Malicious URL Blocked - getting pop up windows with this warning

Looks like this is the place to get some help… using Avast Free on this PC (paid for it on 3 others but not this one).

Avast found a couple of viruses and moved them to the vault; now I'm getting a notice that it's blocking attempts to access malicious URLs. Ran Avast full system and boot scans (again) and it doesn't find anything else.

Avast virus database and versions are all current.

INFO

  • What WIN do you have? Running Windows Vista - updates are current

  • What name does Avast give the virus? Getting "Malicious URL Blocked" in pop-up windows
    - popping up multiple times to various URLs
    - viruses that were found and moved to the vault are:
      Win32: Crypt-NBS [Trj]
      Java: Agent-Bayz [Trj]

  • Where exactly was the infected file found? All pop-ups refer to the same location:
    c:\Windows\System32\rundll32.exe

thanks
skhpa

Follow this guide and attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

When done, a malware specialist will be notified…

Ok, downloaded Malware Bytes, updated it, ran the scan, checked everything it found and clicked “remove selected.”
Then said yes to restarting the computer.

Log attached.

thanks
skhpa

Could you now do the OTL/aswMBR steps, please?

Ok, did the OTL/aswMBR steps - checked all users, pasted info in custom box and selected “Quick Scan.” Two files attached

thanks
skhpa

On completion of this, can you let me know if the alerts have ceased?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-584581661-2503294947-527722608-1000\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-584581661-2503294947-527722608-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=AGBZA6FK2441O7y7kygTj5Rbs5c?q={searchTerms}
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-584581661-2503294947-527722608-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-584581661-2503294947-527722608-1000\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-584581661-2503294947-527722608-1000..\Run: [Deployment] C:\Users\georgia\AppData\Local\MediaMonkey\Deployment\xzxnjf.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-584581661-2503294947-527722608-1000..\Run: [ocnet] C:\Users\georgia\AppData\Local\Temp\ocnet.dll ()

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, and reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
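An added illustration (my own code, not from the thread, OTL or Avast): a read-only PowerShell audit of the same autostart and Internet Explorer add-on locations the fix above edits, flagging entries that load from a Temp folder, point at a missing file or are unsigned. The registry paths are the standard Windows ones; the flags are this example's own heuristics, and it assumes Windows PowerShell 3 or later.

```powershell
# Added example: read-only audit of the persistence locations the OTL fix edits
# (Run keys, URLSearchHooks, Browser Helper Objects, IE toolbars). Reports only.
function Resolve-ClsidPath {
    param([string]$Clsid)
    # Browser add-ons are registered by CLSID; the DLL is the default value of
    # the InprocServer32 subkey. Per-user registrations are checked first.
    foreach ($hive in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $key) { return (Get-Item $key).GetValue('') }
    }
    return $null   # what OTL reports as "No CLSID value found"
}

function Get-TargetFlags {
    param([string]$Target)
    if (-not $Target) { return @('no CLSID value found') }
    # Reduce "C:\dir with spaces\x.exe" args / C:\x.dll args to the file path,
    # then expand %TEMP%-style variables so Test-Path sees a real location.
    $path = $Target -replace '^"([^"]+)".*$', '$1'
    $path = $path -replace '^(.+?\.(exe|dll))(\s.*)?$', '$1'
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $flags = @()
    # Heuristics of this example: loaders in a Temp folder, missing files, unsigned binaries.
    if ($path -match '\\AppData\\Local\\Temp\\|\\Temp\\') { $flags += 'runs from a Temp folder' }
    if (-not (Test-Path -LiteralPath $path)) { $flags += 'file missing' }
    elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') { $flags += 'unsigned' }
    return $flags
}

$locations = [ordered]@{
    'Run (machine)'           = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'Run (user)'              = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'URLSearchHook (machine)' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
    'URLSearchHook (user)'    = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
    'BHO'                     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'Toolbar'                 = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
}

foreach ($loc in $locations.GetEnumerator()) {
    if (-not (Test-Path $loc.Value)) { continue }
    $key = Get-Item $loc.Value
    # Run/URLSearchHook/Toolbar entries are values; BHOs are subkeys named by CLSID.
    $names = @($key.GetValueNames() | Where-Object { $_ }) + @($key.GetSubKeyNames())
    foreach ($name in $names) {
        $target = if ($loc.Key -like 'Run*') { $key.GetValue($name) } else { Resolve-ClsidPath $name }
        $flags = Get-TargetFlags $target
        if ($flags) { '{0}: {1} -> {2}  [{3}]' -f $loc.Key, $name, $target, ($flags -join ', ') }
    }
}
```

Run it from an elevated prompt so the machine-wide keys are readable; a flagged entry is a lead to investigate, not proof of infection, since legitimate but unsigned add-ons will also appear.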

Ok, ran quick scan and log file is attached as OTL-2.txt

Thanks,
skhpa

OK, that did not want to go… Time for a bigger hammer.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

eh… combo fix didn’t finish installing… someone closed the box…

it says don’t download/run install again if that happens

What do I do?

sorry

Did you close it or did it close itself?

Re-run combofix, from safe mode if necessary

He closed it in the middle of installing (grrr) - so download again and run?

Yes please - but this time rename it to Gotcha before you run it.

Done. Log attached, named Gotcha-Log.txt (program named it log.txt).

Also, it said something about errors, so I'm rebooting as soon as I post this.

thanks
skhpa

P.S. After rebooting… the PC has a reg.exe file trying to connect to the internet (it was doing that before all this attempt to fix it started).

How is the computer behaving now? Have the alerts ceased?

Yes! Thanks so much!

skhpa

Just noticed the edit… What is the name of the file trying to access the net?