Author Topic: Another URL:Mal infection  (Read 14041 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another URL:Mal infection
« Reply #30 on: October 30, 2014, 05:01:40 PM »
You are still showing GCI/F-Secure on the system.

Could you run a fresh FRST scan please?

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #31 on: October 31, 2014, 02:34:41 AM »
GCI security is still on my PC.. but it has been disabled and unloaded. I also turned off Windows Defender with the exception of Windows Firewall. I am using exclusively Avast free virus protection with Windows Firewall. Here is the log you requested.

Offline essexboy

Re: Another URL:Mal infection
« Reply #32 on: October 31, 2014, 02:31:07 PM »
Once done could you run an Avast Boot scan please

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM-x32\...\Run: [F-Secure Manager] => C:\Program Files (x86)\GCI Security Guard\Common\FSM32.EXE [201128 2009-11-18] (F-Secure Corporation)
HKLM-x32\...\Run: [F-Secure TNB] => C:\Program Files (x86)\GCI Security Guard\FSGUI\TNBUtil.exe [1655464 2011-08-22] (F-Secure Corporation)
Toolbar: HKLM-x32 - Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files (x86)\GCI Security Guard\NRS\iescript\baselitmus.dll (F-Secure Corporation)
FF HKLM-x32\...\Firefox\Extensions: [litmus-ff@f-secure.com] - C:\Program Files (x86)\GCI Security Guard\NRS\litmus-ff@f-secure.com
FF Extension: Browsing Protection - C:\Program Files (x86)\GCI Security Guard\NRS\litmus-ff@f-secure.com [2011-04-22]
R2 F-Secure Gatekeeper Handler Starter; C:\Program Files (x86)\GCI Security Guard\Anti-Virus\fsgk32st.exe [221608 2009-11-18] (F-Secure Corporation)
S3 FSDFWD; C:\Program Files (x86)\GCI Security Guard\FWES\Program\fsdfwd.exe [846248 2009-11-18] (F-Secure Corporation)
R2 FSMA; C:\Program Files (x86)\GCI Security Guard\Common\FSMA32.EXE [188840 2009-11-18] (F-Secure Corporation)
S3 FSORSPClient; C:\Program Files (x86)\GCI Security Guard\ORSP Client\fsorsp.exe [60352 2013-06-05] (F-Secure Corporation)
R3 F-Secure Gatekeeper; C:\Program Files (x86)\GCI Security Guard\Anti-Virus\minifilter\fsgk.sys [202176 2013-07-10] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\GCI Security Guard\HIPS\drivers\fshs.sys [59784 2009-11-18] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2012-08-15] ()
R0 fsbts; C:\Windows\SysWOW64\Drivers\fsbts.sys [42672 2011-08-17] ()
S1 FSES; C:\Windows\System32\drivers\fses.sys [50384 2011-04-22] (F-Secure Corporation)
R1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [94024 2009-11-18] (F-Secure Corporation)
R1 fsvista; C:\Program Files (x86)\GCI Security Guard\Anti-Virus\minifilter\fsvista.sys [16768 2009-11-18] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
C:\Program Files (x86)\GCI Security Guard
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #33 on: November 01, 2014, 09:12:04 AM »
I'm still getting pop-ups on a pretty regular basis, here is the log you requested. The Avast boot scan showed no viruses or anything out of the ordinary.

Offline essexboy

Re: Another URL:Mal infection
« Reply #34 on: November 01, 2014, 12:18:14 PM »
Let's see if I can locate it using two different tools

First :

Download Process Explorer to your desktop from here: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open Process Explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A lower window will open
Then on the menu bar go to File > Save as..
Then select the desktop and click save
On the desktop there will then be a text file called explorer; please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached

Second :

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    Do you want to skip supplementary searches?
    click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #35 on: November 01, 2014, 11:00:06 PM »
I think I misunderstood the instructions for the explorer exe but here is the log I did receive after running it, and the log for the start-ups

Offline essexboy

Re: Another URL:Mal infection
« Reply #36 on: November 01, 2014, 11:03:13 PM »
Could you open the Silent Runners log please and select File > Save as..
Then in the encoding dropdown box at the bottom select ANSI and save.
Then attach that log please

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Quote
C:\Users\Dirtbag\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that
« Last Edit: November 01, 2014, 11:05:42 PM by essexboy »

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #37 on: November 01, 2014, 11:54:52 PM »
Here are the logs you asked for.

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #38 on: November 02, 2014, 05:23:41 AM »
So far no new pop-ups... I'll keep you posted if they begin again.

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #39 on: November 02, 2014, 08:41:58 AM »
Well.. I had thought we had finally stopped the URL:Mal pop-ups but I have received 3-4 at a time in the last few hours. If I haven't said it yet, thank you for your help and patience in this matter Essexboy, and for not giving up. If it means anything my PC is running faster and smoother than it has in some time even with the pop-ups which Avast seems to be blocking from ruining my PC or stealing my personal info.

Offline essexboy

Re: Another URL:Mal infection
« Reply #40 on: November 02, 2014, 12:28:20 PM »
These new ones are exceedingly difficult to track down, but we will get it :)

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Quote
2014-10-24 21:45 - 2014-10-24 21:45 - 00003136 _____ () C:\Windows\System32\Tasks\{32848E10-8664-418F-98CB-A818780BBEB0}
2014-10-21 18:09 - 2014-10-30 17:26 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-17 17:35 - 2009-07-13 21:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #41 on: November 03, 2014, 03:31:25 AM »
Here are the logs you requested.


Offline essexboy

Re: Another URL:Mal infection
« Reply #42 on: November 03, 2014, 05:12:48 PM »
If the alerts are still appearing could you run an Avast bootscan please?

REDACTED

  • Guest
Re: Another URL:Mal infection
« Reply #43 on: November 04, 2014, 05:08:13 AM »
Well.. looks like they are gone this time but they sometimes disappear for days and my internet was down for maintenance yesterday so I haven't gotten a chance to make sure they are gone, but I'll keep you posted, but for now they seem to be gone, hopefully for good this time. Avast ran its own boot scan when I restarted my PC yesterday and found nothing out of the ordinary.

Offline essexboy

Re: Another URL:Mal infection
« Reply #44 on: November 04, 2014, 04:33:19 PM »
OK let me know when you are happy and I will tidy up :)