URL:Mal

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getusaall.info/?e=pcho
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Only this

I’m on it … be right back.

DjReplica, tell me whether this fixes your problem.

This FixList shall tell the command prompt to perform a fundamental and affirmative cleaning of %Temp% and Temporary Internet Files, to clean the Java cache and to attempt to clean the browser cache. It shall also flush your DNS cache and renew your IP address. Note that your browser shall be closed upon fix execution.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
CMD: taskkill /F /IM firefox.exe
CMD: taskkill /F /IM chrome.exe
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ip reset
CMD: netsh winsock reset catalog
Hosts:
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
CMD: RD /S /Q %WINDIR%\TEMP
CMD: DEL %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache\*.* /F /S /Q
CMD: DEL %APPDATA%\Sun\Java\Deployment\cache\*.* /F /S /Q
CMD: DEL %LOCALAPPDATA%\Sun\Java\Deployment\cache\*.* /F /S /Q
CMD: DEL %LOCALAPPDATA%\Mozilla\Firefox\Profiles\*.* /F /S /Q
CMD: DEL "%LOCALAPPDATA%\Google\Chrome\User Data\*.*" /F /S /Q
Reboot:
End

2. Save the Notepad file as FixList.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Unfortunately, it alerted me again.

I thought it had stopped, so this post was more like a thank you, but here it goes again.

Hi,

I have a fix for you, but this is a new thing and we can’t locate the loading point or any payload. That’s why we need to dig a little bit in order to learn more about this.

Again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type getusaall into the Search: field in FRST, then click the Search Registry button.
• FRST will search your computer and, when finished, it will produce a log, Search.txt, in the same directory the tool is run from.
• Please attach it to your reply.

! ! When you attach that log, then …

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type getusaall* into the Search: field in FRST, then click the Search File(s) button.
• FRST will search your computer for files and, when finished, it will produce a log, Search.txt, in the same directory the tool is run from.
• Please attach it to your reply.
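As an added example (not part of this thread, and not FRST’s own code), the two FRST search steps above can be reproduced transparently in PowerShell, so you can see exactly which registry keys, value names, value data and file names matched. The search term is the string from the avast! alert; the Search.txt location and the function name are assumptions.

```powershell
# Added example for this thread, not FRST's code: a transparent equivalent of the
# FRST "Search Registry" and "Search File(s)" steps. The search term is the string
# from the avast! alert; the Search.txt location is an assumption.
function Search-IocString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Term,   # wildcards (*, ?) allowed, as in FRST
        [string[]]$RegistryRoots = @('HKLM:\', 'HKCU:\'),
        [string[]]$FileRoots = @("$env:SystemDrive\"),
        [string]$LogPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Search.txt')
    )

    $pattern = "*$Term*"
    $hits = New-Object System.Collections.Generic.List[object]

    # Registry: compare key names, value names and value data against the term.
    # Get-ChildItem on the registry provider yields Microsoft.Win32.RegistryKey objects.
    foreach ($root in $RegistryRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -like $pattern) {
                $hits.Add([pscustomobject]@{ Kind = 'RegKey'; Location = $key.Name; Detail = '' })
            }
            foreach ($valueName in $key.GetValueNames()) {
                $raw = $key.GetValue($valueName)
                # REG_BINARY comes back as byte[]; render it as hex so a string match is possible
                $data = if ($raw -is [byte[]]) { [BitConverter]::ToString($raw) } else { "$raw" }
                if ($valueName -like $pattern -or $data -like $pattern) {
                    $hits.Add([pscustomobject]@{
                        Kind = 'RegValue'; Location = "$($key.Name)\$valueName"; Detail = $data })
                }
            }
        }
    }

    # Files: match on file names only (not contents), hidden and system files included.
    foreach ($root in $FileRoots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like $pattern } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{
                    Kind = 'File'; Location = $_.FullName
                    Detail = "$($_.Length) bytes, modified $($_.LastWriteTimeUtc.ToString('u')) UTC" })
            }
    }

    # Write a log like FRST's Search.txt and also return the objects for further filtering.
    "Search term: $Term  ($(Get-Date -Format u))" | Set-Content -Path $LogPath
    $hits | Format-Table -AutoSize | Out-String -Width 400 | Add-Content -Path $LogPath
    return $hits
}

# Usage (run from an elevated PowerShell so HKLM and all profiles are readable):
# Search-IocString -Term 'getusaall' | Format-Table -AutoSize
```

Like FRST, a full walk of HKLM and the system drive takes a few minutes; narrowing -RegistryRoots or -FileRoots (for example to HKCU:\ and the user profile) gives a quick first pass before the full run.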

Didn’t find anything in the registry.
Didn’t find anything in the files.

I should also mention that this is not the first time I’ve got a hook malware, though those were usually blocked by Malwarebytes and the avast! shields.

Uh … then I will need different eyes. :frowning:

This shall perform diagnostics from various different points of view. Please post the log.

If zoek cannot find the loading point, I will not torment you any more and we shall go straight to the fix.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

• Close any open browsers.
• Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this Instruction.

• Double click on zoek.exe to run the tool.
Please wait until the tool starts…

• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

CreateSRPoint;
getusaall;a
getusaall;z
StandardSearch;
SilentRunners;
AutoRuns;

• Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

• Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
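The zoek script above asks for an AutoRuns-style listing on top of the string search, and the original alert attributed the connection to svchost.exe, which itself only hosts service DLLs. As an added example (not zoek’s, FRST’s or this thread’s own code), the PowerShell function below enumerates the common autostart locations (Run/RunOnce keys, services, scheduled tasks), resolves svchost-hosted services to their ServiceDll, and flags entries that reference the alert’s string or launch from user-writable paths. The function name, the default term and the path heuristic are assumptions.

```powershell
# Added example for this thread, not zoek's or FRST's code: an autostart listing
# (Run/RunOnce keys, services, scheduled tasks) that flags entries referencing the
# alert's string or launching from user-writable paths. The alert names svchost.exe,
# which only hosts service DLLs, so svchost services are resolved to their ServiceDll.
function Get-AutostartEntries {
    [CmdletBinding()]
    param([string]$Term = 'getusaall')   # the string from the avast! alert; a review cue only

    $entries = New-Object System.Collections.Generic.List[object]

    function Add-Entry([string]$Source, [string]$Name, [string]$Command) {
        $flags = @()
        if ($Term -and $Command -like "*$Term*") { $flags += 'matches-term' }
        # Heuristic: persistence that runs from Temp/AppData/ProgramData deserves a look;
        # legitimate software (updaters, Dropbox) lives there too, so this is a cue, not a verdict.
        if ($Command -match '(?i)\\(Temp|AppData|ProgramData|Users\\Public)\\') { $flags += 'user-writable-path' }
        $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flags = ($flags -join ',') })
    }

    # 1. Run / RunOnce keys for the machine and the current user (32-bit view included).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            Add-Entry -Source $keyPath -Name $valueName -Command ([string]$key.GetValue($valueName))
        }
    }

    # 2. Services. A PathName of "svchost.exe -k <group>" says nothing about the code that
    #    runs; the real module is the ServiceDll value under the service's Parameters key.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $command = [string]$_.PathName
        if ($command -match '(?i)svchost\.exe') {
            $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $command = "$command [ServiceDll=$dll]" }
        }
        Add-Entry -Source "Service/$($_.StartMode)" -Name $_.Name -Command $command
    }

    # 3. Scheduled tasks (Get-ScheduledTask needs Windows 8 / Server 2012 or later).
    try {
        Get-ScheduledTask -ErrorAction Stop | ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if ($action.Execute) {
                    Add-Entry -Source "Task $($task.TaskPath)" -Name $task.TaskName `
                              -Command ("$($action.Execute) $($action.Arguments)".Trim())
                }
            }
        }
    } catch {
        Write-Warning "Get-ScheduledTask is unavailable here; run 'schtasks /query /v /fo csv' instead. ($($_.Exception.Message))"
    }

    # Flagged entries first, then everything else, so the review starts at the interesting rows.
    return $entries | Sort-Object -Property @{ Expression = { [string]::IsNullOrEmpty($_.Flags) } }, Source, Name
}

# Usage (elevated PowerShell):
# Get-AutostartEntries -Term 'getusaall' | Where-Object { $_.Flags } | Format-Table -AutoSize
```

The ServiceDll lookup is the part worth keeping even outside this thread: an alert on svchost.exe is never about svchost.exe itself, and the listing answers which service group and which DLL were behind it.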

Nasty zoek, can’t be closed.

Anyway here is the log

Aye, no it can’t. Zoek shall not allow any forced shutdown until it finishes its scan.

And the log is nasty as well. I shall need some time to analyse this. I’ll be back soon, I hope.

I probably prematurely closed zoek then.
My bad :frowning:

Here is the updated log.

I’m sorry, I’m tormenting you with my problems.

Never knew ads could be so troublesome.

Oh, btw, while I’m looking at the logfile, can you think hard and recall what you installed or did last before avast! started to give you a warning?

Anything downloading … clicking …? I would like to find the source of the problem, and the malware itself if I am in luck, and to try to reproduce this on my test machine.

NP, the first posted zoek log was fine. :wink:

I’m not sure, it was installing something, and there was no cancel button so I couldn’t stop it.
Then avast! started giving these alerts every time.
Well, I was searching for a premium crack for a piece of software, and one of the links was a download URL, so it immediately started the auto-download and auto-install before I could open Task Manager and force close it. Then avast! gave me a threat block alert, so the setup reached 48% and I closed it. I opened Malwarebytes and it found the ezdownloader setup and some registry entries for it. I deleted all traces of it but the alerts never stopped.

Here is the dumb link that caused all of this.
I suggest, if you want to replicate this on your machine, pressing the download button.
-Removed (If you need the link, PM me)

After the fubar fix, the alerts are not that repetitive.

These alerts started happening since yesterday.

Ok, thanks for the info. Remove the link, I have it; again, thanks. This might help a lot. Let’s first try something and see whether this fixes the problem.

Try to disable Dropbox entirely and reboot the machine. Dropbox mustn’t load. Then pay attention and tell me whether the problem is fixed.

I shall check the link, but now it is time for the tank. It is time to solve this thing …

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this Instruction.

Instructions on how to disable avast!:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, 50 stages in total.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Should I try the Dropbox exclusion solution, or both (with your tank :slight_smile: )?

For a while now, after zoek, avast! hasn’t alerted me yet.
Restarting the machine to check the Dropbox-only exclusion. Be right back.

You may skip the Dropbox issue, it is not the cause of the problem. Run ComboFix and it will shut down the alerts.

Btw, thanks again, I have a dropper of the malware. You helped a lot. I’ll pass the link to my colleague Essexboy and we will investigate it thoroughly.

I confirm that the alerts stopped without ComboFix.
I just downloaded ComboFix but didn’t run it.
Should I continue with the ComboFix procedure?

Yes, run ComboFix and post me the log.

Did your avast! receive an update just a few moments ago?

EDIT: We will continue tomorrow. Until then, post the CF logs.

A few hours ago, actually.
Anyway, I don’t have much time as I’m on vacation tomorrow.

Edit: seeing you offline means we will have to finish this when I come back (on the 17th).
Until then I suggest you help the other fellas :smiley: