Help plz
Prime
April 27th, 2004, 01:28 AM
Found this whilst scanning using TDS, I'm trying to remove a worm on my system, agobot or something like that....
Any clues?
Scan Control Dumped @ 17:27:21 27-04-04
(Deleted) RegVal Trace: RAT.Jeemp: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [System Service=C:\WINDOWS\System32\msrexe.exe]
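The TDS line in Prime's dump is the classic Run-key persistence: a value under HKLM\...\CurrentVersion\Run pointing at a binary dropped into System32. As an added example, not from the thread or from DiamondCS, here is a PowerShell audit of the machine and user Run keys that lists each entry's target binary, whether it exists, and its Authenticode status (assumes Windows PowerShell 5.1 or later from an elevated prompt; the `Get-RunValueExecutable` helper is my own):

```powershell
# Added example (not from the thread): audit the Run keys named in the TDS dump.
# Assumes Windows PowerShell 5.1+ run elevated; uses only built-in cmdlets.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Helper (hypothetical name): pull the executable path out of Run value data such as
#   "C:\Program Files\App\app.exe" /silent   or   C:\WINDOWS\System32\msrexe.exe
function Get-RunValueExecutable([string]$data) {
    $d = $data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
        return $d.Trim('"')
    }
    # Unquoted: grow the candidate one token at a time until it names a real file,
    # so unquoted paths containing spaces are still resolved.
    $tokens = $d -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $exe    = Get-RunValueExecutable ([string]$p.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        # Anything whose file is missing or not validly signed goes on the review list;
        # a value like "System Service" pointing at an unsigned System32 file is exactly
        # the pattern in the dump above.
        $flag = if ((-not $exists) -or ("$sig" -ne 'Valid')) { 'REVIEW' } else { '' }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $p.Name
            Executable = $exe
            Exists     = $exists
            Signature  = "$sig"
            Flag       = $flag
        }
    }
}
```

Unsigned but legitimate startup entries will also be marked REVIEW; the list is a starting point for manual triage, not a verdict.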
FanJ
April 27th, 2004, 05:23 AM
Hi,
A little bit difficult to say when you don't give a bit more info on this "worm on my system agobot or something like that....".
I would send that file msrexe.exe (zipped) to support@diamondcs.com.au
(if you still have that file).
Then:
in TDS-3: right-click and choose Delete file, TDS will kill the program if it is running.
Then run HijackThis and post the log here.
FanJ
April 27th, 2004, 05:47 AM
BTW:
I see in your posting: RAT.Jeemp
After today having updated my Radius-file, I see three RAT.Jeemp's in the Primary-list of TDS-3:
RAT.Jeemp.a
RAT.Jeemp.b
RAT.Jeemp.c
I don't know whether they were just added by Gavin.
Nor do I know whether TDS-3 should have shown one of those variants in your scan-dump.
I hope that one of the DCS-guys could tell us a bit more about this ;)
rodsoto
April 27th, 2004, 09:02 AM
msrexe.exe also sounds like an older SubSeven filename... interesting
Jooske
April 27th, 2004, 12:20 PM
WinTasks Process Library:
msrexe - msrexe.exe - Process Information
Process File: msrexe or msrexe.exe
Process Name: Remote Access / Hacking tool / ICQ trojan
Description: Added to the system as a result of an ICQ Trojan that alters Win.ini and System.ini files and generates several .exe files with randomly chosen names.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A
nice guy but not really. Cleansed out already?
Robyn
April 27th, 2004, 12:30 PM
Regarding agobot, this is the description in AVG's virus encyclopedia
-{ Quote: "Worm/Agobot
The exact description is not available.
This type of virus spreads across local networks or through the internet via shared disks. The virus searches for computers in its "neighborhood" with shared network drives and then copies itself onto them.
For prevention as far as possible do not share whole disks, but only selected folders. It is also advisable to use passwords on shared folders.
We recommend you remove binding to "File and printer sharing" in Bindings Tab under TCP/IP Properties for all TCP/IP protocols (the TCP/IP protocol is usually defined for every LAN or Dial-Up adapter).
Peer-to-peer networks
Next most common method of spreading is by "peer-to-peer" networks (like KaZaA), the virus creates a few copies of itself in folders within the P2P shared system. If these files have got alluring names then there is a good chance somebody will download these files and execute them." }-
hardhead
April 27th, 2004, 03:04 PM
Hello Prime,
You can find removal instructions here (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html). TDS-3 will kill the process, however you will need to edit the registry, I do believe. Follow the directions in the link.
best regards,
hardyhar
FanJ
April 27th, 2004, 03:33 PM
-{ Quote: "Hello Prime,
TDS-3 will kill the process however you will need to edit the registry I do believe. " }-
Hi,
If you need to edit your registry, then TDS-3 isn't doing its job well...
Just my 2 cents ;)
Jooske
April 27th, 2004, 04:07 PM
Jan, I never had warnings to edit the registry, but remember TDS doesn't do anything automatically for you, it keeps you in the driver's seat and you decide what to delete or edit from the alarms you got.
This is why it is very important to know which infection we're dealing with and to check all steps if they are all done and checking the registry when no registry keys are indicated could be part of the process.
FanJ
April 27th, 2004, 04:22 PM
-{ Quote: "Jan, i never had warnings to edit the registry, but remember TDS doesn't do anything automatically for you, it keeps you in the driver's seat and you decide what to delete or edit from the alarms you got.
This is why it is very important to know which infection we're dealing with and to check all steps if they are all done and checking the registry when no registry keys are indicated could be part of the process." }-
Oops, sorry, Jooske !!!
You're so definitely right: "TDS doesn't do anything automatically for you, it keeps you in the driver's seat and you decide what to delete or edit from the alarms you got" !
Where are those karma cookies? I would have given you one right now!
Edit
Wait, here is one ;)
Jooske
April 27th, 2004, 04:24 PM
yummieeeeeeeeeee! thanks! that was a big one to share with all this thread posters!
Prime
April 27th, 2004, 05:25 PM
Thanks for all the help, I have all but eliminated this sucker, doing it as we speak.
Thanks all.
Jooske
April 28th, 2004, 02:00 AM
Prime, are you sure it's gone? System restore closed, reboot, scan again and no traces left?
Prime
April 28th, 2004, 05:34 AM
Yeah well, TDS doesn't show anything anymore so I assume it's gone. I also downloaded the free Symantec trial, which found some viruses that it got rid of also, so I'm hoping all's clean at the present time.
Jooske
April 29th, 2004, 01:38 AM
With that clean situation it's a good moment to enable system restore again and create a new system restore point manually so that's where you can go back to in future when needed.