Author Topic: Is this confirmation of an infected site?

zhandax

  • Guest
Is this confirmation of an infected site?
« on: January 30, 2013, 08:27:28 AM »
I went to this site to check the menu before I left work, and got a lot of replicating popups.  I finally got pissed and used task manager to close Firefox.  At this point, I got a ransomware notice so I re-booted.  The ransomware notice persisted after I logged on.  I re-booted and logged on as another user (same domain) and had no problems.  I had been at work for 10 hours, I was hungry, and decided it could wait until tomorrow.  Here is the report: http://urlquery.net/report.php?id=887943

The damnedest thing about this is I got it at work and they use that joke McAfee.  I just want to make sure you guys know about it so I don't get it at home.  I suspect my easiest remedy at work is to re-image.  If anyone has any alternative thoughts, let me know.

As a postscript, I did report this to Google so they can blacklist it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Is this confirmation of an infected site?
« Reply #1 on: January 30, 2013, 08:57:41 AM »
Quote
I suspect my easiest remedy at work is to re-image.  If anyone has any alternative thoughts, let me know.
We have a very smart man here that can fix this....

Follow the guide and attach the requested logs:   http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR


when done he will be notified...



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Is this confirmation of an infected site?
« Reply #2 on: January 30, 2013, 03:19:12 PM »
You could run either RogueKiller or MBAM from the alternate account.  If they fail I should be able to kill it manually with OTL

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #3 on: January 31, 2013, 09:46:37 AM »
Today wasn't my day for extra-curricular projects.  Apparently lightning hit the building around 7am and set off the fire alarm and they evacuated all 300+ people to the parking lot across the street in a driving thunderstorm.  Things had gone downhill between then and the time I got there.  I will try this again tomorrow.

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #4 on: February 01, 2013, 10:58:30 AM »
Things were still not quite back to routine today, and I had to change plans.  I downloaded a live ISO, blew that onto a USB key, and let it percolate a couple of hours.  Looks like I rang the bell.  Here is what it found:

EXP/CVE-2013-0422
JS/iFrame.ADI.1
JS/LoadSpam.G
JS/Expack.BW
JS/iFrame.ADI.1
Java/Dldr.Lamar.IX
TR/Rogue.kdz.5639.2

Just as it appeared to be, it was the Java exploit.  That returned control to my login and I rebooted into safe mode to run MBAM.  I had forgotten to change 're-name anything that can't be fixed' to 'delete', so it found the two which were renamed as well as two registry keys and identified all as Trojan.ransom.df, which pretty well describes the infestation.  After that, I ran OTL. Thanks for the tip; this looks pretty thorough.  I got an "exceeds the maximum allowed length" when I pasted it here, though.  Since I don't see any way to attach a text file, do you have a preferred filehost I could link?




Offline essexboy
Re: Is this confirmation of an infected site?
« Reply #5 on: February 01, 2013, 02:21:27 PM »
To attach a file click Attachments and other options
Browse to the OTL log and select it
Then Post

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #6 on: February 01, 2013, 06:50:42 PM »
Here is the (anonymized) log.  You will notice the first thing I did after MBAM is replace Java 7.10 with 7.11.  I then added the MVPS HOSTS file.


Offline essexboy
Re: Is this confirmation of an infected site?
« Reply #7 on: February 01, 2013, 07:18:14 PM »
There is only one remnant left of the ransomware.  You will need to enter the proper username to delete this file.

What are your current problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
[2013/01/29 18:54:27 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\ThisUser\Application Data\skype.ini

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
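The fix above does two things by hand: it deletes one tiny file whose creation timestamp (2013/01/29, 4 bytes) matches the infection window, and it resets the HOSTS file. The following is an added example, not OTL, avast or the poster's code, that shows the same two checks in a form you can run over any profile directory and any hosts file. It generalizes the post: it walks a whole tree for small files created inside a window rather than looking for one known path, and it lists every hosts entry that is not a stock localhost line. Everything in it is assumed for illustration: the `STOCK_HOSTS` reference set, the constructed `SAMPLE_HOSTS` text, and the throwaway profile that `demo()` builds in a temp directory.

```python
"""Triage helpers mirroring the OTL fix above (added example; not OTL's,
avast's or the thread author's code): list files created in a narrow time
window, and report HOSTS entries beyond the stock localhost mappings."""
import os
import tempfile
from datetime import datetime, timedelta

# Assumption for this example: a clean hosts file maps only these two names.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def recently_created_files(root, start, end, max_size=None):
    """Return [(path, created, size)] for files under root whose creation
    timestamp lies in [start, end] (and is at most max_size bytes if given).
    On Windows st_ctime is the creation time OTL reports; on POSIX it is the
    inode change time, so results there are approximate."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:  # unreadable or vanished file: skip, don't abort
                continue
            created = datetime.fromtimestamp(st.st_ctime)
            in_window = start <= created <= end
            small_enough = max_size is None or st.st_size <= max_size
            if in_window and small_enough:
                hits.append((path, created, st.st_size))
    return sorted(hits, key=lambda h: h[1])


def nondefault_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that are not stock localhost lines.
    Comments and blank lines are ignored; hostnames are lower-cased."""
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pair = (ip, name.lower())
            if pair not in STOCK_HOSTS:
                extra.append(pair)
    return extra


# Constructed sample hosts file: stock lines plus one hijack-style entry
# that would redirect an (assumed) update server to the local machine.
SAMPLE_HOSTS = """# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av-vendor.test   # redirects an update server
"""


def demo():
    """Build a throwaway profile holding a 4-byte remnant (like the skype.ini
    in the fix above) next to a larger file, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "Application Data")
        os.makedirs(appdata)
        with open(os.path.join(appdata, "skype.ini"), "wb") as f:
            f.write(b"\x00" * 4)
        with open(os.path.join(root, "big.dat"), "wb") as f:
            f.write(b"A" * 4096)
        now = datetime.now()
        small = recently_created_files(root, now - timedelta(minutes=5),
                                       now + timedelta(minutes=5), max_size=4)
        names = [os.path.basename(p) for p, _, _ in small]
    return names, nondefault_hosts_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    found, extra = demo()
    print("tiny recent files:", found)
    print("non-default hosts entries:", extra)
```

On a real machine you would point `recently_created_files` at the user's profile with a window spanning the date the popups appeared, and feed `nondefault_hosts_entries` the contents of `%SystemRoot%\System32\drivers\etc\hosts`; after copying in a blocklist such as the MVPS HOSTS file, expect the second check to report many entries, so run it before that step if you want it to flag only the hijack.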

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #8 on: February 02, 2013, 11:08:33 PM »
I wore that system out yesterday trying to catch up and was surprised there were no residual effects observed.  I will take care of the skype.ini Monday, rescan, and save the log before I copy over the MVPS HOSTS file.

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #9 on: February 05, 2013, 07:39:38 PM »
Here is the latest log.  Thank you!

Offline essexboy
Re: Is this confirmation of an infected site?
« Reply #10 on: February 05, 2013, 08:15:26 PM »
I would also recommend that you update to IE8

Any apparent problems ?

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #11 on: February 06, 2013, 08:46:59 AM »
I keep expecting to walk in to a smoking pile of chips, but so far not a hiccup.  Upgrade to IE8 from a security standpoint?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Is this confirmation of an infected site?
« Reply #12 on: February 06, 2013, 08:54:41 AM »
Quote
Upgrade to IE8 from a security standpoint?

Yes.

Offline essexboy
Re: Is this confirmation of an infected site?
« Reply #13 on: February 06, 2013, 02:54:40 PM »
Even if you do not use IE, updating it will also update some Windows files to enhance security.

zhandax

  • Guest
Re: Is this confirmation of an infected site?
« Reply #14 on: February 07, 2013, 10:22:56 AM »
Done and, once again, thank you.