
TR/agent.72967 please help

linni
linni Posts: 1,480 Forumite
Part of the Furniture 1,000 Posts Photogenic Combo Breaker
edited 28 January 2010 at 5:06PM in Techie Stuff
Avira found this yesterday and I 'performed the selection action' but it is still coming up again, when I ran Avira again this morning. Would a techie please tell me how to get rid of it?

I've removed the Hijackthis log:

Comments

  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 27 January 2010 at 12:07PM
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_ma..._anti_malware/


    Open Malwarebytes, go to UPDATE and click 'Check for updates'. After it's updated, go to SCANNER, click PERFORM FULL SCAN, then click SCAN.
    Post the COMPLETE log here AFTER you've deleted everything it finds.
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    linni

    Is TR/agent.72967 the correct name as it doesn't seem to be in Avira's definition files?
  • linni
    linni Posts: 1,480 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    edited 28 January 2010 at 4:06PM
    I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:

    This is the description that Avira gives:

    DETECTION: Is the TR/Agent.72967 Trojan


    Virus: Worm/Zimuse.A
    Date discovered: 25/01/2010
    Type: Worm
    In the wild: Yes
    Reported Infections: Medium
    Distribution Potential: Low to medium
    Damage Potential: Medium to high
    Static file: No
    IVDF version: 7.10.03.65 - Mon, 25 Jan 2010 12:29 (GMT+1)

    General Method of propagation:
    • Autorun feature


    Aliases:
    • Symantec: W32.Zimuse
    • Kaspersky: Virus.Win32.Mseus.a
    • F-Secure: Dropped:Worm.Zimus.A
    • Sophos: W32/Mseus-A
    • VirusBuster: Worm.Mseus.A
    • Eset: Win32/Zimuse.B
    • Bitdefender: Worm.Zimuse.A


    Platforms / OS:
    • Windows 2000
    • Windows XP
    • Windows 2003


    Side effects:
    • Drops malicious files
    • Registry modification


    Right after execution it runs a Windows application which will display a window (screenshot not reproduced here).

    Files
    It copies itself to the following location:
    %SYSDIR%\tokset.dll



    It deletes the following files:
    • C:\NTDETECT.COM
    • C:\NTLDR
    • C:\BOOTMGR
    • C:\HYBERFILE.SYS
    • C:\BOOT.INI



    The following files are created:

    – Non malicious file:
    • c:\IQTEST\Iqtest.exe

    – c:\IQTEST\Readme.txt
    This is a non malicious text file with the following content:
    • Iqtest is configured. To start of IQ test, run IQTEST.EXE in this folder.

    – %drive%\ainf.inf
    This is a non malicious text file with the following content:
    • [autorun]
      shellexecute=zipsetup.exe /H

    – %WINDIR%\system32\DRIVERS\Mstart.sys
    Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.4

    – %SYSDIR%\DRIVERS\Mseu.sys
    Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.1

    – %SYSDIR%\msues.exe
    Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.2

    Registry
    The following registry keys are added in order to run the processes after reboot:

    – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • Dump="%PROGRAM FILES%\Dump\Dump.exe"

    – [HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\MSTART]
    • EventMessageFile=%SystemRoot%\System32\Drivers\MSTART.SYS;%WINDIR%\MSTART.SYS
    • TypesSupported=dword:7

    File details
    Programming language:
    The malware program was written in MS Visual C++.


    Runtime packer:
    In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
    • PE Compact


    See a brief description here.

    Description inserted by Thomas Wegele on Tue, 26 Jan 2010 14:41 (GMT+1)
    Description updated by Thomas Wegele on Tue, 26 Jan 2010 15:23 (GMT+1)
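    As an added, read-only triage script (not from this thread or from Avira), the following checks a Windows machine for the files and registry values listed in the description above. It assumes PowerShell is installed (it is not present by default on Windows XP) and an elevated shell so that HKLM and the system directory are readable; it only reports and removes nothing.

```powershell
# Added example: report-only check for the Worm/Zimuse.A indicators quoted
# from the Avira description. Assumes PowerShell and an elevated shell.
$sysDir = Join-Path $env:SystemRoot 'system32'
$dropped = @(
    (Join-Path $sysDir 'tokset.dll'),
    (Join-Path $sysDir 'msues.exe'),
    (Join-Path $sysDir 'DRIVERS\Mstart.sys'),
    (Join-Path $sysDir 'DRIVERS\Mseu.sys'),
    (Join-Path $env:SystemRoot 'MSTART.SYS'),
    (Join-Path $env:ProgramFiles 'Dump\Dump.exe')
)
$findings = @()

foreach ($f in $dropped) {
    if (Test-Path -Path $f) { $findings += "present: $f" }
}

# The description says the worm deletes the boot loader files. On XP/2003
# (NTLDR-based boot) their absence is a symptom; Vista+ uses BOOTMGR instead,
# so only flag if neither loader is present.
if (-not ((Test-Path 'C:\NTLDR') -or (Test-Path 'C:\BOOTMGR'))) {
    $findings += 'MISSING: neither C:\NTLDR nor C:\BOOTMGR exists'
}
foreach ($f in @('C:\NTDETECT.COM', 'C:\BOOT.INI')) {
    if ((Test-Path 'C:\NTLDR') -and -not (Test-Path $f)) {
        $findings += "MISSING boot file: $f"
    }
}

# Run key value "Dump" pointing at Dump.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dump = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).Dump
if ($dump) { $findings += "Run value Dump = $dump" }

# Eventlog source MSTART; Avira lists ControlSet001, CurrentControlSet is
# checked as well since it normally aliases the active control set.
foreach ($cs in @('ControlSet001', 'CurrentControlSet')) {
    $evtKey = "HKLM:\SYSTEM\$cs\Services\Eventlog\System\MSTART"
    if (Test-Path $evtKey) {
        $msg = (Get-ItemProperty -Path $evtKey).EventMessageFile
        $findings += "Eventlog source MSTART in $cs, EventMessageFile = $msg"
    }
}

# The autorun stub is written to the root of each drive.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'ainf.inf'
    if (Test-Path -Path $inf) { $findings += "autorun stub: $inf" }
}

if ($findings.Count -eq 0) { 'No Zimuse indicators found.' } else { $findings }
```

A hit on any of these lines is a reason to run a current, fully updated scanner and to keep the MSTART driver entries for a follow-up check, not a confirmation on its own.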
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    Can you post the Avira report file?
  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Try this, though I've never used it myself.

    http://www.zimuse.com/how-to-remove-zimuse.php
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    linni wrote: »
    I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1428
    Windows 5.1.2600 Service Pack 3
    11/27/2008 13:25:33
    mbam-log-2008-11-27 (13-25-33).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 150505
    Time elapsed: 1 hour(s), 59 minute(s), 7 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

    It doesn't find anything because it's years old.
    Open Malwarebytes and UPDATE it (you may need to update it 2 or even 3 times).
    It's currently on version 1.44 and database version 3640+.

    Then run another FULL scan
  • linni
    linni Posts: 1,480 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    edited 28 January 2010 at 4:02PM
    OK:

    I've removed the long logs.
  • linni
    linni Posts: 1,480 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    edited 27 January 2010 at 2:33PM
    OK - I update it regularly, I wonder why it's not updating it properly? I will do it again and again to see what happens. Edited - Malwarebytes says - Current version: 1/27/2010. Database Version: 3645 and Fingerprints: 183032 on the update page when I click on it.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Then download it fresh from here ~
    (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
  • linni
    linni Posts: 1,480 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    edited 27 January 2010 at 2:41PM
    It says an error occurred while trying to replace the existing file and is denying me access: "DeleteFile failed. Code 5. Access is denied." When I click retry it still won't do it. Should I uninstall Malwarebytes altogether and start again? Ignore this, it was because I had MB open... I'm going to run the scan now.
This discussion has been closed.