Hi, since yesterday I get an alert form Avast that a threatening infection was blocked every time I start Firefox:

http://104.27.161.59/wp-content/uploads/2014/10/TWOL-Bowl-Favicon.ico
URL:mal
C:\program files (x86)Mozilla Firefox\firefox.exe

I traced this down to a website “The woks of life” which I had open as a tab (since at least 2 weeks). I closed the tab, deleted all cookies, deleted the TWOL-pages from the history and deleted the saved articles from pocket, but I still get this alert.

A normal AVAST scan does not find a threat (which I guess is no wonder, because the infection was blocked).
Any ideas what I should do?

Thanks in advance! Lupe

Attached are the logfiles from MBAM, FRST and aswMBR

Could you confirm that it is only firefox that is affected

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM-x32\...\Run: [] => [X] HKU\S-1-5-21-1397616743-3068313765-1809913445-1000\...\Run: [AdobeBridge] => [X] 2015-10-22 16:08 - 2015-06-12 10:37 - 00000000 ____D C:\ProgramData\boost_interprocess Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

Essexboy, I created the fixlist.txt and put it in the same folder as FRST, what do you mean by “press fix” when running FRST, should I see an option for that?

FRST have a fix button on right side

Sorry for the dumb question - I got confused because my version of FRST is in German.

I applied the fix and then ran AdwCleaner (logfile below) - but Avast stills gives me the same alert.

What now? Thanks for your help!

Could you attach the fix log FRST generated please, also is this present in all browsers

Sorry, forgot the attachment.

Yes, the alert also comes up with Chrome and IE, but the alert details specify the complete url http://104.27.160.59/, not only the favicon.

OK so all browsers then

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

After running Combofix everything seems back to normal, I don’t get the alerts any more. Should I try to open the website in question now (they had a lot of useful recipes) or should I simply avoid it - I have no idea whether the alert was a false positive or not and haven’t a clue how to determine this.
Thank you! Lupe

What web site was it… Just the name no www etc

Jamie Olivers site was hacked a month or so ago

Oh, I didn’t know that!

The website is thewoksoflife.com (Asian recipes), the first alert referred only to their favicon:

http://104.27.161.59/wp-content/uploads/2014/10/TWOL-Bowl-Favicon.ico

later on the alerts referred to the IP address http://104.27.161.59 (which seems to be located in San Francisco), not to the url thewoksoflife.com. I traced this down going through all my open tabs. Like I said, I closed the tab and deleted cookies and history.

Just went there in a protected browser, it has been hacked

Ah, I see - thanks so much for your help with this!

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

Too bad, yesterday everything seemed to be fine, but today when I started my machine and then Firefox the alert came back up:

http://104.27.160.59/wp-content/uploads/2014/10/TWOL-Bowl-Favicon.ico
URL:mal
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

What to do? I suppose you meant that I should follow the above instructions only if everything is ok?

hey lupe2 attach a new frst and addation log essexboy will look at it agian then:)

Here are the new FRST files - thanks for looking!

Did you revisit the website ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

No, I didn’t visit the website again, actually the computer was turned off.

Here’s the new fixlog - the system rebooted after the fix. And when I started Firefox the alert came up again.

Right now I am changing passwords for all sites where I don’t use 2-way-authentification.

OK try Firefox in safe mode and see if the alerts still occur

https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode