URL:Mal Infection

I seem to have somehow caught the URL:Mal bug.

Avast is reporting the problem when closing a tab when leaving some, but not all, websites in Chrome.

I have run Malwarebytes, FRST and aswMBR and I have attached the logs.

I have also noticed the file MBR.dat appeared on my Desktop. Not sure if that is related to URL:Mal or from running the scans I just mentioned.

Hopefully someone can help me get rid of the problem.

Thanks for your help,

Phil

Not sure if this will help but I just noticed that I also get the URL:Mal warning when pressing Play on some YouTube videos.

Thanks,

Phil

Hello Phil in Ottawa and welcome to avast!. I will be working on your Malware issues. :slight_smile:

I do not see any loaded malware in the posted logs. Nevertheless, we shall perform the check from another point of view.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  1. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach log report (ComboFix.txt) back to topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Hi magna86,

I have run Combofix and have attached the logs.

Thanks for your help,

Phil

Here’s something that may or may not help resolve the issue.

The website identified by Avast when the URL:Mal is detected always seems to be http://yt.extensionsstats.com

Hope this helps,

Phil

I just saw this:

Since I also have the Open SEO Stats, I disabled it and the URL:Mal warnings seemed to stop.

So I enabled Open SEO Stats again, tried the YouTube videos that gave me problems before and the warnings returned.

I have now disabled Open SEO Stats again and there are no warnings when playing the videos.

I’ll keep monitoring and let you know if the warnings return.

If there’s anything else I should do, let me know.

Thanks for your help magna86 and also thanks to EllieW for the tip about Open SEO Stats.

Phil
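
Added example, not part of the original thread or any poster's code: one way to find which installed Chrome extension references the host Avast flagged is to search each extension's unpacked files for it. The profile path is the assumed Windows default, and the extension names, ids and file contents in `demo()` are constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

FLAGGED_HOST = "yt.extensionsstats.com"  # host Avast reported in this thread
SCANNED_SUFFIXES = {".js", ".json", ".html"}

def default_extensions_dir():
    # Assumption: default Chrome profile on Windows.
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

def find_extensions_referencing(ext_root, host=FLAGGED_HOST):
    """Map extension id -> {"name", "files"} for extensions whose files mention host."""
    hits, needle = {}, host.encode()
    # Layout: <Extensions>/<extension id>/<version>/manifest.json
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            # The name may be a localisation placeholder such as __MSG_appName__.
            name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
        except (OSError, ValueError, AttributeError):
            name = "?"
        for path in sorted(version_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
                continue
            try:
                found = needle in path.read_bytes()
            except OSError:
                continue
            if found:
                entry = hits.setdefault(version_dir.parent.name, {"name": name, "files": []})
                entry["files"].append(path.relative_to(version_dir).as_posix())
    return hits

def demo():
    """Run the scan over a constructed two-extension tree (not real extension data)."""
    samples = {
        "a" * 32: ("Constructed Stats Helper", "fetch('http://yt.extensionsstats.com/x');"),
        "b" * 32: ("Constructed Clean Extension", "console.log('ok');"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, (name, script) in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps({"name": name}))
            (version_dir / "background.js").write_text(script)
        return find_extensions_referencing(tmp)
```

On the affected machine, `find_extensions_referencing(default_extensions_dir())` returns the ids to look up on the chrome://extensions page; an empty result means no unpacked extension file contains the host as a literal string.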

Glad we could help. Posted logs appear clean and show no signs of active infection. You should be good to go …

We’re gonna remove my used tools now as well as carry out some further cleaning and security settings. To learn more about how to protect yourself I’ll give you a few tips for reading.

I recommend you contact avast! support using the following form, ‘Report a Virus’ section:
http://www.avast.com/contacts

The following will implement some post-cleanup procedures:


It is necessary to uninstall ComboFix:

• Click Start, then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.

• In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• Then click OK (or press Enter).

Wait until the uninstall process is complete. This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.


Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore

Click the Run button and wait a few seconds until the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced security tools and should not be used without supervision.


Learn how to protect yourself?

=> In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Keeping Java and Adobe updated is a priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader

=> I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

For security protection, an active antivirus is required. If you want to reinforce your security setup I recommend additional security software and utilities:
Download and install Malwarebytes’ Anti-Malware and perform ‘Threat Scan’ from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keep your checkboxes clear by preventing installing additional adware and other PUP bad software.
Download and install AdBlock for safe web browser surfing without annoying and malicious advertising ads.

Extra text for reading:

Please visit FAQ - Answers to common security questions - Best Practices to read tips on how to protect yourself against malware infection.

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

You may also visit and read What to do if your Computer is running slowly? if you like to read some basic geek stuff.

The specific type of infection:

Meet CryptoPrevent. Security app that shall attempt to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ ;
Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Stay safe.

Best Regards,
magna86

Thanks magna86.

But I’m having some problems.

First, my computer seems sluggish. Second, I used to have iTunes start at boot-up and it no longer starts. Third, my Sidebar doesn’t work anymore.

But the biggest problem is when I do as you instruct to uninstall ComboFix and click on the “ComboFix /Uninstall”, the Start menu disappears but nothing appears to run. Then my Start menu no longer responds. When I click the Windows symbol, the Start menu appears but I can’t select anything or enter anything in the Start Search. I can’t do a Shutdown and have to cycle the power to reboot.

Any help will be greatly appreciated,

Phil

Magna answered.

Hello Phil in Ottawa,

Related to the sluggish thing, you may follow the tips I’ve posted above on how to speed up your PC. About the iTunes issue, just check the settings. Or you can always paste the iTunes icon into the StartUp folder. Related to the sidebar issue, I do not know why it does not work.

All of this you mentioned doesn’t have anything to do with the additional checks we made. If it had any connection I would have seen that.

You may skip the ComboFix Uninstall step. DelFix shall as well perform removal of all ComboFix files for you.

I think your computer just stumbled upon some laggy time, it should be resolved.

Thanks again magna86.

I rebooted and iTunes and the Sidebar came back. Not sure what happened there but it all seems good now.

And the system appears to be back to normal speed. Again, that’s good.

I ran DelFix and I got this one error:
Error when deleting (1) : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR
Is that anything to worry about?

I also noticed Malwarebytes is still installed. When I hover over the System Tray icon it says it’s a Trial version. I know you recommend Malwarebytes, so can I continue with the Trial version or should I buy the Premium version?

Thanks for all your help,

Phil

Hi Phil in Ottawa,

I ran DelFix and I got this one error

DelFix for some reason failed to delete the aswMBR’s driver. Nothing to worry about. :wink:

Malwarebytes has active Premium for 14 days. After that, Malwarebytes shall remain in Free version. To keep Malwarebytes is your decision. To purchase Premium is your decision too.

:wink:

Thanks for all the help. Very much appreciated :slight_smile: