Infection URL:Mal

Avast is showing these warnings:

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getusaall.info/?e=pcho
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

and also this one, from time to time:

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getmuzicas.info/?e=pcho
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I have attached the logs from FRST64, MalwareBytes and aswmbr.
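An added example, not from the thread or from Avast: it parses alerts in the Web Shield format quoted above and groups the blocked hosts by originating process, so the detail that matters here (a system process such as svchost.exe, rather than the browser, issuing the requests) stands out. The sample alerts are constructed, and the list of service-host processes is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample in the Avast Web Shield format quoted in the thread (not real log data).
SAMPLE_ALERTS = """\
avast! Web Shield has blocked a harmful webpage or file.
Object: http://getusaall.info/?e=pcho
Infection: URL:Mal
Process: C:\\Windows\\System32\\svchost.exe

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getmuzicas.info/?e=pcho
Infection: URL:Mal
Process: C:\\Windows\\System32\\svchost.exe

avast! Web Shield has blocked a harmful webpage or file.
Object: http://example.test/ad.js
Infection: URL:Mal
Process: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
"""

# Assumed list: processes that reach the web on behalf of services or tasks, not user browsing.
SERVICE_HOST_PROCESSES = {"svchost.exe", "rundll32.exe", "wscript.exe"}

def parse_alerts(text):
    """Split alert text into dicts with 'object', 'infection' and 'process' keys."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"(Object|Infection|Process):\s*(.+)$", line.strip())
            if m:
                fields[m.group(1).lower()] = m.group(2).strip()
        if {"object", "infection", "process"} <= set(fields):
            alerts.append(fields)
    return alerts

def summarize(alerts):
    """Map each originating process (basename, lower-case) to its sorted list of blocked hosts."""
    by_proc = defaultdict(set)
    for a in alerts:
        proc = a["process"].rsplit("\\", 1)[-1].lower()
        host = urlsplit(a["object"]).hostname or a["object"]
        by_proc[proc].add(host)
    return {proc: sorted(hosts) for proc, hosts in by_proc.items()}

def service_origins(summary):
    """Service-host processes seen as the source of a blocked request (points at a task/service, not the browser)."""
    return sorted(p for p in summary if p in SERVICE_HOST_PROCESSES)
```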

OK let's use this programme for you

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Unfortunately ComboFix is not working in Windows 8.1 :(.
I receive the error in the attachment.

Oops, my apologies

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Ran TFC, it cleaned about 700MB, and then I rebooted manually.
What can I do next in order to remove the popups…
Is there any other tool similar to ComboFix for Windows 8.1?

No, that is the problem; I have been unable to determine what ComboFix is doing.

Do you have a system restore point from, say, last week?

Unfortunately I have no system restore point that I can use to revert the system changes.
I am still trying to understand how the infection started.

Could you reset Chrome please: https://support.google.com/chrome/answer/3296214?hl=en-GB

I have reset Google Chrome, even if it did not misbehave, and waited to see the warning popups… and they are back :(

Could you re-run FRST and this time please put a tick in shortcut.txt; this will produce a standard scan and a shortcut scan.

Could you attach both please?

The files created by FRST64 are in the attachment.

OK let's try this

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKCU - {F3B00178-57E6-445F-AC06-7F77E3CC5A17} URL = 
Task: {AA7A34CE-9CAF-4EBB-B15B-F01C805FBF38} - System32\Tasks\Dexpot\1 => C:\Program Files (x86)\Dexpot\autodex.exe [2014-01-03] (Dexpot GbR) <==== ATTENTION
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\cURL Folder.lnk -> C:\Program Files\cURL ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\cURL Manual.lnk -> C:\Program Files\cURL\Manual\index.html ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\SSL Cert Script Manual.lnk -> C:\Program Files\cURL\Manual\mk-ca-bundle.html ()
C:\Program Files\cURL
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

The fixlist log is in the attachment.

The popup warnings still appear.

OK let's do a registry search with FRST

Run FRST and in the box type:

getusaall

Then press the search registry button
Once done a log will appear; please post that

No luck, the search did not find anything (as I can see from the 2 attached files, for both types of popups).

OK been discussing this with Magna …

Disconnect from the internet

To open an Administrator Cmd prompt from the Desktop use Win + X and choose Command Prompt (Admin) from the list.

In the black box type in/copy the following commands, each one followed by Enter:

ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset c:\resetlog.txt
ipconfig /release
ipconfig /renew

Then reboot the computer

Disconnected, ran the commands with the attached output (please note that I connect wirelessly to a home router).
Restarted and waited for some minutes with no network connection and nothing happened.
As soon as I connect to the router and start the internet connection I receive 28 notices from Avast (as in the attached screenshot).

C:\WINDOWS\system32>netsh int ip reset c:\resetlog.txt
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

OK I need to check this out

Yes, I noticed that also, and the file c:\resetlog.txt was not created on the disk.