Url:mal

Viruses and worms
1

Hi all,
I was getting a continuous Url:mal popups from Avast when using google chrome. The error message always varied and nothing was being quarantined. I have used mbam, and avast and just tried combofix (as I read about it elsewhere), to get rid of the problem. Turns out this may have been pretty dumb to do, as now I can’t open any programs - they all say

‘‘Illegal operation attempted on a registry key that has been marked for deletion’’

Would really appreciate any help. I am new to all this stuff, so please bear with me!

Cheers.

2

Ok so turns out I just needed to reboot. But I am still getting the error message from avast, and I have no idea what to do about it.

3

I have no idea of your experience level, so please take this as general information, for others that may also read this. Running some specialist malware detection and correction tools such as combofix, can have serious consequences, some malware if removed in the wrong order can brick a system. So these tools should be used under the guidance of a malware removal specialist.

The ‘‘Illegal operation attempted on a registry key that has been marked for deletion’’ is a known occurrence after having run combofix.

What is the error you are getting from avast ?

4

Hi there, thanks for the reply. I am getting the attached pop-up. In addition to this, I am also getting messages from malwarebytes that it is blocking malware from avast.
I have also run hitmanpro, and roguekiller. Will await any advice before I carry on.
Many thanks.

5

I should also add, malwarebytes cannot find anything, neither can avast, or hitmanpro or roguekiller. I have also run CCleaner.
Thanks again.

6

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.14.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ben :: BEN-PC [administrator]

Protection: Enabled

14/08/2012 14:39:24
mbam-log-2012-08-14 (14-39-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227312
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

7

Have attached OTL logs. I ran it with incorrect settings the first time, when the ‘extras’ log was produced. When I have subsequently run it again with correct settings, the extras log was not reproduced - hopefully the first one suffices.

8

aswMBR log

9

Rk reports

10

The extras.txt file is only generated once, so if the OTL.txt file you attached is the one with the correct settings set prior to running it again, then that should be fine.

A malware removal specialist has been informed of your topic.

11

I got a blue screen a few minutes ago saying that systems settings have been altered. Now running in safe mode. Do I need to do a system restore? Really not sure what to do. Thanks for the help.

12

Don’t do a system restore (unless specifically requested) it could have unexpected consequences and undo any work already done.

With malware cleaning nowadays you can’t really ad-lib and fight it on your own you need specialist help or you could harm your system. One of the tools you have already used HitmanPro in the experience of one of our malware removal specialists can remove files that shouldn’t be removed.

13

Hi David, I had read that. It only produced a log, and said that it had detected nothing. I didnt delete/quarantine/even have to ignore any of its results as it came up with nothing. Cheers,
Ben

14

OK

There may be some delay due to availability of the volunteer malware removal specialists. Not many on-line at the moment and as you can imagine they are pretty busy.

15

Is this only when you use Chrome ? Could you attach the combofix log please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found. O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found. O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

16

Hi Essexboy, thank you very much for helping. Have attached combofix and OTL logs (1 that appeared when it restarted, and one that was produced by the quickscan).
Cheers

17

I should also add, I have run the TDSSkiller, that came up with nothing.
Thanks again.

18

Essexboy is in bed now…check back tomorrow :wink:

19

Are you still getting the alerts ?

20

Yes I am, lots of them. Its not just when chrome is running. The ‘process’ is always different in the pop-up.