let me get through your previous checklist and then I'll run another registry search.

REDACTED

  • Guest
Here are the AdwCleaner results you asked for earlier.

# AdwCleaner v5.030 - Logfile created 25/01/2016 at 02:39:08
# Updated 17/01/2016 by Xplode
# Database : 2016-01-25.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : J - J-HP
# Running from : C:\Users\J\Downloads\adwcleaner_5.030.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\Users\J\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocifcogajbgikalbpphmoedjlcfjkhgh

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Reimage.exe
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKCU\Software\Reimage
[-] Key Deleted : HKCU\Software\reimagerepair
[-] Key Deleted : HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key Deleted : [x64] HKLM\SOFTWARE\Reimage
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Reimage Repair
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\searchnu.com

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2205 bytes] ##########

REDACTED

  • Guest
And here's the result of the wpad.browsersecurity.info;wpad.dat registry search in FRST.

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-25 02:53:05)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: "wpad.browsersecurity.info;wpad.datwpad.browsersecurity.info;wpad.datwpad.browsersecurity.info;wpad.dat" ===========


===================== Search result for "wpad.browsersecurity.info" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-1a-70-e1-b3-6b]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

===================== Search result for "wpad.dat" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-18-f8-fc-b3-bc]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3142DACA-A70C-4FA8-8D89-76BE9E073974}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-1a-70-e1-b3-6b]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FDF2C48-F807-44D9-B3CA-286B311C7367}]
"WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat"
====== End of Search ======

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
After this then let me know if it stops

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete  "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete  "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that
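The two steps above (search the registry for `WpadDetectedUrl` hits, then delete the per-hive `Wpad` keys with a fixlist) can be scripted as a check. The following is an added example, not FRST's own code and not part of the thread's fix: it parses the FRST "Search Registry" output format shown earlier in the thread (a bracketed key path line followed by a `"Name"="value"` line), keeps only hits whose PAC host is not on an allowlist of expected WPAD hosts, and drafts one `Reg: reg delete` line per parent `Wpad` key, which is why the fix above removes the whole key per hive rather than each adapter subkey. The sample log, hive SIDs, adapter GUIDs and hostnames are constructed placeholders.

```python
"""Parse an FRST 'Search Registry' block for WpadDetectedUrl hits and draft the
per-hive fixlist lines that remove the affected Wpad keys.

Added example, not FRST's own code. Assumes the FRST output layout seen in the
thread: '[key path]' line, then '"WpadDetectedUrl"="url"'. Sample is constructed."""
import re
from urllib.parse import urlparse

# Constructed sample in the same shape as FRST's search output (placeholder SIDs/GUIDs/hosts).
SAMPLE_FRST_SEARCH = r'''
===================== Search result for "wpad.dat" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-11-22-33-44-55]
"WpadDetectedUrl"="http://wpad.example-bad.test/wpad.dat"

[HKEY_USERS\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAAAAAAA-0000-0000-0000-000000000001}]
"WpadDetectedUrl"="http://wpad.example-bad.test/wpad.dat"

[HKEY_USERS\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAAAAAAA-0000-0000-0000-000000000002}]
"WpadDetectedUrl"="http://wpad.corp.example/wpad.dat"
====== End of Search ======
'''

# Key line: a HKEY_USERS path that contains a \Wpad\<adapter MAC or GUID> subkey.
KEY_RE = re.compile(r'^\[(?P<key>HKEY_USERS\\[^\]]+\\Wpad\\[^\]]+)\]$')
# Value line: the auto-detected PAC URL that Windows cached for that adapter.
VAL_RE = re.compile(r'^"WpadDetectedUrl"="(?P<url>[^"]*)"$')


def parse_wpad_hits(text):
    """Return (full_key, url) for every WpadDetectedUrl value in the FRST output."""
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if m and current_key:
            hits.append((current_key, m.group('url')))
            current_key = None
    return hits


def suspicious_hits(hits, allowed_hosts):
    """Keep hits whose PAC host is not an expected WPAD host (e.g. the corporate one)."""
    allowed = {h.lower() for h in allowed_hosts}
    return [(k, u) for k, u in hits
            if (urlparse(u).hostname or '').lower() not in allowed]


def fixlist_lines(hits):
    """Draft one 'Reg: reg delete "<hive>\\...\\Wpad" /f' per parent key, in the
    FRST fixlist syntax used in the thread. Deleting the parent removes every
    adapter-specific subkey under it, so repeated hives collapse to one line."""
    parents = []
    for key, _ in hits:
        parent = key.rsplit('\\', 1)[0]  # drop the adapter MAC/GUID subkey
        if parent not in parents:
            parents.append(parent)
    return ['Reg: reg delete "%s" /f' % p for p in parents]


if __name__ == '__main__':
    found = parse_wpad_hits(SAMPLE_FRST_SEARCH)
    bad = suspicious_hits(found, allowed_hosts=['wpad.corp.example'])
    for key, url in bad:
        print('SUSPICIOUS', url, '<-', key)
    print('\n'.join(fixlist_lines(bad)))
```

The allowlist is the practitioner's check: in a domain with a legitimate WPAD server the cached `WpadDetectedUrl` should point at that host, so anything else is what the registry search is really looking for. The drafted lines are only a starting point for a fixlist and, as the post says, a fix is specific to the machine it was written for.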


REDACTED

  • Guest
Here's the fix log. wpad.dat Threat Has Been Detected popups still going.

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-25 21:36:09) Run:2
Running from C:\Users\J\Downloads
Loaded Profiles: J (Available Profiles: J)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete  "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete  "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************

Restore point was successfully created.

========= reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete  "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete  "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg add "HKEY_USERS\S-1-5-21-581647834-421146410-1571146747-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-581647834-421146410-1571146747-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-581647834-421146410-1571146747-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 452.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 21:37:58 ====

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Have the alerts now ceased?

REDACTED

  • Guest
Nope, still going. Not quite as often as before, but plenty often.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Hi again jpek, please run and attach a fresh scan of FRST, and can you provide a picture of what Avast says? It will give essexboy some information on where to locate the infection. Is the popup still related to the wpad infection or does it say something else?
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

REDACTED

  • Guest
Which scan do you want me to do? The FRST?

Here is a picture of one recent popup (attached). It's all about the wpad.dat, but sometimes it gives an IP address after the http and sometimes it doesn't mention Outlook. Mostly, they've looked like this lately though.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Hmm, when I reset the registry that should have gone, but it is now appearing to be from Office, which would tend to point the finger at an e-mail.

Let's check the registry again.


Enter the following data in the FRST search box and press search registry


wpad.browsersecurity.info;wpad.dat

REDACTED

  • Guest
Short and sweet:

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-28 01:08:53)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: "wpad.browsersecurity.info;wpad.dat" ===========

====== End of Search ======

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Do you use Office to collect e-mails? And does this occur when Office is not running?

REDACTED

  • Guest
I use Outlook for emails. I closed it and this is what the wpad.dat error started generating: