trz.tmp files (already saw this other link and am running malware bytes now)

Hello, I have exactly the same problem as the guy in this thread:
http://forum.avast.com/index.php?topic=127169.msg952428#msg952428
trz***.tmp files keep opening the whole time and keep using and blocking my RAM. Also this won't let me operate on my Windows 7 anymore, since those windows keep popping up about how they cannot find trz***.tmp. In my task manager I could also see about 1000+ tasks running, and a lot and a lot of rundll32.exe tasks open, and they kept opening about 5x per second or so…

I don't want to do anything much alone on this case since I have no idea how to fix things or what to really do. Currently I am running Malwarebytes Anti-Malware on all my drives and am running Windows 7 in safe mode… I will post any log or give additional information that might be needed.

Assistance would be appreciated.

Edit: I recently installed Java, which I didn't have on my PC before. I think it might maybe have come due to that, but I'm not sure at all…

Follow the steps here: http://forum.avast.com/index.php?topic=53253.0

I did finish the Malwarebytes Anti-Malware step right now and so far it let me boot up normally…
4000+ infected pieces, mostly trz***.tmp data…
Posting the log with this too; (413 Request Entity Too Large nginx) won't let me post the log file here…
It's 1.7 MB, I uploaded it to Mediafire.

Now, should I run OTL too? The problem seems solved for now… dunno if it occurs again now, though?

Edit: I just realised I uploaded a German log file since I installed it in German. Uhm, I guess I cannot just translate that into English within the program now?

Language is not a problem, as the files and locations are universal.

If you wish a deeper check then attach an OTL scan :slight_smile:

I decided to wait it out for more occurrences and did not run an OTL scan yet… if however anything like it occurs again, I'll proceed from MBAM step 1 and then definitely go do an OTL check too, but for now I'll let it be…
… also I have now generally backed things up and cleaned everything precisely again…
… thanks for being there to check on the case though, appreciated man, even though it was more simple to remove than expected, phew…

No problem :slight_smile:

Oh god… today I wanted to use my USB stick, which is now infected it seems… I ran the MCShield scan on it… and used RogueKiller… but it won't stop… I will upload all logs created so far from them… hope someone can help with it again :frowning:

http://www.mediafire.com/download/26dwt7hkw4u4v76/All+scans.lnk
http://www.mediafire.com/download/5hd3dc0p100sq34/temp_init_scan1.txt
http://www.mediafire.com/download/dclvhcdbubvmoqe/RKreport[0]_D_12192013_110416.txt
http://www.mediafire.com/download/4y4du5p1e11yahz/RKreport[0]_SC_12192013_110804.txt
http://www.mediafire.com/download/cvh2zba3qbaeqa5/RKreport[0]_SC_12192013_110437.txt
http://www.mediafire.com/download/71mgu4bv48aampm/RKreport[0]_S_12192013_110410.txt

However, it seems still infected :confused:

Edit: uploaded AllScans in txt and my MBAM log

http://www.mediafire.com/download/vgm5o1a098egg11/mbam-log-2013-12-19+(11-32-43).txt
http://www.mediafire.com/download/670i708rcskf6v7/AllScans.txt

Could you attach the logs here…
See attachments and other options below the box you write in here.

And we need these logs:

Attach Malwarebytes / OTL / aswMBR / MCShield http://forum.avast.com/index.php?topic=53253.0

  1. is not working. It’s garbled and doesn’t make sense. Reattach it in the forums for Essex.

Note: If you’re worried about privacy these tools do not release any info except computer name and Account Name

I can if it lets me now.

Next logs

Edit: will run OTL and aswMBR when I get back from my appointment, which I needed the USB stick for :frowning:
AllScans is from MCShield I think, and the MBAM and RogueKiller logs are all attached now… I will be back in about an hour :confused:

I will be working on your Malware issues

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*] Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*] Under Optional Scan ensure “Driver MD5” is ticked.
[*] Press the Scan button.
[*] It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*] The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Well, thank you and the rest as well for taking a look at this… I thought the worst was over but it seems it didn't get out of the system completely… however I am not running in safe mode anymore and the system is operating quite normally… I ran OTL, aswMBR and FRST now and will attach the logs.

Next logs

Your system32 was backed up. Did you do that or someone else?

Uhr, I don't recall doing that, to be honest…

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


```
HKCU\...\Run: [PICTURE] - C:\Users\Julian\AppData\Local\Temp\PICTURE.vbs [142993 2013-12-15] () <===== ATTENTION
C:\Users\Julian\AppData\Local\Temp\PICTURE.vbs
MountPoints2: {11105340-e0f1-11e1-b74c-806e6f6e6963} - E:\noop.exe
MountPoints2: {418143de-5af2-11e2-b319-6cf0490c14b4} - F:\Startme.exe
MountPoints2: {a18c9dab-f9c8-11e1-aea7-6cf0490c14b4} - G:\setup.exe
Startup: C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PICTURE.vbs ()
CHR DefaultSearchURL: http://mysearch.avg.com/search?cid={14D37FEE-1153-42B8-AA58-507EF519F8E4}&mid=3f74318dda2b47d3895fbdb90fe8fd47-d0d1b7e1571d383897d608c72ccd64d457c3b266&lang=en&ds=es011&coid=avgtbdises&cmpid=&pr=sa&d=2013-12-18 12:34:17&v=17.2.0.38&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
C:\Users\Julian\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Julian\AppData\Local\Temp\oi_{1B90F325-9C85-4A45-9DD2-13F5287A4267}.exe
C:\Users\Julian\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Julian\AppData\Local\Temp\sfareca00001.dll
C:\Users\Julian\AppData\Local\Temp\UNINSTALL.EXE
FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('youtube.com%2Fvideoplayback')%20!%3D%20-1%20%26%26%20url.indexOf('%26gcr%3Dus')%20!%3D%20-1%20%26%26%20url.indexOf('%26ptchn')%20!%3D%20-1)%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20(url.indexOf('turntable.fm')%20!%3D%20-1%20%26%26%20url.indexOf('static.turntable.fm')%20%3D%3D%20-1%20%26%26%20url.indexOf('s3.amazonaws.com')%20%3D%3D%20-1%20%26%26%20url.indexOf('ping.chartbeat.net')%20%3D%3D%20-1%20%26%26%20url.indexOf('.png')%20%3D%3D%20-1)%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20host%20%3D%3D%20's.hulu.com')%20%7B%20return%20'PROXY%20ab-us11.personalitycores.com%3A8000%3B%20PROXY%20ab-us18.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000%3B%20PROXY%20ab-us17.personalitycores.com%3A8000%3B%20PROXY%20ab-us01.personalitycores.com%3A8000%3B%20PROXY%20ab-us20.personalitycores.com%3A8000%3B%20PROXY%20ab-us13.personalitycores.com%3A8000%3B%20PROXY%20ab-us07.personalitycores.com%3A8000%3B%20PROXY%20ab-us12.personalitycores.com%3A8000%3B%20PROXY%20ab-us16.personalitycores.com%3A8000%3B%20PROXY%20ab-us22.personalitycores.com%3A8000%3B%20PROXY%20ab-us08.personalitycores.com%3A8000%3B%20PROXY%20ab-us10.personalitycores.com%3A8000%3B%20PROXY%20ab-us02.personalitycores.com%3A8000%3B%20PROXY%20ab-us09.personalitycores.com%3A8000%3B%20PROXY%20ab-us15.personalitycores.com%3A8000%3B%20PROXY%20ab-us21.personalitycores.com%3A8000%3B%20PROXY%20ab-us14.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
```


2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR into a folder on your Desktop
[*] Open the folder where the contents were unzipped and run mbar.exe

[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database has updated, click Next
[*] In the following window ensure the “Targets” Drivers; Sectors; System are ticked. Then select the “Scan” button

[*] If an infection/s are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The clean-up procedure will be scheduled for processing.
[*] When complete, a pop-up will show. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the following two logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
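The fixlist above is a plain list of FRST log lines: autorun entries under HKCU\...\Run, MountPoints2 autorun handlers for removable drives, a Startup-folder item, loose files under the user's Temp folder, and a Firefox `autoconfig_url` whose value is an entire PAC script packed into a `data:` URL. The script below is an added example, not FRST's own code and not from anyone in this thread: it classifies such lines with hand-written regular expressions (my own assumption about the line format, not an official FRST grammar), URL-decodes the inline PAC script and lists every `PROXY host:port` it can hand back, so an analyst can see at a glance where browser traffic would be routed. The sample lines are copied from the fixlist in this post, with the PAC body shortened to one host rule for readability.

```python
"""Triage helper for FRST-style log lines (added example; the regexes and
categories are this example's own assumptions about the FRST line format)."""
import re
from urllib.parse import unquote

# Constructed sample input: lines copied from the fixlist in this thread,
# with the data: PAC script cut down to one host rule.
SAMPLE_LINES = [
    r"HKCU\...\Run: [PICTURE] - C:\Users\Julian\AppData\Local\Temp\PICTURE.vbs [142993 2013-12-15] () <===== ATTENTION",
    r"C:\Users\Julian\AppData\Local\Temp\PICTURE.vbs",
    r"MountPoints2: {11105340-e0f1-11e1-b74c-806e6f6e6963} - E:\noop.exe",
    r"MountPoints2: {418143de-5af2-11e2-b319-6cf0490c14b4} - F:\Startme.exe",
    r"Startup: C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PICTURE.vbs ()",
    r"C:\Users\Julian\AppData\Local\Temp\ntdll_dump.dll",
    'FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)'
    "%20%7Bif%20(host%20%3D%3D%20'www.pandora.com')%20%7B%20return%20'PROXY%20ab-us11.personalitycores.com"
    "%3A8000%3B%20PROXY%20ab-us18.personalitycores.com%3A8000'%3B%7D%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D\"",
]

# Line patterns, tried in order. Assumed shapes, derived from the lines above.
RULES = [
    ("run_key",      re.compile(r"^HK(LM|CU)\\.*Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?)(?: \[.*)?$")),
    ("mountpoint",   re.compile(r"^MountPoints2: (?P<guid>\{[0-9a-f-]+\}) - (?P<path>.+)$", re.I)),
    ("startup_item", re.compile(r"^Startup: (?P<path>.+?) \(\)$")),
    ("ff_proxy",     re.compile(r'^FF NetworkProxy: "autoconfig_url", "(?P<url>.+)"$')),
    ("temp_file",    re.compile(r"^(?P<path>[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.+)$", re.I)),
]

# A PAC script returns strings like "PROXY host:port; PROXY host:port; DIRECT".
PROXY_RE = re.compile(r"PROXY\s+([A-Za-z0-9.-]+:\d+)")


def decode_pac_data_url(url):
    """Return the JavaScript body of a data:text/javascript PAC URL, or None."""
    prefix = "data:text/javascript,"
    if not url.startswith(prefix):
        return None
    return unquote(url[len(prefix):])


def proxy_endpoints(pac_js):
    """Every host:port the PAC script can return as PROXY, de-duplicated, in order."""
    seen = []
    for endpoint in PROXY_RE.findall(pac_js):
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


def classify(line):
    """Map one log line to a category dict; unknown lines become 'other'."""
    line = line.strip()
    for category, rx in RULES:
        m = rx.match(line)
        if m:
            entry = {"category": category, **m.groupdict()}
            entry["flagged"] = "ATTENTION" in line   # FRST's own marker
            if category == "ff_proxy":
                js = decode_pac_data_url(entry["url"])
                entry["proxies"] = proxy_endpoints(js) if js else []
            return entry
    return {"category": "other", "raw": line, "flagged": "ATTENTION" in line}


def triage(lines):
    """Classify every non-empty line; return (entries, per-category counts)."""
    entries = [classify(l) for l in lines if l.strip()]
    summary = {}
    for e in entries:
        summary[e["category"]] = summary.get(e["category"], 0) + 1
    return entries, summary


if __name__ == "__main__":
    entries, summary = triage(SAMPLE_LINES)
    print("counts:", summary)
    for e in entries:
        if e["category"] == "ff_proxy":
            print("PAC proxies:", ", ".join(e["proxies"]))
        elif e["flagged"]:
            print("flagged:", e["category"], e.get("path"))
```

The decoded PAC body is the part worth looking at: a data: URL in a browser's proxy autoconfig setting is an unusual place to find a script, and listing the PROXY endpoints it returns tells you which hosts would see traffic for the URLs it matches.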

I did finish both tasks and the MCShield scan showed no activity towards the USB stick now after the restart. I'm attaching the logs for you. Thanks for the help so far!

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need the DelFix log report.

Cheers :wink:

Okay, that was cool :slight_smile:

1 question though: the data that is left on the USB stick? Is it safe to just delete it now? Or :S