system
1
Recently looked at a news article and Twitter and saw Avast block the threat for “Infekce zablokována” and thought everything was fine, but it keeps popping up now from various URLs at dora-explorer.co.uk
One url example: hxxp://zx3pfiot5qhdzzhacpuytlw.dora-explorer.co.uk/index.php?t=ZWJpcnhkcXc9a3l5a2hkJnRpbWU9MTQwNzE1MTkzMDE5Nzg1MTk
Reason popping up is different each time. Something tells me the trojan is trying to call back to C&C but failing. Unsure though.
I’ve attached relevant logs as asked for in stickied post.
Does this occur in all browsers?
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
system
3
Hi,
Thank you for your response. I have attached the adwcleaner log.
It is doing it in Chrome.
Are they still appearing in Chrome? If so, could you try incognito mode and see if they still appear?
https://support.google.com/chrome/answer/95464?hl=en-GB
system
5
Yes, this is still appearing every now and then even in incognito.
system
7
Still pops up after resetting. It’s fairly often.
OK bigger hammer time
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
system
9
Hi,
Combofix isn’t compatible with Windows 8.1 so I cannot run it. Every time I try and run the exe it says it doesn’t support compatibility mode. I’ve checked Google and the website for Combofix and it says Windows 8.1 is not supported at this time.
Correct, that was my error, sorry.
And this only appears in Chrome, is that correct?
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "ssl", "127.0.0.1"
FF NetworkProxy: "ssl_port", 1413
FF NetworkProxy: "type", 4
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
system
11
Hi, please find attached the log.
Is it still appearing in Chrome only?
system
13
It’s appearing less now but still there.
Could you fully uninstall Chrome and then re-install?
I can see nothing at this stage in Chrome.
system
15
Fully re-installed Chrome over this weekend. Since re-installing I’ve had it pop up two times and that’s it. Less than before.
Sorry about delay in reply, been busy over the weekend.
Does this occur on the same website?
system
17
I have been getting the same Avast warnings about Infekce zablokována for the past two days in both Chrome and Firefox. The warning shows:
Object: http://54.213.74.177/?check=2
Infection: URL: Mal
I did a /whois at http://whois.domaintools.com/54.213.74.177 and the 54.213.74.177 IP resolves to Amazon Technologies Inc. in Seattle, Washington. I don’t think Amazon would be sending out malware, but I suppose anything is possible.
Could you start your own thread please and I will pick you up there
Follow these initial instructions https://forum.avast.com/index.php?topic=53253.0
Your infection is slightly different
system
19
OK, essexboy, I just created a new thread.
system
20
As far as I can tell this is just random and not on any particular website. Appeared earlier when I was on Twitter.
Would HijackThis help with this situation?