Author Topic: I got URL:Mal popup keep showing up .. (Read 3374 times)

REDACTED · « **on:** August 03, 2014, 05:35:47 AM »

Hello ,
It's my first time here in this community

Anyways , i have a " URL:Mal " recently .When i open any browser " Firefox , chrome , internet explorer " it just shows up and keep showing like every 10~20 seconds non stop . Good to know that AVAST is doing his job , how wonderful !
I have tried every malware fighter but no real fixing to my issue . It detected some malwares , but nothing happen after that and the issue has been not fixed yet .
Here is my last logs , how can i get previous Malewarebytes scan log result ? cuz this one was the latest and it's clean ...

I have tried aswmbr , but crashed 3 times at the same dll file , why is that ?

Thanks in advance and i really appreciate your hard work

Asyn · « **Reply #1 on:** August 03, 2014, 08:09:13 AM »

Also attach your FRST log..!!
Instructions: https://forum.avast.com/index.php?topic=53253.0

REDACTED · « **Reply #2 on:** August 04, 2014, 07:20:44 PM »

Oh , I have already made one but forgot to attach it , here is my latest updated log.
And sorry for my reply delay . I had a problem to connect to the forum website , i really don't know what happen but the page won't load and it kept telling me
" Error gate way not found " and sometimes " connection interrupted " , usually i refresh again and the problem is fixed but nothing happened this time
I tried different browser but the same issue .Anyways , it works now... Does anyone know what to do if the problem happens again ?

Thank you for your reply

essexboy · « **Reply #3 on:** August 04, 2014, 07:31:03 PM »

Let me know if this cures it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Quote

GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=66807&st=home&tid=6724&ver=6.5&ts=1405807200000.000007&tguid=66807-6724-1405817452867-82D09486E258F31AA117F56AA2825C97
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.certified-toolbar.com?si=66807&st=bs&tid=6724&ver=6.5&ts=1405807200000.000007&tguid=66807-6724-1405817452867-82D09486E258F31AA117F56AA2825C97&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.certified-toolbar.com?si=66807&st=bs&tid=6724&ver=6.5&ts=1405807200000.000007&tguid=66807-6724-1405817452867-82D09486E258F31AA117F56AA2825C97&q={searchTerms}
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> No File
BHO: No Name -> {59724C01-39DF-8279-B8D9-963903150A54} -> No File
BHO: No Name -> {6B65453E-CF87-FB64-1D8A-C390D4E398A0} -> No File
BHO-x32: Adblocker -> {59724C01-39DF-8279-B8D9-963903150A54} -> C:\Program Files (x86)\Adblocker\YrvOF42kbX.dll No File
BHO-x32: pruicechop -> {6B65453E-CF87-FB64-1D8A-C390D4E398A0} -> C:\Program Files (x86)\pruicechop\7sH5f1FDDi.dll No File
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.autoconfig_url", "");
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.ftp", "");
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.ftp_port", 0);
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.http", "");
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.http_port", 0);
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.no_proxies_on", "localhost, 127.0.0.1");
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.share_proxy_settings", false);
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.ssl", "");
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.ssl_port", 0);
FF NetworkProxy: "user_pref("extensions.browsec.backup.network.proxy.type", 5);
FF NetworkProxy: "type", 4
FF user.js: detected! => C:\Users\Ahmed Rashed\AppData\Roaming\Mozilla\Firefox\Profiles\pydousxz.default\user.js
FF SearchPlugin: C:\Users\Ahmed Rashed\AppData\Roaming\Mozilla\Firefox\Profiles\pydousxz.default\searchplugins\Web Search.xml
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
2014-07-18 17:40 - 2014-07-18 17:40 - 00001056 _____ () C:\Users\Ahmed Rashed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
2014-07-18 17:35 - 2014-07-18 17:40 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\iLivid
2014-07-10 16:24 - 2014-07-10 16:24 - 00000000 __SHD () C:\Windows\SysWOW64\AI_RecycleBin
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Jenes\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Guest
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Ahmed Rashed\AppData\Local\Chromatic Browser
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-07-20 00:19 - 2014-07-20 00:19 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

REDACTED · « **Reply #4 on:** August 04, 2014, 08:24:44 PM »

Nothing happen , the URL:Mal keep showing when i open browser or visiting websites :/

I have seen search.certified-toolbar and home tab in the log , I'm sure it's something related to them , I have installed it as a part of an survery or free AP offer at aeriagames.com , you can make an account there and go to AP and then FREE AP offers . You can check how it's look like " Surveys , videos , downloads " I thought it's trusted since it's related to aeriagames but oh well ... This is bad actually ..

I didn't find AdwCleaner[S1].txt

Only AdwCleaner[S0] and AdwCleaner[RO] , I also had this error while scanning and while cleaning , when i clicked ok it continued without any problems .

Whatever you do keep doing it and thanks for help .

essexboy · « **Reply #5 on:** August 04, 2014, 09:25:27 PM »

Could you confirm that the alerts are still appearing

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.[/b]

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED · « **Reply #6 on:** August 04, 2014, 10:43:51 PM »

Hmm , after using the fxlist and AdwCleaner i was getting the same URL : Mal message from avast .

But now , everything seems to be ok . The problem might be fixed .
'm not sure since this URL:Mal message is randomly shown up , some times every couple of seconds and sometimes when i visit any website . Sometimes it stops for a couple of hours and continue again like yesterday and continued today .

I really don't know how to thank you for your effort , really great job .You are the best

I will let you know if it continued again .

essexboy · « **Reply #7 on:** August 04, 2014, 11:20:47 PM »

Let me know tomorrow if all is well and I will tidy up

Author Topic: I got URL:Mal popup keep showing up .. (Read 3374 times)

REDACTED

I got URL:Mal popup keep showing up ..

Asyn

Re: I got URL:Mal popup keep showing up ..

REDACTED

Re: I got URL:Mal popup keep showing up ..

essexboy

Re: I got URL:Mal popup keep showing up ..

REDACTED

Re: I got URL:Mal popup keep showing up ..

essexboy

Re: I got URL:Mal popup keep showing up ..

REDACTED

Re: I got URL:Mal popup keep showing up ..

essexboy

Re: I got URL:Mal popup keep showing up ..