Author Topic: http://getusaaall.info avast popup. How to remove it?  (Read 6670 times)


REDACTED

  • Guest
http://getusaaall.info avast popup. How to remove it?
« on: July 15, 2014, 11:36:40 PM »
Hello,

Like many users I am having the same problem. From 10 to 10 minutes my avast shows a popup with the blocked http://gteusaaall.info object

URL:MAL

Process: C:\Windows\System32\svchost.exe

I'm using Windows 7 64bit and already ran the Recovery Farbar scan tool.

Attached I send the FRST and the Addition logs generated by Farbar.

Does anyone know how to remove this thing?

Thanks in advance :)

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #1 on: July 16, 2014, 10:26:33 AM »
Anybody? :/

Thank you

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76012
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #2 on: July 16, 2014, 10:35:43 AM »
Please be patient, there are many requests atm.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #3 on: July 16, 2014, 12:30:22 PM »
This should stop it

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #4 on: July 16, 2014, 11:30:51 PM »
Attached I send the log generated by Combofix.

To uninstall Combofix I just delete the .exe file located on my desktop?

After you analyse the log can I delete it?

I'll wait and then I'll tell you if it worked.

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #5 on: July 17, 2014, 04:46:52 PM »
I will uninstall the programmes safely when we are completed

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

FCopy::
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll|c:\windows\system32\user32.dll

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
 
 
 
Referring to the picture above, drag CFScript into ComboFix.exe
 
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #6 on: July 17, 2014, 11:17:15 PM »
I no longer have the Combofix .exe file on my desktop :(

Can I do that by downloading again Combofix (but not running it)?

But anyway, I think that the http:\\getusaaall.info popup was removed. It no longer pops up since I used Combofix.

Do we need to do that step anyway?

Thank you once again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #7 on: July 18, 2014, 02:15:24 PM »
Well your user32.dll is not showing a legitimate MD5 so it may be infected.  But the choice is yours

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #8 on: July 18, 2014, 03:19:15 PM »
Ok, but my only doubt is:

"3. Open notepad and copy/paste the text in the quotebox below into it:
 
Quote


    FCopy::
    c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll|c:\windows\system32\user32.dll"


For doing this step and drag the text file to Combofix, do I need to run Combofix all over again? Or can I just download Combofix and drag the notepad with the text you post without running combofix again?

Thank you once again :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #9 on: July 18, 2014, 03:23:32 PM »
Do you still have FRST ?  If so then use that

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

Replace: c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll c:\windows\system32\user32.dll
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #10 on: July 18, 2014, 03:52:59 PM »
I don't have Farbar anymore :(

But can I download it again and make the last step you wrote?

Replace: c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll c:\windows\system32\user32.dll
REBOOT:


But what will this do to my computer exactly?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #11 on: July 18, 2014, 04:07:30 PM »
It will replace the suspect file with a good known copy
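
Added example, not part of the thread and not code from the helper or from either tool: before a system DLL whose MD5 looks wrong (Reply #7) is replaced with the component-store copy (Reply #11), the two files can be fingerprinted side by side. It assumes PowerShell 4.0 or later for `Get-FileHash`; the function names and verdict labels are hypothetical, and the two paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Function names and verdicts are hypothetical.
# Requires PowerShell 4.0+ (Get-FileHash).

function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not-PE' }
    $pe = [BitConverter]::ToInt32($b, 0x3C)           # e_lfanew: offset of "PE\0\0"
    if ($pe -lt 0 -or ($pe + 6) -gt $b.Length) { return 'not-PE' }
    if ($b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45) { return 'not-PE' }
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {  # IMAGE_FILE_HEADER.Machine
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'other' }
    }
}

function Get-FileFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    [pscustomobject]@{
        Path    = $item.FullName
        Machine = Get-PeMachine -Path $item.FullName
        Version = $item.VersionInfo.FileVersion
        MD5     = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash
        SHA256  = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

function Compare-SystemFile {
    param([Parameter(Mandatory)][string]$Reference, [Parameter(Mandatory)][string]$Suspect)
    $r = Get-FileFingerprint -Path $Reference
    $s = Get-FileFingerprint -Path $Suspect
    # A hash comparison only means something between the same build:
    # a different architecture or file version always hashes differently.
    $verdict = if ($r.Machine -ne $s.Machine -or $r.Version -ne $s.Version) { 'NotComparable' }
               elseif ($r.SHA256 -eq $s.SHA256) { 'Match' }
               else { 'Differs' }
    [pscustomobject]@{ Verdict = $verdict; Reference = $r; Suspect = $s }
}

# Paths as quoted in the thread; they exist only on a matching Windows 7 SP1 install.
$reference = 'c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll'
$suspect   = 'c:\windows\system32\user32.dll'
if ((Test-Path -LiteralPath $reference) -and (Test-Path -LiteralPath $suspect)) {
    Compare-SystemFile -Reference $reference -Suspect $suspect | Format-List
} else {
    Write-Warning 'One or both paths are missing on this machine; nothing compared.'
}
```

A `Differs` verdict means same architecture and version but different content, which is the case worth escalating; `NotComparable` means the two files are different builds and the hashes say nothing either way.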


REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #12 on: July 18, 2014, 05:07:15 PM »
But won't it do anything wrong to my Windows?

I don't have Farbar anymore :(

But can I download it again and make the last step you wrote?

    Replace: c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll c:\windows\system32\user32.dll
    REBOOT:


 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #13 on: July 18, 2014, 05:12:39 PM »
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

This should not affect windows at all

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

Replace: c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll c:\windows\system32\user32.dll
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: http://getusaaall.info avast popup. How to remove it?
« Reply #14 on: July 18, 2014, 05:55:04 PM »
But before I open notepad and copy paste this:

    Replace: c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll c:\windows\system32\user32.dll
    REBOOT:


Should I run FRST first? Or can I put the fixlist.txt into FRST folder without running FRST again?

Thanks