trz***.tmp and .ecr virus/malware in a Windows 7 64 laptop

Hi, good morning; I’ve been trying unsuccessfully to get rid of some malware on my computer, and I found this forum which has people with a lot of knowledge in it.

Last month I caught a .ecr virus on my laptop from my USB stick, infected from the computers of the company I’m working in.

As I’m working at sea and my internet is slow, I waited till yesterday at home to try to clean the virus. I ran ESET, Avast Free and antispyware, finding some things but failing to get rid of the problem. Meanwhile, another malware got activated and when I restarted my user account in Windows, it kept starting a lot of trz***.tmp files, making it impossible to use the computer in user mode, so I started in administrator mode, which seems to work fine.

Since then I’ve been following your instructions here https://forum.avast.com/index.php?topic=53253.0 and I’ve done a few scans with the programs suggested. I will post the logs, to see if they are helpful.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Note: Unplug your USB stick first…!!

Attached logs

The USB sticks and the rest of the external hard drives are all unplugged; I’ll try to get my laptop clean and when it’s clean, start cleaning the rest.

Good job, now you’ve to wait a bit…

This should get it all

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [] => [X] 
HKU\S-1-5-21-1033975984-105713569-1329887271-1000\...\Run: [] => [X]
HKU\S-1-5-21-1033975984-105713569-1329887271-1000\...\Run: [Google Update] => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-10-15] (Google Inc.)
URLSearchHook: HKCU - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =  
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {FFA92C38-E406-4341-B143-28F459D9558B} URL = 
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
Toolbar: HKCU - No Name - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Cesc\bGfjJOOC¤PP½Ëbdkbttjj.exe
C:\Users\Cesc\pGbQRxwyÀêtµËbdkbttjj.exe
C:\Users\Cesc\QcnBmAMnÇES½Ëbdkbttjj.exe
C:\Users\Cesc\WQhFAMxHØ26¼Ëbdkbttjj.exe
C:\Users\Cesc\yGpEhlZX¾²óµËbdkbttjj.exe
Task: {0B51E06D-23CA-46FF-A918-F82D9271312C} - System32\Tasks\4c4422c0 => C:\Users\Cesc\AppData\Local\Temp\\setup361720224.exe <==== ATTENTION
Task: {10FEB810-B65C-415E-BCCD-9FC6EAF3EB0F} - System32\Tasks\4f4a09e4 => C:\Users\Cesc\AppData\Local\Temp\\setup716296448.exe <==== ATTENTION
Task: {11659771-E395-40B5-9908-7421D2279532} - System32\Tasks\2c1c899c => C:\Users\Cesc\AppData\Local\Temp\\setup606420544.exe <==== ATTENTION
Task: {1671080C-94D2-4C24-B1EC-F97AA6980B4B} - System32\Tasks\20ba7494 => C:\Users\Cesc\AppData\Local\Temp\\setup325879292.exe <==== ATTENTION
Task: {22EDCF9F-BA6E-4DBD-BE7C-7810A373EA1D} - System32\Tasks\eb221888 => C:\Users\Cesc\AppData\Local\Temp\\setup3481535316.exe <==== ATTENTION
Task: {24A5D601-52A6-4E6E-9C28-6506F75966A5} - System32\Tasks\498f2980 => C:\Users\Cesc\AppData\Local\Temp\\setup438119040.exe <==== ATTENTION
Task: {25FABC54-34E0-4C8E-A2F0-8416F416071C} - System32\Tasks\ca343e80 => C:\Users\Cesc\AppData\Local\Temp\\setup2510454016.exe <==== ATTENTION
Task: {2755AD3B-C8A1-46BA-98F6-E7BE6DC62044} - System32\Tasks\e3e97e8c => C:\Users\Cesc\AppData\Local\Temp\\setup2925641332.exe <==== ATTENTION
Task: {314DB2AA-6096-4EF6-A0F1-887B9BCCC947} - System32\Tasks\b2b27cbc => C:\Users\Cesc\AppData\Local\Temp\\setup1209706416.exe <==== ATTENTION
Task: {468A6C0F-596F-41CF-BC96-404461A6CFBE} - System32\Tasks\52e29228 => C:\Users\Cesc\AppData\Local\Temp\\setup3663188064.exe <==== ATTENTION
Task: {59473208-1DA9-4E81-A704-AF2DBCA85073} - System32\Tasks\f7a01490 => C:\Users\Cesc\AppData\Local\Temp\\setup3451221184.exe <==== ATTENTION
Task: {5D4AD20D-FA53-493E-B6F2-A5B4387E9963} - System32\Tasks\bd823570 => C:\Users\Cesc\AppData\Local\Temp\\setup2826848200.exe <==== ATTENTION
Task: {69FD4FEF-C9F1-4F0C-85F6-B222EEBF75E0} - System32\Tasks\7ab94e90 => C:\Users\Cesc\AppData\Local\Temp\\setup33411560.exe <==== ATTENTION
Task: {6DE042D9-51CB-4CF9-B980-AD782B7E338A} - System32\Tasks\b0455fe0 => C:\Users\Cesc\AppData\Local\Temp\\setup1954714848.exe <==== ATTENTION
Task: {72728695-41BB-461B-BC54-3167133AE458} - System32\Tasks\e6680a80 => C:\Users\Cesc\AppData\Local\Temp\\setup3573578112.exe <==== ATTENTION
Task: {746B1142-2868-4E9B-B8B9-BCB7CE2D467E} - System32\Tasks\cb142828 => C:\Users\Cesc\AppData\Local\Temp\\setup2520484132.exe <==== ATTENTION
Task: {7AFD6B1E-8ABB-4F60-A754-588BB6A0CC15} - System32\Tasks\73268cec => C:\Users\Cesc\AppData\Local\Temp\\setup959973952.exe <==== ATTENTION
Task: {852F2607-E4A1-4E88-9F4B-3CE9A6B7EDE4} - System32\Tasks\3b57b8fc => C:\Users\Cesc\AppData\Local\Temp\\setup4012645304.exe <==== ATTENTION
Task: {8882AE3E-E44C-4816-B0F2-7CF9B0AE0933} - System32\Tasks\510ab094 => C:\Users\Cesc\AppData\Local\Temp\\setup1310301372.exe <==== ATTENTION
Task: {8BF703D4-977E-4A80-807F-DE57283C30BA} - System32\Tasks\cf18fa2c => C:\Users\Cesc\AppData\Local\Temp\\setup2719720620.exe <==== ATTENTION
Task: {A4312447-CA8C-466B-99F8-CF98E8674043} - System32\Tasks\3268da70 => C:\Users\Cesc\AppData\Local\Temp\\setup4112076464.exe <==== ATTENTION
Task: {A62F793B-E03C-40C7-B88E-9E50D1A09A2C} - System32\Tasks\d7547c80 => C:\Users\Cesc\AppData\Local\Temp\\setup2954998880.exe <==== ATTENTION
Task: {A991EDE6-BC21-4F5F-AC83-BA15CF39E9A2} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002UA => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-15] (Google Inc.)
Task: {AE88FAAA-F28F-4DE5-8CE7-A7841C2803D2} - System32\Tasks\5397d2c4 => C:\Users\Cesc\AppData\Local\Temp\\setup3928525884.exe <==== ATTENTION
Task: {B3389688-D26C-4720-A2D1-C6494C516047} - System32\Tasks\56464b88 => C:\Users\Cesc\AppData\Local\Temp\\setup471831080.exe <==== ATTENTION
Task: {C6AE44E4-9ABD-41FA-9BBD-031E00963374} - System32\Tasks\39210a28 => C:\Users\Cesc\AppData\Local\Temp\\setup4127769576.exe <==== ATTENTION
Task: {CE3C0635-9B8B-46B0-877D-B4C45286CC64} - System32\Tasks\3c7532f8 => C:\Users\Cesc\AppData\Local\Temp\\setup76339008.exe <==== ATTENTION
Task: {D332A307-FA0F-41E5-9B79-D44569A9AE30} - System32\Tasks\d4c0eda8 => C:\Users\Cesc\AppData\Local\Temp\\setup2864571256.exe <==== ATTENTION
Task: {D7207BF5-9D2A-4553-B06C-5E52878DAD3B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002Core => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-15] (Google Inc.)
Task: {DC0EDF14-B775-44E4-A62E-276185D9FFD2} - System32\Tasks\783a7c0 => C:\Users\Cesc\AppData\Local\Temp\\setup3417298896.exe <==== ATTENTION
Task: {E053F471-6714-4C51-B087-7480EFDB8029} - System32\Tasks\718daaac => C:\Users\Cesc\AppData\Local\Temp\\setup3324797440.exe <==== ATTENTION
Task: {ECF051A6-F728-4230-8CFD-82B21E0E46B0} - System32\Tasks\b418b5e8 => C:\Users\Cesc\AppData\Local\Temp\\setup2634615744.exe <==== ATTENTION
Task: {F2230D2A-5E32-420E-A0CA-6D20A89DD708} - System32\Tasks\d3973400 => C:\Users\Cesc\AppData\Local\Temp\\setup2231501824.exe <==== ATTENTION
Task: {F5F530DD-7817-418C-9A61-3C67515952A6} - System32\Tasks\2894a6e0 => C:\Users\Cesc\AppData\Local\Temp\\setup4034943104.exe <==== ATTENTION
Task: {F87284C4-39C1-4790-9672-4D9E438C182C} - System32\Tasks\ed2be3d4 => C:\Users\Cesc\AppData\Local\Temp\\setup3849876564.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002Core.job => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002UA.job => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe
EmptyTemp: 
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.
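Added example, not part of the original thread or of any tool mentioned in it: a small triage script that applies the pattern visible in the fixlist above (scheduled tasks with short hex names that launch an executable from the user's Temp folder) to FRST-style `Task:` lines. The sample lines are copied from the fixlist above; the regexes, the two-reason threshold and the function name `triage` are assumptions made for illustration.

```python
import re

# FRST-style line: Task: {GUID} - System32\Tasks\<name> => <target> ...
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - System32\\Tasks\\(?P<name>\S+)"
    r" => (?P<target>.+?\.exe)\b"
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$")  # assumption: random-looking task name
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\+[^\\]+\.exe$", re.IGNORECASE)

# Sample input: lines taken from the fixlist in the post above.
SAMPLE = [
    r"Task: {0B51E06D-23CA-46FF-A918-F82D9271312C} - System32\Tasks\4c4422c0 => C:\Users\Cesc\AppData\Local\Temp\\setup361720224.exe <==== ATTENTION",
    r"Task: {10FEB810-B65C-415E-BCCD-9FC6EAF3EB0F} - System32\Tasks\4f4a09e4 => C:\Users\Cesc\AppData\Local\Temp\\setup716296448.exe <==== ATTENTION",
    r"Task: {DC0EDF14-B775-44E4-A62E-276185D9FFD2} - System32\Tasks\783a7c0 => C:\Users\Cesc\AppData\Local\Temp\\setup3417298896.exe <==== ATTENTION",
    r"Task: {A991EDE6-BC21-4F5F-AC83-BA15CF39E9A2} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002UA => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-15] (Google Inc.)",
    r"Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1033975984-105713569-1329887271-1002UA.job => C:\Users\Cesc\AppData\Local\Google\Update\GoogleUpdate.exe",
]


def triage(lines):
    """Split parsed task lines into (suspicious, other).

    Each entry is (task_name, target, reasons). A task is treated as
    suspicious when at least two independent indicators agree.
    """
    suspicious, other = [], []
    for line in lines:
        m = TASK_RE.match(line.strip())
        if not m:
            continue  # not a System32\Tasks entry (e.g. a legacy .job line)
        name, target = m["name"], m["target"]
        reasons = []
        if HEX_NAME_RE.match(name):
            reasons.append("random-looking hex task name")
        if TEMP_EXE_RE.search(target):
            reasons.append("executable launched from user Temp")
        if "<==== ATTENTION" in line:
            reasons.append("flagged by the scanner")
        bucket = suspicious if len(reasons) >= 2 else other
        bucket.append((name, target, reasons))
    return suspicious, other


if __name__ == "__main__":
    bad, rest = triage(SAMPLE)
    for name, target, reasons in bad:
        print(f"{name}: {target} ({'; '.join(reasons)})")
```
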

Good evening, many thanks for your time and your help.

I’ve followed your advice and instructions with slightly different results.

I used FRST without problems, but the computer shut down by itself when I ran ComboFix. When I restarted, ComboFix started by itself, producing the log. It took a while and generated a log, but called log.txt instead of combofix.txt; I have attached it.

The computer seems to work fine on both admin and user, without the trz***.tmp opening up, and the .ecr files have disappeared. By the way, I have been following all the instructions and clean-ups from the administrator account, not from the user I was having the main problems with. I hope it’s OK. Do I need to install MCShield to clean up the memory sticks and external hard drives?

Many thanks

Could you log in to the affected user now and see if it works OK?

MCShield is a good programme to keep

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

I had a few memory sticks, mp3 players and external hard drives infected; here are the logs.

There was still a .ecr file in one of the subfolders of the user account partition drive. And there are a few …lnl.vir and TRZ…tmp files remaining in the external memories after the MCShield clean-up.

It seems you save the logs in Unicode … they will then look strange
Save the log as ANSI, and we only need the all scan log … as it will contain it all :wink:

Is it OK?

Yes, much better now.

OK, we can see now where the infection came from. How is the other user, any problems?