Hi. I have a problem with a trz virus. I seem to have a lot of .tmp files with trz in their name. I tried to run aswMBR.exe but I got a BSOD crash. I'm currently in safe mode. Thanks in advance for the help.
Re-run OTL.exe.
[*]Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:OTL
O33 - MountPoints2\{0a441f33-6a84-11e2-935c-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{0a441f33-6a84-11e2-935c-b888e30a1938}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{19578a45-0a1e-11e2-9b37-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{19578a45-0a1e-11e2-9b37-b888e30a1938}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{19578a68-0a1e-11e2-9b37-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{19578a68-0a1e-11e2-9b37-b888e30a1938}\Shell\AutoRun\command - "" = F:\Setup.exe
O33 - MountPoints2\{46c86de2-0d63-11e2-89b7-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{46c86de2-0d63-11e2-89b7-b888e30a1938}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{50d7168b-6803-11e2-8add-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{50d7168b-6803-11e2-8add-b888e30a1938}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{6dbad5b5-0965-11e2-941f-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{6dbad5b5-0965-11e2-941f-806e6f6e6963}\Shell\AutoRun\command - "" = E:\DistinguishOS.exe
O33 - MountPoints2\{82612a86-0cc6-11e2-8137-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{82612a86-0cc6-11e2-8137-b888e30a1938}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{8ecb8186-0bf9-11e2-8997-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{8ecb8186-0bf9-11e2-8997-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{9d6d224f-6800-11e2-81b3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{9d6d224f-6800-11e2-81b3-806e6f6e6963}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{9d6d2262-6800-11e2-81b3-08edb9ede829}\Shell - "" = AutoRun
O33 - MountPoints2\{9d6d2262-6800-11e2-81b3-08edb9ede829}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{9d6d22a9-6800-11e2-81b3-08edb9ede829}\Shell - "" = AutoRun
O33 - MountPoints2\{9d6d22a9-6800-11e2-81b3-08edb9ede829}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{ac82aefe-67c5-11e2-81ba-001e101f79c9}\Shell - "" = AutoRun
O33 - MountPoints2\{ac82aefe-67c5-11e2-81ba-001e101f79c9}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{ac82af0a-67c5-11e2-81ba-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{ac82af0a-67c5-11e2-81ba-b888e30a1938}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{ac82af15-67c5-11e2-81ba-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{ac82af15-67c5-11e2-81ba-b888e30a1938}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{ac82af23-67c5-11e2-81ba-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{ac82af23-67c5-11e2-81ba-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{d3cb905c-094d-11e2-ac19-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{d3cb905c-094d-11e2-ac19-b888e30a1938}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f40cbb7d-18f7-11e2-89a4-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{f40cbb7d-18f7-11e2-89a4-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f40cbb85-18f7-11e2-89a4-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{f40cbb85-18f7-11e2-89a4-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f40cbbad-18f7-11e2-89a4-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{f40cbbad-18f7-11e2-89a4-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f40cbd85-18f7-11e2-89a4-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{f40cbd85-18f7-11e2-89a4-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{fc2db6ae-0a33-11e2-b016-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{fc2db6ae-0a33-11e2-b016-b888e30a1938}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{fc2db6d7-0a33-11e2-b016-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{fc2db6d7-0a33-11e2-b016-b888e30a1938}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{fc2db6e4-0a33-11e2-b016-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{fc2db6e4-0a33-11e2-b016-b888e30a1938}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{fc2db7e5-0a33-11e2-b016-b888e30a1938}\Shell - "" = AutoRun
O33 - MountPoints2\{fc2db7e5-0a33-11e2-b016-b888e30a1938}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{fee03c17-2350-11e2-8135-001e101f3315}\Shell - "" = AutoRun
O33 - MountPoints2\{fee03c17-2350-11e2-8135-001e101f3315}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{fee03c23-2350-11e2-8135-001e101f3315}\Shell - "" = AutoRun
O33 - MountPoints2\{fee03c23-2350-11e2-8135-001e101f3315}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn’t appear, it can be found here:
C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
Please download zoek.zip from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.
[*]Double click on zoek.exe to run the tool .
Please wait while the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
uninstall-list;
[*] Click on the Run script button.
Please wait until a log report opens (this may happen after a reboot).
[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”
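The O33 lines in the OTL fix above are per-user AutoRun handlers that Windows stores under MountPoints2 for every removable volume ever plugged in; each Shell\AutoRun\command value is a program that runs when that volume is opened. The following PowerShell script is an added example, not part of the original thread or of OTL, that lists those handlers so you can review them, checks whether the referenced executable is currently reachable, and deletes the AutoRun subkeys only when run with -Remove (supports -WhatIf). It assumes Windows PowerShell 5.1 or later and that it is run as the affected user.

```powershell
# Added example (not from the original thread): audit the HKCU MountPoints2
# AutoRun handlers that OTL reports as "O33" entries, optionally removing them.
# Assumptions: Windows PowerShell 5.1+, run as the affected user. Nothing is
# written to the registry unless -Remove is given; -WhatIf previews deletions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

if (-not (Test-Path -Path $base)) {
    Write-Host "No MountPoints2 key exists for this user."
    return
}

$findings = foreach ($mp in Get-ChildItem -Path $base) {
    # Each mount point is a {GUID} (a volume) or a bare drive letter. An AutoRun
    # handler, if present, is the unnamed (default) value of Shell\AutoRun\command,
    # and Shell's own (default) value names the verb that Explorer invokes.
    $shellKey   = "$($mp.PSPath)\Shell"
    $commandKey = "$shellKey\AutoRun\command"
    if (-not (Test-Path -Path $commandKey)) { continue }

    $verb    = (Get-ItemProperty -Path $shellKey   -ErrorAction SilentlyContinue).'(default)'
    $command = (Get-ItemProperty -Path $commandKey -ErrorAction SilentlyContinue).'(default)'

    # Split the executable from its arguments ("quoted path" or first token) so
    # we can tell whether the program is reachable right now; stale entries for
    # media that is no longer attached will show ExePresent = False.
    $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }

    [pscustomobject]@{
        MountPoint = $mp.PSChildName
        ShellVerb  = $verb
        Command    = $command
        ExePresent = [bool]($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
        KeyPath    = $mp.PSPath
    }
}

# Review list: every mount point that still carries an AutoRun handler.
$findings | Format-Table MountPoint, ShellVerb, ExePresent, Command -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Deleting Shell\AutoRun (not the whole mount point) is the equivalent of
        # the O33 lines in the OTL fix; Explorer recreates the key only if the
        # same volume is inserted again with an autorun.inf.
        $autoRunKey = "$($f.KeyPath)\Shell\AutoRun"
        if ($PSCmdlet.ShouldProcess($autoRunKey, 'Remove AutoRun handler')) {
            Remove-Item -Path $autoRunKey -Recurse -Force
        }
    }
}
```

Run it once without switches to see what is there, then `.\Audit-MountPoints2.ps1 -Remove -WhatIf` to preview and `-Remove` to apply. Entries such as `setup_vmc_lite.exe` or `AutoRun.exe` on a removable drive letter are typical of vendor installers and are harmless in themselves; the point of clearing them is that any handler pointing at a path a USB-borne worm controls would run the moment the drive is opened.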
Added logs. Been doing operations in safe mode.
Can you run in normal mode?
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Ran them in normal mode.
Scan with Combofix:
[*] Please download ComboFix and save it to your Desktop.
You may read how Combofix works here.
[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.
[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt )
Took about 30 mins.
How’s your computer behaving now?
It's acting pretty OK, but I still see a lot of trz files. The thing is that they are occupying my memory.
It is located on the D partition
Please download the following programmes to your desktop:
Install IMGBurn
[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a cd
[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif
[*]Use arrow keys to select DrWeb-LiveCD (Default)
[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif
[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal windows
I made a bootable USB stick, but when I click the graphic mode (the menu looks a bit different) it takes 20 minutes to load and then my screen goes black. Should I try a different version of web…?
Create a bootable USB stick with this tool.
I downloaded the special web live file for USB the second time. The same thing happened. I can go into a command prompt like menu when I press Alt+F1 but I'm not sure if it's of any help. Should I retry doing the bootable USB?
edit: Also, I can't find an option to burn drweb live to the USB since it's not a Windows OS.
Can't I activate the scan without the graphic interface, only using the console like thing?
edit2: Message is: "preparing the live cd environment… press alt+f1 for verbose mode"
Download the .exe file, install it and run it in safe mode.
I let my PC scan for over 40 hours straight (about 600 000 files were infected) so I decided it would be better if I backed up some of my files and installed a fresh copy of Windows and maybe Ubuntu. Thanks for all your help. Should I keep using Avast Free edition?