Author Topic: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE  (Read 7869 times)


REDACTED

  • Guest
Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« on: November 03, 2015, 07:51:12 AM »
This just started a couple of days ago, and at first it was always this URL noted "http://bnud7nkk.com/ads.php?sid=1911", but today there have been different URLs listed in the Object field. When it first started I attempted to use System Restore to a point a few hours before this started, but it didn't fix the problem. Now I have to run Avast on silent/gaming mode, otherwise the warning pop-ups come up every 10 seconds or so. It's definitely slowing my computer down.

I read the sticky about Malwarebytes and Logs, and have attached the logs below (Malwarebytes didn't find anything, and when I tried to run aswMBR scan I kept getting a message that said scan error).

Any help would be GREATLY appreciated.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #1 on: November 03, 2015, 04:00:33 PM »
Let me know if this stops it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-10-30 12:10 - 2015-10-30 18:56 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
2015-10-30 12:09 - 2015-10-30 18:56 - 00000000 ___HD C:\ProgramData\{EFFC3E07-AED7-4C3C-992F-2C5EB14AF4A8}
2015-05-28 11:04 - 2015-05-28 11:04 - 0000000 _____ () C:\Users\JJ\AppData\Local\{408BBB69-B524-41B0-B402-B6A30B4EEDF7}
2015-06-09 12:27 - 2015-06-09 12:27 - 0000000 _____ () C:\Users\JJ\AppData\Local\{AFAE5EA6-9D79-4E5A-9EDA-811637AD2F8C}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #2 on: November 03, 2015, 06:18:54 PM »
No pop-ups in the past 20 min, so I think this did the trick! Thank you so much, this was driving me crazy.

You're the man, essexboy!  8)

Log attached.

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #3 on: November 03, 2015, 06:38:13 PM »
It looks like I spoke too soon :-\

Just got another warning pop-up, also URL:Mal, but this time instead of explorer.EXE it's coming from C:\Program Files\Google\Chrome\Application\chrome.exe

I just ran FRST again and have attached the logs.

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #4 on: November 03, 2015, 06:59:53 PM »
OK, did you use a USB stick or download a programme at 2015-11-03 10:54, as that was when it was re-installed?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-03 10:52 - 2015-11-03 11:31 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
2015-11-03 10:54 - 2015-11-03 10:54 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2015-11-02 23:40 - 2015-11-02 23:40 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-02 23:40 - 2015-11-02 23:40 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #5 on: November 03, 2015, 07:52:47 PM »
I didn't use a USB stick or download a program. I only got that warning pop-up a couple of times, though, so not nearly as frequently as the one that was really slowing me down before.

Thanks again for all your help. It is sincerely appreciated.

Log attached below.

I'll let my computer run for a little bit and do a few re-starts over the next hour and let you know if I get any more warning pop-ups.

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #6 on: November 03, 2015, 08:34:23 PM »
Aye, if it does come back I will need to look deeper

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #7 on: November 03, 2015, 10:01:27 PM »
At the risk of jinxing it, so far so good after the last fix you provided.

THANK YOU!!!! :D

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #8 on: November 03, 2015, 10:16:54 PM »
If all is still well tomorrow let me know and I will remove my tools :)

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #9 on: November 04, 2015, 02:08:25 AM »
I jinxed it. After leaving the computer off for a few hours, I just booted it up and got about 20 warning pop-ups in a row. I opened Chrome pretty soon after boot up, so I'm not sure if that set them off. I'll get a barrage of them that Avast blocks, then nothing for a few minutes, then another barrage.

It's the same URL:Mal and chrome.exe deal, and they all point to ninthclub(dot)com.

Logs posted below.

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #10 on: November 04, 2015, 04:14:02 PM »
Chrome is about the most insecure browser around at the moment and there are multiple ways that it is being infected that are hidden from all my scanners

Re-install Chrome

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome.
 Note: When asked about user data or settings you must remove this also so please check the box.
5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #11 on: November 04, 2015, 05:20:10 PM »
Essexboy,

looks like this wasn't fixed or has returned:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
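The Run entry Eddy quotes here (and that both of essexboy's earlier fixlists remove) is the classic autorun-with-a-system-loader pattern: regsvr32.exe started from HKU\...\Run to load a DLL sitting in AppData\Roaming, which a standard user can write to. As an added example, not code from the thread or from FRST, the Python script below parses FRST-style Run: lines, flags that pattern, and compares two scans so an entry that is back after a fix (Eddy's point) stands out. The SID, user name, value names, paths and log lines in it are constructed for the example, not taken from the poster's logs; the regex, the loader list and the user-writable directory markers are my own choices, not FRST's.

```python
import re
from dataclasses import dataclass

# FRST prints autorun entries as  HK..\<SID>\...\Run: [Name] => <command>
RUN_LINE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] => (?P<cmd>.+)$"
)
# Signed system binaries that are routinely used to host someone else's code
LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Directories a standard user can write to without elevation
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class AutorunEntry:
    hive: str
    name: str
    command: str
    loader: str      # basename of the executable the Run value starts
    target: str      # first argument handed to that executable
    suspicious: bool
    reasons: tuple


def split_command(cmd):
    """Return (loader, first argument) for a Run value command line.

    A quoted loader path is handled; an unquoted path containing spaces is cut
    at the first space, which is a known limitation of this toy parser.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        loader, rest = cmd[1:end], cmd[end + 1:]
    else:
        loader, _, rest = cmd.partition(" ")
    rest = rest.strip()
    quoted = re.match(r'"([^"]+)"', rest)
    if quoted:
        target = quoted.group(1)
    else:
        target = rest.split(" ", 1)[0] if rest else ""
    return loader, target


def parse_run_line(line):
    """Parse one FRST 'Run:' line; returns None for any other kind of line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    loader, target = split_command(m.group("cmd"))
    loader_name = loader.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if loader_name in LOADERS:
        reasons.append("system loader %s used as the autorun host" % loader_name)
    if any(marker in target.lower() for marker in USER_WRITABLE):
        reasons.append("loaded file lives in a user-writable directory")
    # Either signal alone is common in benign software; both together rarely are.
    suspicious = len(reasons) == 2
    return AutorunEntry(m.group("hive"), m.group("name"), m.group("cmd"),
                        loader_name, target, suspicious, tuple(reasons))


def parse_scan(text):
    return [e for e in map(parse_run_line, text.splitlines()) if e is not None]


def recurring_entries(before, after):
    """Names of suspicious entries present in both scans, i.e. the fix did not hold."""
    key = lambda e: (e.hive, e.name.lower(), e.target.lower())
    seen = {key(e) for e in before if e.suspicious}
    return sorted(e.name for e in after if e.suspicious and key(e) in seen)


# Constructed sample scans: SID, user, value names and paths are made up.
SCAN_BEFORE = r"""
HKLM\...\Run: [avast] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [2015-10-01] (AVAST Software)
HKU\S-1-5-21-1111111111-222222222-3333333333-1001\...\Run: [ExampleUpdater] => regsvr32.exe "C:\Users\alice\AppData\Roaming\Zzxq\loader.dll"
HKU\S-1-5-21-1111111111-222222222-3333333333-1001\...\Run: [OneDrive] => "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
# Second scan taken after a fix: the regsvr32 entry has come back.
SCAN_AFTER = r"""
HKLM\...\Run: [avast] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [2015-10-01] (AVAST Software)
HKU\S-1-5-21-1111111111-222222222-3333333333-1001\...\Run: [ExampleUpdater] => regsvr32.exe "C:\Users\alice\AppData\Roaming\Zzxq\loader.dll"
HKU\S-1-5-21-1111111111-222222222-3333333333-1001\...\Run: [OneDrive] => "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

if __name__ == "__main__":
    for e in parse_scan(SCAN_BEFORE):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print("%-10s %-15s %s  %s" % (flag, e.name, e.loader, "; ".join(e.reasons)))
    print("reappeared after fix:",
          recurring_entries(parse_scan(SCAN_BEFORE), parse_scan(SCAN_AFTER)))
```

The OneDrive line is there on purpose: plenty of legitimate software runs out of AppData, so the user-writable location alone is a weak signal, and the script only flags an entry when a system loader is the host as well. Feeding it the Addition/FRST log from each round of the thread would have shown the same WejIsbe entry surviving between scans, which is exactly what Eddy spotted by eye.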

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #12 on: November 04, 2015, 07:17:02 PM »
Yes, it is probably coming from Chrome syncing. I need to reset that first before anything else :)

REDACTED

  • Guest
Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #13 on: November 04, 2015, 07:29:11 PM »
Okay, I will do that here in a little bit and report back.

Also, on startup I'm getting some windows that pop-up for a couple of seconds (not from Avast) that say "Injector Loaded" and "BC Loaded". That's also something that wasn't happening before all this started.

Once again, many thanks for your assistance.

Offline essexboy

Re: Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE
« Reply #14 on: November 04, 2015, 07:30:44 PM »
Once you have uninstalled Chrome run this quick fix before re-installing

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-03 12:46 - 2015-11-03 12:46 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-03 12:46 - 2015-11-03 12:46 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
2015-11-03 12:45 - 2015-11-03 18:55 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.25.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{47F21A73-EC36-4FA4-9908-DE9C9E8E2AFE}\InprocServer32 -> C:\ProgramData\{EFFC3E07-AED7-4C3C-992F-2C5EB14AF4A8}\secproc.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\psuser.dll (Google Inc.)
Task: {1586B352-007B-470C-9695-9AFA8690B812} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3056341256-334452140-1155790583-1001Core => C:\Users\JJ\AppData\Local\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that