little help removing http://wpad.browsersecurity.info/wpad.dat please

[REDACTED]

had this pop up in the last couple days,. i've run FRST, and have attached. if we can work together and help murderize it, that would be greatly appreciated

[Pondus]

FRST will produce two logs ( additions.txt ) if you followed instructions, so one is missing
See picture for what is selected

[REDACTED]

oh, sorry could of sworn i had that attached....

[dbrisendine]

What popup are you seeing?  Can you post a screenshot of it?

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy.  Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

Code: [Select]

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2399731810-1161899897-192117391-1000\...\MountPoints2: {3f9720a7-34bd-11e5-a499-8c89a556251a} - "F:\Setup.exe"
CHR StartupUrls: Default -> "hxxp://search.fantastigames.com/453","hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48&sspv=CHAUTOTB","hxxp://search.babylon.com/?affID=110803&tt=4512_2&babsrc=HP_ss&mntrId=3262058b000000000000c0c1c05f6497"
CHR Extension: (Google Drive) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (Google Search) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
U3 idsvc; no ImagePath
2016-07-05 20:02 - 2015-11-24 00:36 - 00166488 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8F72.tmp
2016-07-05 20:01 - 2015-11-24 00:36 - 09798560 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET882B.tmp
2016-07-05 20:01 - 2015-11-24 00:35 - 10707032 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8BF9.tmp
2016-07-05 20:01 - 2015-11-24 00:35 - 01515312 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8FA5.tmp
2016-07-05 19:13 - 2015-11-24 00:31 - 00498176 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\SET8F60.tmp
2016-06-25 20:56 - 2015-11-24 00:36 - 09893144 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET4B9E.tmp
2016-06-25 20:56 - 2015-11-24 00:36 - 00176840 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET5D8A.tmp
2016-06-25 20:56 - 2015-11-24 00:35 - 10809000 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET53FD.tmp
2016-06-25 20:55 - 2015-11-24 00:35 - 01537512 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET5DBD.tmp
2016-06-25 20:53 - 2016-05-15 18:38 - 00874008 _____ (AMD) C:\WINDOWS\system32\SET674F.tmp
2016-06-25 20:52 - 2015-11-24 00:31 - 00506904 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\SET5D77.tmp
2016-06-25 20:51 - 2016-05-20 13:57 - 01315352 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\SET4BF1.tmp
2016-01-02 01:16 - 2016-01-02 01:16 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Sean Bauer\AppData\Local\Temp\AMDCleanupUtility.exe
C:\Users\Sean Bauer\AppData\Local\Temp\CIMManifest.exe
C:\Users\Sean Bauer\AppData\Local\Temp\Cleanup.dll
C:\Users\Sean Bauer\AppData\Local\Temp\ddu.exe
C:\Users\Sean Bauer\AppData\Local\Temp\msvcm80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\msvcp80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\msvcr80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\raptrpatch.exe
C:\Users\Sean Bauer\AppData\Local\Temp\raptr_stub.exe
Task: {0754C8EA-3CCE-4F22-B465-8EB67D003B46} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {22789F4F-21A5-44BE-9052-637FED964FDB} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2FFE3AA5-DDAA-4947-9C00-BB63FC3FFB0A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {40024AB3-388B-48E4-84E8-1BA5ED5FAF00} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {44C3E914-A4E4-4E11-8A32-2F3596B8BBE1} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5E904F28-B92C-4753-8707-8414A4BD94C0} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {70D2E485-A49C-4179-9733-A966108A5814} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {9EA95270-9B0B-4693-A4BA-CADF62E7997C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AF567FCA-6D71-43EC-883D-EC309A30A12C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D4D57449-8E76-4AC1-A080-86C8319DDA52} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {F2B47407-6CE8-4985-90BC-12D759F500A8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load. 

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.



If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.

[REDACTED]

ran that, now everytime i open a program, even avast it pops up, it popped up twice for each attachment, saying the same thing

[dbrisendine]

Alright; need to dig further for this one....


Run a search with FRST.

• Right click on FRST.exe on your desktop and select "Run as Administrator..." When the tool opens click Yes to disclaimer.
• Type wpad.browsersecurity.in;wpad into the Search Box.
• Press the Search Registry button.
• It will produce a log called search.txt in the same directory the tool is run from.
• Please copy and paste log back here.

Please attach the log search.txt in your reply.  Thanks.

[REDACTED]

Farbar Recovery Scan Tool (x64) Version: 13-07-2016 02
Ran by Sean Bauer (2016-07-14 20:39:27)
Running from C:\Users\Sean Bauer\Desktop
Boot Mode: Normal

================== Search Registry: "wpad.browsersecurity.in;wpad" ===========


===================== Search result for "wpad" ==========

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a0-63-91-8f-82-c2]
"WpadDecisionTime"="0xB6A429F1FEC5D101"

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a0-63-91-8f-82-c2]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecisionReason"="0"

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecision"="1"

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork"="{DF714289-BB6C-4C14-8683-ACD28056019D}"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecisionTime"="0x16EE598121AED001"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDecisionReason"="0"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDecision"="1"

[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"

====== End of Search ======

[dbrisendine]

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy.  Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

Code: [Select]

Start
CreateRestorePoint:
CloseProcesses:
REG: reg delete "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg delete "HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg add "HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load. 

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.



If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.

[REDACTED]

still stays chrome.exe, svchost.exe and another i didn't get a chance to see were a threat....

[dbrisendine]

Please download Check Browsers LNK from here.

Double click on the file and accept the UAC permission if it asks.

When done, it will produce a Check_Browsers_LNK.log.  Please attach that.

[REDACTED]

done

[dbrisendine]

One last scan then I must call it a night (will check the logs again either first in morning or in a bit) ...


Please download Autologger.zip from here .
Double click the file and extract the file (Autologger.exe) to a folder of your choice (I would suggest you name it AutoLogger for ease of location later).
Double click on Autologger.exe to let it run and follow the prompts.
When finished, it will produce a file named CollectionLog-yyyy.mm.dd.zip [with the date of the logs] in the folder with AutoLogger.exe.  Please attach that here.

[REDACTED]

won't let me attach the zip, unpack it and just attach it that way?

[dbrisendine]

If you unpack it, there should be two log files and two txt files and one more zip file.  Save that zip file on your side and attach the other 4 files (2 .log filea and 2 .txt files).  Thanks.

[REDACTED]

Thanks by the way