got this trojan in a file called mscmsr.dll - don't know where it came from...

Posted by David De on March 6, 2008, 8:35 pm
I am sorry I don't know the name of the trojan, just the file it seems
to have infected. My anti-vir (AVIRA) software has detected it a few
times and I delete it, only to find it reoccurring again and again.

I am dealing with this issue of a trojan that my Anti-Vir software
continues to inform me about when I run any spyware programs like
Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems
to keep popping up. I think this is a new one because the google
search I did on it says 'March 04, 2008'...lucky me. So what do I do
about it? Right now I am running Anti-Vir full system check in Safe
mode - taking forever 2 hours already and only at 10% of an 80gig hard
drive. The file is located in the Windows/system32 folder.
Anybody else have this trojan? Any suggestions? I can't do a system
restore because I have been instead backing up my hard drive about
once a month (and it has been close to a month since the last backup,
so I would lose a month of work).

Posted by David H. Lipman on March 6, 2008, 8:43 pm

| I am sorry I don't know the name of the trojan, just the file it seems
| to have infected. My anti-vir (AVIRA) software has detected it a few
| times and I delete it, only to find it reoccurring again and again.
|
| I am dealing with this issue of a trojan that my Anti-Vir software
| continues to inform me about when I run any spyware programs like
| Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems
| to keep popping up. I think this is a new one because the google
| search I did on it says 'March 04, 2008'...lucky me. So what do I do
| about it? Right now I am running Anti-Vir full system check in Safe
| mode - taking forever 2 hours already and only at 10% of an 80gig hard
| drive. The file is located in the Windows/system32 folder.
| Anybody else have this trojan? Any suggestions? I can't do a system
| restore because I have been instead backing up my hard drive about
| once a month (and it has been close to a month since the last backup,
| so I would lose a month of work).

OK, now that you're here, we can discontinue the other thread.

Please check your Avira AntiVir logs. The name of the Trojan will be helpful.

Also you noted that you can delete the file but it keeps coming back. It obviously has a
peer file loaded and keeping the infection going.

However if you can delete the file, c:\Windows\system32\mscmsr.dll, please submit a sample
to Virus Total. You may have to disable AntiVir temporarily to submit the file.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by David De on March 7, 2008, 7:09 am
wrote:
>
> | I am sorry I don't know the name of the trojan, just the file it seems
> | to have infected. My anti-vir (AVIRA) software has detected it a few
> | times and I delete it, only to find it reoccurring again and again.
> |
> | I am dealing with this issue of a trojan that my Anti-Vir software
> | continues to inform me about when I run any spyware programs like
> | Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems
> | to keep popping up. I think this is a new one because the google
> | search I did on it says 'March 04, 2008'...lucky me. So what do I do
> | about it? Right now I am running Anti-Vir full system check in Safe
> | mode - taking forever 2 hours already and only at 10% of an 80gig hard
> | drive. The file is located in the Windows/system32 folder.
> | Anybody else have this trojan? Any suggestions? I can't do a system
> | restore because I have been instead backing up my hard drive about
> | once a month (and it has been close to a month since the last backup,
> | so I would lose a month of work).
>
> OK, now that you're here, we can discontinue the other thread.
>
> Please check your Avira AntiVir logs. The name of the Trojan will be helpful.
>
> Also you noted that you can delete the file but it keeps coming back. It obviously has a
> peer file loaded and keeping the infection going.
>
> However if you can delete the file, c:\Windows\system32\mscmsr.dll, please submit a sample
> to Virus Total. You may have to disable AntiVir temporarily to submit the file.
Alright, after 7 hours of Avira-Anti Vir, it looks like - TR/Dldr.Agent.kdt -
the anti virus program asked me what to do with this
trojan and I said delete it. I haven't had a chance to turn on the
computer since it found that one.
I am not sure where to get the log though, but I will look today.

>
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendor's scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:s...@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Posted by David H. Lipman on March 7, 2008, 6:20 pm


| Alright, after 7 hours of Avira-Anti Vir, it looks like - TR/Dldr.Agent.kdt -
| the anti virus program asked me what to do with this
| trojan and I said delete it. I haven't had a chance to turn on the
| computer since it found that one.
| I am not sure where to get the log though, but I will look today.
|

I could not find; TR/Dldr.Agent.kdt in the Avira library :-(


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by David De on March 8, 2008, 1:30 pm
Here is the log file :


AntiVir PersonalEdition Classic
Report file date: Thursday, March 06, 2008 19:09

Scanning for 1136109 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: Administrator
Computer name:

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/5/2007 19:47:45
AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/5/2007 19:47:45
LUKE.DLL : 7.0.5.3 147496 Bytes 9/5/2007 19:47:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 9/5/2007 19:47:47
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:32:52
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 04:49:39
ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 2/24/2008 04:15:23
ANTIVIR3.VDF : 7.0.2.245 216576 Bytes 3/6/2008 21:20:15
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/1/2008 14:53:51
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 9/5/2007 19:47:45
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 1/15/2008 22:19:46
AVREG.DLL : 7.0.1.6 30760 Bytes 9/5/2007 19:47:45
AVARKT.DLL : 1.0.0.20 278568 Bytes 9/5/2007 19:47:40
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/5/2007 19:47:43
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/5/2007 19:47:35
RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/5/2007 19:47:36
SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/5/2007 19:47:47

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: H:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, March 06, 2008 19:09

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
12 processes with 12 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'H:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SA7E9WEY\appD[1].cab
[0] Archive type: CAB (Microsoft)
--> inapp5.exe
[DETECTION] Is the Trojan horse TR/Agent.AHDK.1
[INFO] The file was deleted!
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\XPSAKWO4\appB[1].cab
[0] Archive type: CAB (Microsoft)
--> inapp4.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.Exo.2
[INFO] The file was deleted!
C:\WINDOWS\system32\mscmsr.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.kdt
[INFO] The file was deleted!
Begin scan in 'H:\' <Summers>
H:\backup of all C\Program Files\movie magic screenwriter\netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[INFO] The file was deleted!


End of the scan: Friday, March 07, 2008 01:57
Used time: 6:48:08 min

The scan has been canceled!

13718 Scanning directories
556411 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
4 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
556407 Files not concerned
5195 Archives were scanned
1 Warnings
89 Notes
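
An added example, not part of the thread: a small Python parser for the file-scan section of an AntiVir report like the one posted above. It ties each [DETECTION] line to its file and archive member and flags objects that sat in the Internet Explorer cache; the detection-name regex is an assumption based only on the names that appear in this log.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path member name action")

# Excerpt of the report posted above, with wrapped lines rejoined.
SAMPLE = r"""
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SA7E9WEY\appD[1].cab
[0] Archive type: CAB (Microsoft)
--> inapp5.exe
[DETECTION] Is the Trojan horse TR/Agent.AHDK.1
[INFO] The file was deleted!
C:\WINDOWS\system32\mscmsr.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.kdt
[INFO] The file was deleted!
H:\backup of all C\Program Files\movie magic screenwriter\netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[INFO] The file was deleted!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")           # a scanned object starts with a drive letter
NAME_RE = re.compile(r"\b[A-Z]{2,6}/[\w.\-]+")  # assumed name shape: TR/..., BDS/...

def parse_findings(report):
    """Return one Finding per [DETECTION] line, tied to the file it was reported for."""
    findings, path, member = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path, member = line, None           # new object: forget the previous archive member
        elif line.startswith("-->"):
            member = line[3:].strip()           # file found inside an archive
        elif line.startswith("[DETECTION]") and path:
            m = NAME_RE.search(line)
            findings.append(Finding(path, member, m.group(0) if m else None, None))
        elif line.startswith("[INFO]") and findings and findings[-1].action is None:
            findings[-1] = findings[-1]._replace(action=line[len("[INFO]"):].strip())
    return findings

def from_browser_cache(finding):
    """True when the object was in the Internet Explorer cache, i.e. it arrived as a download."""
    return "\\temporary internet files\\" in finding.path.lower()

if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        origin = "IE cache" if from_browser_cache(f) else "on disk"
        print(f"{f.name or '?':22} {origin:9} {f.path}" + (f" -> {f.member}" if f.member else ""))
```

Run over successive reports, the same list shows whether a path such as C:\WINDOWS\system32\mscmsr.dll is detected again after an earlier "The file was deleted!" entry.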




