system, November 29, 2014, 11:57pm (#21)
Okay, further problems. I went out to eat, and when I returned the above virus scan had turned off. I'm seeing file 5154984.exe running under Processes, but it looks like that's the virus scan. Not sure why it crashed the first time.
RESULTS
EDIT: Second time through it scanned without crashing. Here are the results:
I had three medium threat "adware not-a-virus:adware.win32.finix.a" detections. They are located at:
C:\ProgramData\comcastModemRelease\shortcuts\taskbar\XfinityTv.com\dtuser.xml
C:\Users\All Users\comcastModemRelease\shortcuts\XfinityTv.com\dtuster.xml
C:\Documents and Settings\All Users\comcastModemRelease\Shortcuts\Taskbar\XfinityTv.com\dtuser.xml
Starting the Analysis scan now.
Second EDIT: I finished the Analysis scan and here are the files requested. Let me know if you have any trouble downloading them.
https://www.dropbox.com/s/h5k21uj55x24cgr/avptool_sysinfo.zip?dl=0
OK, let's get at it; this theoretically should stop it.
[*]Re-run AVPTool
[*]Select the Manual Disinfection tab and press Script execution
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.gif
[*]Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpscript.gif
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteService('38140468');
StopService('38140468');
DeleteFile('C:\Windows\system32\DRIVERS\38140468.sys');
BC_DeleteFile('C:\Windows\system32\DRIVERS\38140468.sys');
BC_DeleteSvc('38140468');
BC_DeleteFile('38140468.sys');
DeleteFile('38140468.sys');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*]Your system will reboot on completion; if it does not, please do so yourself
[*]On completion please run another analysis scan and attach the zip file
system, November 30, 2014, 6:36pm (#23)
system, November 30, 2014, 6:54pm (#24)
Regretfully I just got two new alerts:
Object: http// topgames4u.net
Infection: URL:Mal
Process: C:\Windows\explorer.exe
Object: http:// xmlka.com/click?app=app22&click=41087061-feef-4b76-8fa6-34223chc0288&search= …
Infection: URL:Mal
Process: C:\Windows\explorer.exe
Could you run FRST again please, but this time tick the shortcuts.txt box as well, and then attach the logs.
system, November 30, 2014, 8:11pm (#26)
Okay, done. Attachments here.
OK, let's see how this runs.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1387187215-3128509822-1391820188-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
S1 vde3otkw; C:\Windows\SysWOW64\Drivers\vde3otkw.sys [13312 2014-11-30] () [File not signed]
2014-11-30 12:14 - 2014-11-30 12:14 - 00013312 _____ () C:\Windows\SysWOW64\Drivers\vde3otkw.sys
C:\Users\Michael\AppData\Local\Temp\RarSFX0
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt , in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
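The two persistence points the fixes so far act on are a driver service (the AVZ script deletes service 38140468 and its .sys file; the FRST entry above is an unsigned vde3otkw.sys sitting in SysWOW64\Drivers rather than System32\drivers) and the BITS queue (bitsadmin /reset /allusers). The script below is an added example for surveying both without AVZ or FRST; it is not from the thread or from those tools, and the function names are made up for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the thread: list driver services whose binary is
# unsigned, missing, or outside System32\drivers, and list queued BITS jobs for
# all users (what "bitsadmin /reset /allusers" would cancel). Function names
# are hypothetical. Run elevated.

function Get-SuspiciousDriverService {
    # Kernel (Type 1) and file-system (Type 2) driver services, read from the
    # registry so that a service whose file is already gone still shows up.
    $root      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $driverDir = (Join-Path $env:SystemRoot 'System32\drivers') + '\'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or $p.Type -notin @(1, 2) -or -not $p.ImagePath) { continue }

        # ImagePath appears as "\??\C:\...", "\SystemRoot\System32\..." or the
        # relative "system32\DRIVERS\x.sys"; normalise to a plain Win32 path.
        $path = $p.ImagePath -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        $exists = Test-Path -LiteralPath $path
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'Missing' }
        $inDriverDir = $path -like ($driverDir + '*')

        if (-not $inDriverDir -or $status -ne 'Valid') {
            [pscustomobject]@{
                Service     = $key.PSChildName
                Start       = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath   = $path
                Signature   = $status
                InDriverDir = $inDriverDir
            }
        }
    }
}

function Get-PendingBitsJob {
    # Queued BITS jobs for every user, one row per file so the remote URL and
    # the local drop path are both visible.
    Import-Module BitsTransfer -ErrorAction Stop
    foreach ($job in @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        $files = @($job.FileList)
        if ($files.Count -eq 0) { $files = @($null) }   # still report file-less jobs
        foreach ($f in $files) {
            [pscustomobject]@{
                Job    = $job.DisplayName
                State  = $job.JobState
                Owner  = $job.OwnerAccount
                Remote = if ($f) { $f.RemoteName } else { '' }
                Local  = if ($f) { $f.LocalName }  else { '' }
            }
        }
    }
}

Get-SuspiciousDriverService | Format-Table -AutoSize
Get-PendingBitsJob          | Format-Table -AutoSize
```

Two caveats. On older Windows (the paths in this thread look like Windows 7) many inbox drivers are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so treat the Signature column as a hint and the InDriverDir column plus a random-looking name (38140468.sys, vde3otkw.sys) as the stronger signals; FRST's "[File not signed]" has the same limitation. For BITS, "bitsadmin /list /allusers /verbose" additionally prints each job's notification command line, which is the field to look at if a job is being used to relaunch something rather than just to download.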
system, November 30, 2014, 9:56pm (#28)
Completed. Here is the fixlog.
Thanks again
EDIT:
Within 10 minutes of rebooting I received another alert. Another one trying to redirect to xmlka, similar to the others.
Could I have another FRST scan to see if it has regenerated, please?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
Startup: C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_38140468.lnk
ShortcutTarget: _uninst_38140468.lnk -> C:\Users\Michael\AppData\Local\Temp\_uninst_38140468.bat (No File)
Startup: C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_52614389.lnk
ShortcutTarget: _uninst_52614389.lnk -> C:\Users\Michael\AppData\Local\Temp\_uninst_52614389.bat (No File)
2014-11-11 21:29 - 2013-09-20 12:43 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt , in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open process explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A Lower window will open
Then on the menu bar go to File > Save as…
Then select the desktop and click save
Repeat if there is more than one instance of explorer showing
On the desktop will then be a text file called explorer please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached
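The reply above asks for two things: whether the Startup-folder shortcuts still point at anything (the two _uninst_*.lnk entries reference .bat files in %TEMP% that no longer exist), and what explorer.exe has loaded, which is what the Process Explorer lower pane shows. Both can be reproduced in PowerShell; the script below is an added example, not from the thread, FRST or Process Explorer, and its function names are made up for illustration.

```powershell
# Added example, not part of the thread: resolve Startup-folder shortcuts and
# flag orphans, then list modules loaded into explorer.exe that are unsigned
# or live outside the Windows / Program Files trees. Function names are
# hypothetical. Run as the logged-on user, in a 64-bit PowerShell on 64-bit
# Windows so the 64-bit explorer.exe can be inspected.

function Get-StartupShortcutTarget {
    # Per-user and all-users Startup folders. An orphan is harmless on its own
    # but marks where something was running at logon.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $folders) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            # Targets may contain %VAR% references; expand before testing.
            $target = [Environment]::ExpandEnvironmentVariables($sc.TargetPath)
            [pscustomobject]@{
                Shortcut     = $lnk.FullName
                Target       = $target
                Arguments    = $sc.Arguments
                TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-ExplorerForeignModule {
    # Every DLL in each explorer.exe that is not signed with a valid signature
    # or is loaded from outside %SystemRoot% / Program Files; the thread's
    # culprit lived under C:\ProgramData\{GUID}, which this would surface.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $modules = @()
        try { $modules = @($proc.Modules) }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_" }
        foreach ($m in $modules) {
            $path = $m.FileName
            $inTrusted = $false
            foreach ($t in $trusted) { if ($path -like ($t + '*')) { $inTrusted = $true } }
            $sig = (Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue).Status
            if (-not $inTrusted -or $sig -ne 'Valid') {
                [pscustomobject]@{
                    ProcessId    = $proc.Id
                    Module       = $m.ModuleName
                    Path         = $path
                    Signature    = $sig
                    InTrustedDir = $inTrusted
                }
            }
        }
    }
}

Get-StartupShortcutTarget | Where-Object { -not $_.TargetExists } | Format-List
Get-ExplorerForeignModule | Format-Table -AutoSize
```

The module list is the part worth reading carefully: a DLL loaded into explorer.exe from ProgramData, AppData or a Temp directory is what makes "Process: C:\Windows\explorer.exe" show up against the xmlka and topgames4u alerts, since the requests are made from inside the shell process. As with the driver check, catalog-signed inbox files show as NotSigned on older Windows, so the path is the more reliable column.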
system, December 1, 2014, 5:19pm (#32)
Okay, Done. Files attached.
Thanks again,
Mike
OK, it appears to be using a programme data file, which is unusual.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KFJ8Z602
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt , in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
system, December 1, 2014, 7:37pm (#34)
That doesn’t sound good. Here is the log.
Did FRST reboot? The main one I was after was resistant.
system, December 1, 2014, 7:55pm (#36)
FRST rebooted the machine. Did you need me to run a FRST scan again?
Could you run the fix again please, as I want to see if the app data has gone?
OK, they went. Now, dare I ask … are the alerts still present?
system, December 1, 2014, 9:13pm (#40)
I am happy to report that I have not had an alert since the last fix. My fingers are crossed.