Threat URL:mal but MBAM says no threat.

I am confused. Today AVAST told me a threat was blocked: URL:mal with this IP address: 195.38.137.100. Tried to Google it, but I am not that much of a geek. Will attach the logs as the information post said, hope I did it right. The threat warning pops up now and again from AVAST saying that Google Chrome is the problem.

I scan my computer with AVAST and it says everything is good, as does Malwarebytes. Hope someone can help :) Thank you!

Anni

URL:mal means a blacklisted URL or IP.

IP > 195.38.137.100 check

https://virustotal.com/nb/url/53c4d865a386dcd8197933f148412db6825bca1d11a34310b0f06baf02647e76/analysis/1485611507/

https://www.metadefender.com/#!/results/ip/MTk1LjM4LjEzNy4xMDA=

IP history > https://virustotal.com/nb/ip-address/195.38.137.100/information/

https://www.threatcrowd.org/ip.php?ip=195.38.137.100
https://cymon.io/195.38.137.100

Avast has been notifying me about this IP since yesterday every half hour. How can I fix this / prevent from happening?

Is this happening because my computer is infected?

http://i.imgur.com/viOjKII.png

https://forum.avast.com/index.php?topic=194892.0

annfor,

Please run the following and tell us if the warnings are still happening:

Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop (if you do not have the file on your desktop from before).

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box and right click on it and select copy (or you can just click on the (select) next to Code Box). Paste this into the open notepad. Save it to your desktop as fixlist.txt


Start
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers
End

NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.

Thank you so much for your help! The log is attached; again, hope I did it right. It seems the warning is gone and everything is running smoothly. No pop-up about a threat on the reboots like there has been the last couple of days, nor during use. I suppose then that there is no threat, and I still get no threats identified with Malwarebytes. Will report in a few days if everything is still running smoothly.

Again, thank you!

annfor,

You did everything correctly. Please let us know if the system stays clean.

FYI, this type of infection starts a background job that runs until the job is deleted. No malware is found because a BITS job is part of Windows and is usually a normal background task.
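The point above is that a BITS job is a legitimate Windows object, so on-demand scanners ignore it; the fix in the thread (bitsadmin /reset /allusers) simply deletes every job. The script below is an added example, not part of the original thread or the FRST fix: it lists the jobs for all users and flags the ones a practitioner would want to look at before wiping them (remote URL is a bare IP rather than a DNS name, target file lands in a temp or profile directory, or a NotifyCmdLine is set, which BITS runs when the transfer finishes). The watch-list IP is the one from the thread; the directory patterns are illustrative, and it is assumed that the job object exposes the NotifyCmdLine value that Set-BitsTransfer -NotifyCmdLine writes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): enumerate BITS jobs for every
# user and flag the ones worth a second look before deleting them.
# Assumptions: Windows 8 / Server 2012 or later with the BitsTransfer module,
# run from an elevated PowerShell so -AllUsers can see other accounts' jobs.
Import-Module BitsTransfer

# Constructed watch list for this example; the IP is the one from the thread.
$SuspectHosts = @('195.38.137.100')

function Test-SuspiciousBitsJob {
    param($Job)   # a BitsJob object as returned by Get-BitsTransfer
    $reasons = @()
    foreach ($file in $Job.FileList) {
        $uri = $null
        if ([Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
            # Legitimate vendors fetch from DNS names; a bare IP in the URL is unusual.
            if ($uri.HostNameType -eq [UriHostNameType]::IPv4 -or
                $uri.HostNameType -eq [UriHostNameType]::IPv6) {
                $reasons += "remote host is a bare IP ($($uri.Host))"
            }
            if ($SuspectHosts -contains $uri.Host) {
                $reasons += "remote host is on the watch list ($($uri.Host))"
            }
        }
        # Illustrative pattern: downloads landing in user-writable temp/profile
        # directories are typical of droppers.
        if ($file.LocalName -match '\\(Temp|AppData|ProgramData)\\') {
            $reasons += "writes to $($file.LocalName)"
        }
    }
    # NotifyCmdLine is a program BITS launches when the job completes:
    # a convenient persistence hook. (Assumed to be exposed on the job object.)
    if ($Job.NotifyCmdLine) {
        $reasons += "runs on completion: $($Job.NotifyCmdLine)"
    }
    return $reasons
}

$jobs = @(Get-BitsTransfer -AllUsers)
foreach ($job in $jobs) {
    $reasons = @(Test-SuspiciousBitsJob -Job $job)
    $tag = if ($reasons.Count -gt 0) { 'SUSPECT' } else { 'ok     ' }
    Write-Host ("{0} {1} owner={2} state={3} created={4}" -f `
        $tag, $job.JobId, $job.OwnerAccount, $job.JobState, $job.CreationTime)
    foreach ($r in $reasons) { Write-Host "        - $r" }
}

# Deleting only the flagged jobs (bitsadmin /reset /allusers deletes all of them).
# -WhatIf prints what would be removed; drop it once you have reviewed the list.
$jobs |
    Where-Object { @(Test-SuspiciousBitsJob -Job $_).Count -gt 0 } |
    Remove-BitsTransfer -WhatIf
```

Run it before the reset rather than after: once the jobs are gone there is nothing left to tell you which program created them, and a job whose remote host is a bare IP or whose NotifyCmdLine points into a user profile is the lead you would follow to the installer.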

Hi,
The reason the pop-ups stopped could also be (apart from cleaning up an infection in your PC) that I unblocked the IP (195.38.137[.]100) yesterday evening (18:35 CET)… As of now, only the domains that point to this IP are blocked, but there has been a spike of direct calls to the IP (as opposed to calls to domains on this IP). We are investigating ;)
Honza

Thank you for the information. Please let us know the outcome of your investigation.

Hi,
this IP is called by adware programs (mysafeproxymonitor.exe, myadguardianmonitor.exe) signed with expired signatures by nonexistent companies, XTRM GROUP LTD and DotAds International Ltd respectively. We don’t block it anymore in order not to annoy our users with so many pop-ups.
Jirka
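Honza's post mentions direct calls to the IP and Jirka's names the two adware executables and their expired code-signing certificates. The script below is an added example, not from the thread or from Avast: it maps live TCP connections to the flagged IP back to the owning processes, adds any running process with one of the two names, and reports the Authenticode status, signer subject, certificate expiry and whether the signature carries a timestamp countersignature (without one, an expired signing certificate means the signature can no longer be trusted). The IP and process names come from the thread; everything else is illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): find which process on this machine
# is talking to the flagged IP and check the Authenticode signature of its image.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection), elevated
# so that other users' processes expose their image path.
$FlaggedIp         = '195.38.137.100'                                   # from the thread
$KnownAdwareImages = @('mysafeproxymonitor.exe', 'myadguardianmonitor.exe')  # from the thread

function Get-SignerReport {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer      = if ($cert) { $cert.Subject } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # A timestamp countersignature keeps a signature valid after the signing
        # certificate expires; without one, an expired certificate is a red flag.
        Timestamped = [bool]$sig.TimeStamperCertificate
        Expired     = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $false }
    }
}

# 1) Live connections to the IP -> owning PIDs -> image paths.
$pids = @(Get-NetTCPConnection -RemoteAddress $FlaggedIp -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty OwningProcess -Unique)
$paths = @(foreach ($p in $pids) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path) { $proc.Path }
})

# 2) Also pick up the named adware processes, whether or not they are connected right now.
$paths += @(Get-Process |
    Where-Object { $_.Path -and ($KnownAdwareImages -contains ($_.Name + '.exe')) } |
    Select-Object -ExpandProperty Path)

if ($paths.Count -eq 0) {
    Write-Host "No process is currently connected to $FlaggedIp and no known adware image is running."
} else {
    $paths | Sort-Object -Unique | ForEach-Object { Get-SignerReport -Path $_ } | Format-Table -AutoSize
}
```

A valid signature from a company you have never heard of is not proof of anything, but the combination Jirka describes (Expired = True, Timestamped = False, Status other than Valid, signer an unknown Ltd) is exactly what this table makes visible, and the Path column tells you what to remove.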