trz****.tmp TROJAN HORSE invasion

Hello,

Recently Avast started reporting 51 threats every time I boot my computer called trz****.tmp (**** being a random code). They’re trojan horses according to Avast! and they are blocked every time, but they keep reappearing after every reboot.

So far, my computer seems to behave normally, but I’ve seen threads with the same virus where it would actually prevent the computer from working, so I would like to get rid of this problem!

Here are some answers to maybe help find a solution:

  1. How was it detected? What was scanning, you yourself or the background scanner? Did the message come from the avast Network Shield or Webshield or were you alerted via an avast Webreputation alert? When did the message occur: on a download, unzipping, opening a file, mail or mail-attachment, etc.?

It was detected a few days ago automatically not long after booting up. Every time I reboot my computer, I get alerts for 51 of these trz****.tmp viruses (always the same; even though they’re blocked, the threat alerts keep reappearing).

  2. What was the source of the file, where did the file come from? e.g. address, URL, source.

No idea.

  3. When was it downloaded or received?

No idea, a few days ago.

  4. What is the exact file name with extension?

A bunch of trz****.tmp (like trzC70B.tmp)

  5. What was the exact wording of the message that the AV program came up with? This is important for later. Right-click the avast ball and left-click "show last pop-up message"!

TROJAN HORSE BLOCKED
avast! File System Shield has blocked a threat. No further action is required.
Object: C:\Users\Sébastien\Downloads\trzC70B.tmp
Infection: OLE:ScriptBridge-inf [Trj]
Action:
Process: C:\Windows\System32\SearchProtocolHost.exe
The threat was detected and blocked just before the file was opened.

There are 51 notifications similar to this one, in different locations.

I’m using Windows 7.

Any help is appreciated!

Follow the instructions and attach the logs… do not copy and paste: http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, removal experts will be notified…

Thank you for the quick response. I’ve run the tests as asked and I’ve attached the logs in the first post.

However, I couldn’t finish the aswMBR scan, it would always crash at some point with no specified reason.

You may try running it from safe mode.

Malware removers are notified… it may take hours before one arrives, so be patient.

I’ve tried running aswMBR in safe mode, still no success. It only says “avast! toolkit has stopped working” and closes (just like in normal mode).

I’d also like to add that in order to get into safe mode, I had to shut down my computer first and it updated because of this. I hope this won’t cause any problem.

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:

[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that…
Let’s get going!!

Please download TDSSKiller

[*]Double click TDSSKiller.exe
[*]Press Start Scan but do nothing else as we are just looking for what is there.
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*]Attach the log in your next reply
[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

Hi Jeff!

Thank you for your help.

I just wanted to update you on one thing, the virus alerts don’t just reappear after a reboot after all. There are 51 alerts after boot, then the 51 alerts will show up again after every 2 hours or so (extremely unsure about the time, just a very wide estimation).

This detection, OLE:ScriptBridge-inf, is:
http://www.cvedetails.com/cve/CVE-2013-1331/

Ok thanks for letting me know. :slight_smile:

When you get the log from TDSSKiller be sure to attach that so that I can take a look.

Sorry for the delay, I completely missed that part (thought it was a signature ><)

Here’s the TDSSKiller log.

Hi,

Before we continue, are you aware your system is set to run from a proxy server, or do you use your system to connect to business/school?

Download CKScanner by askey127 from Here & save it to your Desktop.
[*] Right-click and Run as Administrator CKScanner.exe then click Search For Files
[*] When the cursor hourglass disappears, click Save List To File
[*] A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

Hello,

Yes, I set up the proxy for my browsers in order to access my school’s library at home. Is this causing a problem?

I am not able to copy/paste the contents of the CKFiles.txt, because it exceeds the maximum length allowed on these forums. I’ve attached the logs.

Hi,

No the proxy does not cause a problem…I just needed to check.

CKScanner seems to have detected unauthorized software on your system. Besides being unauthorized, it’s the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of unauthorized software except for their removal. If I were to continue helping you with unauthorized software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.

I wish to continue, sorry for any problems this might have generated.

Do I need to remove all of them manually or can a program remove all the cracked stuff automatically?

Edit: Alright, I think I’ve deleted all the bad stuff. I’m not sure how to remove the remaining hosts file entries. I’ve run a new scan after rebooting and attached the results.

Hi,

Ok…good job! You didn’t have to remove Aircrack-ng though…that was fine. You can reinstall it when we are done. :slight_smile:

Please run a new Quick Scan with OTL and then attach the new log.

Here I’ve run another OTL scan (full) as mentioned in the earlier guide, since I wasn’t sure if a quick scan also needed the custom stuff.

If you need me to run a quick scan, just ask! (and also tell me if it needs the custom lines)

Hi,

P2P - I see you have P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

Please note: Even if you are using a “safe” P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.

Tweaking.com Registry Backup

[*]Download the tool found here to your Desktop so it is easy to find.
[*]Double click on the file you just downloaded to install it to your system.

[*]Once the tool is installed, double-click on the Tweaking.com Registry Backup icon
Note The tool should automatically open to the Backup Registry tab.


[*]Press Backup Now
[*]When the back up is complete, the tool will tell you that Successful / Files Backed Up
[*]You have now successfully backed up your Registry.


Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKU\S-1-5-21-1791810842-1693449940-2674181568-1000\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
O1 - Hosts: 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O3 - HKU\S-1-5-21-1791810842-1693449940-2674181568-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - Startup: C:\Users\Agnès\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk =  File not found
O33 - MountPoints2\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\Shell - "" = AutoRun
O33 - MountPoints2\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\Shell\AutoRun\command - "" = L:\AUTORUN.EXE
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\LaunchU3.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011-09-25 11:41:13 | 000,003,584 | ---- | C] () -- C:\Users\Sébastien\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Attach the new OTL log and let me know how your system is running now. :slight_smile:
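
The two things in the fix above that are worth checking on any similar system are the hosts-file lines and the MountPoints2 entries: loopback entries for a vendor's activation, registration and CRL hosts are the footprint of cracked software (which is what CKScanner reacted to earlier in the thread), and AutoRun command handlers under MountPoints2 record which removable drives were allowed to launch an executable. The Python script below is an added example, not part of this thread and not code from OTL, CKScanner or avast; it parses OTL-style O1/O33 lines (the sample is copied from the fix above and embedded as constructed input) and flags both. The keyword list it uses to recognise licensing hosts is an assumption made for the illustration, not CKScanner's actual rule set.

```python
"""Triage of OTL-style O1 (hosts) and O33 (MountPoints2) lines.

Added example for the thread; the sample lines below are copied from the
OTL fix and embedded here as constructed input, not read from a real log.
"""
import re

# Constructed sample: lines taken from the OTL fix in the thread.
SAMPLE_OTL_LINES = '''\
O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com activate.adobe.com activate.wip.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com ereg.adobe.com
O1 - Hosts: 127.0.0.1 www.wip2.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O1 - Hosts: 127.0.0.1 localhost
O33 - MountPoints2\\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\\Shell\\AutoRun\\command - "" = L:\\AUTORUN.EXE
O33 - MountPoints2\\J\\Shell\\AutoRun\\command - "" = J:\\LaunchU3.exe -a
O33 - MountPoints2\\K\\Shell - "" = AutoRun
'''

# Addresses that turn a hosts entry into a sinkhole (the host never resolves).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Substrings typical of activation / registration / revocation hosts.
# ASSUMPTION for this example only; CKScanner uses its own explicit list.
LICENSING_HINTS = ("activate", "ereg", "wip", "3dns", "adobe-dns", "crl.", "practivate")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.*)$")
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)


def parse_hosts_lines(lines):
    """Yield (address, hostname) pairs from O1 lines; hostnames lower-cased."""
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        addr, names = m.groups()
        for name in names.split():
            yield addr, name.lower()


def find_sinkholed_licensing_hosts(lines):
    """Return sorted, de-duplicated hostnames that are pointed at a loopback
    or null address AND look like vendor licensing infrastructure."""
    found = set()
    for addr, name in parse_hosts_lines(lines):
        if addr not in SINKHOLE_ADDRS or name == "localhost":
            continue  # normal localhost entry, or a real redirection
        if any(hint in name for hint in LICENSING_HINTS):
            found.add(name)
    return sorted(found)


def find_autorun_handlers(lines):
    """Return {drive_key: command} for every MountPoints2 AutoRun command
    entry; a bare Shell = AutoRun line without a command is not a handler."""
    handlers = {}
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if m:
            handlers[m.group("key")] = m.group("cmd")
    return handlers


if __name__ == "__main__":
    sample = SAMPLE_OTL_LINES.splitlines()
    for host in find_sinkholed_licensing_hosts(sample):
        print("sinkholed licensing host:", host)
    for key, cmd in find_autorun_handlers(sample).items():
        print(f"AutoRun handler on {key}: {cmd}")
```

To use it on a real case, pass the lines of a saved OTL log instead of the sample. Note the limitation of a keyword heuristic: ood.opsource.net and wwis-dubc1-vip60.adobe.com from the same fix are not flagged because nothing in their names says "licensing", which is why a tool such as CKScanner keeps an explicit host list rather than guessing from the name.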

Wow, the problem seems to be solved, as I haven’t seen any alerts since I rebooted. Thank you so much for your help!!

I got a bit scared after the OTL fix run, because it had frozen my screen before automatically going into the log in screen, but my account appeared to be deleted. Everything was fine after the reboot though :slight_smile:

As for the uTorrent, I doubt it has caused the alerts, because they started to happen only recently and I haven’t used uTorrent for a while (maybe years? unsure). But I will take your recommendation and uninstall uTorrent, since I have no use for it anymore and it might be dangerous for my computer!

As for the source of the virus, I believe it is due to me temporarily disabling my firewalls and my antivirus programs for a few hours earlier this week, because I am having network problems and was trying to solve them on my own, which probably wasn’t a good idea.

Anyways, a million thanks for your amazing help, any way I could show my appreciation? (feedback, donations, etc.?)

Hi,

Glad to hear your system is running better. :slight_smile: Let’s check for anything else hiding in there…

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.

Hello,

Here are the requested logs.

ESET log:

C:\Users\Sébastien\Downloads\driverrobot_setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Sébastien\Downloads\FreeYouTubeDownloaderSetup.exe multiple threats
C:\Users\Sébastien\Downloads\tunesup-for-skype-2-0-0-74-beta-en.exe a variant of Win32/UpToDown.B application
C:\Users\Sébastien\Downloads\YouTubeDownloaderSetup272.exe a variant of Win32/Toolbar.Widgi application