Infected... I think

I got about 9 “blocked site” messages when I started using my computer today. I read on these forums and downloaded the Malwarebytes program and the OTL posted here as well. I ran both of these and got logs for both. My desktop is blank and all icons are gone as of now, and still, when starting to use my computer I get the blocked site warning.

What to do next?

Logs:
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.15.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
admin :: COMPUTER [administrator]

Protection: Enabled

1/15/2012 9:46:35 PM
mbam-log-2012-01-15 (21-46-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178153
Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Local AppWizard-Generated Applications (Trojan.CryptPro.Gen) → Data: C:\Users\admin\AppData\Roaming\D19CBC.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\admin\AppData\Roaming\D19CBC.exe (Trojan.CryptPro.Gen) → Delete on reboot.
C:\Users\admin\AppData\Local\Temp\wuauclt.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\admin\AppData\Local\Temp\4FCD.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\admin\AppData\Local\Temp\AD18.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\admin\AppData\Local\Temp\Temp1_Post_Label_N3682US.zip\Post_Label.exe (Trojan.CryptPro.Gen) → Quarantined and deleted successfully.

(end)

I know the log says successfully deleted, but it is not. I still get the avast warnings and several windows popping up. Running Microsoft’s malware removal tool now…

Let me know if you need more information.
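The Malwarebytes log above reads as if everything was removed, yet the warnings continued. A detail in the log explains that: the Run-key payload `D19CBC.exe` was only marked "Delete on reboot", so both the file and anything it had already launched survived until the machine restarted. The parser below is an added example, not part of the original thread or of Malwarebytes; it reads a constructed excerpt in the same layout as the posted log and flags detections that are still pending, plus any autorun entry whose target is one of those pending files.

```python
import re

# Constructed excerpt in the layout of the Malwarebytes 1.60 log posted above
# (the log itself writes "->" between fields; the forum rendered it as an arrow).
SAMPLE_LOG = r"""Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Local AppWizard-Generated Applications (Trojan.CryptPro.Gen) -> Data: C:\Users\admin\AppData\Roaming\D19CBC.exe -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\admin\AppData\Roaming\D19CBC.exe (Trojan.CryptPro.Gen) -> Delete on reboot.
C:\Users\admin\AppData\Local\Temp\wuauclt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\admin\AppData\Local\Temp\4FCD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?: (?:->|→) (?P<rest>.+))?$")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, data (if any), action."""
    detections, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        entry = ENTRY_RE.match(line) if section else None
        if not entry:
            continue  # blank lines and "(No malicious items detected)"
        fields = re.split(r"\s*(?:->|→)\s*", entry.group("rest") or "")
        data = next((f[len("Data: "):] for f in fields if f.startswith("Data: ")), None)
        detections.append({"section": section, "item": entry.group("item"),
                           "family": entry.group("family"), "data": data,
                           "action": fields[-1].rstrip(".")})
    return detections

def pending_until_reboot(detections):
    """Files the scanner could not remove while running; they stay on disk until reboot."""
    return [d["item"] for d in detections if d["action"] == "Delete on reboot"]

def autorun_targets_still_present(detections):
    """Run-key targets whose payload is only scheduled for deletion: the executable
    the Run value pointed at can still be started until the reboot happens."""
    pending = set(pending_until_reboot(detections))
    return [d["data"] for d in detections
            if d["data"] and "\\Run|" in d["item"] and d["data"] in pending]
```

Running it on the constructed excerpt reports `D19CBC.exe` as both pending and as the former Run-key target, which is the check to make before trusting a "deleted successfully" summary.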

Here is a guide for you to follow: http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Apart from that, just wait for Essexboy to give the resulting logs a look and tell you what to do next.

Here is the Rogue Killer report:

We are awaiting your OTL log…please attach it to your next post. Thank you. After posting, please make no further changes to your machine until Essexboy assists you; I have alerted him and he comes on the forum late UK time.

Can’t find the OTL log… or the download itself… sorry.

However, the Rogue Killer was the ticket! Not only found the culprit, but thoroughly deleted it and reset settings, etc.

Great help on this forum!
THANKS!

There are possibly still remnants there

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Here are the OTL logs. Let me know what you think, Essexboy. Am I in the clear? Seems to be just fine.

Thank you for posting your OTL logs. Essexboy will work with you on them. After everything is in the clear and you have run your machine for a while, you should upgrade Avast to the current version, 6.0.1367. For now, wait for Essexboy’s instructions.

Just a few to kill; this removal will stop a respawn. Are you still having any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\S-1-5-21-3509108652-4060853336-2958595084-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
[2012/01/15 15:37:50 | 000,000,448 | ---- | M] () -- C:\ProgramData\0gqLol6jtAdx37
[2012/01/15 15:37:19 | 000,000,280 | -H-- | M] () -- C:\ProgramData\~0gqLol6jtAdx37
[2012/01/15 15:37:18 | 000,000,176 | -H-- | M] () -- C:\ProgramData\~0gqLol6jtAdx37r

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I had not been having any more problems, but went ahead and ran OTL again as Essexboy recommended. How do things look?

Here are the logs:

Looks good - when you are happy let me know and I will remove my tools

Looks good from my end too. No problems. Thank you very much!

Run OTL and hit the cleanup button to remove the tools ;D