Banker-EA TRJ problem

Hi everyone, this is my first post.
Recently, while doing a bank transaction, I noticed that my credit card was failing as soon as it reached the bank's secure payment page “https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer?…”. I conducted a boot scan and found one named VBS: Banker-EA[Trj] in the Windows folder, in some file called software.log1. I tried to delete this file but could not; none of the available options worked. It showed error 0xC0000043 (share access flags are incompatible). The scan could not continue any further; lastly I selected the ignore option and went ahead with the scan.
I have attached the log files. Please mention what steps I should take to remove this infection.

Let me know how the computer is after this

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Unlock: hklm\system\controlset001\mfjnyylm
Unlock: hklm\system\controlset001\WinDivert1.1
Unlock: %WinDir%\SysWOW64\drivers\wndvrt64.sys
Unlock: C:\Windows\System32\drivers\emnbfr.sys
DisableService: mfjnyylm
DisableService: WinDivert1.1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.delta-homes.com/?type=hp&ts=1437385677&z=15ebde08ec75da200fcc416gbz2c4m9c2bbwfq6m3m&from=wpm07153&uid=ST500LT012-9WS142_W0VBV3ASXXXXW0VBV3AS
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1437385677&z=15ebde08ec75da200fcc416gbz2c4m9c2bbwfq6m3m&from=wpm07153&uid=ST500LT012-9WS142_W0VBV3ASXXXXW0VBV3AS&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.delta-homes.com/?type=hp&ts=1437385677&z=15ebde08ec75da200fcc416gbz2c4m9c2bbwfq6m3m&from=wpm07153&uid=ST500LT012-9WS142_W0VBV3ASXXXXW0VBV3AS
SearchScopes: HKU\S-1-5-21-581797270-2439956317-3720866250-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-581797270-2439956317-3720866250-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO-x32: No Name -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> No File
BHO-x32: No Name -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> No File
IE Session Restore: HKU\S-1-5-21-581797270-2439956317-3720866250-1001 -> is enabled.
IE Session Restore: HKU\S-1-5-21-581797270-2439956317-3720866250-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> is enabled.
FF Extension: No Name - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-02-03] [not signed]
S5 WinDivert1.1; <===== ATTENTION: Locked Service
ShortcutWithArgument: C:\Users\Neelesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1437385677&z=15ebde08ec75da200fcc416gbz2c4m9c2bbwfq6m3m&from=wpm07153&uid=ST500LT012-9WS142_W0VBV3ASXXXXW0VBV3AS
ShortcutWithArgument: C:\Users\Neelesh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1437385677&z=15ebde08ec75da200fcc416gbz2c4m9c2bbwfq6m3m&from=wpm07153&uid=ST500LT012-9WS142_W0VBV3ASXXXXW0VBV3AS
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
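A read-only audit of the persistence points that fixlist touches, added here as an example; it is not essexboy's fix and not something FRST produces. It assumes an elevated PowerShell 5.1 session on the same machine, checks CurrentControlSet rather than the ControlSet001 path named in the fixlist, and looks for the delta-homes.com / do-search.com URLs as the hijack values.

```powershell
# Added example: report (never change) the items the FRST fixlist above targeted.
$findings = @()

# Services/drivers the fixlist disabled (names taken from the fixlist)
foreach ($svc in 'mfjnyylm', 'WinDivert1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        $findings += "Service '$svc' present: Start=$($p.Start) ImagePath=$($p.ImagePath)"
    }
}

# Driver files the fixlist unlocked; an unsigned kernel driver is the red flag
foreach ($f in "$env:WinDir\SysWOW64\drivers\wndvrt64.sys", "$env:WinDir\System32\drivers\emnbfr.sys") {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature $f
        $findings += "Driver file $f exists, signature status: $($sig.Status)"
    }
}

# IE home/search page hijack values from the fixlist
$hijack = 'delta-homes\.com|do-search\.com'
$ie = Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
    $v = $ie.$name
    if ($v -match $hijack) { $findings += "IE $name hijacked: $v" }
}
Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = (Get-ItemProperty $_.PSPath).URL
        if ($u -match $hijack) { $findings += "SearchScope $($_.PSChildName) -> $u" }
    }

# Local IPSec policy store the fixlist deleted and recreated empty
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path $ipsec) {
    $n = (Get-ChildItem $ipsec -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
    if ($n -gt 0) { $findings += "Local IPSec policy store holds $n subkeys (fixlist reset this)" }
}

# WinINET proxy settings that RemoveProxy: clears
$proxy = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($proxy.ProxyEnable -eq 1 -or $proxy.AutoConfigURL) {
    $findings += "Proxy configured: ProxyServer=$($proxy.ProxyServer) AutoConfigURL=$($proxy.AutoConfigURL)"
}

if ($findings.Count -eq 0) { 'No indicators from the fixlist found.' } else { $findings }
```

Run it before and after the fix: a clean run after FRST confirms the service, driver, hijack, IPSec and proxy items are gone rather than merely disabled.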

Thanks for the prompt reply…
I executed the operations as instructed.
Please find attached the files from both operations. I couldn't find the exact file AdwCleaner[S0], although it had AdwCleaner[C1] and AdwCleaner[S1] and a quarantine log. I have attached the file.

I did a boot scan and it went without any glitch. No infections. Thanks.

Any further problems?

Thanks essexboy, I don't have any infection issues, but the problem that led me to scan the system still remains.
I don't know whether it's related to the system or the network. I can't access one specific website, which is crucial for credit/debit card payments, as all the payments are authenticated from that website “https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer?…”. It always shows the error “The webpage is not available.”, although when I change my network (use my mobile internet connection) it works fine. Any suggestions?

OK, run this small fix, then reboot and try again.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

The problem still remains the same. But now I know the source of the problem. The issue is not with the system; rather, it is with the network. I switched my network connection to the mobile connection and my transaction went through. What I can't understand is why specifically that website?

So you run two ISPs, one mobile and one fixed, is that correct?

Yes, I have two ISPs: one is fixed (the one having the issue), the other is the mobile one, which I use via tethering. I tried resetting my wifi router (the fixed network one), hoping that might be the problem, but still no luck.

Could you set your router to OpenDNS and see if that affects it? https://support.opendns.com/entries/27350174-Generalized-Router-Configuration-Instructions

I tried it, but it also has no effect. I think I had better use my mobile network for financial transactions; that's the only option I see.

I can't see any reason why that is not connecting, unless your bank does not like the ISP that you are coming from.
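The thread ends without pinning down where the fixed-line ISP drops the bank host. This added diagnostic (not part of the thread or of any tool mentioned in it) separates the candidates the posts raised: DNS answers from the ISP resolver versus the OpenDNS resolver essexboy suggested, a hosts-file override, raw TCP reachability on 443, and the certificate actually presented on that connection. It assumes Windows 8/Server 2012 or later for Test-NetConnection and Resolve-DnsName; the host name is the one from the URL quoted above.

```powershell
# Added example: where does the bank host fail on this network? Run on the fixed-line connection,
# then on the tethered one, and compare the two outputs line by line.
$HostName  = 'secure.axisbank.com'   # host from the URL quoted in the thread
$PublicDns = '208.67.222.222'        # OpenDNS resolver, as suggested in the thread

# 1. DNS: system (ISP) resolver versus a public resolver
$local  = Resolve-DnsName $HostName -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
$public = Resolve-DnsName $HostName -Type A -Server $PublicDns -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
"System resolver : " + ($local.IPAddress  -join ', ')
"Public resolver : " + ($public.IPAddress -join ', ')
if (-not $local) { 'System resolver returned no A record: suspect the ISP resolver or a local override.' }
elseif ($public -and (Compare-Object $local.IPAddress $public.IPAddress)) {
    'Resolvers disagree: either DNS tampering or ordinary CDN geo-routing; check the certificate below.'
}

# 2. hosts-file override (a classic banker trick, and something a fix may have missed)
Get-Content "$env:WinDir\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
    Where-Object { $_ -match [regex]::Escape($HostName) -and $_ -notmatch '^\s*#' } |
    ForEach-Object { "hosts file entry: $_" }

# 3. TCP 443 reachability, then the certificate the far end actually presents
$tcp = Test-NetConnection $HostName -Port 443 -WarningAction SilentlyContinue
"TCP 443 reachable: $($tcp.TcpTestSucceeded) (remote $($tcp.RemoteAddress))"
if ($tcp.TcpTestSucceeded) {
    $client = New-Object Net.Sockets.TcpClient($HostName, 443)
    # Validation callback accepts anything so the certificate can be inspected and reported,
    # which is exactly how an interception or wrong-issuer certificate becomes visible.
    $cb  = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Certificate subject: $($cert.Subject)"
    "Certificate issuer : $($cert.Issuer)   expires: $($cert.NotAfter)"
    $ssl.Dispose(); $client.Close()
}
```

If DNS and TCP both succeed but the issuer differs between the two ISPs, or the TCP test fails only on the fixed line while the public resolver returns the same address, the block is upstream of the PC rather than on it.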