avast is blocking xmlka url malware

As the title states, I’ve been having problems with Avast constantly blocking a URL pointing towards xmlka most of the time. Occasionally it’ll try various other websites as well, but mostly the xmlka one. It also seems to cause an elevated spike in CPU and physical memory usage too. Any help would certainly be appreciated!

aswMBR seems to lock up around …\appData\local\google\chrome\user Data\widevinecdm\1.4… I saved the completed log as far as it would go. Not sure what else to do there.

Thanks again for any help.

Mike

Do you get the same alert when you use Chrome in incognito mode? https://support.google.com/chrome/answer/95464?hl=en-GB

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR HKU\S-1-5-21-1387187215-3128509822-1391820188-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1387187215-3128509822-1391820188-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1387187215-3128509822-1391820188-1002 -> DefaultScope {B8A130F7-667F-482e-BE09-BE23D1C07FC4} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
C:\Users\Michael\jucheck.exe
C:\Users\Michael\msconfig.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated, please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

I uninstalled chrome a few weeks ago when the problem first started becoming an issue. However, there does not seem to be a rhyme or reason why the alert pops up. Often it pops up with no browsers open and the computer idling.

I will follow your instructions and post the logs as soon as completed.

Thank you very much for your help.

Here are the requested logs.

Thanks again,

Mike

Are the alerts still present ?

Just got a series of alerts. All a variation of:

Object: https/54.201.107.94
Infection: URL:Mal
Process: C:\Windows\explorer.exe

EDIT: I have not received the Xmlka alert since. And there is definitely some performance improvements as well.

OK next step

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here is the requested log. It did not prompt me to restart, should I?

Yes please

Rebooted

Is it still alerting ?

None so far and performance seems to be good.

Could you monitor it, and when you are happy let me know and I will tidy up.

Absolutely,

Just got another one unfortunately.

URL: http:// go.wvydeo.com/resultsa/?x=0&qs= ihwlAhVYFZAKBNRNaDQ8XExZiClxGXl1Gcg9WV… (DON’T CLICK)

Infection: URL:Mal

Process: C:\Windows\explorer.exe

Thanks again for all your help. It is very much appreciated.

And xmlka makes a return.

URL: http:// xmlka.com/click?app=app33&click=2dd2a81f-d7a6-4504-824c-6a34fbd91739&search

Infection: URL:Mal

Process: C:\windows\explorer.exe

Both came while the computer was sitting idle with only this thread window open.
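As an added example (not from this thread or any of the tools it mentions), a small Python script that parses Avast-style URL:Mal alert records like the ones quoted above, groups them by the process that made the connection, and flags the pattern the helper is reacting to: repeated blocked URLs coming from explorer.exe rather than from a browser while the machine is idle. The sample records are constructed from the three alerts in the thread, and the browser list is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the three alert blocks quoted in the thread, one record per
# blank-line-separated block. The "http:// " spacing is the poster's defanging.
SAMPLE_ALERTS = """\
Object: https/54.201.107.94
Infection: URL:Mal
Process: C:\\Windows\\explorer.exe

URL: http:// go.wvydeo.com/resultsa/?x=0&qs=ihwlAhVYFZAKBNRNaDQ8XExZiClxGXl1Gcg9WV
Infection: URL:Mal
Process: C:\\Windows\\explorer.exe

URL: http:// xmlka.com/click?app=app33&click=2dd2a81f-d7a6-4504-824c-6a34fbd91739&search
Infection: URL:Mal
Process: C:\\windows\\explorer.exe
"""

# Assumed list of processes that legitimately fetch arbitrary web URLs; any other
# process repeatedly hitting blocked URLs deserves a closer look.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "opera.exe"}


def parse_alerts(text):
    """Turn 'Key: value' alert blocks into dicts with a bare hostname and process name."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        raw = fields.get("url") or fields.get("object") or ""
        # Undo the defanging seen in the posts so urlsplit can find the host.
        raw = raw.replace("http:// ", "http://").replace("https/", "https://")
        host = urlsplit(raw).hostname or raw
        proc = fields.get("process", "")
        records.append({
            "host": host.lower(),
            "infection": fields.get("infection", ""),
            "process": proc.rsplit("\\", 1)[-1].lower(),  # path -> file name
        })
    return records


def suspicious_processes(records, min_hits=2):
    """Map non-browser processes with >= min_hits distinct URL:Mal hosts to those hosts."""
    hits = defaultdict(set)
    for r in records:
        if r["infection"].startswith("URL:Mal") and r["process"] not in BROWSERS:
            hits[r["process"]].add(r["host"])
    return {p: sorted(h) for p, h in hits.items() if len(h) >= min_hits}
```

Run over a longer export of alerts, `suspicious_processes` gives a quick view of which host process is making the blocked requests, which is the clue that led the helper to suspect a fileless infection rather than a browser add-on.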

OK, let’s check the MBR.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Report exceeded the max allowed length so I saved it as a notepad file and attached.

Those are indications of a Poweliks infection URL, but there is no sign of it, so I will have to go hunting as it has obviously changed.

At the end of this there will be an analysis zip file created. Could you upload it to a file sharing site for me to collect?

Download AVPTool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
Select the cog to access scan areas.

https://dl.dropboxusercontent.com/u/73555776/Kas%20front.JPG

On the first tab select all elements down to OS C and then select start scan.

https://dl.dropboxusercontent.com/u/73555776/Kas%20Scan%20area.JPG

Once it has finished, select reports and post the detected threats.

Now an analysis scan.
Select the Manual Disinfection tab.
Press the Gather System Information button.

https://dl.dropboxusercontent.com/u/73555776/kas%20manual.JPG

Once it has completed, click Step 2 Report sending.

https://dl.dropboxusercontent.com/u/73555776/avp%20report.JPG

Click avptool.sysinfo.zip and you will be taken to the zip file that needs to be attached.

Okay scan has started. Expected completion time is 13 hours. I will post with desired information when completed.

I should also note looking at my browser history there is a TON of websites that I have never visited listed for today. That’s a little disconcerting.