TR/agent.72967 please help

linni
Posts: 1,480 Forumite


Avira found this yesterday and I 'performed the selection action' but it is still coming up again, when I ran Avira again this morning. Would a techie please tell me how to get rid of it?
I've removed the Hijackthis log:
Comments
Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_ma..._anti_malware/ Click
Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated, go to SCANNER and click PERFORM FULL SCAN, then click SCAN.
Post the COMPLETE log here AFTER you've deleted everything it finds.
linni
Is TR/agent.72967 the correct name as it doesn't seem to be in Avira's definition files?
I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:
This is the description that Avira gives:
DETECTION: Is the TR/Agent.72967 Trojan
Virus: Worm/Zimuse.A
Date discovered: 25/01/2010
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low to medium
Damage Potential: Medium to high
Static file: No
IVDF version: 7.10.03.65 - Mon, 25 Jan 2010 12:29 (GMT+1)
General Method of propagation:
• Autorun feature
Aliases:
• Symantec: W32.Zimuse
• Kaspersky: Virus.Win32.Mseus.a
• F-Secure: Dropped:Worm.Zimus.A
• Sophos: W32/Mseus-A
• VirusBuster: Worm.Mseus.A
• Eset: Win32/Zimuse.B
• Bitdefender: Worm.Zimuse.A
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Registry modification
Right after execution it runs a windows application which will display the following window:
[Image: screenshot of the window, not preserved]
Files
It copies itself to the following location:
• %SYSDIR%\tokset.dll
It deletes the following files:
• C:\NTDETECT.COM
• C:\NTLDR
• C:\BOOTMGR
• C:\HYBERFILE.SYS
• C:\BOOT.INI
The following files are created:
– Non malicious file:
• c:\IQTEST\Iqtest.exe
– c:\IQTEST\Readme.txt This is a non malicious text file with the following content:
• Iqtest is configured. To start of IQ test, run IQTEST.EXE in this folder.
– %drive%\ainf.inf This is a non malicious text file with the following content:
• [autorun]
shellexecute=zipsetup.exe /H
– %WINDIR%\system32\DRIVERS\Mstart.sys Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.4
– %SYSDIR%\DRIVERS\Mseu.sys Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.1
– %SYSDIR%\msues.exe Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.2
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Dump="%PROGRAM FILES%\Dump\Dump.exe"
– [HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\MSTART]
• EventMessageFile=%SystemRoot%\System32\Drivers\MSTART.SYS;%WINDIR%\MSTART.SYS
• TypesSupported=dword:7
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PE Compact
See a brief description here.
Description inserted by Thomas Wegele on Tue, 26 Jan 2010 14:41 (GMT+1)
Description updated by Thomas Wegele on Tue, 26 Jan 2010 15:23 (GMT+1)
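A read-only check for the file artifacts listed in the Avira description quoted above, added here as an example; it is not part of anyone's post and not Avira's tooling. Treating %SYSDIR% as `<windir>\System32`, also looking at `autorun.inf`, and the XP subset of boot files are assumptions of this example; the registry keys are not checked.

```python
import os
import re

# File artifacts from the Avira description above; %SYSDIR% is assumed to be
# <windir>/System32, which is where the write-up's explicit paths point.
DROPPED = [("System32", "tokset.dll"), ("System32", "DRIVERS", "Mstart.sys"),
           ("System32", "DRIVERS", "Mseu.sys"), ("System32", "msues.exe")]
DRIVE_MARKERS = [("IQTEST", "Iqtest.exe"), ("IQTEST", "Readme.txt")]
INF_NAMES = ["ainf.inf", "autorun.inf"]   # autorun.inf added as an assumption
XP_BOOT_FILES = ["NTDETECT.COM", "NTLDR", "BOOT.INI"]  # XP subset of the deleted list

def autorun_commands(inf_path):
    """Return the commands an .inf file's [autorun] section would launch."""
    cmds, in_section = [], False
    with open(inf_path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
            elif in_section:
                m = re.match(r"(open|shellexecute)\s*=\s*(.+)", line, re.I)
                if m:
                    cmds.append(m.group(2).strip())
    return cmds

def sweep(drive_root, windir):
    """Check one drive root and Windows directory; return findings as a dict."""
    found = {"dropped": [], "markers": [], "autorun": {}, "missing_boot": []}
    for parts in DROPPED:
        path = os.path.join(windir, *parts)
        if os.path.isfile(path):
            found["dropped"].append(path)
    for parts in DRIVE_MARKERS:
        path = os.path.join(drive_root, *parts)
        if os.path.isfile(path):
            found["markers"].append(path)
    for name in INF_NAMES:
        path = os.path.join(drive_root, name)
        if os.path.isfile(path) and autorun_commands(path):
            found["autorun"][path] = autorun_commands(path)
    for name in XP_BOOT_FILES:
        if not os.path.isfile(os.path.join(drive_root, name)):
            found["missing_boot"].append(name)
    return found

if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    for key, value in sweep("C:\\", windir).items():
        print(key, "->", value or "nothing found")
```

An empty result for every key means none of the listed files are present, which would fit a detection name that does not match this write-up.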
Can you post the Avira report file?
I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:
Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 3
11/27/2008 13:25:33
mbam-log-2008-11-27 (13-25-33).txt
Scan type: Full Scan (C:\|)
Objects scanned: 150505
Time elapsed: 1 hour(s), 59 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
It doesn't find anything because it's years old.
Open Malwarebytes and UPDATE it (may need to update it 2 or even 3 times).
Currently on version 1.44 and database version 3640+
Then run another FULL scan.
OK:
I've removed the long logs.
OK - I update it regularly, I wonder why it's not updating it properly? I will do it again and again to see what happens. Edited - Malwarebytes says - Current version: 1/27/2010. Database Version: 3645 and Fingerprints: 183032 on the update page when I click on it.
Then download it fresh from here ~
(Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
It says error occurred while trying to replace the existing file and is denying me access. DeleteFile failed. Code 5. Access is denied. When I click retry it still won't do it. Should I uninstall Malwarebytes altogether and start again? Ignore this, it was because I had MB open... Am going to run the scan now.
This discussion has been closed.