Trojan horse Delf.ZRS

I opened a picture which I mistakenly thought was from my friend however turned out to be a trojan. I have AVG which detected and "removed" it however another trojan threat came up several minutes later. I proceeded to come onto this website to remove it and the instructions said to download AdwCleaner.exe and I did. However when I opened up my downloads folder, another trojan threat appeared. I noticed that right underneath the AdwCleaner.exe was the file which I had mistakenly downloaded, which hadn't actually been removed by AVG. I tried to remove it myself however a banner came up saying "The action can't be completed because the file is open in another program."

I'm not sure what to do now since any virus removal software will go into my downloads folder and then appear to activate the trojan. I'd really appreciate if someone could help.

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
Please download AdwCleaner by Xplode onto your Desktop.

• Please close all open programs and internet browsers.
  
• Double click on adwcleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with OK
  
• Your computer will be rebooted automatically. A text file will open after the restart.
  
• Please post the content of that logfile in your reply.
  
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
  

********************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.

I have transferred the programs to my computer via memory stick however my computer is not letting me open any files. Not sure how to continue from here.

abigail.4 wrote:

I have transferred the programs to my computer via memory stick however my computer is not letting me open any files. Not sure how to continue from here.

Ok, the first thing to try is to boot in Safe Mode and run MBAM. If it runs, try running it in Normal Mode.

I ran MBAM in Safe Mode and and that worked fine so I opened it in Normal Mode

rebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.28.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Abigail :: ROBERT-VAIO [administrator]

29/05/2013 10:07:12
mbam-log-2013-05-29 (10-07-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 259218
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

So nothing was detected. I assumed the programs on my computer were working fine now so went to complete the instructions from your first post however adwcleaner still isn't opening.

Should I try to open adwcleaner in safe mode?

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.

There are 7 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator


You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.exe
* Rkill.com
* Rkill.scr
* WiNlOgOn.exe
* uSeRiNiT.exe
* iExplore.exe
* eXplorer.exe
Once you've gotten one of them to run then try to immediately run the following.

Now try to run adwCleaner and the Junkware Removal Tool.

I've been running Rkill for about an hour and the program is still Checking for processes to terminate. I have tried using all the links and I restarted my computer and tried again however it still seems to be stuck on that process. Not sure whether to leave it running or try something else?

UPDATE: Rkill has been running for nearly two hours and still appears to be "stuck" on the same process, tempted to close it because my laptop is starting to overheat

You can abort using Rkill. Please try this instead.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

• Save it to your desktop.
  
• Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  
• Double click the setup file to run it.
  
• Click Next to continue.
  
• Accept the License agreement and click on next.
  
• It will, by default, install it to your desktop folder. Click Next.
  
• It will then open a box There will be a tab that says Automatic scan.
  
• Under Automatic scan make sure these are checked.
  
  
• Hidden Startup Objects
  
• System Memory
  
• Disk Boot Sectors.
  
• My Computer.
  
• Also any other drives (Removable that you may have)
  

Leave the rest of the settings as they appear as default.
•Then click on Scan at the to right hand Corner.
•It will automatically Neutralize any objects found.
•If some objects are left un-neutralized then click the button that says Neutralize all
•If it says it cannot be neutralized then choose the delete option when prompted.
•After that is done click on the reports button at the bottom and save it to file name it Kas.
•Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Finally got something to work! I left the program running and it successfully deleted one trojan and two other potential threats since it couldn't neutralize them. I think I accidentally saved the entire log so I'm not quite sure which part to post here.

EDIT: Yes I did stupidly save the entire log. I've had a quick scan through and these are the parts of the log I found that the search picked up on:

29/05/2013 23:57:11 Detected: Trojan.Win32.Agent.tzoc C:\Documents and Settings\Abigail\AppData\Local\Temp\FreeDownloadManager.exe/data0116

29/05/2013 23:53:20 Detected: HEUR:Backdoor.Win64.Generic C:\Documents and Settings\Abigail\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0015c7/data0000.res Information

29/05/2013 23:57:05 Detected: not-a-virus:AdWare.Win32.Agent.adln C:\Documents and Settings\Abigail\AppData\Local\Temp\pricepeep_1.exe/pricepeep.dll


Last edited by abigail.4 on 30th May 2013, 10:33 am; edited 2 times in total (Reason for editing : new information)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

I looked into it however reformatting and reinstalling my laptop seemed a bit extreme since I mainly use it for word documents, music, photos and only use a few web functions, and I don't have any personal information stored on there apart from various passwords (which I have now changed).

So what measures could I take to ensure that my laptop is as clean and secure as it can be, without reinstalling the OS?

Ok, let's try running AdwCleaner and Junkware Removal tool that I post in my first post.