Constant warning pop-ups of URL:Mal from Windows\Explorer.EXE

This just started a couple of days ago, and at first it was always this URL noted “http://bnud7nkk.com/ads.php?sid=1911”, but today there have been different URLs listed in the Object field. When it first started I attempted to use System Restore to a point a few hours before this started, but it didn’t fix the problem. Now I have to run Avast on silent/gaming mode, otherwise the warning pop-ups come up every 10 seconds or so. It’s definitely slowing my computer down.

I read the sticky about Malwarebytes and Logs, and have attached the logs below (Malwarebytes didn’t find anything, and when I tried to run aswMBR scan I kept getting a message that said scan error).

Any help would be GREATLY appreciated.

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-10-30 12:10 - 2015-10-30 18:56 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
2015-10-30 12:09 - 2015-10-30 18:56 - 00000000 ___HD C:\ProgramData\{EFFC3E07-AED7-4C3C-992F-2C5EB14AF4A8}
2015-05-28 11:04 - 2015-05-28 11:04 - 0000000 _____ () C:\Users\JJ\AppData\Local\{408BBB69-B524-41B0-B402-B6A30B4EEDF7}
2015-06-09 12:27 - 2015-06-09 12:27 - 0000000 _____ () C:\Users\JJ\AppData\Local\{AFAE5EA6-9D79-4E5A-9EDA-811637AD2F8C}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

No pop-ups in the past 20 min, so I think this did the trick! Thank you so much, this was driving me crazy.

You’re the man, essexboy! 8)

Log attached.

It looks like I spoke too soon :-\

Just got another warning pop-up, also URL:Mal, but this time instead of explorer.EXE it’s coming from C:\Program Files\Google\Chrome\Application\chrome.exe

I just ran FRST again and have attached the logs.

OK, did you use a USB stick or download a programme at 2015-11-03 10:54? That was when it was re-installed.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-03 10:52 - 2015-11-03 11:31 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
2015-11-03 10:54 - 2015-11-03 10:54 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2015-11-02 23:40 - 2015-11-02 23:40 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-02 23:40 - 2015-11-02 23:40 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

I didn’t use a USB stick or download a program. I only got that warning pop-up a couple of times, though, so not nearly as frequently as the one that was really slowing me down before.

Thanks again for all your help. It is sincerely appreciated.

Log attached below.

I’ll let my computer run for a little bit and do a few re-starts over the next hour and let you know if I get any more warning pop-ups.

Aye, if it does come back I will need to look deeper

At the risk of jinxing it, so far so good after the last fix you provided.

THANK YOU!!! :smiley:

If all is still well tomorrow let me know and I will remove my tools :slight_smile:

I jinxed it. After leaving the computer off for a few hours, I just booted it up and got about 20 warning pop-ups in a row. I opened Chrome pretty soon after boot up, so I’m not sure if that set them off. I’ll get a barrage of them that Avast blocks, then nothing for a few minutes, then another barrage.

It’s the same URL:Mal and chrome.exe deal, and they all point to ninthclub(dot)com.

Logs posted below.

Chrome is about the most insecure browser around at the moment and there are multiple ways that it is being infected that are hidden from all my scanners

Re-install Chrome

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go to Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall chrome.
    Note: When asked about user data or settings you must remove this also so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Essexboy,

looks like this wasn’t fixed or has returned:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"

Yes, it is probably coming from Chrome syncing; I need to reset that first before anything else :slight_smile:

Okay, I will do that here in a little bit and report back.

Also, on startup I’m getting some windows that pop-up for a couple of seconds (not from Avast) that say “Injector Loaded” and “BC Loaded”. That’s also something that wasn’t happening before all this started.

Once again, many thanks for your assistance.

Once you have uninstalled Chrome run this quick fix before re-installing

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-03 12:46 - 2015-11-03 12:46 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-03 12:46 - 2015-11-03 12:46 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
2015-11-03 12:45 - 2015-11-03 18:55 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.25.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{47F21A73-EC36-4FA4-9908-DE9C9E8E2AFE}\InprocServer32 -> C:\ProgramData\{EFFC3E07-AED7-4C3C-992F-2C5EB14AF4A8}\secproc.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3056341256-334452140-1155790583-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\JJ\AppData\Local\Google\Update\1.3.28.15\psuser.dll (Google Inc.)
Task: {1586B352-007B-470C-9695-9AFA8690B812} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3056341256-334452140-1155790583-1001Core => C:\Users\JJ\AppData\Local\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Sorry it’s taken me a day to respond - I wanted to give this newest fix a little time to see if it was going to work. Unfortunately, after no trouble yesterday, the warning pop-ups for URL:Mal from chrome.exe directing to ninthclub(dot)com have returned. I followed your directions about uninstalling Chrome, running the fix you provided, then reinstalling Chrome as provided, with a couple of caveats: when I go to Google Sync, I don’t see a “Stop and Clear” button, but instead a button that says “Reset Sync” - I clicked that. Then, when uninstalling Chrome, I don’t see an option about user data or settings, but instead a box that says “Also delete your browsing data” - I clicked that, as well.

Attached is the log after running the fix yesterday (after uninstalling Chrome), as well as my FRST logs from this morning after the problem returned (after reinstalling Chrome yesterday).

Thanks again - this is turning out to be a persistent little sh!t.

OK, something is reinstalling the folder and file, leading me to suspect an installer programme on the system

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3056341256-334452140-1155790583-1001\...\Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
2015-11-04 15:29 - 2015-11-04 15:29 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieUserList
2015-11-04 15:29 - 2015-11-04 15:29 - 00000000 __SHD C:\Users\JJ\AppData\Local\EmieSiteList
2015-11-04 15:28 - 2015-11-05 09:24 - 00000000 ____D C:\Users\JJ\AppData\Roaming\Gulaz
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
  1. Save it to the desktop.
  2. Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
  3. You will receive a prompt: Do you want to skip supplementary searches? Click NO.
  4. If you receive an error, just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
  5. You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!).
  6. Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE: If you receive any warning message about scripts, please choose to allow the script to run.
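The recurring FRST line in this thread (Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll") is a classic user-level autorun: a signed Windows binary is used as the launcher so the only unsigned artefact is a DLL in the user's profile, and essexboy's remark that "something is reinstalling the folder and file" means a second persistence point is re-dropping it after each fix. The script below is an added example, written for this edit and not part of the thread, FRST or Silent Runners. It walks Run/RunOnce in HKLM and in every real user hive under HKEY_USERS plus the scheduled task list, flags entries where regsvr32/rundll32/mshta/wscript/cscript is pointed at a file in a user-writable location, and for each hit records whether the file is still on disk, its signature status, SHA-256 and creation time (which answers the "when was it re-installed" question). It assumes Windows PowerShell 4 or later (for Get-FileHash) and an elevated session so all user hives are visible; only the Gulaz path and the WejIsbe value name come from the thread, the patterns and output fields are illustrative.

```powershell
# Added example (not code from the thread, FRST or Silent Runners).
# Hunts for autoruns of the form seen in this thread:
#   Run: [WejIsbe] => regsvr32.exe "C:\Users\JJ\AppData\Roaming\Gulaz\SotePbanb.dll"
# Assumptions: Windows PowerShell 4+, run elevated. Patterns/field names are illustrative.

$lolbinHosts  = 'regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe'
$userWritable = '\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\'
$runKeys      = 'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# A launcher is suspicious when a trusted host binary loads something from a folder
# any user can write to; signed regsvr32.exe itself never trips a scanner.
function Test-Suspicious([string]$cmd) {
    return ($cmd -match $lolbinHosts) -and ($cmd -match $userWritable)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run/RunOnce in HKLM and in every real user hive (S-1-5-21-..., not the _Classes hives).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKLM:') + @(Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = Join-Path $hive $key
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (Test-Suspicious $cmd) {
                $findings.Add([pscustomobject]@{ Source = "$path\$name"; Command = $cmd })
            }
        }
    }
}

# 2. Scheduled tasks, the usual "reinstaller" for a Run key that keeps coming back.
#    schtasks is used rather than Get-ScheduledTask so this also runs on Windows 7;
#    with /v the CSV repeats its header row per task folder, hence the filter.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object {
        if (Test-Suspicious $_.'Task To Run') {
            $findings.Add([pscustomobject]@{ Source = "Task:$($_.TaskName)"; Command = $_.'Task To Run' })
        }
    }

# 3. For each hit: is the payload still on disk, is it signed, when was it written?
#    Creation time dates the (re)install; the SHA-256 is what to search for or submit,
#    since the file and folder names (Gulaz, SotePbanb.dll) are random per victim.
foreach ($f in $findings) {
    $m    = [regex]::Match($f.Command, '([A-Za-z]:\\[^"]+?\.(dll|ocx|js|vbs|hta))', 'IgnoreCase')
    $file = $m.Groups[1].Value
    if ($file -and (Test-Path -LiteralPath $file)) {
        $fi = Get-Item -LiteralPath $file
        $f | Add-Member -NotePropertyName Signature -NotePropertyValue (Get-AuthenticodeSignature -FilePath $file).Status
        $f | Add-Member -NotePropertyName SHA256    -NotePropertyValue (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
        $f | Add-Member -NotePropertyName Created   -NotePropertyValue $fi.CreationTime
        $f | Add-Member -NotePropertyName Modified  -NotePropertyValue $fi.LastWriteTime
    } else {
        # An autorun whose target is gone is still worth removing: it will work again
        # the moment the dropper rewrites the file.
        $f | Add-Member -NotePropertyName Signature -NotePropertyValue 'file missing (orphaned autorun)'
    }
}

$findings | Format-List
```

Run it once before and once after an FRST fix: if the Gulaz entry is gone from Run but a task or a second hive still references a user-writable DLL, that is the installer essexboy was looking for. Compare the Created timestamp against the FRST folder dates (2015-11-03 10:52, 2015-11-04 15:28) to see what else was written in the same minute.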

I can’t seem to get Silent Runners to run. When I double-click on it, it just opens up a document in WordPad. The FAQ on their website says that when that happens to use the command prompt to launch it, but after navigating to the directory in which it’s saved, I try cscript.exe “Silent Runners.vbs” and get the response “can not find script file”. When I use the dir command, I see that it’s Silent Runners.vbs.txt - is that the problem? I tried cscript.exe “Silent Runners.vbs.txt” and it didn’t like that, either. I’ve attached a screen shot of my attempt to run Silent Runners via the command prompt.

I’ve also attached the log after running the most recent fix.

Right-click the .vbs and select Run as admin

I don’t have that option when I right-click on it.

I’ve attached a screen shot of the options when I right-click on it.