URL:Mal alert every time I change pages, open tabs, open Chrome

Hi,

I get the URL:Mal alert every time I change pages, open a new tab or open Chrome.

I went through the ‘Logs to assist in cleaning malware’ topic and below are the various logs produced.

Any help would be great.

Thanks

Hels

Could you confirm it is just Chrome?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR StartupUrls: Default -> "hxxp://www.google.com", "hxxp://start.mysearchdial.com/?f=1&a=coolmsd&cd=2XzuyEtN2Y1L1Qzu0EzztDtAzy0AtDzz0C0A0ByDtBtD0CtCtN0D0Tzu0CyDzytBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q&cr=279350637&ir="
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi,

Thanks for the reply.

Just checked Firefox, it only happens when I initially open the browser, not when I change pages or open new tabs. Checked IE and it doesn’t happen at all on that.

Should I still do what you say above or does the above info make any difference?

Also, just noticed that when I have ZENMate active it doesn’t happen but when it’s off, it happens as I described above. Might be useful info.

Thanks

Yes, run the fix and then try both FF and Chrome.

Have done both things but still getting the alert on both Firefox and Chrome.

Should I run them again in case I messed up?

Have attached both logs.

Thanks

Hels

Could you attach a screenshot of the avast popup please?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

That seems to have done the trick, no pop ups on Chrome or when I open Firefox.

So that’s great, thanks for all your help.

I’ve attached the screen shot and the log of the ComboFix.

Thanks again, computer seems to be running normally.

Hels

Been trying to move some files from my video library to an external hard drive, normally just moves over no problem, now taking forever, preparing to move it and no names in the moving to and from lists in the info box, same when deleting, see the attached screen shots. Should I reboot and see if that cures it?

Thanks

I rebooted to sort out the moving and deleting issues I mentioned above and as soon as I opened Chrome I got the avast pop up back, and back when I opened Firefox.

I’ve attached the screen shot for the Firefox avast pop up.

I thought it had worked before.

What now? Do I go through all the procedure again?

Thanks for your help. Is it significant that it doesn’t happen so much when Zenmate is on?

Hi,

Unfortunately this is still happening as described in the beginning, what else can I do to make it stop?

When Zenmate is turned on it doesn’t happen, when I turn it off it’s as before, every page, every tab, when I open Chrome and when I initially open Firefox. Anything else I need to do, or should I do it all again?

Thanks for all your help.

Hels

Zenmate is a VPN, is that correct?

If so your router may be infected, do you know how to reset the router?

Yes, Zenmate disguises your IP address.

Reset router by turning it on and off or something a bit more involved?

I don’t think this is happening on the other laptop that uses the same router.

Edit - Had a look on the Sky website and to reset to factory settings I use a pin in the reset button at the back of the router. Is that what you mean or is there something more technical?

Hi again,

Have reset the router using the reset button on the back of the Sky hub. This is supposed to take it back to factory settings.

Still getting the alert as before. Any other solutions you can think of? Should I go through the original procedure again?

Many thanks for all your help, it is much appreciated.

Hels

OK, could I have a fresh FRST scan please?

I’ve been having a search on Google for the same problem and came across advice to disable an extension in Chrome - AS Magic for Acestream player, have disabled it and now not getting alerts on Chrome, at the moment, but still getting them on Firefox. But it also said it wouldn’t be a permanent solution, so who knows.

Attached log for fresh FRST scan.

Edit - just removed the extension in Firefox for the same AS Magic player and the avast alert has stopped when I restarted it - could that be it?

Edit 2 - uninstalled Acestream player, cleared the registry, downloaded it again but not installed yet and unticked the extensions for browser button, rebooted PC, and on opening Chrome got the URL:Mal alert, but not on Firefox and only when opening Chrome on start up, not on the new pages etc.

I can see no sign of it in Chrome but this will remove it in FF.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

FF Extension: AS Magic Player - C:\Users\Hels\AppData\Roaming\Mozilla\Firefox\Profiles\6jom8e9f.default\Extensions\magicplayer@acestream.org [2014-08-24]
CHR StartupUrls: Default -> "hxxp://www.google.com", "hxxp://start.mysearchdial.com/?f=1&a=coolmsd&cd=2XzuyEtN2Y1L1Qzu0EzztDtAzy0AtDzz0C0A0ByDtBtD0CtCtN0D0Tzu0CyDzytBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q&cr=279350637&ir="
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
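
Added example, not part of the original thread and not FRST's own code: the "CHR StartupUrls" line in the fixlist above reports a hijacked Chrome startup page, and the same check can be made by reading the profile's Preferences file directly. The sketch assumes the file is JSON with the startup pages under session.startup_urls and session.restore_on_startup set to 4 when they are in use; the allowlist and the shortened sample entry are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of a Chrome "Preferences" file (assumed JSON layout).
# URLs are kept defanged (hxxp) and shortened, as in the FRST log.
SAMPLE_PREFS = json.dumps({
    "session": {
        "restore_on_startup": 4,  # assumed: 4 = "open a specific set of pages"
        "startup_urls": [
            "hxxp://www.google.com",
            "hxxp://start.mysearchdial.com/?f=1",
        ],
    }
})

ALLOWED_HOSTS = {"google.com"}  # hypothetical allowlist for this machine


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_startup_urls(prefs_text, allowed=ALLOWED_HOSTS):
    """Return startup URLs whose host is not on the allowlist."""
    prefs = json.loads(prefs_text)
    session = prefs.get("session") or {}
    unexpected = []
    for url in session.get("startup_urls") or []:
        if not isinstance(url, str):
            continue
        # Undo the hxxp defanging only for parsing; report the value as stored.
        host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
        if not host_allowed(host, allowed):
            unexpected.append((host, url))
    return {
        "active": session.get("restore_on_startup") == 4,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = audit_startup_urls(SAMPLE_PREFS)
    print("startup pages in use:", report["active"])
    for host, url in report["unexpected"]:
        print("unexpected startup URL:", host, "->", url)
```
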

Hi, have done that, the log is attached.

Seems to have sorted out chrome and firefox, thank you very much for your help, so far so good.

Now to try to install Acestream player without it happening again, but at least I’ll know the cause this time.

OK, let me know how it goes.

Will do, thanks again for all your time and info, much appreciated.