Author Topic: Infection URL:Mal

REDACTED

  • Guest
Infection URL:Mal
« on: July 10, 2014, 09:23:31 PM »
Avast is showing these warnings:

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getusaall.info/?e=pcho....
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

and also this one, from time to time:

avast! Web Shield has blocked a harmful webpage or file.
Object: http://getmuzicas.info/?e=pcho....
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I have attached the logs from FRST64, MalwareBytes and aswmbr.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infection URL:Mal
« Reply #1 on: July 10, 2014, 09:37:08 PM »
OK, let's use this programme for you.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

REDACTED
Re: Infection URL:Mal
« Reply #2 on: July 10, 2014, 09:40:13 PM »
Unfortunately ComboFix is not working in Windows 8.1 :(.
I receive the error in the attachment.

Offline essexboy
Re: Infection URL:Mal
« Reply #3 on: July 10, 2014, 10:05:50 PM »
Oops, my apologies.

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

REDACTED
Re: Infection URL:Mal
« Reply #4 on: July 10, 2014, 10:12:35 PM »
Ran TFC, cleaned about 700MB and then I rebooted manually.
What can I do next in order to remove the popups...
Is there any other tool similar to ComboFix for windows 8.1?
« Last Edit: July 10, 2014, 10:22:31 PM by Bogdan M. »

Offline essexboy
Re: Infection URL:Mal
« Reply #5 on: July 10, 2014, 11:09:24 PM »
No, that is the problem: I have been unable to determine what ComboFix is doing.

Do you have a system restore point from, say, last week?

REDACTED
Re: Infection URL:Mal
« Reply #6 on: July 11, 2014, 07:58:25 AM »
Unfortunately I have no system restore point that I can use to revert the system changes.
I am still trying to understand how the infection started.

Offline essexboy
Re: Infection URL:Mal
« Reply #7 on: July 11, 2014, 01:39:28 PM »

REDACTED
Re: Infection URL:Mal
« Reply #8 on: July 11, 2014, 02:08:02 PM »
I have reset Google Chrome, even though it did not misbehave, and waited to see the warning popups... and they are back :(
« Last Edit: July 11, 2014, 02:23:06 PM by Bogdan M. »

Offline essexboy
Re: Infection URL:Mal
« Reply #9 on: July 11, 2014, 02:56:46 PM »
Could you re-run FRST, and this time please put a tick in shortcut.txt? This will produce a standard scan and a shortcut scan.

Could you attach both, please?


REDACTED
Re: Infection URL:Mal
« Reply #10 on: July 11, 2014, 03:46:51 PM »
The files created by FRST64 are in the attachment.

Offline essexboy
Re: Infection URL:Mal
« Reply #11 on: July 11, 2014, 04:06:07 PM »
OK, let's try this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

SearchScopes: HKCU - {F3B00178-57E6-445F-AC06-7F77E3CC5A17} URL =
Task: {AA7A34CE-9CAF-4EBB-B15B-F01C805FBF38} - System32\Tasks\Dexpot\1 => C:\Program Files (x86)\Dexpot\autodex.exe [2014-01-03] (Dexpot GbR) <==== ATTENTION
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\cURL Folder.lnk -> C:\Program Files\cURL ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\cURL Manual.lnk -> C:\Program Files\cURL\Manual\index.html ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\cURL\SSL Cert Script Manual.lnk -> C:\Program Files\cURL\Manual\mk-ca-bundle.html ()
C:\Program Files\cURL
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED
Re: Infection URL:Mal
« Reply #12 on: July 11, 2014, 04:31:56 PM »
The fixlist log is in the attachment.

REDACTED
Re: Infection URL:Mal
« Reply #13 on: July 11, 2014, 04:41:52 PM »
The popup warnings still appear.

Offline essexboy
Re: Infection URL:Mal
« Reply #14 on: July 11, 2014, 05:00:10 PM »
OK, let's do a registry search with FRST.

Run FRST and in the box type:

getusaall

Then press the Search Registry button.
Once done, a log will appear; please post that.
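The same kind of search the helper asks FRST to do, as an added example that is not part of the thread and is not FRST's own code: a read-only PowerShell sweep that reports where a string (here the blocked domain's label, getusaall) appears in registry key names or value data, and also in scheduled-task actions, since the blocked connections in this thread came from svchost.exe and the fixlist earlier removed a scheduled task. The search roots and the output layout are this example's own choices; run it from an elevated prompt so HKLM is fully readable.

```powershell
# Added example (not from the thread or FRST). Read-only: it reports matches and changes nothing.
$Needle = 'getusaall'                          # string the helper asked to search for
$Roots  = 'HKCU:\', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet'   # assumed search roots

function Find-RegistryString {
    param([string]$Pattern, [string[]]$Paths)
    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Match on the key name itself (e.g. a CLSID-style key named after the domain)
            if ($key.PSChildName -like "*$Pattern*") {
                [pscustomobject]@{ Where = 'KeyName'; Path = $key.Name; Name = ''; Data = '' }
            }
            # Match on the data of every value under the key (strings, multi-strings, binary)
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                $text = if ($data -is [array]) { ($data | ForEach-Object { "$_" }) -join ' ' } else { "$data" }
                if ($text -like "*$Pattern*") {
                    [pscustomobject]@{ Where = 'ValueData'; Path = $key.Name; Name = $name; Data = $text }
                }
            }
        }
    }
}

function Find-TaskString {
    param([string]$Pattern)
    # Scheduled tasks run under svchost.exe-hosted services, so a match here explains
    # a Web Shield alert whose Process is svchost.exe rather than a browser.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -like "*$Pattern*") {
                [pscustomobject]@{ Where = 'TaskAction'; Path = "$($task.TaskPath)$($task.TaskName)"; Name = ''; Data = $cmd }
            }
        }
    }
}

$hits = @(Find-RegistryString -Pattern $Needle -Paths $Roots) + @(Find-TaskString -Pattern $Needle)
if ($hits.Count -eq 0) {
    "No occurrences of '$Needle' found in the searched registry roots or scheduled tasks."
} else {
    $hits | Format-Table -Property Where, Path, Name, Data -AutoSize -Wrap
}
```

Each hit names the exact key, value or task so it can be reviewed before anything is removed; the sweep does not cover startup folders or browser profiles, which the FRST logs in the thread already list.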