Author Topic: trz****.tmp TROJAN HORSE invasion  (Read 28189 times)


LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #15 on: July 19, 2013, 04:03:22 AM »
Here I've run another OTL scan (full) as mentioned in the earlier guide, since I wasn't sure if a quick scan also needed the custom stuff.

If you need me to run a quick scan, just ask! (and also tell me if it needs the custom lines)

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #16 on: July 19, 2013, 02:06:54 PM »
Hi,

P2P - I see you have P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.
----------

Tweaking.com Registry Backup
  • Download the tool found here to your Desktop so it is easy to find.
  • Double click on the file you just downloaded to install it to your system.
  • Once the tool is installed, double-click on the Tweaking.com Registry Backup icon
    **Note** The tool should automatically open to the Backup Registry tab.
  • Press Backup Now
  • When the back up is complete, the tool will tell you that Successful */* Files Backed Up
  • You have now successfully backed up your Registry.
-------------------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKU\S-1-5-21-1791810842-1693449940-2674181568-1000\..\SearchScopes\{670DC43F-A766-4E23-9773-D6F9BEC065B8}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
O1 - Hosts: 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O3 - HKU\S-1-5-21-1791810842-1693449940-2674181568-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - Startup: C:\Users\Agnès\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk =  File not found
O33 - MountPoints2\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\Shell - "" = AutoRun
O33 - MountPoints2\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\Shell\AutoRun\command - "" = L:\AUTORUN.EXE
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\LaunchU3.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011-09-25 11:41:13 | 000,003,584 | ---- | C] () -- C:\Users\Sébastien\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Attach the new OTL log and let me know how your system is running now.  :)
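Two kinds of entry in the fix above are worth recognising on sight: the O1 lines pin Adobe activation hosts, VeriSign's CRL server and a few others to 127.0.0.1 (which is what [resethosts] undoes), and the O33 lines are MountPoints2 AutoRun handlers that launch an executable from the root of a removable drive. As an added illustration, not OTL's code and not part of the helper's post, the Python below pulls both kinds of entry out of OTL-style log lines. The sample lines are constructed after the ones posted, and the regular expressions assume the O1 and O33 line formats exactly as shown in the thread.

```python
"""Triage OTL-style log lines for hosts-file redirects and removable-drive
AutoRun handlers.

Added example for this thread, not OTL's own code or the helper's fix script.
The sample input below is constructed after the O1/O33 lines in the post.
"""
import re

# Constructed sample lines in the OTL formats seen in the thread
# (O1 = hosts file entry, O33 = MountPoints2 Shell/AutoRun registry key).
SAMPLE_OTL_LINES = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com activate.adobe.com
O1 - Hosts: 127.0.0.1 crl.verisign.net ood.opsource.net
O33 - MountPoints2\\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\\Shell - "" = AutoRun
O33 - MountPoints2\\{78e3b864-482e-11e0-99a5-d48564a4a5ff}\\Shell\\AutoRun\\command - "" = L:\\AUTORUN.EXE
O33 - MountPoints2\\J\\Shell\\AutoRun\\command - "" = J:\\LaunchU3.exe -a
O4 - HKLM..\\Run: [SomeApp] C:\\Program Files\\SomeApp\\app.exe
"""

# Line formats assumed from the thread: "O1 - Hosts: <ip> <name> <name> ..."
# and "O33 - MountPoints2\<key>\Shell\AutoRun\command - "" = <command>".
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.*)$")
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)

# Addresses that make a hosts entry a sinkhole, and names that belong there.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def hosts_redirects(lines):
    """Return (hostname, ip) for every non-local name pinned to loopback/null."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((name.lower(), ip))
    return findings


def autorun_handlers(lines):
    """Return (mountpoint_key, command) for each MountPoints2 AutoRun command."""
    findings = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m:
            findings.append((m.group("key"), m.group("cmd").strip()))
    return findings


def summarize_domains(redirects):
    """Count redirected hostnames by their last two labels, e.g. adobe.com."""
    counts = {}
    for name, _ in redirects:
        parts = name.split(".")
        domain = ".".join(parts[-2:]) if len(parts) >= 2 else name
        counts[domain] = counts.get(domain, 0) + 1
    return counts


def triage(text):
    """Run all three checks over a block of OTL log text."""
    lines = text.splitlines()
    redirects = hosts_redirects(lines)
    return {
        "hosts_redirects": redirects,
        "hosts_domains": summarize_domains(redirects),
        "autorun_handlers": autorun_handlers(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_OTL_LINES)
    for domain, n in sorted(result["hosts_domains"].items()):
        print(f"hosts sinkhole: {n} name(s) under {domain}")
    for key, cmd in result["autorun_handlers"]:
        print(f"AutoRun handler on mount point {key}: {cmd}")
```

Seeing a whole vendor's activation and CRL hostnames sinkholed in one hosts file, or an AutoRun command pointing at an executable in a drive root, is the kind of pattern a helper reads straight off the log; the grouping by domain makes the first one stand out even when the entries are spread over several O1 lines.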

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #17 on: July 19, 2013, 10:32:41 PM »
Wow, the problem seems to be solved, as I haven't seen any alerts since I rebooted. Thank you so much for your help!!

I got a bit scared after the OTL fix run, because it had frozen my screen before automatically going into the log in screen, but my account appeared to be deleted. Everything was fine after the reboot though :)

As for the uTorrent, I doubt it has caused the alerts, because they started to happen only recently and I haven't used uTorrent for a while (maybe years? unsure). But I will take your recommendation and uninstall uTorrent, since I have no use for it anymore and it might be dangerous for my computer!

As for the source of the virus, I believe it is due to me temporarily disabling my firewalls and my antivirus programs for a few hours earlier this week, because I am having network problems and was trying to solve them on my own, which probably wasn't a good idea.

Anyways, a million thanks for your amazing help, any way I could show my appreciation? (feedback, donations, etc.?)

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #18 on: July 20, 2013, 04:52:20 AM »
Hi,

Glad to hear your system is running better.  :)  Let's check for anything else hiding in there...

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
----------

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #19 on: July 20, 2013, 05:50:49 PM »
Hello,

Here are the requested logs.

ESET log:

C:\Users\Sébastien\Downloads\driverrobot_setup.exe   a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Sébastien\Downloads\FreeYouTubeDownloaderSetup.exe   multiple threats
C:\Users\Sébastien\Downloads\tunesup-for-skype-2-0-0-74-beta-en.exe   a variant of Win32/UpToDown.B application
C:\Users\Sébastien\Downloads\YouTubeDownloaderSetup272.exe   a variant of Win32/Toolbar.Widgi application

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #20 on: July 20, 2013, 06:41:33 PM »
Hi,

Much better....

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL

:Files
C:\Users\Sébastien\Downloads\driverrobot_setup.exe   
C:\Users\Sébastien\Downloads\FreeYouTubeDownloaderSetup.exe   
C:\Users\Sébastien\Downloads\tunesup-for-skype-2-0-0-74-beta-en.exe   
C:\Users\Sébastien\Downloads\YouTubeDownloaderSetup272.exe
ipconfig /flushdns /c

:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Attach the new OTL log and let me know what remaining malware problems you are having now.  :)

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #21 on: July 21, 2013, 05:30:27 AM »
Here's my latest OTL log.

I haven't noticed any malware problems since the first fix.

I have a question though, would it be safe for me to disable Windows Firewall and Windows Defender in order to potentially solve some unrelated network problems?

Edit: Actually, the same 51 alerts came back randomly while I was watching a stream on twitch.tv. I didn't open any file or did any action when the alerts happened. I had disabled Windows Firewall and Windows Defender under the request of another technician, but haven't downloaded anything or visited any questionable website either (adblock and Avast! are on). I don't know yet if they are recurrent.

Edit2: they are recurrent. Should I repeat all the steps done in this thread?
« Last Edit: July 21, 2013, 09:08:30 AM by LenfaL »

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #22 on: July 21, 2013, 08:30:15 PM »
Hi,

Ok...whatever is detecting it, can you let me know what program it is and also if you can give me a few examples of the complete files that would be great!  :)

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #23 on: July 21, 2013, 09:38:52 PM »
Hello,

The threats are detected by Avast! (free version), and now I'm not sure anymore that there are only 51 alerts. I'm suspecting that 51 is the maximum number of alerts Avast! can show in one pop-up (when I close the pop-up with 51/51 alerts, another one pops up immediately with 51 alerts, not sure if they are the same or different, and I need to close them 4-5 times before nothing shows up again). The wave of alerts returns every 1h30 or so.

I've attached a screenshot example of the alerts.

(This is exactly the same problem described at the beginning of this thread).

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #24 on: July 21, 2013, 10:19:37 PM »
Ok thanks....run a new Quick Scan with OTL and post the new log please.  :)

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #25 on: July 21, 2013, 10:53:38 PM »
Here's a quick scan log (I've checked All users, 64 bit scan, Lop and Purity - no custom code).

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #26 on: July 22, 2013, 12:20:32 AM »
Hi,

SystemLook

Please use either of the following links:
Download Mirror 1
Download Mirror 2
  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
*SearchProtocolHost.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------

ComboFix

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

LenfaL

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #27 on: July 22, 2013, 12:56:43 AM »
Hello,

Here are the requested logs.

jeffce

  • Guest
Re: trz****.tmp TROJAN HORSE invasion
« Reply #28 on: July 22, 2013, 01:13:24 AM »
Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

C:\Windows\System32\SearchProtocolHost.exe

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------
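The SystemLook search two posts up lists every file named SearchProtocolHost.exe on the disk, and the VirusTotal step above gets a verdict on the one in System32. As an added example, not part of the helper's procedure and not VirusTotal's or SystemLook's own tooling, the Python below does the two things a practitioner would do with those results: compute the SHA-256 of a file locally (a hash can be looked up on VirusTotal without uploading the file) and sort the found copies into expected and unexpected locations. The set of expected directories and the sample paths and digests are constructed assumptions for the illustration.

```python
"""Hash a file locally and sort copies of a Windows binary by location.

Added example for this thread, not the helper's procedure or any tool's code.
EXPECTED_DIRS is an assumption; SAMPLE_COPIES uses constructed paths and
placeholder digests standing in for real SHA-256 values.
"""
import hashlib
import os
import tempfile

# Assumed: where a genuine copy of a Windows Search binary is expected to live
# (WinSxS is the component store that keeps servicing copies).
EXPECTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Constructed results in the shape "path -> sha256 hex digest". The digests
# are placeholders, not hashes of any real file.
SAMPLE_COPIES = {
    r"C:\Windows\System32\SearchProtocolHost.exe": "a" * 64,
    r"C:\Windows\SysWOW64\SearchProtocolHost.exe": "b" * 64,
    r"C:\Users\Public\SearchProtocolHost.exe": "c" * 64,
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def in_expected_dir(win_path):
    """Case-insensitive check that win_path sits under one of EXPECTED_DIRS."""
    lowered = win_path.lower()
    return any(lowered.startswith(d.lower() + "\\") for d in EXPECTED_DIRS)


def suspicious_copies(copies):
    """Paths of copies found outside the expected directories."""
    return [path for path in copies if not in_expected_dir(path)]


def hashes_to_lookup(copies):
    """Distinct digests to search on VirusTotal, so no file needs uploading.
    The 32-bit SysWOW64 copy legitimately differs from the 64-bit System32 one,
    so a hash mismatch between them is not by itself a finding."""
    return sorted(set(copies.values()))


def demo_hash_roundtrip():
    """Write constructed bytes to a temp file, hash it, clean up, return digest."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed content, not a real binary
        name = tmp.name
    try:
        return sha256_of_file(name)
    finally:
        os.remove(name)


if __name__ == "__main__":
    print("sha256(temp file) =", demo_hash_roundtrip())
    for path in suspicious_copies(SAMPLE_COPIES):
        print("copy outside expected directories:", path)
    print("distinct hashes to look up:", hashes_to_lookup(SAMPLE_COPIES))
```

A copy of a well-known Windows binary name in a user-writable directory is what the wildcard search is there to surface; hashing each copy and looking the hashes up keeps the check cheap and avoids uploading files that may be private.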