Avast WEBforum
Other => Viruses and worms => Topic started by: moonbaby755 on June 14, 2013, 04:55:34 AM
-
this is my first time posting...hope I got this in the right spot. trz.tmp files have taken over my computer and won't allow me to do anything. They just keep opening. i'm using computer in safe mode right now. is that a problem? Help!! pls!
-
Hi and Welcome!!
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
- The fixes are specific to your problem and should only be used for the issues on this machine.
- It's often worth reading through these instructions and printing them for ease of reference.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.
- If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
- Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
Having said that.... (http://i1224.photobucket.com/albums/ee380/jeffce74/vegeta_zps7f4345cf.gif) Let's get going!!
----------
If you are only able to run these tools in Safe Mode that is just fine. :)
Please download DDS from either of these links
LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.com)
LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.scr)
and save it to your desktop.
- Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html))
- Double click dds to run the tool.
- When done, two DDS.txt's will open.
- Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt
----------
(http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbr-1-1.jpg) Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
- Double click the aswMBR icon to run it.
- Click the Scan button to start scan.
- If you are asked to update the Avast Virus database please allow it to do so.
- When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
(http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg) (http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg)
Click the image to enlarge it
----------
-
it won't let me post all the attachments at once, says it's too large, so I will attach them separately. thx
-
here's the next log
-
here's the next one
-
can't attach the dds. says it is too long.
-
oops! my bad! the aswMBR wasn't done. it just keeps going. I will resend when it's done. thx
-
can't attach the dds. says it is too long.
You are being told that the attachment is too large?
-
here u go.
-
yes. when I try to post the dds it says - 413 request entity too large.
-
Ok....if the file is too large I need for you to go to the MediaFire found here >> https://www.mediafire.com/ssl_login.php?type=login
Open an account (it is free) and then upload the DDS.txt to the site. Once uploaded...look to the right of the file and you will see a dropdown arrow. Select that arrow and then select Copy Link and then post that link here so that I can review the file.
-
http://www.mediafire.com/download/79bhaqnru6ud2yp/dds.txt
-
Good job! :)
ComboFix
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
combo fix
http://www.mediafire.com/view/smh21srxj7yjah8/log.txt
-
ComboFix
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
DDS::
uStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={942B136B-CEF8-11E2-8BFA-C80AA987641E}
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={942B136B-CEF8-11E2-8BFA-C80AA987641E}
Firefox::
FF - ProfilePath - c:\users\Trish\AppData\Roaming\Mozilla\Firefox\Profiles\1ziu2w9m.default\
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com?src=6&barid={942B136B-CEF8-11E2-8BFA-C80AA987641E}&crg=3.5000006.10042&st=23&q=
FF - ExtSQL: 2013-06-06 15:31; {7D4F1959-3F72-49d5-8E59-F02F8AA6815D}; c:\program files\Updater By SweetPacks\Firefox
File::
c:\windows\system32\dmwu.exe
c:\program files\Updater By SweetPacks\Extension32.dll
c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\336854fbcf359e2983b299e0a624f777.exe
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.Reader.exe
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d105f876dda75aef88398ebc60ebffda.exe
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trz6E8B.tmp
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trz7198.tmp
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trz74E3.tmp
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trzC159.tmp
c:\users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trzC1D7.tmp
c:\windows\SYSNATIVE\dmwu.exe
c:\program files\Updater By SweetPacks\Extension64.dll
Folder::
c:\program files\Updater By SweetPacks
c:\program files (x86)\SweetIM
DirLook::
c:\windows\SysWow64\jmdp
c:\windows\SysWow64\ARFC
c:\windows\SysWow64\WNLT
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"=-
[-HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
Driver::
IBUpdaterService
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix may request an update; please allow it.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Attach the new ComboFix log and let me know how your system is running now. :)
-
Here you go, thank you.
-
Please go to: VirusTotal (http://"http://www.techsupportforum.com/forums/redirect-to/?redirect=http%3A%2F%2Fwww.virustotal.com")
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
c:\windows\SysWow64\jmdp\stij.exe
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying [COLOR="Blue"]File has already been analyzed:[/COLOR] click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------
-
my system seems to be running fine now. awesome!! thank you so much for your help!
-
my avast! won't turn on now. says - No valid license found.
-
SHA256: 419967c0703fca52f6a4d1dfa680ee28457301100775e4aa36fc401917dda643
File name: stij.exe
Detection ratio: 1 / 46
Analysis date: 2013-06-16 01:48:25 UTC ( 0 minutes ago )
1
2
More details
Analysis
File detail
Additional information
Comments
Votes
Antivirus
Result
Update
Agnitum 20130615
AhnLab-V3 20130615
AntiVir 20130615
Antiy-AVL 20130615
Avast 20130616
AVG 20130616
BitDefender 20130616
ByteHero 20130613
CAT-QuickHeal 20130615
ClamAV 20130616
Commtouch 20130616
Comodo 20130616
DrWeb Adware.SweetIM.27 20130616
Emsisoft 20130616
eSafe 20130613
ESET-NOD32 20130615
F-Prot 20130615
Fortinet 20130616
GData 20130616
Ikarus 20130615
Jiangmin 20130615
K7AntiVirus 20130614
K7GW 20130614
Kaspersky 20130616
Kingsoft 20130506
Malwarebytes 20130615
McAfee 20130616
McAfee-GW-Edition 20130615
Microsoft 20130616
MicroWorld-eScan 20130616
NANO-Antivirus 20130615
Norman 20130615
nProtect 20130615
Panda 20130615
PCTools 20130521
Rising 20130614
Sophos 20130615
SUPERAntiSpyware 20130615
Symantec 20130616
TheHacker 20130615
TotalDefense 20130614
TrendMicro 20130616
TrendMicro-HouseCall 20130616
VBA32 20130615
VIPRE 20130616
ViRobot 20130615
Blog | Twitter | contact@virustotal.com
-
ComboFix
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
DDS::
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={942B136B-CEF8-11E2-8BFA-C80AA987641E}
Firefox::
FF - ProfilePath - c:\users\Trish\AppData\Roaming\Mozilla\Firefox\Profiles\1ziu2w9m.default\
FF - ExtSQL: 2013-06-06 15:31; {7D4F1959-3F72-49d5-8E59-F02F8AA6815D}; c:\program files\Updater By SweetPacks\Firefox
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix may request an update; please allow it.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Still with me?
-
I have a solution,, hope its work..
i already try,, and its work for me..
first add "take ownership" to your pc...
http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
second go to file location of trz.tmp file.
Example [C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
right click of file and "Take ownership"
last delete all trz file..
Hope it helpfull..
-
I have a solution,, hope its work..
i already try,, and its work for me..
first add "take ownership" to your pc...
http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
second go to file location of trz.tmp file.
Example [C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
right click of file and "Take ownership"
last delete all trz file..
Hope it helpfull..
Thanks for your hint: it worked for me (http://emoticon.gregland.net/emoticon/@GregLand/ay.gif) > this bloody "trz*.tmp" installed itself in one of "My Documents" files, on an external hard disk, and used to "eat" all of my ram (http://emoticon.gregland.net/emoticon/@GregLand/aq.gif) . As it was Avast who alerted me, I tried a complete scan with it (with my own deep requirements); then, I used Spybot... did a full scan disk... CCleaner... Glary... with no results but stopping all the alerts > however, it was still where Avast told me (got to know about it by pointing the name in the alert with my mouse (it would be time Avast finds a solution since, on all fora I went, all victims of this malware used this antivirus). (http://emoticon.gregland.net/emoticon/@GregLand/dk.gif)
Following your advise, I downloaded "Take Ownership" and operated as you indicated: I at least could remove the last "trz*.tmp" without it replicating. (http://emoticon.gregland.net/emoticon/@GregLand/em.gif)
Thanks a lot, (http://emoticon.gregland.net/emoticon/@GregLand/ad.gif)
Marco
-
Hi edysuperb and jeffce,
Bad news: trz*.tmp still are there, in my external Hard Drive in "$RECYCLE.BIN", and still memory eating. (http://emoticon.gregland.net/emoticon/Triste/triste_1.gif)
-
Hi edysuperb and jeffce,
Bad news: trz*.tmp still are there, in my external Hard Drive in "$RECYCLE.BIN", and still memory eating. (http://emoticon.gregland.net/emoticon/Triste/triste_1.gif)
In fact, as far as I am concerned, the solution was quite simple: since windows updates last month, there was quite a few of those I could not install... due to only one security program. I had to install those "compatible" updates one by one to find out only one does not work and, now, no more remains of "trz*.tmp" in CCleaner. (http://emoticon.gregland.net/emoticon/@GregLand/ad.gif) (http://emoticon.gregland.net/emoticon/@GregLand/ay.gif)