My system is infected - please help me clean it!

[REDACTED]

A month ago I contacted and explained my problem. Then I was said in this forum that my system is infected. Accordingly I downloaded the tools, scanned my PC and attached the generated logs. I use the paid version of Malware Bytes and Avast but they could not solve my problem.

Here is a description of my problem: I used 4 browsers - firefox, chrome, opera and avast-safe-zone browsers. Out of these chrome and avast safezone browsers gets affected (other browsers dont) and they stop functioning by not being able to display web pages complaining of proxy server problem.The problem sometimes automatically vanishes and again returns back. Another problem, is when I use Avast in normal mode (not silent/gaming mode), there is constant popup (1 min interval) from Avast complaining of threats from a program called svchost.exe.

So I have explained the problem and also attached the logs. Please diagnose my problem and help me resolve it!

[Pondus]

FRST will produse two logs frst.txt and addition.txt

frst.txt is missing

[REDACTED]

sorry missed it - I have attached it now

[REDACTED]

Please let me know the status of diagnosis

[Pondus]

One of those listed here will reply https://forum.avast.com/index.php?topic=53253.0

[dbrisendine]

Before we make any other changes to the system, what happens if you stop using (or actually uninstall) the NordVPN BETA service / VPN?  Does the problem go away then?

[REDACTED]

I recently installed NordVPN beta.
The problems existed much earlier.
So do you think uninstalling NordVPN beta would be of any use?

[dbrisendine]

You have had (or have) several VPNs on your system.  This one is a BETA; it is possible that it triggers an adverse seting in the network stack.  What happens if you remove all the VPNs?

[REDACTED]

Earlier I had ExpressVPN - I purchased it - was not satisfied - got refunded and uninstalled. ExpressVPN was also recent and my problems existed even before installing ExpressVPN.

In any case I will listen to your advice and uninstall NordVPN, my current VPN and report to you shortly.

Let me explain you my current situation: My browsers Chrome and Avast which sometimes don't work (as I reported to this forum earlier) is working now. But svchost.exe continuous threat alert by Avast continues.

I will report to you the situation after uninstalling NordVPN

[REDACTED]

I uninstalled NordVPN beta (By the way I asked NordVPN support - they said Beta does not mean beta version - "Beta" is just part of the app name).

I uninstalled NordVPN, restarted machine (though I was not prompted to restart) and disabled silent/gaming mode of Avast and then in quick succession I got 2 pop up alerts of whose image I have attached. These alerts are not just related to svchost.exe but of all sorts of, even including avast executables.

It's really crazy that one has to suffer still even after buying two reputed security software such Avast Premium and Malware Bytes premium. Don't know what I am missing! Are these false alerts or real threats? How can a Avast executable be a threat?

please see attached images

[dbrisendine]

Thanks for the information.  Let's see if we can get a handle on the wpad issue first then clean some of the leftover files.

FIRST >>>>

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.


SECOND >>>>

Run a search with FRST.

• Right click on FRST on your desktop and select "Run as Administrator..." When the tool opens click Yes to disclaimer.
• Type wpad into the Search Box.
• Press the Search Registry button.
• It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
• Please attach the log file back here.

[REDACTED]

I have attached SearchReg.txt and Fixlog.txt
Perhaps the process is not complete. Still I disabled silent/gaming mode of Avast and again I am getting those pop up alerts from Avast (attached image). Does that mean the infection is still existent? Why is Web Proxy Auto-Discovery (WPAD) creating trouble?

Earlier I used to use cracked software - Did they implant this trouble?
Now I have removed all crack software (excepting one which I will remove today) and currently using only free or paid software.

Thanks for your support!

Regards,

[Eddy]

WPAD sets your dns servers to servers that are spreading malware.

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22689

[REDACTED]

Thanks a lot for your voluntary support!

Waiting for the next decisive step!

[REDACTED]

I have remove the last piece of crack software but I guess traces and remnants of such software might remain. Challenge is cleaning up my system now. I am having only reputed paid or free software in my system now.

Looking for your continued support!

Regards,