Author Topic: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection  (Read 23850 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Hmm, could you run the registry search again please, as that is where that is generated from.

REDACTED

  • Guest
What would you like me to enter as the registry search term?

Here's the latest wpad.dat threat.

Offline essexboy
wpad.browsersecurity.info;wpad.dat

The delineator is a semicolon

REDACTED

  • Guest
Well, you asked me to do this just recently, and the results are the same. This time I closed Outlook when I ran it.

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-01-30 17:33:19)
Running from C:\Users\J\Downloads
Boot Mode: Normal

================== Search Registry: "wpad.browsersecurity.info;wpad.dat" ===========

====== End of Search ======

Offline essexboy
Aye, I did, but if you look back, the first time you ran it nothing showed, but there was a result on the second run.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

REDACTED

  • Guest
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #35 on: February 01, 2016, 08:27:21 AM »
So, no further suggestions?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76017
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #36 on: February 01, 2016, 08:29:16 AM »
So, no further suggestions?
See Reply #34.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #37 on: February 04, 2016, 08:51:15 AM »
Here (attached) is the log from ComboFix. A couple of caveats. When it was running before the restart, it threw up a series of error messages, such as the ones I'm attaching, about various files, saying first that it couldn't back them up and then that it couldn't back up and then couldn't restore several files in C:\Windows\System32 (or maybe they were all in C:\Windows\System32\config, I'm not sure). There were a total of maybe 5 or 8 such files, with two error messages for each.

Also, when the system restarted and ComboFix came back up to finish its process, there was an instruction to not run any other programs while ComboFix was generating the log, but it was too late for that, as some programs automatically come up on my system at startup, and I hadn't known to turn them off. One of the programs that started at that point was the Avast virus protection you had indicated I should disable. I did disable it (disabled all shields) but only until the "next startup", so it came up automatically after the startup. Please let me know if I need to rerun ComboFix because of this.

REDACTED

  • Guest
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #38 on: February 04, 2016, 08:52:42 AM »
Meanwhile, threats are still being detected.

Offline essexboy
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #39 on: February 04, 2016, 03:52:06 PM »
Hmm, this is a bit baffling... Could you run this fix and let me know the result?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.
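An added read-only audit script (not essexboy's fix and not part of FRST or this thread) that reports the state the fixlist above resets: the per-user proxy settings, every cached decision under the "Internet Settings\Wpad" key the fixlist deletes, and the DNS suffixes Windows would prepend "wpad." to when auto-detecting a proxy. It assumes an elevated PowerShell on Windows 7 or later; the Wpad key path is from the fixlist, the other value names are standard Internet Settings and Tcpip registry values rather than anything quoted on this page.

```powershell
# Added audit script for this thread (not the FRST fixlist, not an AVZ script).
# Read-only: it reports the WPAD / proxy state the fixlist resets, so a helper
# can see which user hive and which network produced the wpad.dat fetch.
# Assumes an elevated PowerShell on Windows 7 or later.
$InetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxySettings {
    param([string]$HiveRoot)          # e.g. Registry::HKEY_USERS\S-1-5-19
    $inet = "$HiveRoot\$InetSettings"
    if (-not (Test-Path $inet)) { return }
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive          = ($HiveRoot -split '\\')[-1]
        AutoDetect    = $p.AutoDetect      # WPAD on/off; a missing value means the default (on)
        AutoConfigURL = $p.AutoConfigURL   # explicit PAC URL, normally empty on a home PC
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
    }
}

function Get-WpadCache {
    param([string]$HiveRoot)
    # The Wpad key (the one the fixlist deletes) caches one auto-detection
    # decision per network; dump every value so an unexpected name or URL stands out.
    $wpad = "$HiveRoot\$InetSettings\Wpad"
    if (-not (Test-Path $wpad)) { return }
    foreach ($key in @(Get-Item -Path $wpad) + @(Get-ChildItem -Path $wpad -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive  = ($HiveRoot -split '\\')[-1]
                Key   = $key.PSChildName
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

# Every loaded user hive: S-1-5-19 is LOCAL SERVICE (the account the WinHTTP
# auto-proxy service runs under), S-1-5-21-* are users; *_Classes hives are skipped.
$hives = Get-ChildItem -Path Registry::HKEY_USERS |
         Where-Object { $_.PSChildName -notmatch '_Classes$' }
$hives | ForEach-Object { Get-ProxySettings -HiveRoot $_.PSPath } | Format-Table -AutoSize
$hives | ForEach-Object { Get-WpadCache     -HiveRoot $_.PSPath } | Format-Table -AutoSize -Wrap

# WPAD resolves wpad.<DNS suffix>, so list the suffixes each adapter was given
# (DhcpDomain comes from the router) and any hosts-file override of "wpad".
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Get-ItemProperty -Path $tcpip | Select-Object Domain, SearchList
Get-ChildItem -Path "$tcpip\Interfaces" | Get-ItemProperty |
    Where-Object { $_.Domain -or $_.DhcpDomain } |
    Select-Object PSChildName, Domain, DhcpDomain
Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Pattern 'wpad' -SimpleMatch
netsh winhttp show proxy                     # machine-wide WinHTTP proxy used by services
```

Run it before and after the fix: the Wpad entries should be gone after the reboot, and any suffix or hosts entry pointing auto-detection at an unexpected host is the thing to look at next.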

REDACTED

  • Guest
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #40 on: February 05, 2016, 10:50:28 AM »
Here is the fixlog. Avast was still generating detected threat warnings as FRST was running, and as soon as the comp came back up after reboot it generated another one. They're not all the same. One of them had the application as FRST itself! A lot of them are either about Outlook or Winword. The one that came up first after system reboot is about svchost. I'm attaching it. But they're all wpad.dat.


---

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by J (2016-02-05 01:27:41) Run:3
Running from C:\Users\J\Downloads
Loaded Profiles: J (Available Profiles: J)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


*****************

Restore point was successfully created.

========= reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f =========

ERROR: The parameter is incorrect.



========= End of Reg: =========


=========  netsh advfirewall reset =========

Ok.


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ip reset c:\resetlog.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  ipconfig /release =========


Windows IP Configuration

No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.

Tunnel adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : fd39:9860:3a45:7223:79a1:60e:5c66:e922
   Link-local IPv6 Address . . . . . : fe80::e0de:3c9b:9388:6c10%22
   Autoconfiguration IPv4 Address. . : 169.254.108.16
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7581:daa:1b79:3238%15
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{EC52FBE5-99F1-4A1C-92FA-1564329809FA}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{18218E84-26D9-4010-BA90-C81377E1BB86}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.gateway.2wire.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{788E6285-C7A3-4156-B245-75AD089945A2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{62F0BC6E-35B1-4F77-BCF6-E2CAD3EC8E6E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


=========  ipconfig /renew =========


Windows IP Configuration

An error occurred while renewing interface Local Area Connection 2 : unable to contact your DHCP server. Request has timed out.
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.

Tunnel adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : fd39:9860:3a45:7223:79a1:60e:5c66:e922
   Link-local IPv6 Address . . . . . : fe80::e0de:3c9b:9388:6c10%22
   Autoconfiguration IPv4 Address. . : 169.254.108.16
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : gateway.2wire.net
   Link-local IPv6 Address . . . . . : fe80::7581:daa:1b79:3238%15
   IPv4 Address. . . . . . . . . . . : 192.168.0.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{EC52FBE5-99F1-4A1C-92FA-1564329809FA}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{18218E84-26D9-4010-BA90-C81377E1BB86}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{47687138-694F-43BD-9743-503A54227CAE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{788E6285-C7A3-4156-B245-75AD089945A2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{62F0BC6E-35B1-4F77-BCF6-E2CAD3EC8E6E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


=========  netsh int ipv4 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 376.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 01:32:00 ====

Offline essexboy
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #41 on: February 05, 2016, 09:12:00 PM »
Not forgotten you, I am currently trying to figure out where this is hiding and what tool could find it

Offline essexboy
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #42 on: February 07, 2016, 12:55:56 PM »
OK, you will need to upload the zip analysis to a file sharing site or Dropbox for me to collect.

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
When the tool opens select "File" > "Standard scripts"

Place a tick in:

5. Update signature database

Then press "Execute selected scripts"

Once that has executed, then
select "File" > "Standard scripts"
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled

When finished look in the folder AVZ4 on your desktop
Open the LOG folder
Upload virusinfo_syscure to a site for me to collect

REDACTED

  • Guest
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #43 on: February 12, 2016, 11:01:43 AM »
Sorry for the delay. Didn't have time for several days to deal with this issue. Here are the logs.

https://www.dropbox.com/sh/x379gj05rliduxt/AADOpb-cP2MlF__4gYK-e5Qla?dl=0.

Offline essexboy
Re: avast keeps blocking an http://wpad.browsersecurity.info/wpad.dat infection
« Reply #44 on: February 12, 2016, 02:38:38 PM »
Let me know if this stops it.

FIX

Open AVZ as before
Click "File" > "Custom scripts"

A dialogue will open
Copy and paste the following script into the marked space then press run

Script for insertion:

Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DelCLSID('{E6FB5E20-DE35-11CF-9C87-00AA005127ED}');
 DelBHO('{2670000A-7350-4f3c-8081-5663EE0C6C49}');
 DelBHO('{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}');
 DeleteFile('C:\Program Files (x86)\Mobogenie\DaemonProcess.exe','32');
 BC_DeleteFile('C:\Program Files (x86)\Mobogenie\DaemonProcess.exe');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mobilegeni daemon','command');
 DeleteFile('C:\Users\J\Downloads\tools v5.3.1.zip.exe','32');
 BC_DeleteFile('C:\Users\J\Downloads\tools v5.3.1.zip.exe');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Ensure that you copy from begin to end