Jump to content

Removal instructions for wpad.com.gr


Recommended Posts

  • Staff
What is wpad.com.gr?

The Malwarebytes research team has determined that wpad.com.gr is adware. These adware applications display advertisements not originating from the sites you are browsing.
This particular one hijacks Google search results by using an Automatic Configuration script parked at wpad.com.gr.

How do I know if my computer is affected by wpad.com.gr?

You may see these Scheduled Tasks:

warning3.png

This warning during install:

warning1.png

and these settings in Internet Explorer > Internet Options > Connections > LAN settings:

warning2.png

This is the content of the pac file (Proxy Auto-Config File):

pacfiles.png

How did wpad.com.gr get on my computer?

Adware applications use different methods for distributing themselves. This particular one was offered as a Windows crack.

How do I remove wpad.com.gr?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of wpad.com.gr?
  • No, Malwarebytes' Anti-Malware removes wpad.com.gr completely.
  • This hijacker creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the wpad.com.gr adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
 

protection1.png


The web protection module also blocks acces to the hijackers IP-address:
 

protection2.png


Technical details for experts

Possible signs in FRST logs:
 AutoConfigURL: [S-1-5-21-{userID}] => hxxp://wpad.com.gr/server.pac
 C:\Windows\System32\Tasks\Adobe Flash Update
 C:\Windows\System32\Tasks\Adobe Flash Scheduler
 C:\Windows\Tasks\Adobe Flash Update.job
 C:\Windows\Tasks\Adobe Flash Scheduler.job
 () C:\Program Files (x86)\Common Files\reset.txt
 () C:\Program Files (x86)\Common Files\update.txt
 C:\Users\{username}\AppData\Local\Temp\KMSpico.exe

Task: {4612BAA8-27BC-4B2E-91DD-81C7BB87F4F2} - System32\Tasks\Adobe Flash Update => Wscript.exe //nologo //B //E:vbscript "C:\Program Files (x86)\Common Files\update.txt"
Task: {DEB97F2A-2498-43E5-91C5-2AFE12FC4B45} - System32\Tasks\Adobe Flash Scheduler => Wscript.exe //nologo //B //E:vbscript "C:\Program Files (x86)\Common Files\reset.txt"
Task: C:\Windows\Tasks\Adobe Flash Scheduler.job => Wscript.exe J/nologo /B /E:vbscript C:\Program Files (x86)\Common Files\reset.txt
Task: C:\Windows\Tasks\Adobe Flash Update.job => Wscript.exe K/nologo /B /E:vbscript C:\Program Files (x86)\Common Files\update.txt
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    In the existing folder C:\Program Files (x86)\Common Files
       Adds the file reset.txt"="5/19/2016 8:48 AM, 2584 bytes, A
       Adds the file update.txt"="5/19/2016 8:48 AM, 1748 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file Adobe Flash Scheduler"="5/19/2016 8:48 AM, 2676 bytes, A
       Adds the file Adobe Flash Update"="5/19/2016 8:48 AM, 3124 bytes, A
    In the existing folder C:\Windows\Tasks
       Adds the file Adobe Flash Scheduler.job"="5/19/2016 8:48 AM, 392 bytes, A
       Adds the file Adobe Flash Update.job"="5/19/2016 8:48 AM, 394 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
       "Adobe Flash Scheduler.job"="REG_BINARY, ................................
       "Adobe Flash Scheduler.job.fp"="REG_DWORD", 458894477
       "Adobe Flash Update.job"="REG_BINARY, ................................
       "Adobe Flash Update.job.fp"="REG_DWORD", 1842094772
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Caphyon\Advanced Installer\Scheduled Tasks\{47006D3F-FFE8-426F-A5A1-09AEB930E23F}]
       "FlashUpdate1"="REG_DWORD", 1
       "FlashUpdate1_1"="REG_DWORD", 1
       "FlashUpdate1_1_ID"="REG_SZ", "Adobe Flash Update"
       "FlashUpdate1_ID"="REG_SZ", "Adobe Flash Scheduler"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
       "AutoConfigURL"="REG_SZ", "http://wpad.com.gr/server.pac"
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
       "EnableAutoProxyResultCache"="REG_DWORD", 0
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/19/2016
Scan Time: 9:24 AM
Logfile: mbamAutoConfigURL.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.19.01
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 311529
Time Elapsed: 7 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4612BAA8-27BC-4B2E-91DD-81C7BB87F4F2}, Delete-on-Reboot, [b7062aad1b7e300650467268ea19fe02], 
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DEB97F2A-2498-43E5-91C5-2AFE12FC4B45}, Delete-on-Reboot, [d6e76671efaa58de95006179e61d8d73], 
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Adobe Flash Scheduler, Delete-on-Reboot, [5568edea7d1c0531484fbf1b41c29070], 
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Adobe Flash Update, Delete-on-Reboot, [c8f55d7a1a7f74c231672eac9f648c74], 

Registry Values: 3
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4612BAA8-27BC-4B2E-91DD-81C7BB87F4F2}|Path, \Adobe Flash Update, Delete-on-Reboot, [b7062aad1b7e300650467268ea19fe02]
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DEB97F2A-2498-43E5-91C5-2AFE12FC4B45}|Path, \Adobe Flash Scheduler, Delete-on-Reboot, [d6e76671efaa58de95006179e61d8d73]
Hijack.AutoConfigURL.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://wpad.com.gr/server.pac, Quarantined, [8736a4335346c175711d716917ec4ab6]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 5
Hijack.AutoConfigURL.PrxySvrRST, C:\Users\{username}\Desktop\setup.exe, Quarantined, [15a8a92e9504c4725ca4291a956f966a], 
Hijack.AutoConfigURL.PrxySvrRST, C:\Windows\System32\Tasks\Adobe Flash Scheduler, Quarantined, [17a63f9888113df9771a7d5d5da6c33d], 
Hijack.AutoConfigURL.PrxySvrRST, C:\Windows\System32\Tasks\Adobe Flash Update, Quarantined, [e2dba1369306f3438a088258f80b54ac], 
Hijack.AutoConfigURL.PrxySvrRST, C:\Windows\Tasks\Adobe Flash Scheduler.job, Quarantined, [c4f901d63a5fdd595b3838a20ff44eb2], 
Hijack.AutoConfigURL.PrxySvrRST, C:\Windows\Tasks\Adobe Flash Update.job, Quarantined, [e9d4dafdb6e3999db6de0bcff112d12f], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.