Recently Avast started reporting 51 threats every time I boot my computer called trz****.tmp (**** being a random code). They’re trojan horses according to Avast! and they are blocked every time, but they keep reappearing after every reboot.
So far, my computer seems to behave normally, but I’ve seen threads with the same virus where it would actually prevent the computer from working, so I would like to get rid of this problem!
Here are some answers to maybe help find a solution:
How was it detected? What was scanning, you yourself or the background scanner? Did the message come from the avast Network Shield or Webshield or were you alerted via an avast Webreputation alert? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?
It was detected a few days ago automatically not long after booting up. Every time I reboot my computer, I get alerts for 51 of these trz****.tmp viruses (always the same, even though they’re blocked, the threat alerts keep reappearing).
What was the source of the file, where did the file come from? E.g. address, URL, source.
No idea.
When was it downloaded or received?
No idea, a few days ago.
What is the exact file name with extension?
A bunch of trz****.tmp (like trzC70B.tmp)
What was the exact wording of the message that the AV program came up with? This is important for later. Right click the avast ball and left-click show last pop-up message!
TROJAN HORSE BLOCKED
avast! File System Shield has blocked a threat. No further action is required.
Object: C:\Users\Sébastien\Downloads\trzC70B.tmp
Infection: OLE:ScriptBridge-inf [Trj]
Action:
Process: C:\Windows\System32\SearchProtocolHost.exe
The threat was detected and blocked just before the file was opened.
There are 51 notifications similar to this one, in different locations.
I’ve tried running aswMBR on safe mode, still no success. It only says “avast! toolkit has stopped working” and closes (just like on normal mode).
I’d also like to add that in order to get into safe mode, I had to shut down my computer first and it updated because of this. I hope this won’t cause any problem.
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:
[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
[*]Double click TDSSKiller.exe
[*]Press Start Scan but do nothing else as we are just looking for what is there.
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*]Attach the log in your next reply
[*]A copy of the log will be saved automatically to the root of the drive (typically C:)
I just wanted to update you on one thing, the virus alerts don’t just reappear after a reboot after all. There are 51 alerts after boot, then the 51 alerts will show up again after every 2 hours or so (extremely unsure about the time, just a very wide estimation).
Before we continue, are you aware your system is set to run from a proxy server or do you use your system to connect to business/school???
Download CKScanner by askey127 from Here & save it to your Desktop.
[*] Right-click and Run as Administrator CKScanner.exe then click Search For Files
[*] When the cursor hourglass disappears, click Save List To File
[*] A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
No, the proxy does not cause a problem… I just needed to check.
CKScanner seems to have detected unauthorized software on your system. Besides being unauthorized, it’s the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of unauthorized software except for their removal. If I were to continue helping you with unauthorized software installed, it could be construed in the eyes of the law as aiding and abetting a crime.
If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.
I wish to continue, sorry for any problems this might have generated.
Do I need to remove all of them manually or can a program remove all the cracked stuff automatically?
Edit: Alright, I think I’ve deleted all the bad stuff. I’m not sure how to remove the remaining host files. I’ve run a new scan after rebooting and attached the results.
P2P - I see you have P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a “safe” P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.
[*]Download the tool found here to your Desktop so it is easy to find.
[*]Double click on the file you just downloaded to install it to your system.
[*]Once the tool is installed, double-click on the Tweaking.com Registry Backup icon. Note: The tool should automatically open to the Backup Registry tab.
[*]Press Backup Now
[*]When the back up is complete, the tool will tell you that Successful / Files Backed Up
[*]You have now successfully backed up your Registry.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Attach the new OTL log and let me know how your system is running now.
Wow, the problem seems to be solved, as I haven’t seen any alerts since I rebooted. Thank you so much for your help!!
I got a bit scared after the OTL fix run, because it had frozen my screen before automatically going into the log in screen, but my account appeared to be deleted. Everything was fine after the reboot though
As for the uTorrent, I doubt it has caused the alerts, because they started to happen only recently and I haven’t used uTorrent for a while (maybe years? unsure). But I will take your recommendation and uninstall uTorrent, since I have no use for it anymore and it might be dangerous for my computer!
As for the source of the virus, I believe it is due to me temporarily disabling my firewalls and my antivirus programs for a few hours earlier this week, because I am having network problems and was trying to solve them on my own, which probably wasn’t a good idea.
Anyways, a million thanks for your amazing help, any way I could show my appreciation? (feedback, donations, etc.?)
Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
ESET Online Scanner
Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.
C:\Users\Sébastien\Downloads\driverrobot_setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Sébastien\Downloads\FreeYouTubeDownloaderSetup.exe multiple threats
C:\Users\Sébastien\Downloads\tunesup-for-skype-2-0-0-74-beta-en.exe a variant of Win32/UpToDown.B application
C:\Users\Sébastien\Downloads\YouTubeDownloaderSetup272.exe a variant of Win32/Toolbar.Widgi application