Recently looked at a news article and twitter and saw Avast block the threat for “Infekce zablokována” and thought everything was fine but it keeps popping up now from various URL’s at dora-explorer.co.uk

One url example: hxxp://zx3pfiot5qhdzzhacpuytlw.dora-explorer.co.uk/index.php?t=ZWJpcnhkcXc9a3l5a2hkJnRpbWU9MTQwNzE1MTkzMDE5Nzg1MTk

Reason popping up is different each time. Something tells me the trojan is trying to call back to C&C but failing. Unsure though.

I’ve attached relevant logs as asked for in stickied post.

Does this occur in all browsers ?

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi,

Thank you for your response. I have attached the adwcleaner log.

It is doing it in Chrome.

Are they still appearing in chrome ? If so could you try incognito mode and see if they still appear
https://support.google.com/chrome/answer/95464?hl=en-GB

Yes, this is still appearing every now and then even in incognito.

Could you now reset chrome please https://support.google.com/chrome/answer/3296214?hl=en-GB

Still pops up after resetting. It’s fairly often.

OK bigger hammer time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi,

Combofix isn’t compatible with windows 8.1 so I cannot run it. Everytime I try and run the exe it says it doesn’t support compatibility mode. I’ve checked google and website for combofix and it says windows 8.1 is not supported at this time.

Correct that was my error sorry

And this only appears in chrome is that correct

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

FF NetworkProxy: "no_proxies_on", "" FF NetworkProxy: "ssl", "127.0.0.1" FF NetworkProxy: "ssl_port", 1413 FF NetworkProxy: "type", 4 CMD: bitsadmin /reset /allusers CMD: DEL %TEMP%\*.* /F /S /Q CMD: RD /S /Q %TEMP% REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Hi, please find attached the log.

Is it still appearing in chrome only

It’s appearing less now but still there

Could you fully uninstall chrome and then re-install
I can see nothing at this stage in chrome

Fully re-installed chrome over this weekend. Since re-installing I’ve had it pop up two times and that’s it. Less than before.

Sorry about delay in reply, been busy over the weekend.

Does this occur on the same website ?

I have been getting the same Avast warnings about Infekce zablokována for the past two days in both Chrome and Firefox. The warning shows:

Object: http://54.213.74.177/?check=2
Infection: URL: Mal

I did a /whois at http://whois.domaintools.com/54.213.74.177 and the 54.213.74.177 IP resolves to Amazon Technologies Inc. in Seattle, Washington. I don’t think Amazon would be sending out malware, but I suppose anything is possible.

Could you start your own thread please and I will pick you up there

Follow these initial instructions https://forum.avast.com/index.php?topic=53253.0

Your infection is slightly different

OK, essexboy, I just created a new thread.

As far as I can tell this is just random and not on any particular website. Appeared earlier when I was on Twitter.

Would hijack this help with this situation?