Another getusaaall.info infection

It seems this one is spreading like crazy the past few days. Installed some random things over the past week getting my new Windows install up and running. Avast now pops up every few minutes with the warning:

URL:Mal hxxp://getusaaall.info/?e=svon&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=…

in svchost.exe.

Yep 'tis the new kid on the block. Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR Extension: (Speed Dial) - C:\Users\Josh\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi [2014-05-31]
C:\Users\Josh\AppData\Local\Temp\raptrpatch.exe
C:\Users\Josh\AppData\Local\Temp\raptr_stub.exe
C:\Users\Josh\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\Josh\AppData\Local\Temp\ubiCDC9.tmp.exe
C:\Users\Josh\AppData\Local\Temp\xmlUpdater.exe
C:\Users\Josh\db.dat
C:\Users\Josh\db_backup.dat
CMD: ipconfig /release
CMD: netsh int ip reset
CMD: ipconfig /renew
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Still getting the warning popup. See attached logs.

OK time to see if we can locate the miscreant… We have not had much luck so far though

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
[*]Save it to the desktop.
[*]Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO

[*]If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

See attached log. Again thanks for the help.

Could you open Silent Runners and select File > Save as … and in the encoding box at the bottom ensure that ANSI is selected. Save it and then re-attach.

saved as ansi

Nothing there. Do you have a Windows CD, as I would like to work whilst Windows is inactive? If not I can give you a link to create a recovery console on USB.

No I don't. Let me know how to do it through USB.

Download the following three programmes to your desktop:

1. Rufus

For 64-bit systems:

2. Windows 8.1 64-bit RC (I will PM this link)
3. Farbar Recovery Scan Tool x64

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here.

Windows 8 screen shots

When you reboot you will see this.

Select the language on this screen and keyboard on the next

https://dl.dropbox.com/u/73555776/select%20language8.JPG

Select the Trouble shoot option

https://dl.dropbox.com/u/73555776/Select%20option8.JPG

Select Advanced option

https://dl.dropbox.com/u/73555776/advanced8.JPG

Select Command prompt

https://dl.dropbox.com/u/73555776/command%208.JPG

At the command prompt type the following:

https://dl.dropbox.com/u/73555776/notepad.JPG

Notepad opens. Under the File menu select Open.
Select “Computer”, find your flash drive letter and close Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I have not been able to get my PC to boot from a USB stick. I have tried multiple USB sticks, and the BIOS is set to boot CD/USB/HD. It seems to not be picking up the USBs during post.

I will keep trying tomorrow.

OK, as you may gather we are having problems with this on 8.1 only; the rest are fairly easily cleared.

Could you empty your Java cache please: https://www.java.com/en/download/help/plugin_cache.xml

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Ran TFC and rebooted. Still infected :-\

I am using Win 8.1

I have someone else running another programme which may reveal the location of the miscreant

Do you have a system restore point from about a week ago ?

No. I do not typically use system restore.

Shame about that as it may be the quickest way… Still awaiting results

Any progress on this guy yet?

Ooops, sorry, I lost notification on this. This should clear it.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
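The fix above resets every BITS job on the machine, so a defender would want to see first whether a BITS job is what keeps contacting the domain in the Avast alert. This is an added example, not something posted in the thread; it assumes a Windows box with the BitsTransfer module and an elevated PowerShell session, and the domain is the one from the warning.

```powershell
# Added example (not from the thread): list BITS jobs for all users and
# flag any whose remote URL references the domain from the Avast alert.
# Assumes an elevated session; without it only the current user's jobs appear.
Import-Module BitsTransfer

$suspectDomain = 'getusaaall.info'   # domain taken from the alert in the thread

# -AllUsers needs administrator rights to see jobs owned by other accounts
$jobs = Get-BitsTransfer -AllUsers

$hits = foreach ($job in $jobs) {
    foreach ($file in $job.FileList) {
        if ($file.RemoteName -like "*$suspectDomain*") {
            [pscustomobject]@{
                JobId     = $job.JobId
                Name      = $job.DisplayName
                Owner     = $job.OwnerAccount
                State     = $job.JobState
                RemoteUrl = $file.RemoteName
                LocalFile = $file.LocalName   # where the download would land
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No BITS job references $suspectDomain (total jobs seen: $($jobs.Count))"
}
```

If a job is listed, note its owner and local file path for the log before the reset; `bitsadmin /reset /allusers` from the fixlist cancels all jobs, whereas `Remove-BitsTransfer` can cancel just the flagged one.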

see attached log

Could you confirm that the alerts have ceased