*SOLVED* Malware intrusion (hxxp://getusaaall.info/)

- Solved by essexboy -

Hey, I see there are many who have the same problem as me.
Tried all the suggested solutions, but none did the trick for me.

This is the message Avast gives me:
URL:
hxxp://getusaaall.info/?e=ytr&dd=19&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=1614&country=NO&prv=Adblocker&ind=7206959528286563583&exid=1405353279320212281&ssd=2470819880494300911&hid=14488796619919435485&osid=601&channel=0&sfx=1&jc=1&utid=3&category_name=YoutubeAdblocker&install_date=20130714

URL:Mal

It looks like Avast blocks it from doing whatever it’s supposed to do; I get these notifications (they appear in groups of 5) with 5-10 min in between, including on startup (once I’m connected to the internet).

I’m adding the files from MWB, aswMWB and FRST.

In advance, thanks :slight_smile:
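The repeating URL:Mal notifications described above carry two things a defender can extract: the host being contacted and the tagging parameters in the query string (publisher, country, category_name, install_date), which identify the adware campaign rather than the victim. The script below is an added example and is not part of the original post or of any Avast tool; it assumes a constructed log line format (timestamp, verdict, defanged URL) because the real Avast log format is not shown on the page, and the sample lines are invented with shortened parameter values. It parses the lines, groups notifications per host into bursts, and flags hosts whose bursts recur at a steady interval, the beaconing pattern the poster observed.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (format, timestamps and values invented for this example).
# The URL shape mirrors the one flagged in the thread; bursts of two lines recur every 7.5 min.
SAMPLE_LOG = """\
2014-07-15 09:00:00 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
2014-07-15 09:00:01 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
2014-07-15 09:03:00 URL:Mal hxxp://example.invalid/landing?publisher=1
this line is deliberately malformed and must be skipped
2014-07-15 09:07:30 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
2014-07-15 09:07:31 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
2014-07-15 09:15:00 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
2014-07-15 09:15:01 URL:Mal hxxp://getusaaall.info/?e=ytr&dd=19&publisher=1614&country=NO&prv=Adblocker&category_name=YoutubeAdblocker&install_date=20130714
"""

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <verdict> <url>" (hypothetical, not Avast's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<verdict>URL:\w+) (?P<url>\S+)$"
)

# Query parameters that describe the campaign/installer rather than the victim.
KEY_PARAMS = ("publisher", "country", "prv", "category_name", "install_date")


def refang(url):
    """Turn the forum-style defanged scheme (hxxp/hxxps) back into http/https for parsing only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_notification(line):
    """Parse one notification line into timestamp, verdict, host and query parameters; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(refang(m["url"]))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "verdict": m["verdict"],
        "host": parts.hostname,
        "params": params,
    }


def cluster_bursts(timestamps, gap_seconds=60):
    """Collapse notifications less than gap_seconds apart into one burst; return burst start times."""
    bursts, last = [], None
    for ts in sorted(timestamps):
        if last is None or (ts - last).total_seconds() > gap_seconds:
            bursts.append(ts)
        last = ts
    return bursts


def summarize(log_text, burst_gap=60, jitter_minutes=5):
    """Per host: notification count, burst count, median gap between bursts and the campaign tags seen."""
    events = [e for e in map(parse_notification, log_text.splitlines()) if e]
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    report = {}
    for host, evs in by_host.items():
        bursts = cluster_bursts([e["ts"] for e in evs], burst_gap)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(bursts, bursts[1:])]
        tags = {k: sorted({e["params"][k] for e in evs if k in e["params"]}) for k in KEY_PARAMS}
        report[host] = {
            "notifications": len(evs),
            "bursts": len(bursts),
            "median_gap_min": median(gaps) if gaps else None,
            # Periodic: at least three bursts whose spacing varies by no more than jitter_minutes.
            "periodic": len(bursts) >= 3 and (max(gaps) - min(gaps)) <= jitter_minutes,
            "tags": {k: v for k, v in tags.items() if v},
        }
    return report


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

The burst grouping matters because a single beacon attempt here produces several notifications within a second or two; counting those as one event is what makes the 5-10 minute cadence visible. The tags dictionary is what you would paste into a report or a blocklist note: the host plus the publisher and campaign name identify the installer family without exposing any of the per-victim identifiers.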

Luckily you have Windows 7, so we may be able to fix this.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

It made my computer go crazy for a little while, but now it’s up and running.
30 min and counting without that annoying pop-up.
But something new happened, not sure if it’s relevant: Windows Update refuses to install new updates, and I also get some weird stuff during startup. I don’t think it’s gone yet; my computer is acting a bit weird (slower, got problems with Windows Update and that new startup request for debugging).

Added two files;

  • The log you requested
  • Screenshot of the new weird debugger request

Did you reboot twice after running ComboFix?

After the logfile was created, my computer has booted 4 or 5 times.

ok … Essexboy will be back online tomorrow. :wink:

Aight :slight_smile:
Seems like it took care of the major problem, at least as far as I can see; no more pop-ups, not yet anyway.
This is something I haven’t seen before; I got this junk from a site for free subtitles, I won’t enter that again :slight_smile:

> I got this junk from a site for free subtitles,

Do you have the URL? They may need it to investigate this bug.

Post it non-clickable… meaning don’t post the http://www., just what is after.

Tried to restore my system at first, so I can’t provide the exact address (removed all of my history, including all my browsers with all additional files), but I know it was located within this site and sub:

!!Don’t use the link below!!
DONTCLICKsubscene.com/subtitles/game-of-thrones-fourth.../norwegian/913266DONTCLICK

aha… so you’re Norwegian ;D
How’s the weather in Brønnøysund?

Haha :D
Yes indeed, not so bad, been a decent temperature today, starting to get a bit of a tan :stuck_out_tongue_winking_eye:
By the way, I got the update fixed, there was a little loop in there, but the debug thing still comes up, seems to be missing some “context files”… it wants to start a DLL that isn’t there :S probably something that disappeared with all the junk I’ve squeezed out of the system today :stuck_out_tongue_winking_eye: hopefully

So, you read my log :) Haha :D

No… there are other methods. ;)

Anyway, it is bedtime and essexboy will continue to assist you tomorrow.

Good night :slight_smile:

I think combofix took care of that annoying bugger. The infected computer ran 7 hours without any more of those notifications.

Though I think it did something weird to my Windows Update:
An unhandled exception (‘System.IO.FileNotFoundException’) occured in PresentationFrontCache.exe [3756]
An unhandled exception (‘System.IO.FileNotFoundException’) occured in PresentationFrontCache.exe [4264]

But I assume that’s not Avast related.

Edit
Managed to solve the problems; it was Framework 3.0 which acted bananas, and MS’s own update fix tool solved this problem. Now my system seems back to normal, no bugs at start, everything responds as quickly as it used to.

I consider my malware-problem solved, thank you a bunch Essexboy :slight_smile:

He is usually online after work hours… when done he will remove the tools used.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Click Start, then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between “ComboFix” and “/Uninstall”.

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Great, now it looks normal in C:, perfect :slight_smile: I’ll keep that in mind.
Thanks for all the help, advice and guidance :slight_smile:
Will keep this running for another day.
Have a great day!

My pleasure, enjoy :slight_smile:

Still running smoothly (19 hr);
Also, I’ve checked a few ComboFix logs from others with the same problem.
The only common factor I was able to find was a terminated reg entry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security
This key can’t be altered with regedit, and it remains on my system after it seems clean.

I’m quite clueless when it comes to this kind of problem, but I’m always curious and eager to learn, so this consistency appeared suspicious to me :slight_smile:

Again, thank you essexboy :slight_smile:

That is a locked registry key and should be left alone :slight_smile: