Threat secured message ictkjkmd.top connection aborted

I’ve been getting this “Threat secured” message over the last couple of days:
Threat name: URL:Mal

URL: http://ctkjkmd.top/techred/?br=chrome&lang=engnew24&n=%2B1-888-694-2167

process: C:\Users\Craig\AppData\Local\vsdgbtk\wirlhpx.exe

Detected by: Web Shield

Status: Connection aborted

I’ve done several searches for the URL listed and the .exe mentioned, but can’t find any info. I’ve tried to delete the folder and exe mentioned but only get a message saying I don’t have permissions even when I am an administrator on the system. OS is Windows 7 Pro with all updates installed. Any help would be appreciated. Thanks!

URL:Mal means Blacklisted URL or IP

URL is down http://downforeveryoneorjustme.com/ctkjkmd.top

Since it seems to contain what looks like a phone number at the end, my guess is it is related to Fake Alert and "call xxxxx number to get support"

C:\Users\Craig\AppData\Local\vsdgbtk\wirlhpx.exe
upload and scan the file wirlhpx.exe here >> www.virustotal.com Post link to scan result here

You may have some malware that needs to be removed.
If you want help, follow instructions here >> https://forum.avast.com/index.php?topic=194892.0

When I tried to upload the file to www.virustotal.com, I get an access denied message. I’ve scanned the drive and the specific folder already with both Malwarebytes and Avast and neither reports any problems. So it seems like the problem has to do with using my web browser. I’ll probably try doing a system restore from a couple of days ago and see whether that gets rid of the folder.

Follow step 2 in the instructions I gave a link to.
Attach the two diagnostic logs from FRST and an expert will have a look.

I’m in the process of running a Malwarebytes scan with the rootkits option enabled as suggested; however, I got another Avast message saying that wirlhpx.exe had been quarantined. It may be that the problem is solved. Is it reasonable to assume the threat is neutralized? I’ve also noticed that I am unable to run system restore, even from a newly created system repair disc. When I tried to I got a message saying that there were no restore points. Ay Yi Yi.

Is it reasonable to assume the threat is neutralized?
Read my post above again

OK, I’m running FRST64.exe. I’ll post the logs as soon as it is done.

Logs are attached.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\Run: [ Maintance] => "C:\Program Files\\net1.exe" windowsStartup
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: {34a40282-5427-11e6-9ffe-f82fa8e6e870} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: {a4cabf1d-55b8-11e6-b568-f82fa8e6e870} - I:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: {a69de2c5-50d5-11e6-8efe-806e6f6e6963} - Q:\LenovoQDrive.exe
cmd: type "C:\Users\Craig\Documents\sub_drvs.bat"
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
VirusTotal: C:\Program Files\net1.exe;C:\Users\Craig\AppData\Local\vsdgbtk\wirlhpx.exe;C:\Windows\system32\Drivers\sbsvzcfi.sys
C:\Program Files\net1.exe
C:\Users\Craig\AppData\Roaming\et
C:\Users\Craig\AppData\Local\PCBooster
C:\Windows\system32\atozxdh
C:\Windows\SysWOW64\atozxdh
C:\Users\Craig\AppData\Local\pwdxlbk
C:\Users\Craig\AppData\Local\vsdgbtk
C:\Windows\system32\Drivers\sbsvzcfi.sys
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
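
A small parser for the fixlist format used above, as an added example that is not part of this thread or of the FRST tool itself. It sorts the lines into the kinds of action FRST will take (registry Run entries, MountPoints2 entries, `cmd:` lines, `VirusTotal:` submissions, `<==== ATTENTION` flags, bare paths to remove), lists which of them live in user-writable AppData locations, and hashes any file that is still readable so it can be looked up on VirusTotal by SHA-256 instead of uploaded (useful when, as in this thread, the upload gets "access denied"). The line shapes it recognises are assumed from the entries in the post; the sample fixlist inside it reuses those entries.

```python
"""Categorise an FRST fixlist into the remediation actions it describes.

Added example, not part of the Avast forum thread or of FRST. The line shapes
below are assumed from the fixlist posted in the thread; other FRST directives
land in `unknown` rather than being guessed at.
"""
import hashlib
import re
from dataclasses import dataclass, field

# HKU\<sid>\...\Run: [Name] => "path" args
RUN_RE = re.compile(r'^(?P<hive>HK[A-Z]+\\[^:]*?\\Run): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
# HKU\<sid>\...\MountPoints2: <key> - <target>
MOUNT_RE = re.compile(r'^(?P<hive>HK[A-Z]+\\[^:]*?\\MountPoints2): (?P<key>\S+) - (?P<target>.*)$')
# A bare drive-letter path: FRST deletes the file or folder.
PATH_RE = re.compile(r'^[A-Za-z]:\\')
# Per-user writable locations where autostarted binaries deserve a second look.
APPDATA_RE = re.compile(r'\\AppData\\(Local|Roaming)\\', re.IGNORECASE)
ATTENTION = '<==== ATTENTION'


@dataclass
class FixPlan:
    run_entries: list = field(default_factory=list)   # (hive, name, command)
    mountpoints: list = field(default_factory=list)   # (hive, key, target)
    commands: list = field(default_factory=list)      # cmd: lines FRST executes
    virustotal: list = field(default_factory=list)    # paths FRST submits
    attention: list = field(default_factory=list)     # lines FRST flagged
    paths: list = field(default_factory=list)         # files/folders to remove
    unknown: list = field(default_factory=list)       # anything unrecognised


def parse_fixlist(text: str) -> FixPlan:
    """Classify every non-empty fixlist line into a FixPlan bucket."""
    plan = FixPlan()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(ATTENTION):
            plan.attention.append(line[:-len(ATTENTION)].strip())
            continue
        m = RUN_RE.match(line)
        if m:
            plan.run_entries.append((m['hive'], m['name'].strip(), m['cmd']))
            continue
        m = MOUNT_RE.match(line)
        if m:
            plan.mountpoints.append((m['hive'], m['key'], m['target']))
            continue
        if line.startswith('cmd: '):
            plan.commands.append(line[len('cmd: '):])
            continue
        if line.startswith('VirusTotal: '):
            plan.virustotal.extend(p for p in line[len('VirusTotal: '):].split(';') if p)
            continue
        if PATH_RE.match(line):
            plan.paths.append(line)
            continue
        plan.unknown.append(line)
    return plan


def appdata_items(plan: FixPlan) -> list:
    """Paths in the plan that sit under the user's AppData tree, de-duplicated."""
    seen, out = set(), []
    for p in plan.paths + plan.virustotal:
        if APPDATA_RE.search(p) and p not in seen:
            seen.add(p)
            out.append(p)
    return out


def hashes_for_lookup(paths) -> dict:
    """SHA-256 of each readable file (for a VirusTotal hash search); None if unreadable."""
    result = {}
    for p in paths:
        try:
            with open(p, 'rb') as fh:
                result[p] = hashlib.sha256(fh.read()).hexdigest()
        except OSError:          # missing, locked or access denied
            result[p] = None
    return result


# Sample fixlist: the entries posted in the thread, embedded for an offline run.
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\Run: [ Maintance] => "C:\Program Files\\net1.exe" windowsStartup
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4113727973-3948558827-3579228898-1001\...\MountPoints2: {a69de2c5-50d5-11e6-8efe-806e6f6e6963} - Q:\LenovoQDrive.exe
cmd: type "C:\Users\Craig\Documents\sub_drvs.bat"
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
VirusTotal: C:\Program Files\net1.exe;C:\Users\Craig\AppData\Local\vsdgbtk\wirlhpx.exe;C:\Windows\system32\Drivers\sbsvzcfi.sys
C:\Program Files\net1.exe
C:\Users\Craig\AppData\Local\vsdgbtk
C:\Windows\system32\Drivers\sbsvzcfi.sys
"""

if __name__ == '__main__':
    plan = parse_fixlist(SAMPLE_FIXLIST)
    for name, value in vars(plan).items():
        print(f'{name}: {len(value)}')
    print('AppData items:', appdata_items(plan))
    print('hashes:', hashes_for_lookup(plan.virustotal))
```

Run it as-is to see the sample classified; point `parse_fixlist` at your own fixlist text to review what a fix will touch before clicking Fix. On a machine other than the one being cleaned every hash comes back as `None`, which is the expected signal that the file is not there to be hashed.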

Done! Fixlog.txt attached.

What is system status now?

I haven’t seen the original message for a while. System Restore will still not launch either from the Windows menu, Run command or from command prompt.

Do you get any error message?

No, nothing happens at all. I even tried creating a new restore point earlier. It said it created successfully, but still no dice.

You may want to look at the following:
https://forum.avast.com/index.php?topic=164936.msg1284599#msg1284599

I downloaded and installed and it shows the restore point I created before. I assume that there should be others. Is it possible that the malware deleted them? Can you tell whether the original problem has been removed?

It is quite possible but Sass Drake would be the expert to confirm that.

OK, I’ll assume so for now. Thanks very much for all of your help!

You’re welcome. :slight_smile:

Malware you had should not be the reason why the System Restore application won’t open. Follow these instructions and tell us the results.
https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system