AVIRA's TR/Dldr.Agen.126976

Discussion in 'malware problems & news' started by Osaban, Oct 24, 2007.

Thread Status:
Not open for further replies.
  1. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Hi there,

    I installed Avira on my son's computer, and it detects the trojan TR/Dldr.Agen.126976. An alert comes up with several options (deny access, delete, write to quarantine etc.).

    I've tried every option and the alert keeps coming back. I've tried to scan in safe mode to no avail. It looks like it is unable to clean it or delete it. I've also scanned with Nod32 online scanner, and it reports no infections.

    Anybody with ideas on how to get rid of it?

    Thanks in advance.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Try Dr. Web's online scanner.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Thanks. I'll let you know if it works.
     
  4. xandros

    xandros Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    411

    Turn off System Restore and restart your PC, then go to Safe Mode and run a scan, then delete the virus.

    good luck
     
  5. ASpace

    ASpace Guest

    @Osaban


    Send the file to VirusTotal and see what other vendors have to say about that file.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    He said he tried Safe Mode. ;)
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    May be a rootkit.

    You can download SuperAntiSpyware and AVG Anti-Spyware free, update them, and run a scan in Safe Mode.

    I would suggest using VT and a couple of anti-rootkit tools (RKU and IceSword). If you are not able to copy the malware's exe, you can use IceSword's file explorer to do it, very handy!
     
    Last edited: Oct 24, 2007
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Avira does really well with rootkits. I have seen several times that Avira, Eset and others, the so-called great detectors, are not able to clean. And that is where Dr. Web and KAV excel.
     
  9. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    934
    Keygen
     
  10. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Thanks everybody for your help.
    @C.S.J.
    Unfortunately 'Dr.Web's CureIt' doesn't download on my computer or my son's computer; an error window comes up (using Opera and IE).

    @ Aigle
    SuperAntiSpyware and AVG Anti-Spyware detect nothing (Avira keeps flagging SuperAntiSpyware as spyware; the ignore option allows a proper scan).

    I haven't tried IceSword and RKU yet; what is VT?

    @ HiTech Boy
    I am just unable to isolate the file, and the number in the detection name changes: today it became TR/Dldr.Agen.192512 (instead of 126976).

    @ Waters

    I don't know what you mean by 'Keygen', googling it sends me to warez sites...

    @ trjam
    Today the whole thing disappeared, and on Avira's quarantine window there's a long list of trojans and malware caught heuristically... I'm beginning to suspect false positives, as no other application so far has detected anything. I'm writing from my computer, I'll see if I can upload a screenshot from my son's computer.
     
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    A screenshot
     

    Attached Files:

  13. ASpace

    ASpace Guest

    Why don't you post on a HijackThis forum such as Aumha.org (http://forum.aumha.org)? It seems there is something that may need further analysis; you know that HJT logs and other malware instructions are not allowed here at Wilders :thumb:
     
  14. Leo2005

    Leo2005 Registered Member

    Joined:
    May 31, 2007
    Posts:
    179
    Location:
    Braunschweig (Germany)
    These heuristic warnings should be sent to Avira: heuristik2(at)avira.com
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Restore some of them to a folder of your choice and upload them to VT (VirusTotal).
    SAS labelled by AntiVir as malware: very fishy, there may be a very nasty infection on your system that has modified other executables.
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    You could also post in Avira's forum, since it is an Avira detection. Also, as suggested, restore those files flagged as HEUR\Malware to a folder (on your desktop, for example) and send them archived with the password "infected" to heuristik2@avira.com (to restore them, select each file in Quarantine and choose "Restore to...").

    I haven't read everything, but did you run a BitDefender online scan?

    P.S. I have SuperAntiSpyware installed on my computer together with Avira and it is not detected as malware. Your SAS may be modified and really infected. ;)
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Osaban, can you run Autoruns from Sysinternals? Run it, press Escape to stop. Then go to Options and check "Verify code signatures" and "Hide Microsoft entries", then press F5 to rerun the scan. Allow outbound access if Autoruns or services.exe asks for it. Then save the report (File > Save As) and upload it here as a txt file.
     
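    The workflow the last few posts describe (restore the quarantined files, run Autoruns with "Verify code signatures" and "Hide Microsoft entries", then check the leftovers on VirusTotal) can be done on the saved report rather than by eye. The script below is an added example written for this thread; it is not code from the original posts, from Sysinternals or from Avira. It assumes the column names of a modern `autorunsc -c -v -h` CSV export (Entry Location, Entry, Signer, Company, Image Path, SHA-256; real exports carry more columns), and the CSV text and hashes in it are constructed for illustration. It drops entries whose signer is verified Microsoft, as the Autoruns option does, flags anything unsigned or unverified, and singles out the classic tell of a binary that claims a Microsoft name without a signature that verifies. Hashes are turned into VirusTotal lookup links, so nothing has to be uploaded unless the hash is unknown.

    ```python
    """Triage an Autoruns CSV export the way the "Verify code signatures" +
    "Hide Microsoft entries" view does, and list what is left for a VT check.

    Added example for this thread, not code from the original post, from
    Sysinternals or from Avira. Column names are ASSUMED from a modern
    `autorunsc -c -v -h` export; the sample CSV and hashes are constructed.
    """
    import csv
    import io
    from dataclasses import dataclass
    from typing import List, Optional

    # Public VirusTotal file page, keyed by SHA-256 (lookup by hash, no upload).
    VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"

    # Constructed sample (reduced column set, fake hashes).
    SAMPLE_CSV = r'''"Entry Location","Entry","Enabled","Category","Signer","Company","Image Path","SHA-256"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit","userinit.exe","enabled","Logon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\userinit.exe","0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUPERAntiSpyware","enabled","Logon","(Verified) SUPERAntiSpyware.com","SUPERAntiSpyware.com","c:\program files\superantispyware\superantispyware.exe","fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","svchost","enabled","Logon","(Not verified) Microsoft Corporation","Microsoft Corporation","c:\documents and settings\user\application data\svchost.exe","00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff"
    "HKLM\System\CurrentControlSet\Services","wdmaud2","enabled","Services","","","c:\windows\system32\wdmaud2.sys","1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    '''


    @dataclass(frozen=True)
    class Finding:
        entry: str
        image_path: str
        signer: str
        sha256: str
        reason: str


    def parse_autoruns_csv(text: str) -> List[dict]:
        """Read the export into one dict per autostart entry."""
        return list(csv.DictReader(io.StringIO(text)))


    def is_verified_microsoft(signer: str) -> bool:
        # Autoruns prefixes a signer whose Authenticode signature checked out
        # with "(Verified)"; failures show "(Not verified)", unsigned is blank.
        return signer.startswith("(Verified)") and "microsoft" in signer.lower()


    def classify(row: dict) -> Optional[str]:
        """None means 'hide it' (verified Microsoft); otherwise why it stays."""
        signer = row.get("Signer", "").strip()
        company = row.get("Company", "").strip()
        if is_verified_microsoft(signer):
            return None
        if signer.startswith("(Not verified)") or not signer:
            # A Microsoft name on a file whose signature does not verify is
            # the classic impersonation / tampered-binary tell.
            if "microsoft" in (signer + " " + company).lower():
                return "claims Microsoft but signature not verified"
            return "unsigned or unverified"
        return "third-party signed (review, but signature verified)"


    def triage(text: str) -> List[Finding]:
        findings = []
        for row in parse_autoruns_csv(text):
            reason = classify(row)
            if reason is None:
                continue
            findings.append(Finding(entry=row["Entry"], image_path=row["Image Path"],
                                    signer=row["Signer"], sha256=row["SHA-256"].lower(),
                                    reason=reason))
        return findings


    def vt_lookup_url(sha256: str) -> str:
        """Hash lookup link; upload the sample only if VT has never seen it."""
        return VT_FILE_URL.format(sha256=sha256.lower())


    if __name__ == "__main__":
        for f in triage(SAMPLE_CSV):
            print(f"{f.reason:50} {f.entry:18} {f.image_path}")
            print(f"    {vt_lookup_url(f.sha256)}")
    ```

    On the constructed sample this leaves three of four entries: the SUPERAntiSpyware binary stays visible but with a verified third-party signature, which is what one would expect if the file had not been modified (a tampered copy would fall into the unsigned bucket, matching the "your SAS may be modified" worry above); the svchost copy under a user profile is flagged for claiming Microsoft without a verifiable signature; the blank-signer driver is simply unsigned. Run it against a real export by reading the file with the encoding Autoruns wrote it in, and look the hashes up before uploading anything, since a quarantined file that VirusTotal already knows needs no upload at all.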
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Thanks I've just done it, let's see what they say.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Thank you for showing the exact procedure to send malware to Avira, I have no experience as my computer has never been infected...
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Aigle, this is what I'm going to do next, and as soon as I have some kind of results I'll post them.

    This is all new to me as my computer never had such problems, it sort of shows that here at Wilders we are not so paranoid after all.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Also "Autoruns", Osaban!
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I'm beginning to think that a reformat of my son's computer might be the quickest way to solve this problem. Time is too valuable, I really appreciate your suggestions. Thanks
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You are right. From the screenshot I guess these can't be false positives.
    I will highly recommend a re-format. But if possible it's best to grab some copies of this nasty just to see what it is.

    Also I wonder what the source of it is and why AntiVir did not detect it on its very first arrival.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    The other odd thing is that his system has always been running in protected mode with Returnil (passworded, so he could not disable it). So either this malware sneaked through the sandbox or it must have been dormant for some reason before the installation of Returnil.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That is too strange. I am very interested in uploading some of these to VirusTotal. Please just get this info before a format.
     