Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE

[REDACTED]

Sorry it's taken me a day to respond - I wanted to give this newest fix a little time to see if it was going to work. Unfortunately, after no trouble yesterday, the warning pop-ups for URL:Mal from chrome.exe directing to ninthclub(dot)com have returned. I followed your directions about uninstalling Chrome, running the fix you provided, then reinstalling Chrome as provided, with a couple of caveats: when I go to Google Sync, I don't see a "Stop and Clear" button, but instead a button that says "Reset Sync" - I clicked that. Then, when uninstalling Chrome, I don't see an option about user data or settings, but instead a box that says "Also delete your browsing data" - I clicked that, as well.

Attached is the log after running the fix yesterday (after uninstalling Chrome), as well as my FRST logs from this morning after the problem returned (after reinstalling Chrome yesterday).

Thanks again - this is turning out to be a persistent little sh!t.

[essexboy]

OK something is reinstalling the folder and file, this leading me to suspect and installer programme on the system

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-04 15:29 - 2015-11-04 15:29 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-04 15:29 - 2015-11-04 15:29 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
2015-11-04 15:28 - 2015-11-05 09:24 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will receive a prompt:

Do you want to skip supplementary searches?
click NO[/list]

• If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
• You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  
• Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
  

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[REDACTED]

I can't seem to get Silent Runners to run. When I double-click on it, it just opens up a document in WordPad. The FAQ on their website says that when that happens to use the command prompt to launch it, but after navigating to the directory in which it's saved, I try cscript.exe "Silent Runners.vbs" and get the response "can not find script file". When I use the dir command, I see that it's Silent Runners.vbs.txt - is that the problem? I tried cscript.exe "Silent Runners.vbs.txt" and it didn't like that, either. I've attached a screen shot of my attempt to run Silent Runners via the command prompt.

I've also attached the log after running the most recent fix.

[essexboy]

Right click the vbs and select run as admin

[REDACTED]

I don't have that option when I right-click on it.

I've attached a screen shot of the options when I right-click on it.

[REDACTED]

Nevermind, I found a YouTube video that showed me how to tweak the folder settings so that I could change it to a .vbs. Will report back when it's done.

[REDACTED]

Okay, I've attached the log from Silent Runners below.

Thanks again essex, you're a huge help.

[essexboy]

Sorry the forum has corrupted that could you open your copy of the log and select save as and ensure that ansi is checked and then attach again please

[REDACTED]

Okay, re-saved it with ANSI and attached below.

It's been a full day now, and no warning pop-ups, so I think the most recent fix took care of the last of it *knock on wood*

Many thanks, essexboy. You've been really awesome.

[essexboy]

OK nothing showing under windows installer or hidden tasks ...  Could you monitor for one further day please