"URL:MAL" infection - need help

[Blues12]

Sometimes Firefox opens unwanted popup-windows and Avast blocks them with msg referred to a "URL:MAL" infection.
These popups are random and  related to safe websites. I have a Win7 system with the most updated patches.
Could anyone help me to clean my pc ?
Thanks in advance.

[magna86]

Hi, let's check that. During this case I will use multiple tools for the best possible analysis and malware removal.



Please download Farbar Recovery Scan Tool and Zoek.exe and save both tools to your Desktop.

Note for Farbar Recovery Scan Tool (aka FRST):
You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

Note for Zoek.exe:
Do not launch Zoek.exe yet! We shall use it later.


FRST Scan:

• Double-click on FRST/FRST64 to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

[Asyn]

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Edit: Follow Magna86's advice.

[Blues12]

Can I send the txts via email or external attach ? The post limit is always exceeded.

[Pondus]

thats why you attach the logs....not copy and paste.   

[Blues12]

OK, my attachments 

[magna86]

Hi, I don't see malware here. FRST does show that problem has been created by some extensions in Firefox.

Ok, time for Zoek Script.


ZOEKScript:

1. Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.


2. Double-click on zoek.exe to run it;
Please wait while the tool does not start...

3. Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code: [Select]

createsrpoint;
C:\Windows\System32\lpksetup.exe;i
torntv2@torntv.com.xpi;ff
installer-list;
uninstall-list;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
filesrcm;
FFdefaults;
firefoxlook;
chromelook;

4. Click on button

Upon completion it will create zoek-results.log. Please wait until a logreport opens (this can be after reboot).


5. Save notepad to your Desktop and attach here zoek-results.log[/list]
Note: It will also create a log in the C:\ directory named "zoek-results.log"

[Blues12]

The Zoek results

[magna86]

Ok, re-run Zoek.exe as you did before with this script:

Code: [Select]

emptyclsid;
C:\*.txt;f
0920a8308c812cccacc0e96dbbb6604e819a50dc3cac2e6476050597be5ac725_lp.key;ff
0920a8308c812cccacc0e96dbbb6604e819a50dc3cac2e6476050597be5ac725_lp.key;ff
chrdefaults;
resethosts;
nbmafkdmkkckhggblphicnnhlgljnoje;CHR
C:\Program Files (x86)\TornTV.com;fs
emptyalltemp;
ipconfig /flushdns >> %temp%\log.txt;b
autoclean;
Whait while zoek process script and then attach fresh created Zoek log.


And then tell me how does your computer running now?

[Blues12]

The new zoek-log is attached.

Now at a first glance all seems ok: i checked it out both Explorer and Firefox searches and I don't have unwanted popups. 
But I guess I have to test  some more time.
Question: what your patch has modified ? I saw some corrections/deletions to the browser in the zoek cmdlist.

Thanks again.

[magna86]

It should be fine now. 

Question: what your patch has modified ? I saw some corrections/deletions to the browser in the zoek cmdlist.

Zoek is tool created by smeenk and it's designed for helpers to perform various actions by reading commands it receives. Zoek works at command level.

The first zoek script was created new system restore point before any fix, then zoek was reset Firefox to default settings and remove "torntv" adware (toolbar) extensions from Firefox browser, and perform some additional check.

Second zoek script has deleted some empty and unnecessary registry keys (similar as registry cleaner), remove the other extensions from Firefox and "torntv" from Chrome and it's related file/folder from system and registry. Zoek has also perform an additional cleaning / tuning systems removing some junk files from the system's various locations (temp files), emptied your DNS cache.

I'm good right?     

-----------------------------------

It is necessary to remove used tools and its related files:


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

• Remove disinfection tools
• Create registry backup
• Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.



I recommended to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

[Blues12]

   You have been absolutely fantastic !
Three days of stress are gone due to your precious help !
Thanks again: your forum has a new follower.

[bob3160]

  You have been absolutely fantastic !
Three days of stress are gone due to your precious help !
Thanks again: your forum has a new follower.

Hugs, Kisses and a Thank You are always greatly appreciated.