Help plz

Discussion in 'Trojan Defence Suite' started by Prime, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. Prime

    Prime Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    3
    Found this whilst scanning using TDS, I'm trying to remove a worm on my system, agobot or something like that....

    Any clues?


    Scan Control Dumped @ 17:27:21 27-04-04
    (Deleted) RegVal Trace: RAT.Jeemp: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [System Service=C:\WINDOWS\System32\msrexe.exe]
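Added example (not from the thread or from DiamondCS): a small Python parser for the TDS scan-dump lines quoted above, assuming they follow the two-line "Trace:" / "File:" shape shown, which pulls out the registry location and the program path so both the Run-key value and the file can be re-checked after the reboot scan. The second sample trace is constructed to show the autorun filter.

```python
import re
from dataclasses import dataclass
# Constructed sample: the trace lines quoted in the first post plus one
# hypothetical non-autorun trace in the same shape (name/key invented).
SAMPLE_DUMP = r"""
Scan Control Dumped @ 17:27:21 27-04-04
(Deleted) RegVal Trace: RAT.Jeemp: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [System Service=C:\WINDOWS\System32\msrexe.exe]
(Deleted) RegVal Trace: Example.Hypothetical: HKEY_CURRENT_USER
File: Software\ExampleApp\Settings [LastPath=C:\Temp\example.exe]
"""

# "(action) kind Trace: detection-name: hive", then "File: key-path [value=data]"
HEADER_RE = re.compile(
    r"^\((?P<action>[^)]+)\)\s+(?P<kind>\w+)\s+Trace:\s+(?P<name>[^:]+):\s+(?P<hive>HKEY_[A-Z_]+)$")
FILE_RE = re.compile(r"^File:\s+(?P<key>[^\[]+?)\s*\[(?P<value>[^=\]]+)=(?P<data>[^\]]*)\]$")
# Registry keys whose values are executed at logon (persistence locations).
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

@dataclass
class RegTrace:
    action: str   # what TDS did with the value, e.g. "Deleted"
    kind: str     # trace type, e.g. "RegVal"
    name: str     # detection name, e.g. "RAT.Jeemp"
    hive: str
    key: str
    value: str
    data: str     # value data: here the program started at logon

    @property
    def full_key(self) -> str:
        return f"{self.hive}\\{self.key}"

    @property
    def is_autorun(self) -> bool:
        return self.key.lower().endswith(AUTORUN_KEYS)

def parse_dump(text: str) -> list[RegTrace]:
    """Pair each trace header line with the 'File:' line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    traces = []
    for cur, nxt in zip(lines, lines[1:]):
        h, f = HEADER_RE.match(cur), FILE_RE.match(nxt)
        if h and f:
            traces.append(RegTrace(**h.groupdict(), **f.groupdict()))
    return traces

def followup_checks(traces: list[RegTrace]) -> list[tuple[str, str]]:
    """(registry value, program path) pairs to re-verify after a reboot scan."""
    return [(f"{t.full_key}\\{t.value}", t.data) for t in traces if t.is_autorun]
```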
     
  2. FanJ

    FanJ Guest

    Hi,

    A little bit difficult to say when you don't give a bit more info on this "worm on my system agobot or something like that....".

    I would send that file msrexe.exe (zipped) to support@diamondcs.com.au
    (if you still have that file).

    Then:
    in TDS-3: right-click and choose Delete file; TDS will kill the program if it is running.

    Then run HijackThis and post the log here.
     
    Last edited by a moderator: Apr 27, 2004
  3. FanJ

    FanJ Guest

    BTW:

    I see in your posting: RAT.Jeemp

    After today having updated my Radius-file, I see three RAT.Jeemp's in the Primary-list of TDS-3:

    RAT.Jeemp.a
    RAT.Jeemp.b
    RAT.Jeemp.c

    I don't know whether they were just added by Gavin.
    Nor do I know whether TDS-3 should have shown one of those variants in your scan-dump.
    I hope that one of the DCS-guys could tell us a bit more about this ;)
     
  4. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    msrexe.exe Also sounds like an older subseven filename...interesting
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    WinTasks Process Library:
    msrexe - msrexe.exe - Process Information
    Process File: msrexe or msrexe.exe
    Process Name: Remote Access / Hacking tool / ICQ trojan
    Description: Added to the system as a result of an ICQ Trojan that alters Win.ini and System.ini files and generates several .exe files with randomly chosen names.
    Company: N/A
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A


    nice guy but not really. Cleansed out already?
     
  6. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Regarding agobot, this is the description in AVG's virus encyclopedia

     
  7. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Hello Prime,

    You can find removal instructions here. TDS-3 will kill the process; however, you will need to edit the registry, I do believe. Follow the directions in the link.

    best regards,
    hardyhar
     
  8. FanJ

    FanJ Guest

    Hi,

    If you need to edit your registry, then TDS-3 isn't doing its job well...

    Just my 2 cents ;)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Jan, i never had warnings to edit the registry, but remember TDS doesn't do anything automatically for you, it keeps you in the driver's seat and you decide what to delete or edit from the alarms you got.
    This is why it is very important to know which infection we're dealing with and to check all steps if they are all done and checking the registry when no registry keys are indicated could be part of the process.
     
  10. FanJ

    FanJ Guest

    Oops, sorry, Jooske !!!

    You're so definitely right: "TDS doesn't do anything automatically for you, it keeps you in the driver's seat and you decide what to delete or edit from the alarms you got" !

    Where are those karma cookies? I would have given you one right now!


    Edit
    Wait, here is one ;)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    yummieeeeeeeeeee! thanks! that was a big one to share with all this thread posters!
     
  12. Prime

    Prime Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    3
    Thanks for all the help, I have all but eliminated this sucker, doing it as we speak.

    Thanks all.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Prime, are you sure it's gone? System restore closed, reboot, scan again and no traces left?
     
  14. Prime

    Prime Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    3
    Yeah, well, TDS doesn't show anything anymore so I assume it's gone. I also downloaded the free Symantec trial, which found some viruses that it got rid of also, so I'm hoping all's clean at the present time.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    With that clean situation it's a good moment to enable system restore again and create a new system restore point manually so that's where you can go back to in future when needed.
     