URL:Mal in Windows Explorer.exe & iexplore.exe - Help!!

hi,

i keep getting this pop-up coming up in Avast, referring to a URL:Mal & HTML:Iframe-inf viruses. I can usually get rid of viruses no problem, but this is a stubborn little bugger. I tried adw cleaner, JRT, Malwarebytes & Hitman Pro, but this wouldn’t shift it, so I need some help please.

Shall I install Combofix and then post the log below?

Thanks

Paul

Hello,

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Hi Twinheaded eagle, please find links to the logs as instructed. How do you attach a txt file to the post please?

Thanks for your help :slight_smile:

FRST.txt
http://1drv.ms/1OS2z35

Addition.txt
http://1drv.ms/1OS2OuX

Please upload all reports here, I cannot access these.

How do you attach a txt file to the post please?
Below the box you write in ... [b]Attachments and other options[/b]

Hi,

Please find attached.

Thanks

Can I please get some help with this, it keeps popping up every few seconds and is seriously annoying. The virus is in explorer.exe and everytime i do something on the comp, it tries to connect to a URL. Please help, thanks :slight_smile:

Be patient … TwinHeadedEagle is not online 24/7 and he is using his free time helping here

No worries :slight_smile:

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[]Wait patiently until the main console will appear, it may take a minute or two.
[
]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /reset /allusers;b
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Ok thanks, will do it now

Hi, please see results of zoek scan below:

Zoek.exe v5.0.0.0 Updated 05-March-2015
Tool run by PAULC_DJ on 04/05/2015 at 20:11:24.83.
Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\PAULC_DJ\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

04/05/2015 20:13:57 Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Citrix deleted successfully
C:\Program Files\Google deleted successfully
C:\PROGRA~3\Freemake deleted successfully
C:\PROGRA~3\Malwarebytes’ Anti-Malware (portable) deleted successfully
C:\PROGRA~3{BAF091CA-86C4-4627-ADA1-897E2621C1B0} deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Citrix not found
C:\PROGRA~3\Malwarebytes’ Anti-Malware (portable) not found
C:\PROGRA~3{BAF091CA-86C4-4627-ADA1-897E2621C1B0} not found
C:\PROGRA~2\GUTE524.tmp deleted
C:\PROGRA~2\GUME523.tmp deleted
C:\Users\PAULC_DJ\AppData\Roaming\ProductData deleted
C:\PROGRA~3\ProductData deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\Tasks\avast! Emergency Update deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-2523403953-2462464224-901579875-1000 deleted
C:\Users\PAULC_DJ\AppData\LocalLow\ADSRemoval deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
“C:\Users\PAULC_DJ\AppData\Roaming\LAEZOLJ” deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [04/05/2015 00:13]

==== Chromium Look ======================

Google Chrome Version: 42.0.2311.135 (Could not determine latest Stable Version)

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[15/04/2015 02:39]
hdokiejnpimakedhajhdlcegeplioahd - No path found
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[14/07/2014 18:22]

Bookmark Manager - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Avast Online Security - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
LastPass - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd
Save as PDF - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpdjmbiefanbdgnkcikhllpmjnnllbbc
Chrome Hotword Shared Module - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Skype Click to Call - PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

==== Chromium Fix ======================

C:\Users\PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_jumboenergysaver.en.alibaba.com_0.localstorage deleted successfully
C:\Users\PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_jumboenergysaver.en.alibaba.com_0.localstorage-journal deleted successfully
C:\Users\PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savemesanfrancisco.com_0.localstorage deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157
“Search Bar”=“http://www.google.com
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
“Search Bar”=“http://www.google.com
“Start Page Redirect Cache”=“http://www.google.com
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
“Search Bar”=“http://www.google.com
“Start Page Redirect Cache”=“http://www.google.com

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Search Bar”=“http://go.microsoft.com/fwlink/?LinkId=54896
“Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
“Search Bar”=“http://go.microsoft.com/fwlink/?LinkId=54896
“Start Page Redirect Cache”=“http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
“Search Bar”=“http://go.microsoft.com/fwlink/?LinkId=54896
“Start Page Redirect Cache”=“http://go.microsoft.com/fwlink/?LinkId=69157

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{6A1806CD-94D4-4689-BA73-E35EA1EA9990}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url=“http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7AVND_enGB610

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Policies\Chromium deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\PAULC_DJ\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\PAULC_DJ\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0U664K2N will be deleted at reboot

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\PAULC_DJ\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=92 folders=12 76492471 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\PAULC_DJ\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\PAULC_DJ\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

“C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\MpCmdRun.log” not found
“C:\Users\PAULC_DJ\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0U664K2N” not found
“C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low” not deleted

==== EOF on 04/05/2015 at 21:35:32.14 ======================

How is your PC behaving now?

Still getting the pop-up, not as much, but generally when I open a new browser window or url, so quite a lot really mate. Infact it just did it while I was typing this, twice.

I tried malwarebytes rootkit remover, but no difference. This is buried deep… :frowning:

Whats the next move then Eagle? :-/

Does it happen in all browsers?

Yes, it does mate

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Hi Eagle,

Please find FARBAR scan results attached.

Thanks