Author Topic: URL:Mal popups  (Read 3147 times)


REDACTED

  • Guest
URL:Mal popups
« on: November 23, 2014, 08:37:43 PM »
Receiving many URL:Mal popups with all browsers.  How can we avoid being infected by these? Son only downloads and installs STEAM games. Is there software out there to prevent these items from ever getting on the system to begin with?

Thank you for any assistance you can provide.  Also, do you see anything in here that would prevent Windows Updates?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal popups
« Reply #1 on: November 23, 2014, 08:55:35 PM »
Hi, what errors are you getting with Windows Updates?

Hi, you will need to fully uninstall Chrome as it has been changed to developer build. This means there are no security restrictions on it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-1241720918-2345475059-1800243958-1005 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-1241720918-2345475059-1800243958-1005 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1241720918-2345475059-1800243958-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (savinshop) - C:\Users\Kendrick.parker-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehpahghlicpnpopgpffdnhedldgmaebj [2014-11-22]
2014-11-22 15:08 - 2014-11-23 13:46 - 00000000 ____D () C:\ProgramData\deal4real
2014-11-22 15:08 - 2014-11-22 15:09 - 00000000 ____D () C:\ProgramData\11e65f9dd0015b0d
2014-11-22 14:48 - 2014-11-22 14:49 - 01937010 _____ () C:\Users\Kendrick.parker-PC\Downloads\HoxHud P8.3 Self-installer.exe
2014-11-22 10:33 - 2014-11-22 10:33 - 00000000 ____D () C:\Users\Kendrick.parker-PC\Documents\Optimizer Pro

EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
FINALLY

Download and run Farbar Service Scanner.



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

REDACTED

  • Guest
Re: URL:Mal popups
« Reply #2 on: November 23, 2014, 09:48:42 PM »
Windows Update continues to present this error code: Code 80070002

AdwCleaner[S0].txt


# AdwCleaner v4.101 - Report created 23/11/2014 at 15:42:42
# Updated 09/11/2014 by Xplode
# Database : 2014-11-23.7 [Live]
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Kendrick - PARKER-PC
# Running from : C:\Users\Kendrick.parker-PC\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\Program Files (x86)\NCH Software

***** [ Scheduled Tasks ] *****

Task Deleted : driverupdate startup

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16766


-\\ Mozilla Firefox v33.1.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [2542 octets] - [23/11/2014 15:15:24]
AdwCleaner[S0].txt - [2444 octets] - [23/11/2014 15:42:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2504 octets] ##########
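
An added example, not part of the thread or of either tool: one way to cross-check the FRST fixlist from Reply #1 against the AdwCleaner report above, by parsing the report's sections and listing fixlist GUIDs the cleaner did not record as deleted. The sample strings are a few lines copied from this thread; the function names are hypothetical, and a GUID missing from this report may already have been handled by the FRST fix, so confirm against the FRST log.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the fixlist and AdwCleaner report in this thread.
FIXLIST = r"""
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-1241720918-2345475059-1800243958-1005 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
"""
REPORT = r"""
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\NCH Software
***** [ Scheduled Tasks ] *****
Task Deleted : driverupdate startup
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKCU\Software\Optimizer Pro
"""

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ACTION = re.compile(r"^(\w+) Deleted : (?:\[x64\] )?(.+)$")

def parse_adwcleaner(text):
    """Return {section: [(kind, target), ...]} for every 'X Deleted' line."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            continue
        action = ACTION.match(line)
        if action and current:
            sections[current].append((action.group(1), action.group(2)))
    return dict(sections)

def guids(text):
    """All GUIDs in text, upper-cased so '435b' and '435B' compare equal."""
    return {g.upper() for g in GUID.findall(text)}

def not_in_cleaner_report(fixlist, report):
    """Fixlist GUIDs that the cleaner report does not list as deleted."""
    removed = set()
    for items in parse_adwcleaner(report).values():
        for _kind, target in items:
            removed |= guids(target)
    return guids(fixlist) - removed
```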

REDACTED

  • Guest
Re: URL:Mal popups
« Reply #3 on: November 23, 2014, 09:49:17 PM »
FSS.txt

Farbar Service Scanner Version: 21-07-2014
Ran by Kendrick (administrator) on 23-11-2014 at 15:47:03
Running from "C:\Users\Kendrick.parker-PC\Downloads"
Microsoft Windows 7 Home Premium   (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

Offline essexboy

Re: URL:Mal popups
« Reply #4 on: November 23, 2014, 10:08:57 PM »
Could you run the relevant MSFixit on this page and then try Windows Updates: http://support.microsoft.com/kb/971058

How is the computer behaving at the moment?

REDACTED

  • Guest
Re: URL:Mal popups
« Reply #5 on: November 23, 2014, 10:19:19 PM »
I'm still receiving threat notifications from Avast for URL:Mal items.  The Windows Update fix doesn't resolve the issue.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: URL:Mal popups
« Reply #6 on: November 23, 2014, 10:26:41 PM »
Deleted.
« Last Edit: November 23, 2014, 10:51:47 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

Re: URL:Mal popups
« Reply #7 on: November 23, 2014, 10:44:45 PM »
Have you uninstalled Chrome yet?

REDACTED

  • Guest
Re: URL:Mal popups
« Reply #8 on: November 23, 2014, 11:21:52 PM »
Yes, Chrome is uninstalled. I'm providing updated logs, not sure if it helps. Also a screenshot of the URL:Mal message. No threats detected by Malwarebytes.

REDACTED

  • Guest
Re: URL:Mal popups
« Reply #9 on: November 24, 2014, 02:01:54 AM »
Appears to be working now, no popups. There was an add-in for Mozilla that was still causing trouble, but I removed that. Now I'll try and figure out the Windows update, so I don't need to wipe the system.

Thanks for the help.

Offline essexboy

Re: URL:Mal popups
« Reply #10 on: November 24, 2014, 04:38:39 PM »
Did the MS Fixit give you the option for Aggressive? If so and it did not work, then download and run SRT from here: http://support.microsoft.com/kb/947821/en-gb