Hi, a couple of days ago I began receiving warnings from Avast that a connection to 172.86.120.188 was closed because of an infection with URL:Mal. These messages pop up every 10 minutes. I ran HitmanPro, Eset online and MalwareBytes, I also used WireShark to pinpoint the software that triggers the connection. Without success. Any idea?
Thanks in advance.
Seems you may have a coinminer infection.
Follow instructions here and attach requested logs >> https://forum.avast.com/index.php?topic=194892.0
Hi Pondus, thanks for your help. The coinminer theory was exactly what I thought.
I have the files, Malwarebytes did not find anything.
Please delete these files after usage.
Malware expert @Sass Drake is notified
You can do that yourself when he is done. Just edit your post.
Open Notepad (click Start button → type notepad.exe → press Enter )
Copy text from code block below and paste it into Notepad
cmd: bitsadmin.exe /reset /allusers
cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SearchList /d "" /f
Reboot:
Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
Hi, and thanks for your help. I ran FRST again and it restarted my PC.
Fixlog was generated, see below.
What is the system's status now?
Sorry, had to wait for 10 min…
The warnings are still generated (see below).
Open Notepad (click Start button → type notepad.exe → press Enter )
Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1586008 2018-05-15] (Google Inc.)
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05182018180823846\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
Please temporarily uninstall TeamViewer until we resolve this.
system, May 18, 2018, 7:40pm, #11
Okay, TeamViewer is gone. Fixlog below, the system did not start again.
During my typing the warning came again.
Did you personally install Lansweeper?
Please post new FRST logs.
system, May 20, 2018, 10:48am, #15
Here they are, I used the last script you gave me…
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1586008 2018-05-15] (Google Inc.)
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05182018180823846\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Either I am blind or FRST doesn't show what starts the svchost process.
Open Notepad (click Start button → type notepad.exe → press Enter )
Copy text from code block below and paste it into Notepad
cmd: type C:\Users\Tristan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.scf
Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
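The FRST fixlists above reset the BITS job queue, clear the Tcpip SearchList, and inspect the per-user Run values and the Startup folder by hand. The following read-only PowerShell triage script is an added example, not from this thread or from FRST/KVRT, that reports those same locations in one pass so they can be compared before and after a fix. It assumes Windows PowerShell 5.1 in an elevated (Administrator) session, which Get-BitsTransfer -AllUsers and HKEY_USERS access require.

```powershell
# Added triage script, not from the thread. Read-only: it only reports, it removes nothing.
# Assumes Windows PowerShell 5.1 in an elevated (Administrator) session.
Import-Module BitsTransfer

Write-Host '== BITS jobs of all users =='
# A job whose NotifyCmdLine is set runs that command when the transfer finishes, which is
# how a BITS-based autorun survives reboots; legitimate updaters rarely use it, so list every such job.
Get-BitsTransfer -AllUsers | Where-Object { $_.NotifyCmdLine } | ForEach-Object {
    [pscustomobject]@{
        JobId         = $_.JobId
        DisplayName   = $_.DisplayName
        State         = $_.JobState
        NotifyCmdLine = $_.NotifyCmdLine
        RemoteFiles   = ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; '
    }
} | Format-List

Write-Host '== DNS suffix SearchList (expected: empty, or only your own domain suffix) =='
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
(Get-ItemProperty -Path $tcpip -Name SearchList -ErrorAction SilentlyContinue).SearchList

Write-Host '== Run values in every loaded user hive (same view as the HKU\...\Run lines in FRST.txt) =='
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $run = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $run) {
            (Get-ItemProperty -Path $run).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}: [{1}] => {2}' -f $run, $_.Name, $_.Value }
        }
    }

Write-Host '== Files in per-user Startup folders (where the thread found a Desktop.scf) =='
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" `
    -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it once before applying a fixlist and once after the reboot; a BITS job or Run value that reappears between the two runs points at whatever is still alive and recreating it.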
system, May 20, 2018, 4:50pm, #17
Here is the fixlog.
In FRST.txt I found 4 svchost listings.
FRST lists svchost.exe but it doesn't list which one runs the problematic one.
Let’s try this.
Download KVRT
Run KVRT, click on I accept
Click on Start scan
When scan finishes, click on Continue
Close KVRT, and attach files found in C:\KVRT_Data\Reports
system, May 20, 2018, 8:11pm, #19
As far as I can see, it found a Trojan.Multi.GenAutorunBits.a in the System Memory. The Report file seems to be encrypted but you wanted it, so I assume you can read it. I changed the extension of the file from .enc1 to .txt because I was not allowed to upload the .enc1.
It seems that the warnings from Avast stopped today around 15:00 hours CET. I had Avast in Quiet mode so I didn’t realise that tonight until now. That’s strange…
Do you have any other PC in your local network? Reboot and scan again with KVRT and see whether the detection is reproduced.