URL: MAL

For the past couple of days I have been getting a URL: MAL message. The weird part is that I only get it when clicking on links from Google. I can manually enter any URL and be taken to the site, but if I try and search something on Google and click on it, I receive the message. I have already looked at some of the posts on here and followed several of y'all's advice, but it still is coming up. I did do one scan and it found I had 2 Trojans and one other thing, so I did the fix option and it said they were quarantined and removed successfully, but I am still getting the message. HELP!!

Thanks!

Hi there, let's have a quick look at your system if I may.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

* Close ALL OTHER PROGRAMS.
* Double-click on OTS.exe to start the program.
* Check the box that says Scan All Users.
* Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

* Under the Custom Scan box paste this in:


%USERPROFILE%..|smtmp;true;true;true /FP
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

* Now click the Run Scan button on the toolbar.
* Let it run unhindered until it finishes.
* When the scan is complete, Notepad will open with the report file loaded in it.
* Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Here is the log from the OTS.

Start OTS. Copy/paste the information in the quote box below into the panel where it says "Paste fix here" and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:23012
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:23012
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> 
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3060979761-3190564407-1779587827-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-3060979761-3190564407-1779587827-1000\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\ra860ngf.default\extensions\{483d41bc-6bf0-4bdc-9fc1-1f5ae550a753}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {03B9AFBA-B18E-43F0-918B-EACDAE563915} [HKLM] -> C:\Windows\SysWOW64\AuthFWGP32.dll [Reg Error: Value error.]
[Registry - Additional Scans - Safe List]
< 64bit-Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^Users^Sam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Advanced Registry Optimizer.lnk -> 
[Files/Folders - Modified Within 30 Days]
NY ->  579753263 -> C:\Windows\SysWow64\579753263
NY ->  AuthFWGP32.dll -> C:\Windows\SysWow64\AuthFWGP32.dll
[Files - No Company Name]
NY ->  AuthFWGP32.dll -> C:\Windows\SysWow64\AuthFWGP32.dll
[File - Lop Check]
NY ->  .# -> C:\Users\Sam\AppData\Roaming\.#
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
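The fix above removes two things that explain a URL:MAL hit only on Google result clicks: an Internet Explorer ProxyServer value pointing at 127.0.0.1:23012 (a local proxy that can rewrite or redirect outbound requests) and a BHO loading C:\Windows\SysWOW64\AuthFWGP32.dll. The binary XMLHTTP_UUID_Default value in the same log is the little-endian (COM/registry) byte encoding of that BHO's CLSID {03B9AFBA-B18E-43F0-918B-EACDAE563915}. The following script is an added example written for this page and is not part of the thread or of OTS; it parses OTS-style log lines (a constructed sample made from the lines quoted above plus one made-up non-loopback proxy entry to show the filter) and flags loopback proxies and BHOs whose CLSID matches a decoded marker. The line patterns are assumed from the excerpt shown in this thread only.

```python
"""Triage an OTS (OldTimer's System Scanner) log excerpt for a local proxy hijack.

Added example for this thread; it assumes the line formats visible in the
posted OTS log and nothing more about the tool.
"""
import ipaddress
import re
import uuid

# Constructed sample input: three lines copied from the thread's OTS log plus one
# made-up, non-loopback ProxyServer entry so the loopback filter has something to skip.
SAMPLE_LOG = r"""
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> BA AF B9 03 8E B1 F0 43 91 8B EA CD AE 56 39 15  [binary data]
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:23012
YN -> HKEY_USERS\S-1-5-21-3060979761-3190564407-1779587827-1000\: "ProxyServer" -> http=proxy.corp.example:8080
YY -> {03B9AFBA-B18E-43F0-918B-EACDAE563915} [HKLM] -> C:\Windows\SysWOW64\AuthFWGP32.dll [Reg Error: Value error.]
"""

_PROXY_RE = re.compile(r'^YN -> (HKEY_USERS\\[^\\]+)\\: "ProxyServer" -> (\S+)', re.M)
_MARKER_RE = re.compile(
    r'^YN -> (HKEY_USERS\\[^\\]+)\\: .*"XMLHTTP_UUID_Default" -> '
    r'((?:[0-9A-Fa-f]{2} ){15}[0-9A-Fa-f]{2})', re.M)
_BHO_RE = re.compile(r'^YY -> (\{[0-9A-Fa-f-]{36}\}) \[HKLM\] -> (.+?\.dll)(?=\s|$)', re.M)


def registry_guid(hex_bytes):
    """Decode 16 space-separated registry bytes (little-endian GUID layout) to {CLSID}."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def _proxy_host_port(spec):
    """Split an IE ProxyServer value ('http=host:port;https=...' or 'host:port')."""
    first = spec.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    host, sep, port = first.rpartition(":")
    if not sep:
        return first, None
    return host, int(port) if port.isdigit() else None


def _is_loopback(host):
    """True for localhost, 127.0.0.0/8 or ::1; hostnames that are not IPs are not loopback."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_proxies(log):
    """Return (hive, host, port) for every ProxyServer value that points at the local machine."""
    hits = []
    for hive, spec in _PROXY_RE.findall(log):
        host, port = _proxy_host_port(spec)
        if _is_loopback(host):
            hits.append((hive, host, port))
    return hits


def bho_entries(log):
    """Map each HKLM BHO CLSID in the log to the DLL it loads."""
    return {clsid: path for clsid, path in _BHO_RE.findall(log)}


def uuid_markers(log):
    """Map each hive carrying an XMLHTTP_UUID_Default value to its decoded CLSID."""
    return {hive: registry_guid(hexs) for hive, hexs in _MARKER_RE.findall(log)}


def triage(log):
    """Correlate decoded UUID markers with registered BHOs and list loopback proxies."""
    markers = uuid_markers(log)
    bhos = bho_entries(log)
    seen = set(markers.values())
    return {
        "local_proxies": find_local_proxies(log),
        "bhos": bhos,
        "uuid_markers": markers,
        # BHOs whose CLSID was also planted as a per-hive marker: strong hijack indicator
        "correlated": {g: p for g, p in bhos.items() if g in seen},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the sample triage, or replace SAMPLE_LOG with the text of a real OTS log. Note that the live value OTS labels "Internet Explorer Settings" lives under HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so a hive-by-hive check (including .DEFAULT and the service SIDs S-1-5-18/19/20) is what catches a proxy planted outside the logged-in user's profile.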

I have not done the final thing that you just posted, but the aswMBR scan keeps making my computer restart in the middle of it after it has two things come up in red as "infected." I'm not sure if that step is vital or if you have any other suggestions. I really appreciate all the help!

This is the Notepad log that came up after the OTS fix.

OK, that suggests a bit more than I can see.

Download ComboFix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Link 1
Link 2

==================================

http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.exe.jpg

Double-click on the renamed ComboFix.exe and follow the prompts.

When finished, it will produce a report for you.
* Please post the C:\ComboFix.txt so we can continue cleaning the system.

I’m kinda confused, but I think this is what you wanted.

Yes that is the log he wanted.

It is now 12:25am in the UK, so essexboy will be off-line until later today.

What are your current problems? Have the alerts gone?