TR/agent.72967 please help

linni

Avira found this yesterday and I 'performed the selection action' but it is still coming up again, when I ran Avira again this morning. Would a techie please tell me how to get rid of it?

I've removed the Hijackthis log:

dogmaryxx

Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_ma..._anti_malware/ Click


Open malwarebytes and goto UPDATE and click 'check for updates'. After its updated goto SCANNER and click PERFORM FULL SCAN then click SCAN
Post the COMPLETE log here AFTER youve deleted everything it finds

fiddiwebb

linni

Is TR/agent.72967 the correct name as it doesn't seem to be in Avira's definition files?

linni

I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:

This is the description that Avira gives:

DETECTION: Is the TR/Agent.72967 Trojan


Virus:
Worm/Zimuse.A
Date discovered:
25/01/2010
Type:
Worm
In the wild:
Yes
Reported Infections:
Medium
Distribution Potential:
Low to medium
Damage Potential:
Medium to high
Static file:
No
IVDF version:
7.10.03.65 - Mon, 25 Jan 2010 12:29 (GMT+1)

General Method of propagation:
• Autorun feature


Aliases:
• Symantec: W32.Zimuse
• Kaspersky: Virus.Win32.Mseus.a
• F-Secure: Dropped:Worm.Zimus.A
• Sophos: W32/Mseus-A
• VirusBuster: Worm.Mseus.A
• Eset: Win32/Zimuse.B
• Bitdefender: Worm.Zimuse.A


Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003


Side effects:
• Drops malicious files
• Registry modification


Right after execution it runs a windows application which will display the following window:
[IMG]file:///C:/DOCUME~1/mum/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.png[/IMG]

Files It copies itself to the following location:
• %SYSDIR%\tokset.dll



It deletes the following files:
• C:\NTDETECT.COM
• C:\NTLDR
• C:\BOOTMGR
• C:\HYBERFILE.SYS
• C:\BOOT.INI



The following files are created:

– Non malicious file:
• c:\IQTEST\Iqtest.exe

– c:\IQTEST\Readme.txt This is a non malicious text file with the following content:
• Iqtest is configured. To start of IQ test, run IQTEST.EXE in this folder.

– %drive%\ainf.inf This is a non malicious text file with the following content:
• [autorun]
shellexecute=zipsetup.exe /H

– %WINDIR%\system32 \DRIVERS\Mstart.sys Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.4

– %SYSDIR%\DRIVERS\Mseu.sys Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.1

– %SYSDIR%\msues.exe Further investigation pointed out that this file is malware, too. Detected as: Worm/Zimuse.A.2

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Dump="%PROGRAM FILES%\Dump\Dump.exe"

– [HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\MSTART]
• EventMessageFile=%SystemRoot%\System32\Drivers\MSTART.SYS;%WINDIR%\MSTART.SYS
• TypesSupported=dword:7

File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PE Compact


See a brief description here.

Description inserted by Thomas Wegele on Tue, 26 Jan 2010 14:41 (GMT+1)
Description updated by Thomas Wegele on Tue, 26 Jan 2010 15:23 (GMT+1)

fiddiwebb

Can you post th Avira report file.

dogmaryxx

Try this though never used myself

http://www.zimuse.com/how-to-remove-zimuse.php

aliEnRIK

linni wrote: »

I updated and ran Malwarebytes and it doesn't find anything. It only appears on Avira:

Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 3
11/27/2008 13:25:33
mbam-log-2008-11-27 (13-25-33).txt
Scan type: Full Scan (C:\|)
Objects scanned: 150505
Time elapsed: 1 hour(s), 59 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

It doesnt find anything because its years old
Open malwarebytes and UPDATE it (may need to update it 2 or even 3 times)
Currently on version 1.44 and database version 3640+

Then run another FULL scan

linni

OK:

I've removed the long logs.

linni

OK - I update it regularly, I wonder why it's not updating it properly? I will do it again and again to see what happens. Edited - Malwarebytes says - Current version: 1/27/2010. Database Version: 3645 and Fingerprints: 183032 on the update page when I click on it.

aliEnRIK

Then download it fresh from here ~
(Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/

linni

It says error occurred while trying to replace the existing file and is denying me access. DeleteFile failed. Code 5. Access is denied. When I click retry it still wont do it. Should I uninstall Malwarebytes altogether and start again? Ignore this, It was because I had MB open... Am going to run the scan now.