URL:Mal warning exactly every 10 minutes

Hi, a couple of days ago I began receiving warnings from Avast that a connection to 172.86.120.188 was closed because of an infection with URL:Mal. These messages pop up every 10 minutes. I ran HitmanPro, ESET Online and Malwarebytes, and I also used Wireshark to pinpoint the software that triggers the connection, without success. Any idea?

Thanks in advance.

URL:Mal = Blacklisted URL or IP

What does the Avast message say … all info on it, or post a screenshot.

Blacklisting
https://www.virustotal.com/#/url/4479e448a2e8dcf5bb8025caa488fdc0c531d0a3d578be7307579f0b9f7cbb9f/detection

IP History >> https://www.virustotal.com/#/ip-address/172.86.120.188

Seems you may have a coinminer infection.

Follow instructions here and attach requested logs >> https://forum.avast.com/index.php?topic=194892.0

Hi Pondus, thanks for your help. The coinminer theory was exactly what I thought.
I have the files; Malwarebytes did not find anything.
Please delete these files after usage.

Malware expert @Sass Drake is notified

Please delete these files after usage.
You can do that yourself when he is done... just edit your post.
  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
cmd: bitsadmin.exe /reset /allusers
cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SearchList /d "" /f
Reboot:
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Hi, and thanks for your help. I ran FRST again and it restarted my PC.
Fixlog was generated, see below.

What is the system's status now?

Sorry, had to wait for 10 min…
The warnings are still generated (see below).

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1586008 2018-05-15] (Google Inc.)
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05182018180823846\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Please temporarily uninstall TeamViewer until we resolve this.

Okay, TeamViewer is gone. Fixlog below; the system did not start again.
While I was typing, the warning came again.

Did you personally install Lansweeper?

Yes, I did.

Please post new FRST logs.

Here they are, I used the last script you gave me…

HKU\S-1-5-21-2073904822-2605993377-2851215077-1000\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1586008 2018-05-15] (Google Inc.)
HKU\S-1-5-21-2073904822-2605993377-2851215077-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05182018180823846\...\Run: [351E84CD53708C838D64008E83D3E6A16997A927._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Either I am blind or FRST doesn't show what starts the svchost process.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
cmd: type C:\Users\Tristan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.scf
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Here is the fixlog.
In FRST.txt I found 4 svchost listings.

FRST lists svchost.exe, but it doesn't list which one runs the problematic one.

Let’s try this.

  • Download KVRT
  • Run KVRT, click on I accept
  • Click on Start scan
  • When scan finishes, click on Continue
  • Close KVRT, and attach files found in C:\KVRT_Data\Reports
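The gap noted above (FRST shows several svchost.exe instances but not which one owns the outbound connection) can be closed with built-in Windows tooling. The following is an added example, not part of the thread and not FRST or KVRT code; it assumes an elevated PowerShell 5.1 or later prompt on the affected PC and takes the address from the thread as its only input.

```powershell
# Added example: find which process (and, for svchost.exe, which service)
# owns a connection to the flagged address, then list BITS jobs for all
# users. BITS jobs persist across reboots and can re-run a payload on a
# schedule, which fits a warning that recurs on a fixed interval.
# Assumptions: elevated PowerShell 5.1+ on the affected PC.
$SuspectIp = '172.86.120.188'   # address from the thread; replace as needed

function Get-ConnectionOwner {
    param([string]$RemoteIp)
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $RemoteIp } |
        ForEach-Object {
            $owningPid = $_.OwningProcess
            $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
            # One svchost.exe can host several services; resolve them via CIM
            $services = if ($proc -and $proc.Name -eq 'svchost') {
                (Get-CimInstance Win32_Service -Filter "ProcessId=$owningPid").Name -join ','
            } else { '' }
            [pscustomobject]@{
                RemotePort = $_.RemotePort
                State      = $_.State
                PID        = $owningPid
                Process    = $proc.Name
                Path       = $proc.Path
                Services   = $services
            }
        }
}

function Get-AllUserBitsJobs {
    # -AllUsers is required to see jobs created by SYSTEM or another account
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object JobId, DisplayName, JobState, OwnerAccount, CreationTime,
            @{ n = 'Urls'; e = { ($_.FileList | ForEach-Object RemoteName) -join ' ' } }
}

# Avast closes the connection as soon as it sees it, so poll for a little
# longer than the 10-minute interval instead of running once; stop on first hit.
$deadline = (Get-Date).AddMinutes(12)
do {
    $hits = Get-ConnectionOwner -RemoteIp $SuspectIp
    if ($hits) { $hits | Format-Table -AutoSize; break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)
if (-not $hits) { Write-Host "No connection to $SuspectIp seen within 12 minutes." }

Write-Host "BITS jobs visible for all users:"
Get-AllUserBitsJobs | Format-List
```

Process names and paths of SYSTEM-owned processes are only visible from an elevated prompt; a BITS job whose Urls column points at an unfamiliar host is the kind of persistence that the `bitsadmin.exe /reset /allusers` line in the fix script earlier in the thread removes.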

As far as I can see, it found a Trojan.Multi.GenAutorunBits.a in the System Memory. The Report file seems to be encrypted but you wanted it, so I assume you can read it :wink: I changed the extension of the file from .enc1 to .txt because I was not allowed to upload the .enc1.
It seems that the warnings from Avast stopped today around 15:00 hours CET. I had Avast in Quiet mode, so I didn't realise it until now. That's strange…

Do you have any other PC in your local network? Reboot and scan again with KVRT and see whether the detection is reproduced.