Hello, I noticed 3 (so far) similar topics, so I opened a new one as I have the same problem.
So today I downloaded an installation package for some program. I opened it and it started downloading some stuff from the internet. When it reached 50%, Avast blocked this site:
I thought it was some virus and Avast blocked it, but Avast started blocking that site every 10 min while I'm online.
Here is the WebShield log (starting when Avast blocked it for the first time):
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 20, 2014 9:23:59 AM
*
20.7.2014. 9:51:35 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:01:35 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:11:35 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:21:36 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
*
* Shield stopped: Sunday, July 20, 2014 10:27:33 AM
* Run-time was 1 hour(s), 3 minute(s), 3 second(s)
*
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 20, 2014 10:28:56 AM
*
20.7.2014. 10:31:24 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:32:40 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:32:40 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 10:32:40 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
*
* Shield stopped: 20. srpanj 2014. 10:35:51
* Run-time was 6 minute(s), 6 second(s)
*
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 20, 2014 11:55:37 AM
*
20.7.2014. 12:15:59 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
*
* Shield stopped: 20. srpanj 2014. 12:38:41
* Run-time was 43 minute(s), 43 second(s)
*
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: 20. srpanj 2014. 14:06:08
*
20.7.2014. 14:06:29 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 14:16:29 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 14:26:29 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 14:36:30 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 14:46:30 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 14:56:34 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 15:06:31 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 15:16:31 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
20.7.2014. 15:26:31 http://54.187.243.98/?e=pcho&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDyxECyFPg7x9Ae0KBfUKAe4MBG0VWznLDe4PBNq9geFI&publisher=377&dd=4&country=HR&ind=4895159338839730436&exid=0&ssd=15612736309535192031&hid=14447342630781547395&osid=601&channel=0&sfx=1&jc=1&category_name=PriceChop&install_date=20130720 [L] URL:Mal (0)
In the attachment are all the needed logs.
I am waiting for your reply on what to do next so I can fix it. Thanks
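A check a responder can run over a WebShield report like the one above, added here and not part of the original post: parse the report lines, group the blocked URLs by host, and measure the spacing between hits so that a fixed-interval callback (the same URL roughly every 600 s) stands out from a one-off block. The `$Sample` lines are a constructed subset of the log above, with the query string trimmed and one made-up one-off entry added for contrast; the timestamp format is the one Avast used in the report (`d.M.yyyy. H:mm:ss`).

```powershell
# Added example, not part of the original post: beacon check over avast
# WebShield report lines. Flags hosts that were blocked repeatedly at a
# near-constant interval.

function Get-BlockedBeacon {
    param(
        [string[]]$Lines,
        [int]$MinHits = 3,          # fewer hits than this cannot be called periodic
        [double]$Tolerance = 0.10   # how far a delta may deviate from the median (fraction)
    )

    # Line shape: "20.7.2014. 9:51:35 http://... [L] URL:Mal (0)"
    $pattern = '^(?<ts>\d{1,2}\.\d{1,2}\.\d{4}\. \d{1,2}:\d{2}:\d{2}) (?<url>\S+) \[(?<flag>\w)\] (?<verdict>\S+)'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, 'd.M.yyyy. H:mm:ss', [cultureinfo]::InvariantCulture)
                Host    = ([Uri]$Matches.url).Host
                Verdict = $Matches.verdict
            }
        }
    }

    $events | Group-Object Host | Where-Object { $_.Count -ge $MinHits } | ForEach-Object {
        $times  = @($_.Group.Time | Sort-Object)
        # Seconds between consecutive hits; 0 s repeats are retries of one block, not a new beacon.
        $deltas = @(for ($i = 1; $i -lt $times.Count; $i++) {
            $d = ($times[$i] - $times[$i - 1]).TotalSeconds
            if ($d -gt 0) { $d }
        })
        $sorted = @($deltas | Sort-Object)
        $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
        $inBand = @($deltas | Where-Object { [math]::Abs($_ - $median) -le $Tolerance * $median }).Count

        [pscustomobject]@{
            Host              = $_.Name
            Hits              = $_.Count
            FirstSeen         = $times[0]
            LastSeen          = $times[-1]
            MedianIntervalSec = $median
            # Periodic when most gaps sit within the tolerance band around the median.
            Periodic          = ($deltas.Count -gt 0 -and $inBand / $deltas.Count -ge 0.6)
            Verdicts          = (($_.Group.Verdict | Select-Object -Unique) -join ',')
        }
    }
}

# Constructed sample: a subset of the report above with the query string trimmed,
# plus one made-up single block so the filter has something to drop.
$Sample = @(
    '20.7.2014. 9:51:35 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 10:01:35 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 10:11:35 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 10:21:36 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 10:32:40 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 10:32:40 http://54.187.243.98/?e=pcho [L] URL:Mal (0)',
    '20.7.2014. 12:15:59 http://example.invalid/landing [L] URL:Mal (0)'
)

Get-BlockedBeacon -Lines $Sample | Format-List
```

On the sample, 54.187.243.98 comes out with a median interval of about 600 s and `Periodic = True`, while the single example.invalid hit is dropped by `$MinHits`. Run it against the real report with `Get-Content` in place of `$Sample`; a host that is periodic, blocked as `URL:Mal`, and addressed by a bare IP is worth hunting for on the machine itself (scheduled tasks, services, BITS jobs) rather than only in the browser.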
[*]Close any open browsers and temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.
[*]Double click on zoek.exe to run the tool. Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
The first program is targeted by a lot of malware removal tools. And personally I don't know why you would risk some ads and legitimacy when you have a lot of free cloud (online) based downloaders/converters, e.g.:
Garena+ shouldn't be targeted. This is a generic FP. I shall take a peek into the zoek Quarantine folder to see what it contains. Then I can contact the zoek developer to create a whitelist for Garena.
Btw, you can re-install these programs with no problems.
Please re-run zoek one more time as you did before with this script, and when it finishes, post me the freshly created zoek logfiles.
zoekbackups;
Btw, just to get your attention, we do not support hack/crack tools. You have one installed and running…
I have been using those programs for a long time and have no problem with them. They are both clean, so I am going to reinstall them.
I will investigate that program that's running. If it's a hack/crack tool I will remove it. Thanks for pointing it out to me.
I would like to thank you for your help. After I ran the script I don't get any pop-ups from Avast, so it must have fixed the problem.
Do you know what my problem was and how this script fixed it (I'm a curious guy)?
Just a BITS job that was trying to call the host server with IP address 54.187.243.98 every 10 minutes, for some future malware download…
I told zoek to cancel these jobs.
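The job cancellation described above, as an added example that is not part of the thread and is not zoek's own script: enumerate the BITS jobs of every user, flag any whose remote URL uses a bare IP address or a known-bad host, and cancel the matches once they have been reviewed. The `$BadHosts` default is an assumption taken from the IP in the WebShield log; everything else is the standard `BitsTransfer` module (Windows 7 / Server 2008 R2 and later). BITS jobs survive reboots and re-run their download on a schedule, which is why a cancelled-and-removed job stops the callbacks, and why abuse of them is a documented persistence technique (MITRE ATT&CK T1197).

```powershell
# Added example, not from the thread and not zoek's script: list BITS jobs for
# all users, flag suspicious remote URLs, optionally cancel them.
# Run from an elevated PowerShell prompt; -AllUsers needs administrator rights.

Import-Module BitsTransfer

function Find-SuspiciousBitsJob {
    param(
        [string[]]$BadHosts = @('54.187.243.98'),   # assumption: the IP from the WebShield log
        [switch]$Cancel
    )

    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction Stop) {
        # A job may carry several files; look at every remote URL it downloads.
        $remotes = @($job.FileList | ForEach-Object { $_.RemoteName })
        $bad = foreach ($url in $remotes) {
            $uri = $null
            if ([Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
                # Windows Update and most vendors use DNS names; a bare IPv4 host is unusual.
                if ($BadHosts -contains $uri.Host -or $uri.HostNameType -eq 'IPv4') { $url }
            }
        }
        if (-not $bad) { continue }

        # Emit a record per suspicious job so the operator can review before cancelling.
        [pscustomobject]@{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Created     = $job.CreationTime
            Type        = $job.TransferType
            RemoteUrls  = ($bad -join '; ')
        }

        if ($Cancel) {
            # Remove-BitsTransfer cancels the job and deletes any partially downloaded files.
            Remove-BitsTransfer -BitsJob $job
        }
    }
}

# Report only:
Find-SuspiciousBitsJob | Format-List
# After reviewing the report, cancel the matches:
# Find-SuspiciousBitsJob -Cancel
```

Review the report before using `-Cancel`: an internal WSUS or deployment server addressed by IP would also match the bare-IP rule. On a system without the module, `bitsadmin /list /allusers /verbose` shows the same queue and `bitsadmin /cancel {JobId}` removes a job. The queue itself lives in `%ALLUSERSPROFILE%\Microsoft\Network\Downloader` (`qmgr0.dat` / `qmgr1.dat` on Windows 7); cancelling through the API is the supported way to clear it, and the files are rewritten by the service afterwards.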
Thank you. Smeenk has whitelisted Garena+ (Garena was not targeted; it was a generic detection for the Garena folder content) and will consider it for YTD as well.
So this BITS job (based on what zoek removed) was located in one of these three files:
No, what you listed is related to zoek's junk-cleaning routine; it clears the default temp & cache.
BITS jobs are recorded in the qmgr0 and qmgr1 .dat files. This mechanism is legit and originally serves M$ Windows Update. You can google BITS services and how it works for more info.
So, you say you do not have problems? If so, I can give you the post-cleaning procedure for removing the tools used here.
Hi juuki,
Just for info, Smeenk has whitelisted YTD as well. It shall not be targeted anymore.
There is no need for any additional BITS job action. All jobs have been cancelled and removed from the data, and legit software shall re-write this data again. And as there is no active malware on your board… there is no need for any additional action.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
☑ [i]Purge System Restore[/i]
Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\[b]DelFix.txt[/b])
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
Ok, I understand, but I want to have some software that can delete those files from time to time (periodic system clean), just like CCleaner cleans temp files, because malware can get into those files (like in my case) and no antivirus/antimalware can detect them.
2. You gave me DelFix as the tool for the "cleaning procedure for removing the tools used here", but DelFix deletes not just the tools we used here (zoek and FRST) but also programs that I'm using on my own and have installed on my computer (AdwCleaner, GetSystemInfo, HijackThis), as you can see from the DelFix log:
The detection is an FP. I recently wrote an explanation here on the forum why that is so.
That is the purpose of DelFix. AdwCleaner (and GetSystemInfo) you can download again, as it is advisable to use the latest version. HijackThis is outdated software, only compatible with M$ XP OS and not valid for a long time…