Computer Security & Viruses/How did the trojan download on my computer?

Question
Hello,

I have Avira AntiVir Personal free program version 9.0.0.418 with the latest version of Mozilla Firefox and Windows XP Professional, Service Pack 3. I have the Avira antivirus guard on all the time and it automatically downloads anti-virus updates quite often.

Some weeks ago, my computer became infected and still is infected by the TR.Dropper.gen trojan.

When I booted up my computer, an AntiVir Guard window came up and it said that it had detected a trojan called TR/Dropper.Gen in C:\Program Files\zwunzi\zwunzi.dll

It gave me choices as to what to do. I selected the DELETE option and clicked OK.

However when I booted the computer up again the following day, the same window came up. I selected the delete option once again.

I then performed the Avira scan and it listed 9 infected objects and most were named TR.Dropper.gen trojans. I told Avira to delete them but all to no avail. This trojan seems to be able to re-install itself even when deleted, which is something I cannot understand.

Unfortunately when I tried booting using the Avira rescueCD which a friend of mine burnt for me from his clean computer, it reported that there was not enough memory.

I am trying to understand HOW the TR.Dropper.gen trojan infected my computer. I would appreciate your help here very much. I will start from the beginning so that you will know what happened.

At around Christmas time, I clicked on a link in a webpage that I was visiting saying that you could have a free forecast for the year ahead by a medium called Tara. I gave my Hotmail email address because I thought Hotmail automatically scans for viruses. The email contained a CLICK HERE if I wanted to read my forecast. It indeed opened up a web page on my Firefox browser. But it is very likely this email was the culprit. For I received repeated similar emails from Tara and still do, even though I have repeatedly marked her emails as PHISHING SCAM in my Hotmail email browser. She is probably using a different email address each time.

When I clicked on the link in Tara’s email, it opened up a new window in Firefox showing Tara’s forecast. But it also could have automatically downloaded the trojan program. But if this happened, Avira Guard should have stopped the program.
So my guess is that just by OPENING Tara’s email, it somehow automatically downloaded the trojan program. Am I right? If not, can you tell me how the trojan infected my computer with Avira Guard on?
Thank you.

Answer
Hi Trigan,

Before removing a virus, disable System Restore; otherwise the threat will be back again when Windows is started. To disable System Restore, go to Start, Programs, Accessories, System Tools, System Restore, click Disable. Don't forget to enable System Restore once you know that the threat has been removed.

Hope this helps!
Lorry
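
An added example, not part of the original answer or the site: a small Python triage of scanner detections that separates copies sitting inside Windows XP System Restore snapshots, which are deleted when System Restore is turned off, from files in live locations such as the `zwunzi.dll` file in the question. Only the detection name and that one location come from the question; the other sample paths, the GUID and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Windows XP stores restore points under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_POINT = re.compile(
    r"^[a-z]:\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)

# Constructed sample detections (name, path). Only the detection name and the
# zwunzi.dll location come from the question; the GUID, RP numbers and the
# other file names are made up for illustration.
GUID = "{00000000-0000-0000-0000-000000000000}"
SAMPLE = [
    ("TR/Dropper.Gen", r"C:\Program Files\zwunzi\zwunzi.dll"),
    ("TR/Dropper.Gen", r"C:\System Volume Information\_restore" + GUID + r"\RP12\A0001234.dll"),
    ("TR/Dropper.Gen", r"C:\System Volume Information\_restore" + GUID + r"\RP13\A0001301.exe"),
    ("TR/Dropper.Gen", r"C:\WINDOWS\Temp\example.tmp"),
]

NEXT_STEP = {
    "restore_point": "copy inside a System Restore snapshot; removed when System Restore is turned off",
    "live": "file in a live location; delete or quarantine it with the scanner and rescan after reboot",
}

def classify(path):
    """Return 'restore_point' for snapshot copies, 'live' for everything else."""
    return "restore_point" if RESTORE_POINT.match(path.strip()) else "live"

def triage(detections):
    """Group (name, path) detections by where the file lives."""
    groups = defaultdict(list)
    for name, path in detections:
        groups[classify(path)].append((name, path))
    return dict(groups)

def report(detections):
    """Build one human-readable entry per detection, live files first."""
    return [f"{name}  {path}\n    -> {NEXT_STEP[kind]}"
            for kind, items in sorted(triage(detections).items())
            for name, path in items]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```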

Lorry

Expertise

I can answer most questions regarding viruses/Trojans and help to remove them.

Experience

This happens to be of interest to me as it boggles my mind that people have nothing better to do than to write a virus. Wish these people, the ones who write viruses, would put the knowledge to good use instead. My job as a local tech involves removing viruses and/or spyware.

©2012 About.com, a part of The New York Times Company. All rights reserved.