Computer Security & Viruses/Trojan


Question
QUESTION: Hello,

I have the Avira AntiVir Personal free program, version 9.0.0.418, with the latest version of Mozilla Firefox and Windows XP Professional, Service Pack 3. I have the Avira AntiVir Guard on all the time and it automatically downloads anti-virus updates quite often.

Some weeks ago, my computer became infected and still is infected by the TR.Dropper.gen trojan.

When I booted up my computer, an AntiVir Guard window came up and said that it had detected a trojan called TR/Dropper.Gen in C:\Program Files\zwunzi\zwunzi.dll.

It gave me choices as to what to do. I selected the DELETE option and clicked OK.

However when I booted the computer up again the following day, the same window came up. I selected the delete option once again.

I then performed the Avira scan and it listed 9 infected objects, most of which were named TR.Dropper.gen trojans. I told Avira to delete them, but all to no avail. This trojan seems to be able to re-install itself even when deleted, which is something I cannot understand.

Unfortunately, when I tried booting from the Avira Rescue CD, which a friend of mine burnt for me on his clean computer, it reported that there was not enough memory.

I am trying to understand HOW the TR.Dropper.gen trojan infected my computer. I would appreciate your help here very much. I will start from the beginning so that you will know what happened.

At around Christmas time, I clicked on a link in a webpage I was visiting that said you could have a free forecast for the year ahead from a medium called Tara. I gave my Hotmail email address because I thought Hotmail automatically scans for viruses. The email contained a CLICK HERE link if I wanted to read my forecast. It did indeed open a web page in my Firefox browser. But it is very likely this email was the culprit, for I received repeated similar emails from Tara and still do, even though I have repeatedly marked her emails as PHISHING SCAM in my Hotmail email browser. She is probably using a different email address each time.

When I clicked on the link in Tara's email, it opened a new window in Firefox showing Tara's forecast. But it also could have automatically downloaded the trojan program. If this happened, though, Avira Guard should have stopped the program.
So my guess is that just by OPENING Tara's email, it somehow automatically downloaded the trojan program. Am I right? If not, can you tell me how the trojan infected my computer with Avira Guard on?
Thank you.

ANSWER: More than likely you did get the infection from the medium.
The reason your software could not remove it is that most anti-virus programs only remove files and do not remove registry keys. You think the infection is removed, and when you go back online those registry keys or other system files contact their host server and reload everything. I am familiar with Avira but have never used it. I use AVG, but this is still not the answer for many trojans.
The number 1 best program I have ever used for detecting and removing malware is Malwarebytes. You can get it for free at www.malwarebytes.org. Regularly, or when you think your computer might be infected, run Malwarebytes and it will not only clean infected files but also the registry keys.

---------- FOLLOW-UP ----------

QUESTION: Thank you for your reply. Actually, the Avira forum advised me to download the Malwarebytes program and scan my computer with it. I did so and got the following log file. The F drive is my external USB hard drive.

LOGFILE CREATED AFTER THE F DRIVE WAS SCANNED
Malwarebytes' Anti-Malware 1.44
Database version: 3568
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

15/01/2010 15:04:28
mbam-log-2010-01-15 (15-03-48).txt

Scan type: Full Scan (F:\)
Objects scanned: 101555
Time elapsed: 17 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Adware.Ecobar) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zwunzi service (Adware.Zwunzi) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\SpeedBit Video Downloader\Toolbar\tbhelper.dll (Adware.Ecobar) -> No action taken.

===

The person in the Avira forum who answered me when I sent in the above log file said that I have nothing to worry about. Well, I think they may be wrong, because my computer is still infected: it won't show the volume control panel when I right-click on the loudspeaker icon in the systray. Is there a way to delete ALL the registry keys listed above, maybe one by one, and then, if the computer goes haywire, restore that specific registry key? I know how to run regedit and find and delete the keys. Or should I run the Malwarebytes program again and let Malwarebytes do this for me? How do I tell the Malwarebytes program to delete the infected registry keys from my computer?

Answer
In the Malwarebytes program, the opening screen is where you do your scans. When infected files are found, you will be prompted to click a "show results" button. In the window that opens will be a listing of the infections and the registry keys. You should make sure all these items are checked and then click "remove selected" or "fix selected", and it usually removes the entire problem.
Two things to keep in mind. Until you restart your machine, the problems may still persist. Another is that you may have to run Malwarebytes in safe mode.
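As an added example, not part of the original thread and not Malwarebytes' own code, here is a small Python parser for the Malwarebytes' Anti-Malware 1.x log format shown in the follow-up question. It pulls out every finding, notes which ones were only reported ("No action taken", i.e. the scan was run without "remove selected"), and labels each registry entry with the mechanism that loads it. That label is the practical point behind the first answer: a key under HKLM\System\CurrentControlSet\Services is what the Service Control Manager uses to start a service at boot, and CLSID/TypeLib/Interface keys under HKEY_CLASSES_ROOT are COM registrations that let any host load the DLL again, so deleting zwunzi.dll while those keys stay behind does not end the infection. The log text embedded in the script is a constructed subset of the log quoted above (same paths and GUIDs); the persistence labels are this example's own classification, not MBAM output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the MBAM 1.44 log lines quoted in the
# follow-up question, kept in the same "item (Family) -> action" shape.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Ecobar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zwunzi service (Adware.Zwunzi) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\SpeedBit Video Downloader\Toolbar\tbhelper.dll (Adware.Ecobar) -> No action taken.
"""

# Section headers look like "Registry Keys Infected:"; the summary block at the
# top of a real log ("Registry Keys Infected: 6") ends in a count and is skipped.
SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
# One finding per line: "<key or path> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Example's own mapping (an assumption, not MBAM data) from registry location to
# the loader that re-runs or re-loads the component after the file is deleted.
PERSISTENCE_RULES = [
    (r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\",
     "service (started by the Service Control Manager at boot)"),
    (r"\\(CLSID|TypeLib|Interface)\\\{",
     "COM registration (DLL loaded by whatever host instantiates the class)"),
    (r"urlsearchhook", "URL search hook (loaded into the browser)"),
    (r"\\CurrentVersion\\Run", "Run key autostart"),
]


@dataclass
class Finding:
    section: str      # e.g. "Registry Keys", "Files"
    item: str         # registry key path or file path as written in the log
    family: str       # detection name, e.g. "Adware.Zwunzi"
    action: str       # what MBAM did, e.g. "No action taken"
    persistence: str  # classification from PERSISTENCE_RULES


def classify(section, item):
    """Return the persistence label for one finding."""
    if section == "Files":
        return "file on disk"
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "other registry entry"


def parse_mbam_log(text):
    """Parse the log body into Finding records, ignoring empty sections."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            item, family, action = m.group("item"), m.group("family"), m.group("action")
            findings.append(Finding(section, item, family, action, classify(section, item)))
    return findings


def still_present(findings):
    """Findings MBAM only reported; without 'remove selected' they are all still on the box."""
    return [f for f in findings if f.action.lower().startswith("no action")]


def summarize(findings):
    """Count findings by (detection family, persistence mechanism)."""
    return Counter((f.family, f.persistence) for f in findings)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in still_present(found):
        print(f"{f.family:16} {f.persistence:60} {f.item}")
    print(summarize(found))
```

Run against a full log, the summary makes the two detections in the post easy to read: Adware.Ecobar is one DLL plus the COM and search-hook keys that point at it, while Adware.Zwunzi survives as a service key, which is why the same file came back after each delete at boot.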

Answers by Expert:

Keith Davis

Expertise

Advice on how to avoid viruses and spyware. Suggestions on what software to run to avoid viruses and spyware. Identification of spyware, trojans, or virus infections. Overall system security.

Experience

As a PC tech, identifying and removing many viruses and trojans from customers' PCs.

Education/Credentials
4 classes short of a Networking degree.

©2012 About.com, a part of The New York Times Company. All rights reserved.