Malicious URL blocked

This morning when I switched on my computer, I was met with a black screen - no happy welcoming Windows 7! :stuck_out_tongue: I managed to get everything operating by going through the Windows Task Manager, but a pop up popped up saying a malicious URL was blocked. It seems it’s affecting my winlogon.exe file :o and that’s why I have no desktop or anything. How do I get rid of this??? I ran the Microsoft Malicious Software Removal Tool (Jan 2012) and that detected nothing.

Bearing in mind I have absolutely no idea how computers operate, any advice will have to be in EXTREMELY basic English instructions!! Sorry to all you helpful computer boffins. I only know how to work the computer, not how they work!!! Hope someone can help!!!

If you are able to, you should follow this guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

and that's why I have no desktop or anything. How do I get rid of this
Scroll down to "Rogue Killer" and start with that...

Thank you!! Did as you suggested and here are results. Going to restart computer now!! Hopefully all sorted!!!

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Wittig :: WITTIG-PC [administrator]

2/12/2012 12:01:16 PM
mbam-log-2012-02-12 (12-01-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 182334
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Detected: 1
C:\Users\Wittig\winlogon.exe (Trojan.Downloader) → 1664 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winlogon (Trojan.Downloader) → Data: C:\Users\Wittig\winlogon.exe → Quarantined and deleted successfully.
HKCU\Software\Microsoft|adver_id (Malware.Trace) → Data: 0 → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Wittig\AppData\Local\Temp\8050.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Wittig\Local Settings\Temporary Internet Files\Content.IE5\D48Q3R46\ftp[1].exe (Trojan.Winlock) → Quarantined and deleted successfully.
C:\Users\Wittig\Local Settings\Temporary Internet Files\Content.IE5\TFY1LJFP\7_avgui[1].exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Wittig\winlogon.exe (Trojan.Downloader) → Delete on reboot.

(end)

Oh dear!! Restarted computer and it came up with “My Documents”. Still a black screen :-\ A stupid question for you (told you I know nothing!!!) but did the winlogon.exe get deleted when I restarted the computer now because of that Trojan downloader thingy?

And here are the other docs as well ;D

Also attach the aswMBR log.

Essexboy will check them when he arrives here tomorrow :wink:

Thanks Pondus!! Ended up doing everything, including the Rogue Killer (which I should have done first but as usual I don’t read instructions properly!!! ::slight_smile: ) and all seems back to normal again after I restarted the computer!!! Thanks again for all your help!!! My nerves are shot!!! I have this love hate relationship with computers. This is our 4th computer in 6 years :cry: so I was freaking out a bit!!! But all good now!! ;D

Do you have all your icons and folders back now ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O20 - HKCU Winlogon: Shell - ("C:\Users\Wittig\winlogon.exe") - File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptyjava]
[emptyflash]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Good morning Essexboy

Yes, thank you!!! Everything appeared to be ok yesterday and this morning when I switched on the computer all was still good ;D. I am sooooooooo glad you guys were able to help!!! Once again, thank you!!! ;D
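An added example, not part of the original thread or any poster's tooling: the Malwarebytes log earlier in this thread shows a file named winlogon.exe running from the user profile and launched from an HKCU Run value, and this Python sketch parses such detection lines, flags system-process names found outside System32, and ties them to the registry autostart entries that reference them. The function names, the short list of system process names and the default `C:\Windows` path are assumptions of the example.

```python
import ntpath
import re

# Core Windows processes that run only from %SystemRoot%\System32 (short,
# illustrative list; the default C:\Windows install path is an assumption).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# Subset of detection lines copied from the Malwarebytes log in this thread.
SAMPLE_LOG = r"""Memory Processes Detected: 1
C:\Users\Wittig\winlogon.exe (Trojan.Downloader) → 1664 → Delete on reboot.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winlogon (Trojan.Downloader) → Data: C:\Users\Wittig\winlogon.exe → Quarantined and deleted successfully.
HKCU\Software\Microsoft|adver_id (Malware.Trace) → Data: 0 → Quarantined and deleted successfully.
Files Detected: 4
C:\Users\Wittig\AppData\Local\Temp\8050.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Wittig\winlogon.exe (Trojan.Downloader) → Delete on reboot.
"""

ARROW = r"\s*(?:->|→)\s*"  # the log separator, in either rendering
SECTION = re.compile(r"^(?P<name>[\w ]+) Detected: \d+$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\)" + ARROW + r"(?P<rest>.+)$")

def is_masquerade(path):
    """True when a file uses a core system process name outside System32."""
    p = ntpath.normpath(path).lower()
    return ntpath.basename(p) in SYSTEM_NAMES and ntpath.dirname(p) != SYSTEM_DIR

def parse_detections(log_text):
    """Return one dict per detection line, tagged with its log section."""
    section, out = None, []
    for line in map(str.strip, log_text.splitlines()):
        if (m := SECTION.match(line)):
            section = m["name"]
        elif (m := DETECTION.match(line)):
            fields = re.split(ARROW, m["rest"])
            data = next((f[6:] for f in fields if f.startswith("Data: ")), None)
            out.append({"section": section, "item": m["item"], "family": m["family"],
                        "data": data, "action": fields[-1].rstrip(".")})
    return out

def masquerade_report(log_text):
    """Map each masquerading binary to the registry values that launch it."""
    dets = parse_detections(log_text)
    report = {d["item"].lower(): [] for d in dets
              if d["section"] != "Registry Values" and is_masquerade(d["item"])}
    for d in dets:
        if d["section"] == "Registry Values" and (d["data"] or "").lower() in report:
            report[d["data"].lower()].append(d["item"])
    return report
```

A registry entry that still points at a flagged path after the file is removed, like the `O20 - HKCU Winlogon: Shell` line in the OTL fix, is worth clearing as well.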