AnaB29 asked:
How to remove the URL:Mal virus

Hello,
I have a Windows 7 OS that's been infected with 'URL:Mal'.  I've tried the malware removal protocol that I found on this site that has worked in the past for every other issue I've had, but it has failed this time. I've pasted the relevant steps here:

"Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet.
1.      Fix the registry.
2.      Kill the rogue processes spawned by the malware.
3.      Run the scanner to find/repair/delete the infection.

Links to the tools are:
1.      FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2.      RogueKiller (http://www.sur-la-toile.com/RogueKiller/)
3.      Malwarebytes (http://www.malwarebytes.org/) and
                TDSSKILLER (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)"

I've done this regimen three times, but today I was not able to complete it because my current version of Malwarebytes won't run and I'm not allowed to install a new version--it stalls at the choose-a-language dialog box and will not proceed further.

My computer function is diminishing so I need to fix this.  I found a link to do it manually here:
http://blog.mightyuninstaller.com/remove-urlmal-how-to-get-rid-of-urlmal-completely/
but wanted to get advice from you pros before I started, on the best way to get rid of this.

Thanks
Ana
n2fc:

I am concerned that you keep getting this virus...
What AV program do you have monitoring your system?

That said, to reinstall MBAM properly, you should download MBAM-CLEAN:
http://downloads.malwarebytes.org/file/mbam_clean

to clean your registry & files and allow for a fresh install.

You might also want to do a quick scan with "stinger" as another virus check:
http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Also, I believe your link for TDSSKiller may be dated...
Try downloading from here instead:
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Another hint:
Try using RKill instead of RogueKiller...
Download here:
http://www.bleepingcomputer.com/download/rkill/
AnaB29 (asker):

Hello n2fc,

Thanks for the tips.

I'm using Avast, the free version.  Up till now I've never had a problem with just running it once a week, or when I suspect an infection.

I was able to re-install a fresh version of Malwarebytes after following your MBAM-CLEAN link--much appreciated. I ran it, found 9 problems and deleted them.  I also ran TDSSKiller and RKill, but the virus is still here. I ran Stinger and it found no threats.

So now I'm wondering if I should try to remove it following the manual instructions that I linked to in my post...

Any thoughts?

Ana
1) I am not comfortable with the instructions listed in that article... They are vague & in many cases inaccurate. I think following them could potentially do more harm than good.

2) I find it suspicious that the graphic in that article shows Avast... I am wondering if the errors you are encountering are based on Avast being over aggressive on certain web sites...

3) Are you experiencing redirects to other web sites for no reason? How about your browser's default search engine? Has it been changed? How about proxy settings?

Recommendation:
1) Remove all proxy settings (if not done already)
2) Reset default search engine to Google and remove others like Conduit, ask, etc.
3) Uninstall all toolbars

Also, what were the 9 issues MBAM found? Anything related to your symptoms?

You MIGHT want to consider uninstalling AVAST and installing Microsoft Security Essentials instead...  I have used this AV since it was first offered and it has performed admirably for me...

You can download it here:
http://windows.microsoft.com/en-us/windows/security-essentials-download

==============================
Also, read the article here:
http://forum.avast.com/index.php?topic=132417.0

According to the Avast support site (as I suspected in my initial note (2) above)...
The indicator "URL:Mal" from Avast is a complaint FOR THE WEBSITE YOU ARE GOING TO and NOT an infection on your PC!!
Here is another (related post):
http://www.bleepingcomputer.com/forums/t/405253/google-redirects-and-avast-reports-url-mal-infection/

See item #4...
You can try following the instructions for the ESET online scan, after making certain that you have the latest JAVA version installed...

The latest version (at this time) is 1.7 U25... If you have older versions, go to the Control Panel and UNINSTALL THEM ALL... Then install the latest by downloading from here:

http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
AnaB29 (asker):

I wasn't sure either, that is why I asked about those instructions here.  
I am no kind of expert, but I try to fix the issues that come up so I can learn more.

My default search engine did not change and I already have removed all others ages ago. I'm going to go through the list of your latest tips, follow the steps and let you know the results.

The 9 issues that MBAM  found were unrelated as far as I could tell, but one of the problems that I had with my computer that I thought was associated with the virus was eradicated after I did the scan.

Thanks and I'll be in touch shortly.
Ana
AnaB29 (asker):

Good morning,

OK.  I uninstalled all old java and updated from Oracle.
Removed proxy settings
I only have one tool bar that I use a lot (web developer) so I haven't uninstalled it yet.

I did find a Gorilla Price Helper extension, which is related to my issue, and I removed that. The only other extension I have is Firebug.

I did the ESET scan and it found two items that I removed.

I did a CKScanner and it found no malicious files.

Avast is still telling me that it has saved me from disaster each time I turn on my computer and almost every time I open a browser. The process it refers to is Gorilla Price in my Users/AppData/Roaming folder on my C drive.

I tried to uninstall it but it takes me to this page:  http://uninstaller.gorillaprice.com/uninstaller.html  which says I need to download an uninstaller to do it, and of course I'm wary of that.  If I delete the folder from my C drive will that remove it as well?

Ana
I would be leery of that uninstaller as well... Gorilla Price is known malware...

I am surprised that MBAM did not remove it, though!

Do you use multiple browsers?  You should disable it in each of the browsers individually.

You will not be able to delete that folder if GP is running... You may need to either do it immediately after a reboot, or after a reboot in safe-mode.

Another utility you might try is HijackThis (2.04)... It can show all potential registry errors, but takes a little bit of analysis to take the proper corrective actions.  If you wish, you can run it and save the log; attach it on a reply & I will look at it for you...

Download & run instructions:
http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/
AnaB29 (asker):

Thank you so much for your help.  I've attached the log file from HijackThis.  There were at least 2 instances of Gorilla Price in the results.

I also found a Malwarebytes forum thread on this subject. Someone else with this problem was not able to remove it with Malwarebytes either.
http://forums.malwarebytes.org/index.php?showtopic=129076

I look forward to advice.
Ana
hijackthis.log
AnaB29 (asker):

...also... when I ran HijackThis, halfway through the list creation/scan it gave me this message.

[attached screenshot of the message]
Let's get the 2nd item first... This is easily fixed by running HJT "as administrator"...
You can either right-click & select "run as admin" each time or right-click, select "properties" and on the "compatibility" tab, check "run as admin" & save that as a permanent setting...

As to the log:
Issues are:

Running processes:
C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice\gopr.exe

O4 - HKLM\..\Run: [GorillaPrice] "C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice\gopr.exe"
O4 - HKCU\..\Run: [GorillaPrice] "C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice\gopr.exe"


O23 - Service: WatGorp - Unknown owner - C:\ProgramData\GorillaPrice\WatGorp.exe

Steps to correct:
1) Using taskmgr you need to stop the gopr.exe process (kill it)... You can either use the Windows task manager, RKill, and/or the process manager in HJT (found in main menu => misc tools => process manager (1st item in system tools)).  Using any of these tools, kill that process so it can be deleted.

2) You also need to disable the service watgorp in the O23 error...
run "services.msc" from a command prompt or the start menu... select "standard" at the bottom to make the list easier to read... scroll down to find "watgorp" (might be under the "w" or "g" list... just scroll until you find it & double-click to get to properties...
Then hit "stop" until the service stops, followed by changing the "startup type" to "disabled"... hit "apply" & OK...

3) finally you can select all the gorilla junk in the HJT log & click "fix checked" to correct the registry entries...

4) You should then be able to delete the associated programs from the listed paths...

GOOD LUCK!
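An added example, not part of the thread: a PowerShell audit that reports the two persistence mechanisms the HijackThis log above shows (O4 Run-key values and an O23 service) whenever their executable lives under a profile's AppData or under ProgramData, plus any running process from those directories. The Run-key paths, the folder patterns, and the Set-Service/Remove-ItemProperty lines are my additions; the names gopr, WatGorp and GorillaPrice come from the log in the thread. It only reports; the remediation lines at the end are shown with -WhatIf.

```powershell
# Audit persistence entries pointing into user-writable data directories
# (Windows 7 / PowerShell 2.0 compatible; run from an elevated PowerShell).

$suspectRoots = @("\AppData\Roaming\", "\AppData\Local\", "\ProgramData\")
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

function Test-SuspectPath([string]$path) {
    foreach ($root in $suspectRoots) {
        if ($path -like "*$root*") { return $true }
    }
    return $false
}

# O4-style entries: every value under the HKLM and HKCU Run keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }   # skip PowerShell's own metadata properties
        if (Test-SuspectPath $p.Value) {
            "O4  $key  [$($p.Name)] = $($p.Value)"
        }
    }
}

# O23-style entries: services whose binary path lives in a data directory
Get-WmiObject Win32_Service | Where-Object { Test-SuspectPath $_.PathName } |
    ForEach-Object { "O23 Service: $($_.Name) ($($_.State), $($_.StartMode)) - $($_.PathName)" }

# The log's "Running processes" section: anything currently executing from those directories
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Test-SuspectPath $_.Path) } |
    ForEach-Object { "PRC PID $($_.Id) $($_.Path)" }

# Equivalents of steps 1-3 above for a confirmed hit (remove -WhatIf to act):
Stop-Process -Name gopr -Force -WhatIf
Set-Service -Name WatGorp -StartupType Disabled -WhatIf
Stop-Service -Name WatGorp -WhatIf
Remove-ItemProperty -Path $runKeys[0] -Name GorillaPrice -WhatIf
Remove-ItemProperty -Path $runKeys[1] -Name GorillaPrice -WhatIf
```

Running the audit again after a reboot shows whether the entries are recreated, which is the symptom reported later in this thread.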
AnaB29 (asker):

Thanks, but these steps did not work.  The malware returns with each reboot of the system.  Any other ideas or should I crash the system and re-install?

Ana
Need a bit more info than "it didn't work"...
What IS happening??

Are you being prevented from deleting the gorilla stuff by running processes?

There are several more ways to try to delete them:

1) try doing so in safe-mode
2) use a program called "unlocker" to delete them
3) attach the hard drive as a slave to another (good) PC and remove them offline.
AnaB29 (asker):

This is what's happening:

Avast is still 'blocking vicious URLs' and gorilla price helper is still on my box.

Using HijackThis and Windows task manager, I've killed and ended the Gorilla process a total of three times.

The WatGorp service thingy did stay disabled, but any uninstall attempts of the program still lead to a web page that I'm not clicking on, so it remains installed.

I will try #1 and #2 above, today.  If they fail, I'll not be able to do number three until later in the weekend, when my other computer will be available.

Thanks again!
Ana
ASKER CERTIFIED SOLUTION
n2fc:
AnaB29 (asker):

Hello,

I ended up having to use ComboFix to get rid of the GorillaPrice malware--YEAH, IT'S GONE!!

It would not delete in safe mode; I did not try Unlocker or hooking the HDD up as a slave, as I'm out of time and must have this system functional before Monday.

I sincerely thank you for all of your timely help and patience--this malware was a bugger!!
I gave the solution a C grade only because it wasn't actually the solution, NOT AT ALL a reflection on you, and there is no radio button for "Not the solution but I appreciate your efforts and time"

Thanks again and all the best,
Ana
Sorry I did not mention ComboFix earlier, but only because many users find it complicated & scary...  Also, there is more potential (not that I have SEEN it happen, but others have told me) that it could screw up a system... They HIGHLY recommend having a good backup before using & making sure the Windows Recovery Console is installed before using it...

That said, it would have been my final recommendation had all else recommended above failed!

Glad you finally got rid of the bugger!
AnaB29 (asker):

No worries! It's gone now and that's what matters.

I read all the warnings and two sets of instructions for ComboFix and was girding myself for a long, drawn out, scary and complicated task.  It was nothing of the sort.  It went smoothly and to the letter of the instructions that I found here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. It only took 25 minutes from start to finish.

Thanks again and have a wonderful day!
Ana