Threat detected/ aborted connection on 172.86.120.188 infected with URL:Mal

Hey All,
Let me start by saying I appreciate any help given! A few days ago I started getting a message saying threat secured/ aborted connection on 172.86.120.188 infected with URL:MAL.

Threat name: URL:Mal
URL: http:172.86.120.188/current/runtime.exe
Process C:\windows\system32\svchost.exe
Detected by Web Shield
Status Connection aborted

I think I followed the instructions in the sticky post and included my log files. Again, any help will be greatly appreciated!!!

This will restart your PC automatically so save your work before doing this.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
    EmptyTemp:
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Here it is…thanks again!

What is status now?

Same message from Avast popping up every ten minutes or so.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
    cmd: bitsadmin /list /allusers /verbose
    cmd: bitsadmin /reset /allusers
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Posting now, status is the same just in case you needed that info. Avast warning popping up every ten min or so…Thanks again for helping!

  • Please download PowerRun from here.
  • Extract it and run PowerRun_x64.exe
  • Right-click on the first entry in the list (%SystemRoot%\System32\cmd.exe) and click on Run
  • A Command Prompt window with SYSTEM privileges should appear. Type this command and press Enter:
    bitsadmin /reset /allusers
  • Make a screenshot of the Command Prompt window and attach it here please.

Here it is. I've said it before but I really appreciate the help!

Sorry, posted the wrong one…here is the right one…

Hmm. What is the system status now? If it is the same, please read carefully and follow the instructions I wrote again.

This is what I’m seeing after slowly going step by step…

Are you still getting Avast notifications for the blocked URL?

Yes, I’m still getting them, thanks!

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
    cmd: bitsadmin /list /allusers /verbose
    cmd: bitsadmin /reset /allusers
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Here you go…I also included a screenshot of what Malwarebytes shows as the problem. I quarantined and also tried deleting them but it keeps coming back. Not sure if this helps, but thank you!

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
    CloseProcesses:
    Task: {DA31CBB2-1E99-40C8-8509-F108596E3358} - System32\Tasks\Windows Cryptography Service Installer => C:\Program Files (x86)\Common Files\Cryptography\Hasher\Installer.bat [2018-01-28] () <==== ATTENTION
    C:\Program Files (x86)\Common Files\system
    C:\Program Files (x86)\Common Files\CRYPTOGRAPHY
    EmptyTemp:
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Here it is…still getting Avast warnings in case you need to know. Thanks!

Please post new FRST.txt and Addition.txt logs.

Here you go, sorry I didn’t include them in my previous post.