My Avast keeps popping up URL:MAL. I’ve attached the logs here. Please help me!
Here’s the scan log from Malwarebytes Anti-Malware and aswmbr.
Download zoek.exe from here: Zoek.exe at Bleepingcomputer
- Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe
(Here or here you can read a manual on how to disable your security applications.)
- Double-click zoek.exe to start the program.
- Copy and paste the following script in the code box:
- Note: This script is written for usage on this user's computer; do not use it on another computer even if the problems are similar.
createsrpoint;
autoclean;
chrdefaults;
FFdefaults;
bitsadmin /reset /allusers >>"%temp%\log.txt";b
emptyalltemp;
resetIEproxy;
ipconfig /flushdns >>"%temp%\log.txt";b
- Close any open browsers.
- Click the [b]Run script[/b] button and wait patiently.
- When finished, the logfile will be opened in Notepad.
- If a reboot is needed, the logfile will be opened after the reboot.
- The [b]zoek-results.log[/b] can also be found on your system drive.
- Please post the logfile for further review in your next comment.
Also, please tell me how your machine is running now.
Thank you! My laptop restarted twice, and I’ve attached the zoek here. But I still get this URL:Mal pop-up.
This time the URL is: http://8.37.231.21/cgtile/v1/zh-CN/HealthAndFitness/Home.xml?cgversion=v6
and is on the task: C:\Windows\explorer.exe
I still have Avast alerts saying:
URL: http://XXX.XXX.XXX.XXX/cgtile/v1/zh-CN/XXXXXX
Infection: URL:Mal
Process: C:\Windows\explorer.exe
I got 4 pop-ups like the above during the past 6 hours. Please help!!!
We need to get a fresh scan from FRST.
- If you still have the Addition.txt file on your desktop, please delete it now.
- Right click the FRST file on your desktop and select “Run as Administrator…” (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- If an update is available, the program will inform you and download the update. Please allow it to do this. Otherwise, just wait for the “The tool is ready to use.” message.
- Please check the Addition.txt in the Option Scan section of FRST.
- Press the Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The tool will also generate another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please paste that along with the FRST.txt into your reply.
Latest logs are here.
FIRST >>>
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box and right click on it and select copy (or you can just click on the (select) next to Code Box). Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-898206778-2942140730-4155687692-1003\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-898206778-2942140730-4155687692-1003\...\RunOnce: [Application Restart #4] => C:\Users\zxupr_000\AppData\Local\Pokki\Engine\HostAppService.exe --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable (the data entry has 557 more characters).
HKU\S-1-5-21-898206778-2942140730-4155687692-1003\...\RunOnce: [Application Restart #2] => C:\Users\zxupr_000\AppData\Local\Pokki\Engine\HostAppService.exe --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable (the data entry has 557 more characters).
C:\Users\zxupr_000\AppData\Local\Pokki
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> DefaultScope {0E7B197B-A3DE-4FD4-A19A-1EECF791D16F} URL = http://www.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0E7B197B-A3DE-4FD4-A19A-1EECF791D16F} URL = http://www.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-898206778-2942140730-4155687692-1003 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-898206778-2942140730-4155687692-1003 -> {0E7B197B-A3DE-4FD4-A19A-1EECF791D16F} URL = http://www.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}
SearchScopes: HKU\S-1-5-21-898206778-2942140730-4155687692-1003 -> {44177982-996D-4b79-B29F-5B60E13A5169} URL = http://www.baidu.com/s?wd={searchTerms}&tn=98012088_dg&ch=5&ie=utf-8
BHO-x32: No Name -> {0C3ED74B-8703-4003-A1F4-2B2A0C450DD2} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Tcpip\..\Interfaces\{8622F9CE-E65B-44DF-9DCC-44BB5A0DB9FB}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
FF Plugin-x32: @alipay.com/NPComBrg701,version=1.0.2011.701 -> C:\windows\system32\itruscert\NPComBrg701.dll No File
FF Plugin-x32: @baidu.com/BaiduExpert-npplugin -> C:\Program Files (x86)\Common Files\Baidu\BDWebAdapter\2.0.175.0\npBDExNP.dll No File
FF Plugin-x32: @kingsfot.com/npkws -> c:\program files (x86)\kingsoft\kingsoft antivirus\npkws.dll No File
c:\program files (x86)\kingsoft
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
C:\Program Files (x86)\Pando Networks
S2 dg597; C:\windows\SysWOW64\dg597\dg597.dll [125296 2015-05-17] ()
S2 DGPNPSEV; E:\DriverGenius2013\DgService.exe [330064 2015-05-17] (MyDrivers.com)
C:\windows\SysWOW64\dg597
E:\DriverGenius2013
R2 DgSafe; C:\windows\system32\drivers\DgSafe.sys [399600 2015-05-17] (MyDrivers.com)
C:\windows\system32\drivers\DgSafe.sys
S2 ksapi64; \??\C:\windows\system32\drivers\ksapi64.sys [X]
S1 NetworkX; \SystemRoot\System32\ckldrv.sys [X]
C:\windows\system32\drivers\ksapi64.sys
C:\Windows\System32\ckldrv.sys
NETSVCx32: dg597 -> C:\windows\SysWOW64\dg597\dg597.dll ()
C:\Users\zxupr_000\.mongorc.js
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: bitsadmin /reset /allusers
Reboot:
end
NOTE: It’s important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply. Also, tell me how your system is running now.
SECOND >>>
AdwCleaner by Xplode
Download AdwCleaner from here or from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.
- Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:
- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done, it will ask to reboot; allow this.
- On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.
Here is the fix log. And I did run AdwCleaner and deleted all those items in the result list after the scan. But just now I still get the same pop-up:
URL: http://8.37.231.21/cgtile/v1/zh-CN/HealthAndFitness/Home.xml?cgversion=v6
Infection: URL:Mal
Process: C:\Windows\explorer.exe
Please help!
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista or later, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Seems it doesn’t work. Still have this pop-up…
URL:MAL 8.37.231.21/cgtile/v1/zh-cn/Sports/Today.xml?cgversion=v6
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box and right click on it and select copy (or you can just click on the (select) next to Code Box). Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-898206778-2942140730-4155687692-1003_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\localserver32 -> C:\Program Files (x86)\Internet Explorer\IExplore.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-898206778-2942140730-4155687692-1003_Classes\CLSID\{08D512D2-7D97-4E22-B7DB-82791106C086}\InprocServer32 -> C:\Users\zxupr_000\AppData\Roaming\alipay\cf\alicdo_x64.dll (Alipay)
CustomCLSID: HKU\S-1-5-21-898206778-2942140730-4155687692-1003_Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InprocServer32 -> E:\IDM Computer Solutions\UltraEdit\ue64ctmn.dll ()
C:\Users\zxupr_000\AppData\Roaming\alipay\cf\alicdo_x64.dll
E:\IDM Computer Solutions\UltraEdit\ue64ctmn.dll
EmptyTemp:
Reboot:
end
NOTE: It’s important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply. Also, tell me how your system is running now.
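Both fixlists in this thread (the FIRST >>> one with the Pokki autoruns, Baidu search scopes, orphaned plugins, unsigned services and the ten-entry NameServer list, and the second one with the CustomCLSID entries) were built by reading FRST.txt/Addition.txt by hand and picking out the entries worth removing. The script below is an added example, not FRST's own code and not something posted in the thread: it shows the kind of first-pass triage a helper does on those lines, using a constructed sample of FRST-style lines modelled on the ones quoted above. The categories, the search-provider allowlist and the "more than two resolvers" threshold are my assumptions for illustration; FRST itself has no such classifier.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: FRST-style lines modelled on the ones quoted in this
# thread. This is not a real FRST.txt/Addition.txt file.
SAMPLE_LOG = r"""
HKU\S-1-5-21-898206778-2942140730-4155687692-1003\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-898206778-2942140730-4155687692-1003\...\RunOnce: [Application Restart #4] => C:\Users\zxupr_000\AppData\Local\Pokki\Engine\HostAppService.exe --disable-internal-flash --noerrdialogs --disable-web-security
SearchScopes: HKLM -> DefaultScope {0E7B197B-A3DE-4FD4-A19A-1EECF791D16F} URL = http://www.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}
SearchScopes: HKU\S-1-5-21-898206778-2942140730-4155687692-1003 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO-x32: No Name -> {0C3ED74B-8703-4003-A1F4-2B2A0C450DD2} -> No File
FF Plugin-x32: @kingsfot.com/npkws -> c:\program files (x86)\kingsoft\kingsoft antivirus\npkws.dll No File
S2 dg597; C:\windows\SysWOW64\dg597\dg597.dll [125296 2015-05-17] ()
R2 DgSafe; C:\windows\system32\drivers\DgSafe.sys [399600 2015-05-17] (MyDrivers.com)
S2 ksapi64; \??\C:\windows\system32\drivers\ksapi64.sys [X]
Tcpip\..\Interfaces\{8622F9CE-E65B-44DF-9DCC-44BB5A0DB9FB}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220
"""

# Assumption: the search providers this user actually expects to see.
SEARCH_ALLOWLIST = {"www.google.com", "www.bing.com"}

# Service/driver line: "<S|R><n> <name>; <path> [<size> <date>] (<publisher>)"
SERVICE_RE = re.compile(r"^[RS]\d+ (\S+); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \((.*)\)$")
SEARCH_RE = re.compile(r"^SearchScopes: .*URL = (\S+)$")
AUTORUN_RE = re.compile(r"^HK(LM|U)\\.*\\Run(Once)?: ")
NAMESERVER_RE = re.compile(r"\[NameServer\] (.+)$")


@dataclass
class Finding:
    category: str
    line: str


def triage(log_text):
    """Classify FRST-style lines into review categories (assumed categories)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. Orphans: registry/plugin entries whose backing file is gone.
        #    FRST marks these with "No File" or "[X]"; harmless, but leftovers
        #    of uninstalled software are worth cleaning up.
        if line.endswith("No File") or line.endswith("[X]"):
            findings.append(Finding("orphan", line))
        # 2. Services/drivers whose publisher field is empty "()".
        m = SERVICE_RE.match(line)
        if m and m.group(3) == "":
            findings.append(Finding("unsigned_service", line))
        # 3. Search scopes pointing at a provider outside the allowlist
        #    (the Baidu scopes in this thread are the classic hijack sign).
        m = SEARCH_RE.match(line)
        if m:
            host = re.match(r"https?://([^/]+)", m.group(1))
            if host and host.group(1) not in SEARCH_ALLOWLIST:
                findings.append(Finding("search_hijack", line))
        # 4. Autoruns launching an embedded browser engine with
        #    --disable-web-security, which turns off same-origin checks.
        if AUTORUN_RE.match(line) and "--disable-web-security" in line:
            findings.append(Finding("weakened_browser_flags", line))
        # 5. Interfaces configured with an unusually long resolver list.
        m = NAMESERVER_RE.search(line)
        if m and len(m.group(1).split(",")) > 2:
            findings.append(Finding("many_resolvers", line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'orphan': 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.category:24} {f.line[:90]}")
    print(summarize(results))
```

Run against the sample it reports three orphans, one service with no publisher (dg597), one hijacked search scope (the Baidu DefaultScope), one Pokki RunOnce entry carrying --disable-web-security, and the six-resolver NameServer line; the Google scope and the DgSafe driver, which has a publisher, pass. The output is a shortlist for a human to review, not a removal list: an entry with an empty publisher or a missing file is a reason to look, not proof of malice.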