What’s with the rash of getusaaall Malware virus’s? I’m infected too.
Attached is my FARBAR FRST.txt and addition.txt
Thanks in advance for any help,
st101
Let me attach a couple other log files.
I have Windows 8.1. It appears 8.1 is not as easy to fix??
Hi st101,
Welcome to the forums. Thank you for attaching the logs.
A certified malware expert has been notified and will be assisting you shortly. Please be patient.
Hi, I’ll try to help you.
I need to assess your logs, give me some time and I will be back with a fix shortly.
Hi.
Yes, 8.1 is the most difficult to fix, but we have made some live tests with this infection and it looks like we’ve got a possible solution.
Please do also this one for me:
Batch Script
Please download getusaaall script and save it to your desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
[*]Right-click on the icon named getusaaall and select Run as Administrator to start the script.
[*]A black window will blink shortly.
[*]After that two files will be located on your desktop: scanning1 and scanning2.
Please include them both in your next reply.
Thanks for the help! Attached are the 2 scanning files
st101
Could you let me know how’s the situation after these steps?
Fix with Farbar Recovery Scan Tool
[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]
[*]Press the Windows key and open Notepad.
[*]Copy the entire content of the codebox below and paste into the Notepad document:
start
c:\windows\prefetch\8AE23A68-CC86-4488-86A3-EFE4F-AFAF90E4.pf
SearchScopes: HKCU - URL http://search.conduit.com/Results.aspx?ctid=CT3321459&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP31A61B2D-582D-4138-AE3C-D02512862059&q={searchTerms}&SSPV=
SearchScopes: HKCU - SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
BHO-x32: No Name -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> No File
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - No Name - {553891B7-A0D5-4526-BE18-D3CE461D6310} - No File
AlternateDataStreams: C:\ProgramData\TEMP:6108D5DF
CMD: ipconfig /release
CMD: netsh int ip reset
CMD: ipconfig /renew
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
reboot:
end
[*]Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please include it in your reply.
Clean Temporary Files with TFC
Please download TFC by OldTimer and save it to your desktop.
[*]Right-click on the TFC icon and select Run as Administrator to start the tool.
[*]Close any open programs and save your current work.
[*]Click the Start button to begin. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a couple of minutes.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
This tool doesn’t generate any report. Instead, I recommend keeping it for routine maintenance of your machine.
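Once FRST reports the fix as successful, it helps to confirm that every item named in the fixlist above is actually gone before moving on. The following read-only PowerShell check is an added example and is not part of the original thread or of FRST itself. It assumes that FRST’s BHO-x32 and HKLM-x32 entries correspond to the Wow6432Node view of the registry on 64-bit Windows, that the toolbar CLSIDs are stored as value names under the Internet Explorer Toolbar key, and that C:\ProgramData\TEMP is a directory, so its alternate data streams are listed with dir /R. Run it from an elevated PowerShell prompt; it does not modify anything.

```powershell
# Added example (not from the thread or FRST): verify the fixlist items are gone.
# Assumptions: -x32 entries map to Wow6432Node, toolbar CLSIDs are value names,
# and C:\ProgramData\TEMP is a directory whose streams dir /R will list.
$findings = New-Object System.Collections.Generic.List[string]

# Browser Helper Objects: each BHO is a subkey named by its CLSID
$bhoKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in '{449D0D6E-2412-4E61-B68F-1CB625CD9E52}', '{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}') {
    if (Test-Path (Join-Path $bhoKey $clsid)) { $findings.Add("BHO still registered: $clsid") }
}

# Toolbars: the CLSID is a value name under the Toolbar key (64-bit and 32-bit views)
$toolbars = @{
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'             = '{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar' = '{553891B7-A0D5-4526-BE18-D3CE461D6310}'
}
foreach ($key in $toolbars.Keys) {
    $clsid = $toolbars[$key]
    if ((Test-Path $key) -and ((Get-Item $key).GetValue($clsid) -ne $null)) {
        $findings.Add("Toolbar value still present: $key -> $clsid")
    }
}

# Search scopes: flag any HKCU scope whose URL or suggestions URL still points at conduit.com
$scopes = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    foreach ($scope in Get-ChildItem $scopes) {
        foreach ($name in 'URL', 'SuggestionsURL_JSON') {
            $value = $scope.GetValue($name)
            if ($value -and $value -match 'conduit\.com') {
                $findings.Add("SearchScope $($scope.PSChildName) $name still points at $value")
            }
        }
    }
}

# Alternate data stream: dir /R prints streams as "<size> TEMP:<name>:$DATA" below the TEMP entry
$dirListing = cmd.exe /c dir /R C:\ProgramData
foreach ($line in $dirListing) {
    if ($line -match '^\s*\d+\s+TEMP:([^:]+):\$DATA\s*$') {
        $findings.Add("Alternate data stream still present: C:\ProgramData\TEMP:$($Matches[1])")
    }
}

if ($findings.Count -eq 0) { 'All items from the fixlist appear to be gone.' } else { $findings }
```

Anything this prints is something the fix did not remove; paste it together with Fixlog.txt so the helper can see which entry survived rather than guessing from a clean-looking log.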
I created the fixlist.txt file and ran the FRST64 application and clicked Fix.
It said it was successful. See attached fixlog
FRST forced a reboot. After the PC booted I could not get access to the internet.
The IPv4 interface settings were changed:
Obtain IP automatically was disabled
Use the following IP was selected, but no IP address
Obtain DNS server automatically was disabled
Use the following DNS servers was set to:
Preferred 8.8.8.8
Alternate 8.8.4.4
I changed both of these settings back to Obtain automatically, and my PC network was DHCP served properly from my router, and now I have network access again.
As soon as the network configured up, I received an avast popup with 12/12 notifications of the same Blocked getusaaall.info URL:Mal virus.
Unfortunately, the fixlist.txt file did not resolve my issue.
st101
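The report above (DHCP disabled and DNS hard-set to 8.8.8.8 / 8.8.4.4 after the reboot) is the kind of change that is easy to miss until the network stops working. The script below is an added example, not part of the original thread, that prints each connected IPv4 interface’s DHCP state, address and DNS servers so such a change is visible at a glance, and with the -Restore switch puts any interface that is not on DHCP back on it. It uses the NetTCPIP and DnsClient cmdlets that ship with Windows 8 / Server 2012 and later; the -Restore branch needs an elevated prompt. Save it as a .ps1 file (the file name is your choice) and run it.

```powershell
# Added example (not from the thread): show IPv4 DHCP/DNS state per interface,
# and optionally return a statically configured interface to DHCP.
# Requires Windows 8 / 2012 or later; -Restore must run elevated.
param([switch]$Restore)

$report = foreach ($if in Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.ConnectionState -eq 'Connected' }) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    $ip  = (Get-NetIPAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Interface  = $if.InterfaceAlias
        Dhcp       = $if.Dhcp
        IPAddress  = ($ip -join ', ')
        DnsServers = ($dns -join ', ')
        # DHCP off with DNS servers still set means someone configured them by hand
        StaticDns  = ($if.Dhcp -eq 'Disabled' -and $dns.Count -gt 0)
    }
}
$report | Format-Table -AutoSize

if ($Restore) {
    foreach ($row in $report | Where-Object { $_.Dhcp -eq 'Disabled' }) {
        # Drop the static address and DNS entries, re-enable DHCP, then ask for a lease
        Remove-NetIPAddress -InterfaceAlias $row.Interface -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
        Set-DnsClientServerAddress -InterfaceAlias $row.Interface -ResetServerAddresses
        Set-NetIPInterface -InterfaceAlias $row.Interface -AddressFamily IPv4 -Dhcp Enabled
        ipconfig /renew | Out-Null
        "Restored DHCP on $($row.Interface)"
    }
}
```

Run it once without -Restore first and keep the table; if the same interface turns up with DHCP disabled again later, that is worth reporting alongside the Avast alerts, because it tells the helper whether the network change is tied to the infection or to the cleanup commands.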
Sorry, I forgot to attach the fixlog (attached)
Thanks for the log. Let’s try something else.
Could you download and run Kaspersky pure trial from here http://www.kaspersky.co.uk/free-trials/pure
This is similar to AVP but is win 8.1 compatible
It will offer to remove Avast; skip that and set the Avast shields to off for one hour.
Once Kaspersky has installed you will see this screen
Select scan and allow it to update
Once the scan has completed and it has removed any threats select report on the top right
Click detailed report and post that here.
It appears that this may well kill it, but I will need the report to determine what it is so that I can then remove it manually
I can try that, but I am nervous to disable the Avast shield. It appears to be the only thing blocking this malware virus from calling home. Is there any way to run the Kaspersky tool without disabling the Avast shield?
Link to watch install procedure: http://support.kaspersky.com/pure3/ecourse Begin with the “How To Install” box and move down through all four in order.
avast! must be disabled to allow Kaspersky to run properly, and you need to be connected for a short time to get the latest virus definitions for it. You can disconnect afterwards for the duration of the run. Select full scan. Cloud scanning is not a feature, so no internet connection is required during the scan.
Otherwise, active avast! shields will interfere with proper operation of Kaspersky when it runs and a log may not be produced.
Select trial install only.
After the run is completed, you can remove Kaspersky, reboot, re-enable avast! shields, and attach the resulting Kaspersky log in your next reply.
Hi
Maybe you will be without avast for an hour, but you will have Kaspersky protection. Don’t worry!
Sorry for the delay. I finally had a chance to run Kaspersky PURE 3.0.
I followed your instructions to the letter.
The full scan produced no threats. ~760,000 files scanned. The log file is empty; it won’t let me save an empty file.
Unfortunately, Avast is still blocking the getusaaall.info URL:Mal attempts. The process associated is svchost.exe.
Avast will trap this about every 10-15 minutes.
What is interesting is, if I disable my network, immediately after enabling the Ethernet port, Avast will pop up every time with the same getusaaall.info URL:Mal call home. The process associated is avp.exe. The URL:Mal call home attempts approximately 11 calls in a row. Avast beeps 11 times showing an 11/11 before the voice “Threat has been detected” comes over the speakers…
Now it appears that instead of the svchost.exe process being associated with this getusaaall.info URL:Mal call home, the process associated now is avp.exe.
Naathim, I hope I’m not jumping the gun. I don’t like trying too many things on my own while you are trying to formulate a plan of attack, but I decided to try a system restore. I have a restore point from 7/6/2014, 9 days prior to this issue starting.
However, the system restore failed. See the attached picture of the screensnap.
This may be a totally normal situation with Avast running. But I’m documenting here anyways.
Thanks,
st101
I was finally able to do a system restore.
I had to boot Win 8.1 to safe mode to manually delete some files restore failed to remove on its own. All of these files were from the …\Program Files\Avast Software folder. I tried restore 3 times. Each time a different file in the “Avast Software” folder would fail to delete during the restore. One of the files is in the attachment above. I’m sorry, I didn’t keep track of the other two, and I suspect there were others, but I wasn’t patient enough to keep retrying restores to find them all.
So while I was in safe mode. I uninstalled Avast, then I manually deleted the …\Program Files\Avast Software folder (and all it contents).
I tried system restore again (still in safe mode), and that worked. So I’m back on my 7/6/2014 system image.
Avast was back after the restore. But obviously it had to be updated.
So far so good. No more Avast alarm popups for the http://getusaaall.info URL:Mal (process svchost.exe and avp.exe). It’s been 45 minutes. I also tried to force the condition by disabling the network Ethernet device and re-enabling it. No problems, no Avast popup warnings…
I’m not sure we are out of the woods yet. Time will tell of course, but restore seems to have helped, if not resolved the issue.
I thank you for your efforts Naathim!!
I wish Windows 8.1 was easier to fix. There are popular utilities like ComboFix, RogueKiller and others that are not yet compatible with Windows 8.1, so troubleshooting this issue becomes a bigger challenge. Hopefully an easier fix is uncovered soon.
May want to leave this open for a few days, I’ll report back
Thanks again,
st101
Thanks for letting me know
Cheers,
Naat
It’s been 11 days since I restored my computer. There have been no more “getusaaall” URL:Mal issues.
Avast, Malwarebytes and Kaspersky all scan clean.
This thread can be closed.
Thanks,
st101