Topic: URL:Mal warning exactly every 10 minutes

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: URL:Mal warning exactly every 10 minutes
« Reply #15 on: May 20, 2018, 03:32:42 PM »
Either I am blind or FRST doesn't show what starts the svchost process.

  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
cmd: type "C:\Users\Tristan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.scf"
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #16 on: May 20, 2018, 06:50:40 PM »
Here is the fixlog.
In FRST.txt I found 4 svchost listings.
« Last Edit: May 22, 2018, 12:59:36 AM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #17 on: May 20, 2018, 09:25:43 PM »
FRST lists svchost.exe but it doesn't list which one runs the problematic one.

Let's try this.

  • Download KVRT
  • Run KVRT, click on I accept
  • Click on Start scan
  • When scan finishes, click on Continue
  • Close KVRT, and attach files found in C:\KVRT_Data\Reports

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #18 on: May 20, 2018, 10:11:12 PM »
As far as I can see, it found a Trojan.Multi.GenAutorunBits.a in the System Memory. The Report file seems to be encrypted but you wanted it, so I assume you can read it ;) I changed the extension of the file from .enc1 to .txt because I was not allowed to upload the .enc1.
It seems that the warnings from Avast stopped today around 15:00 hours CET. I had Avast in Quiet mode so I didn't realise that tonight until now. That's strange...
« Last Edit: May 22, 2018, 12:59:56 AM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #19 on: May 20, 2018, 10:36:37 PM »
Do you have any other PC in your local network? Reboot and scan again with KVRT and see whether the detection is reproduced.

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #20 on: May 21, 2018, 12:06:47 AM »
Indeed, my son has according to KVRT several threats, see below. That's bad...
« Last Edit: May 22, 2018, 01:00:12 AM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #21 on: May 21, 2018, 12:17:08 AM »
You can delete those files on your son's PC, but I recommend opening a separate topic and posting FRST logs for it.

Does KVRT still detect something in system memory after restart?

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #22 on: May 21, 2018, 03:18:05 AM »
I deleted the files and my son's PC is clean now. I did several scans on my PC, but I still have a Trojan.Multi.GenAutorunBITS.a trojan in memory. After deleting and rebooting it comes back. My son's PC is powered off.
Tomorrow I will post a new fixlog...

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #23 on: May 21, 2018, 08:14:48 AM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
cmd: bitsadmin /list /allusers /verbose
cmd: bitsadmin /reset /allusers
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #24 on: May 21, 2018, 08:57:38 PM »
Below is the newest fixlog file. I suddenly got an Avast warning again (also below).
« Last Edit: May 22, 2018, 01:00:30 AM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #25 on: May 21, 2018, 09:29:39 PM »
  • Please download PowerRun from here.
  • Extract it and run PowerRun_x64.exe
  • Right-click on the first entry in the list (%SystemRoot%\System32\cmd.exe) and click on Run
  • A Command Prompt window with SYSTEM privileges should appear. Type this command and press Enter:
Code:
bitsadmin /reset /allusers
  • Make a screenshot of the Command Prompt window and attach it here please.

« Last Edit: June 11, 2018, 09:01:16 PM by Sass Drake »

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #26 on: May 22, 2018, 12:55:35 AM »
All right, here it is.
« Last Edit: May 23, 2018, 02:01:42 PM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #27 on: May 22, 2018, 01:23:51 AM »
Restart your PC and report if Avast notification still occurs.

REDACTED

  • Guest
Re: URL:Mal warning exactly every 10 minutes
« Reply #28 on: May 23, 2018, 02:01:23 PM »
No Avast notification popped up. Also after scanning with KVRT there are no threats found. Maybe you can explain what happened here, because I don't have a clue.
« Last Edit: May 23, 2018, 02:29:26 PM by t.wiechert »

Offline Sass Drake

Re: URL:Mal warning exactly every 10 minutes
« Reply #29 on: May 23, 2018, 08:49:13 PM »
The malware dropper executable created a BITS job and after that probably deleted itself. The BITS job tried to download and run the payload, but fortunately Avast blocked it.

You can find more about BITS (Background Intelligent Transfer Service) here: https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx



Rename FRST64.exe to uninstall.exe and run it. That should remove FRST and its files.
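
Added example, not part of the original thread and not FRST's or the helper's own code: a small Python triage of `bitsadmin /list /allusers /verbose` output, the listing requested in Reply #23, that flags jobs which run a command on completion or download from a host outside an allowlist. The sample listing, its GUIDs, hosts and paths, and the `TRUSTED_HOSTS` allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed, abridged sample modelled on `bitsadmin /list /allusers /verbose`
# output; not taken from the thread. GUIDs, names, hosts and paths are made up.
SAMPLE = r"""GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: 'job-a'
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 14
JOB FILES:
    0 / UNKNOWN WORKING http://files.example.invalid/a.bin -> C:\ProgramData\a.bin
NOTIFICATION COMMAND LINE: 'C:\ProgramData\a.bin' ''

GUID: {66666666-7777-8888-9999-000000000000} DISPLAY: 'Vendor update'
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 0
JOB FILES:
    0 / UNKNOWN WORKING https://updates.example.com/pkg.cab -> C:\Temp\pkg.cab
NOTIFICATION COMMAND LINE: none
"""

TRUSTED_HOSTS = {"updates.example.com"}  # assumption: hosts you expect BITS to use

def parse_jobs(text):
    """Split the listing at each 'GUID:' line and keep the fields used for triage."""
    jobs = []
    for block in re.split(r"(?m)^(?=GUID: )", text):
        head = re.search(r"GUID: (\{[^}]+\}) DISPLAY: '(.*)'", block)
        if not head:
            continue  # text before the first job, e.g. the bitsadmin banner
        retry = re.search(r"RETRY DELAY: (\d+)", block)
        notify = re.search(r"NOTIFICATION COMMAND LINE: (.+)", block)
        jobs.append({
            "guid": head.group(1), "name": head.group(2),
            "retry_delay": int(retry.group(1)) if retry else None,  # seconds
            "urls": re.findall(r"(https?://\S+) -> ", block),
            "notify": notify.group(1).strip() if notify else "none",
        })
    return jobs

def triage(job):
    reasons = []
    if job["notify"].lower() != "none":
        reasons.append("runs a command on completion: " + job["notify"])
    hosts = {urlsplit(u).hostname or "" for u in job["urls"]}
    reasons += ["downloads from unexpected host: " + h for h in sorted(hosts - TRUSTED_HOSTS)]
    return reasons

def suspicious_jobs(text):
    return {j["guid"]: r for j in parse_jobs(text) if (r := triage(j))}

print(suspicious_jobs(SAMPLE))
```

The `retry_delay` field is kept because a failing BITS job is retried after its minimum retry delay, which defaults to 600 seconds.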