URL:Mal explorer.exe

I am also having a very hard time removing some malware that Avast is blocking with the Web Shield, identified as URL:Mal being accessed by explorer.exe. The hosts accessed are all random, some just IP addresses, some just garbage domains like cvbksajdfhkl.com, for example, and the files accessed seem random too; I have seen ads.php, and also something about blog_settings.php, I think… not sure, since Avast doesn't seem to have a log of this activity.

I have run several tools, including Spybot, AdwCleaner, HitMan Pro, and MBAM, which have all removed some things. I also tried running Process Explorer, but there aren't any additional things popping up under the explorer.exe process when the Avast popups happen.

Other tools I've run are ComboFix and FRST, but I'm not sure how to use those tools; I think they are only informational?

When I tried to run aswMBR (with virtualization) for the first time, it got hung up on C:\Users\MEnriquez\AppData\LocalLow\Sun\Java\jre1.8.0_45\LZMA_EXE and after a few minutes the system itself froze and I had to do a hard reboot, but the second try it worked…

Anyway, I've attached some log files and I hope we can resolve this promptly, as I am trying to clean up the computer for a friend.

If this does not stop the alerts, could you attach a screenshot of the Avast popup, as that does contain more information?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
HKU\S-1-5-18\...\RunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90140000-001A-0409-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3227577970-3258621487-2268282932-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3227577970-3258621487-2268282932-1000] => localhost:21320
2015-06-24 12:20 - 2015-06-24 12:20 - 00000000 __SHD C:\Users\MEnriquez\AppData\Local\EmieUserList
2015-06-24 12:20 - 2015-06-24 12:20 - 00000000 __SHD C:\Users\MEnriquez\AppData\Local\EmieSiteList
2015-06-24 12:20 - 2015-06-24 12:20 - 00000000 __SHD C:\Users\MEnriquez\AppData\Local\EmieBrowserModeList
Task: {1B9A847B-C893-4E0A-B266-117524448012} - System32\Tasks\4816 => Wscript.exe C:\Users\MENRIQ~1\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {62830906-E220-4A4B-8EAC-5AF561669F10} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
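The fixlist above targets four kinds of persistence that explain the symptoms in the first post: a per-user proxy pointing at localhost:21320 (so a resident process sees every request explorer.exe and the browser make), Internet Explorer policy restrictions, two scheduled tasks with numeric names that run a VBS from the user's Temp folder and launch iexplore.exe unattended, and a set of hidden+system directories created in the same minute. The PowerShell below is an added example for checking those same indicators by hand before and after the fix; it is not part of essexboy's fix, of FRST, or of the thread. It assumes an elevated PowerShell 3.0 or later session on the affected machine, logged in as the user whose SID appears in the fixlist (so HKCU maps to that HKU\S-1-5-21-... hive), and an English locale, because the schtasks CSV column names are locale dependent.

```powershell
# Added example, not from the thread or from FRST. Assumes elevated PowerShell 3.0+,
# run as the affected user (HKCU == the HKU\S-1-5-21-...-1000 hive in the fixlist),
# English locale for the schtasks.exe column names.

function Get-UserProxySetting {
    # fixlist: "ProxyServer: [S-1-5-21-...-1000] => localhost:21320" and "RemoveProxy:"
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        # A proxy that points back at the local machine lets a resident process
        # rewrite every WinINet request; a normal home desktop has none.
        LoopbackProxy = [bool]($p.ProxyServer -match '^(localhost|127\.0\.0\.1)(:\d+)?$')
    }
}

function Get-IEPolicyRestriction {
    # fixlist: "...\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION"
    # Lists every value under the IE policy keys in both hives; on an unmanaged home
    # machine these keys normally do not exist at all.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Microsoft\Internet Explorer"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in @(Get-Item $key) + @(Get-ChildItem -Path $key -Recurse)) {
            foreach ($name in $sub.GetValueNames()) {
                [pscustomobject]@{ Key = $sub.Name; Value = $name; Data = $sub.GetValue($name) }
            }
        }
    }
}

function Get-SuspiciousScheduledTask {
    # fixlist: "Task: ... System32\Tasks\4816 => Wscript.exe ...\AppData\Local\Temp\launchie.vbs //B"
    #          "Task: ... System32\Tasks\0 => Iexplore.exe"
    # schtasks.exe is used instead of Get-ScheduledTask so this also works on Windows 7.
    schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |   # drop the repeated per-folder header rows
        ForEach-Object {
            $run     = $_.'Task To Run'
            $name    = Split-Path -Leaf $_.TaskName
            $reasons = @()
            if ($run -match '(?i)\b(wscript|cscript|mshta|powershell)(\.exe)?\b' -and
                $run -match '(?i)\\(Temp|AppData|ProgramData)\\') {
                $reasons += 'script host run from a user-writable path'
            }
            if ($name -match '^\d+$')              { $reasons += 'numeric task name' }
            if ($run -match '(?i)^\s*iexplore\.exe') { $reasons += 'launches a browser unattended' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Task = $_.TaskName; Command = $run; Reason = ($reasons -join '; ') }
            }
        }
}

function Get-HiddenSystemDir {
    # fixlist: three "__SHD" (system + hidden directory) entries under AppData\Local,
    # all created in the same minute. List such directories with creation time so they
    # can be compared against the FRST log rather than judged by name alone.
    Get-ChildItem -Path $env:LOCALAPPDATA -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSIsContainer -and
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System)
        } |
        Select-Object FullName, CreationTime
}

$proxy = Get-UserProxySetting
if ($proxy.LoopbackProxy) { Write-Warning "Loopback proxy configured: $($proxy.ProxyServer)" }
$proxy                      | Format-List
Get-IEPolicyRestriction     | Format-Table -AutoSize
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-HiddenSystemDir         | Format-Table -AutoSize
```

Run it once before applying the fixlist to confirm the indicators are present, and again after the FRST reboot: the proxy should be gone, the two numeric tasks should no longer be listed, and the IE policy keys should be empty or absent. Because the hidden directories are matched on attributes only, compare what the last function prints with the dated entries in the FRST log before deleting anything it did not name.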

Thank you essexboy… I hadn't noticed the popups yesterday after running MBAM, so maybe it removed the root of the problem? I ran FRST like you asked and attached is the log file… Note that I currently have System Restore disabled and that was the only error I noticed.

I am glad you said that about System Restore, as it saves me asking.

Any further problems?