got this trojan in a file called mscmsr.dll - don't know where itcame from...

March 7, 2008

I am sorry I don't know the name of the trojan, just the file it seems

to have infected. My anti-vir (AVIRA) software has detected it a few

times and I delete it, only to find it reoccuring again and again.

I am dealing with this issue of a trojan that my Anti-Vir software

continues to inform me about when I run any spyware programs like

Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems

to keep popping up. I think this is a new one because the google

search I did on it says 'March 04, 2008'...lucky me. So what do I do

about it? Right now I am running Anti-Vir full system check in Safe

mode - taking forever 2 hours already and only at 10% of a 80gig hard

drive. The files is located in the Windows/system32 folder.

Anybody else have this trojan? Any suggestions? I can't do a system

restore because I have been instead backing up my hard drive about

once a month (and it has been close to a month since the last backup,

so I would lose a month of work).

March 7, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

From: "David De" <daviddelaneyfilmdirector@gmail.com>

| I am sorry I don't know the name of the trojan, just the file it seems

| to have infected. My anti-vir (AVIRA) software has detected it a few

| times and I delete it, only to find it reoccuring again and again.

|

| I am dealing with this issue of a trojan that my Anti-Vir software

| continues to inform me about when I run any spyware programs like

| Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems

| to keep popping up. I think this is a new one because the google

| search I did on it says 'March 04, 2008'...lucky me. So what do I do

| about it? Right now I am running Anti-Vir full system check in Safe

| mode - taking forever 2 hours already and only at 10% of a 80gig hard

| drive. The files is located in the Windows/system32 folder.

| Anybody else have this trojan? Any suggestions? I can't do a system

| restore because I have been instead backing up my hard drive about

| once a month (and it has been close to a month since the last backup,

| so I would lose a month of work).

OK, now that your here, we can discontine the other thread.

Please check your Avira AntiVir logs. The name of the Trojan will be helpful.

Also you noted that you can delete the file but it keeps coming back. It obviously has a

peer file loaded and keeping the infection going.

However if you can delete the file, c:\Windows\system32\mscmsr.dll, please submit a sample

to Virus Total. You may have to disable AntiVir temporarily to submit the file.

http://www.virustotal.com/flash/index_en.html

The submission will then be tested against many different AV vendor's scanners.

That will give you an idea what it is and who recognizes it. In addition, unless told

otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...

mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

March 7, 2008

On Mar 6, 8:43 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>

wrote:

> From: "David De" <daviddelaneyfilmdirec...@gmail.com>

>

> | I am sorry I don't know the name of the trojan, just the file it seems

> | to have infected. My anti-vir (AVIRA) software has detected it a few

> | times and I delete it, only to find it reoccuring again and again.

> |

> | I am dealing with this issue of a trojan that my Anti-Vir software

> | continues to inform me about when I run any spyware programs like

> | Lavasoft or Spybot. I delete the file with the Anti-Vir, but it seems

> | to keep popping up. I think this is a new one because the google

> | search I did on it says 'March 04, 2008'...lucky me. So what do I do

> | about it? Right now I am running Anti-Vir full system check in Safe

> | mode - taking forever 2 hours already and only at 10% of a 80gig hard

> | drive. The files is located in the Windows/system32 folder.

> | Anybody else have this trojan? Any suggestions? I can't do a system

> | restore because I have been instead backing up my hard drive about

> | once a month (and it has been close to a month since the last backup,

> | so I would lose a month of work).

>

> OK, now that your here, we can discontine the other thread.

>

> Please check your Avira AntiVir logs. The name of the Trojan will be helpful.

>

> Also you noted that you can delete the file but it keeps coming back. It obviously has a

> peer file loaded and keeping the infection going.

>

> However if you can delete the file, c:Windowssystem32mscmsr.dll, please submit a sample

> to Virus Total. You may have to disable AntiVir temporarily to submit the file.

Alright, after 7 hours of Avira-Anti Vir, it looks like - TR/

Dldr.Agent.kdt - the anti virus program asked me what to do with this

trojan and I said delete it. I haven't had a chance to turn on the

computer since it found that one.

I am not sure where to get the log though, but I will look today.

>

> http://www.virustotal.com/flash/index_en.html

> The submission will then be tested against many different AV vendor's scanners.

> That will give you an idea what it is and who recognizes it. In addition, unless told

> otherwise, Virus Total will provide the sample to all participating vendors.

>

> You can also submit a suspect, one at a time, via the following email URL...

> mailto:s...@virustotal.com?subject=SCAN

>

> When you get the report, please post back the exact results.

>

> --

> Davehttp://www.claymania.com/removal-trojan-adware.html

> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

March 7, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

From: "David De" <daviddelaneyfilmdirector@gmail.com>

| Alright, after 7 hours of Avira-Anti Vir, it looks like - TR/

| Dldr.Agent.kdt - the anti virus program asked me what to do with this

| trojan and I said delete it. I haven't had a chance to turn on the

| computer since it found that one.

| I am not sure where to get the log though, but I will look today.

|

I could not find; TR/Dldr.Agent.kdt in the Avira library :-(

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

March 8, 2008

Here is the log file :

AntiVir PersonalEdition Classic

Report file date: Thursday, March 06, 2008 19:09

Scanning for 1136109 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 1) [5.1.2600]

Username: Administrator

Computer name:

Version information:

BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/5/2007 19:47:45

AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/5/2007 19:47:45

LUKE.DLL : 7.0.5.3 147496 Bytes 9/5/2007 19:47:47

LUKERES.DLL : 7.0.6.1 10280 Bytes 9/5/2007 19:47:47

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:32:52

ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 04:49:39

ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 2/24/2008 04:15:23

ANTIVIR3.VDF : 7.0.2.245 216576 Bytes 3/6/2008 21:20:15

AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/1/2008 14:53:51

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 9/5/2007 19:47:45

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24

AVPACK32.DLL : 7.6.0.3 360488 Bytes 1/15/2008 22:19:46

AVREG.DLL : 7.0.1.6 30760 Bytes 9/5/2007 19:47:45

AVARKT.DLL : 1.0.0.20 278568 Bytes 9/5/2007 19:47:40

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/5/2007 19:47:43

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/5/2007 19:47:35

RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/5/2007 19:47:36

SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/5/2007 19:47:47

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\antivir

personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: H:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Thursday, March 06, 2008 19:09

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

12 processes with 12 modules were scanned

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'H:\'

[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '34' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\David\Local Settings\Temporary Internet Files

\Content.IE5\SA7E9WEY\appD[1].cab

[0] Archive type: CAB (Microsoft)

--> inapp5.exe

[DETECTION] Is the Trojan horse TR/Agent.AHDK.1

[iNFO] The file was deleted!

C:\Documents and Settings\David\Local Settings\Temporary Internet Files

\Content.IE5\XPSAKWO4\appB[1].cab

[0] Archive type: CAB (Microsoft)

--> inapp4.exe

[DETECTION] Is the Trojan horse TR/Drop.Agent.Exo.2

[iNFO] The file was deleted!

C:\WINDOWS\system32\mscmsr.dll

[DETECTION] Is the Trojan horse TR/Dldr.Agent.kdt

[iNFO] The file was deleted!

Begin scan in 'H:\' <Summers>

H:\backup of all C\Program Files\movie magic screenwriter\netpub.exe

[DETECTION] Contains a detection pattern of the (dangerous)

backdoor program BDS/Hupigon.Gen Backdoor server programs

[iNFO] The file was deleted!

End of the scan: Friday, March 07, 2008 01:57

Used time: 6:48:08 min

The scan has been canceled!

13718 Scanning directories

556411 Files were scanned

4 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

4 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

556407 Files not concerned

5195 Archives were scanned

1 Warnings

89 Notes

March 8, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

From: "David De" <daviddelaneyfilmdirector@gmail.com>

| Here is the log file :

|

| C:\Documents and Settings\David\Local Settings\Temporary Internet Files

| \Content.IE5\SA7E9WEY\appD[1].cab

| [0] Archive type: CAB (Microsoft)

| --> inapp5.exe

| [DETECTION] Is the Trojan horse TR/Agent.AHDK.1

| C:\Documents and Settings\David\Local Settings\Temporary Internet Files

| \Content.IE5\XPSAKWO4\appB[1].cab

| [0] Archive type: CAB (Microsoft)

| --> inapp4.exe

| [DETECTION] Is the Trojan horse TR/Drop.Agent.Exo.2

| [iNFO] The file was deleted!

| C:\WINDOWS\system32\mscmsr.dll

| [DETECTION] Is the Trojan horse TR/Dldr.Agent.kdt

| [iNFO] The file was deleted!

| Begin scan in 'H:\' <Summers>

| H:\backup of all C\Program Files\movie magic screenwriter\netpub.exe

| [DETECTION] Contains a detection pattern of the (dangerous)

| backdoor program BDS/Hupigon.Gen Backdoor server programs

| [iNFO] The file was deleted!

|

Have Dave:

Besides the Trojans, you have BDS/Hupigon.Gen (assuming it isn't a False Positive).

Not Good :-(

Download and execute HiJack This! (HJT)

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

Create a HJT log file and post it in one of the below locations...

Include the Avira log you provided.

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:

http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:

http://www.bleepingcomputer.com/forums/forum22.html

http://castlecops.com/forum67.html

Suggested tertiary:

http://www.dslreports.com/forum/cleanup

http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

http://www.atribune.org/forums/index.php?showforum=9

http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html

http://gladiator-antivirus.com/forum/index.php?showforum=170

http://forum.networktechs.com/forumdisplay.php?f=130

http://forums.maddoktor2.com/index.php?showforum=17

http://www.spywarewarrior.com/viewforum.php?f=5

http://forums.spywareinfo.com/index.php?showforum=18

http://forums.techguy.org/f54-s.html

http://forums.tomcoyote.org/index.php?showforum=27

http://forums.subratam.org/index.php?showforum=7

http://www.5starsupport.com/ipboard/index.php?showforum=18

http://www.malwarebytes.org/forums/index.php?showforum=7

http://makephpbb.com/phpbb/viewforum.php?f=2

http://forums.techguy.org/54-security/

http://forums.security-central.us/forumdisplay.php?f=13

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

March 8, 2008

> Have Dave:

>

> Besides the Trojans, you have BDS/Hupigon.Gen (assuming it isn't a False Positive).

>

> Not Good :-(

>

> Download and execute HiJack This! (HJT)http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

Tried to download, but when running, I get this error "The NTVDM CPU

has encountered an Illegal Instruction. CS0dd5 IP:0255 OP:65 63 75 72

65 Choose Close to terminate the application. I will have to try in

SAFE mode to see what happens.

>

> Create a HJT log file and post it in one of the below locations...

> Include the Avira log you provided.

>

> { Please - Do NOT post the HJT Log here ! }

>

> Forums where you can get expert advice for HiJack This! (HJT) logs.

>

> NOTE: Registration is REQUIRED in any of the below before posting a log

>

> Suggested primary:http://www.thespykiller.co.uk/index.php?board=3.0

For this board, where do I post the hijack log?

>

> Suggested secondary:http://www.bleepingcomputer.com/forums/for...om/forum67.html

>

> Suggested tertiary:http://www.dslreports.com/forum/cleanuphtt...isplay.php?f=13

>

> --

> Davehttp://www.claymania.com/removal-trojan-adware.html

> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

March 8, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

David De wrote:

> For this board, where do I post the hijack log?

You don't. David was very clear and I'll repeat it: do not post HijackThis

logs to the Microsoft public newsgroups. It takes a great deal of time and

expertise to analyze HJT logs and there are privacy issues. Instead, choose

one of the specialty forums listed below, register, read their posting FAQ,

and post your HJT log there. Not here.

http://aumha.org/downloads/hijackthis.zip

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn

http://www.bleepingcomputer.com/forums/ind...showtutorial=42 - another

tutorial

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and

the stickies first .

http://www.atribune.org/forums/index.php?showforum=9

http://aumha.net/viewforum.php?f=30

http://www.bleepingcomputer.com/forums/forum22.html

http://castlecops.com/forum67.html

http://www.dslreports.com/forum/cleanup

http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html

http://gladiator-antivirus.com/forum/index.php?showforum=170

http://spywarewarrior.com/viewforum.php?f=5

Malke

--

MS-MVP

Elephant Boy Computers

www.elephantboycomputers.com

Don't Panic!

March 8, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

Privacy issue's? Not true.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads

The list grows. Leythos the stalker http://www.leythosthestalker.com, David

H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.

Shagnasty,Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell

"Malke" <malke@invalid.invalid> wrote in message

news:OdX5B6VgIHA.4684@TK2MSFTNGP06.phx.gbl...

> David De wrote:

>

>> For this board, where do I post the hijack log?

>

> You don't. David was very clear and I'll repeat it: do not post HijackThis

> logs to the Microsoft public newsgroups. It takes a great deal of time and

> expertise to analyze HJT logs and there are privacy issues. Instead,

> choose

> one of the specialty forums listed below, register, read their posting

> FAQ,

> and post your HJT log there. Not here.

>

> http://aumha.org/downloads/hijackthis.zip

> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn

> http://www.bleepingcomputer.com/forums/ind...showtutorial=42 - another

> tutorial

> http://aumha.net/ - Click on the HijackThis forum. Read the announcement

> and

> the stickies first .

> http://www.atribune.org/forums/index.php?showforum=9

> http://aumha.net/viewforum.php?f=30

> http://www.bleepingcomputer.com/forums/forum22.html

> http://castlecops.com/forum67.html

> http://www.dslreports.com/forum/cleanup

> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

> http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html

> http://gladiator-antivirus.com/forum/index.php?showforum=170

> http://spywarewarrior.com/viewforum.php?f=5

>

> Malke

> --

> MS-MVP

> Elephant Boy Computers

> www.elephantboycomputers.com

> Don't Panic!

March 8, 2008

> > David De wrote:

>

> >> For this board, where do I post the hijack log?

I meant the spykiller group, not this one - I should have been

clearer.

After posting there, I have done the combofix and updated the log file

for HJT on there - just waiting for a response

http://thespykiller.co.uk/index.php?topic=6134.0

I am not sure if the combofix gets rid of the virus or not, or is it

just a diagnostic tool?

>

> > You don't. David was very clear and I'll repeat it: do not post HijackThis

> > logs to the Microsoft public newsgroups. It takes a great deal of time and

> > expertise to analyze HJT logs and there are privacy issues. Instead,

> > choose

> > one of the specialty forums listed below, register, read their posting

> > FAQ,

> > and post your HJT log there. Not here.

>

March 8, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

From: "David De" <daviddelaneyfilmdirector@gmail.com>

|

| I meant the spykiller group, not this one - I should have been

| clearer.

|

| After posting there, I have done the combofix and updated the log file

| for HJT on there - just waiting for a response

| http://thespykiller.co.uk/index.php?topic=6134.0

| I am not sure if the combofix gets rid of the virus or not, or is it

| just a diagnostic tool?

|

You are in good hands with Derek. I sent him a Personal Message thanking him for assisting

you.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

March 9, 2008

Very kind of you. Thanks for the followup.

> |

>

> You are in good hands with Derek. I sent him a Personal Message thanking him for assisting

> you.

>

> --

> Davehttp://www.claymania.com/removal-trojan-adware.html

> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

March 9, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where it came from...

From: "David De" <daviddelaneyfilmdirector@gmail.com>

| Very kind of you. Thanks for the followup.

No problem.

I also sent you an email. Would you be so kind as to check your GMail account.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

March 10, 2008

Re: got this trojan in a file called mscmsr.dll - don't know where

I use Norton 360. It cost but is well worth it. They will help you rid you

computer of a virus.

"David H. Lipman" wrote:

> From: "David De" <daviddelaneyfilmdirector@gmail.com>