
Trojan-Spy.Win32.Agent.azpj


2 replies to this topic

#1 jseevers (Members, 7 posts)

Posted 12 September 2009 - 12:07 PM

Hello,

My computer is apparently infected with Trojan-Spy.Win32.Agent.azpj. This seems to have a rootkit, as any anti-virus software that I try to run, in either safe mode or regular mode, will be disabled. I found Trojan-Spy.Win32.Agent.azpj by running an online scan from Kaspersky.

Below is the DDS log and Kaspersky scan:


DDS (Ver_09-07-30.01) - NTFSx86
Run by jseevers at 9:49:46.67 on Sat 09/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.238 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\jseevers\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-11 296976]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-8-15 88192]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-7-3 303376]

=============== Created Last 30 ================

2009-09-12 09:21 <DIR> a-dshr-- C:\cmdcons
2009-09-12 09:20 230,912 a------- c:\windows\PEV.exe
2009-09-12 09:20 161,792 a------- c:\windows\SWREG.exe
2009-09-12 09:20 98,816 a------- c:\windows\sed.exe
2009-09-11 23:04 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-09-11 23:01 107,547 a------- c:\windows\system32\drivers\klin.dat
2009-09-11 23:01 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-09-11 23:00 <DIR> --d----- c:\program files\Kaspersky Lab
2009-09-11 23:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-09-11 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-09-11 21:28 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-11 21:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-11 21:05 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-11 20:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-09-11 20:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-09-11 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-09-11 18:49 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-09-11 18:49 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-09-11 18:49 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-09-11 18:49 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-09-11 16:10 <DIR> --d----- C:\mfe
2009-09-11 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-09-11 16:00 <DIR> --d----- c:\program files\Citrix
2009-08-24 10:24 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-08-16 03:01 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-15 10:33 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-08-15 10:33 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-08-15 10:29 2,142,720 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-15 10:29 2,186,112 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-15 10:29 2,020,864 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-15 10:29 2,062,976 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-15 10:24 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-15 10:07 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-15 10:04 1,743 a--shr-- c:\windows\system32\drivers\103C_HP_NTBK_HP Compaq nc6220 (EA766UC#ABA)_YN_0U_QCNU5380J5S_EU_46_I308A_SHP_VKBC Version 40.20_B68DTU Ver. F.0C_T050722_WXH2_L409_M504_J60_7Intel_8Pentium M_91.86_#090815_N80864220_(EA766UC#ABA)_XMOBILE_CN10.MRK
2009-08-15 10:04 32,356 -------- c:\windows\system32\pusbfd1.sys
2009-08-15 10:04 26,629 -------- c:\windows\system32\pusbfd2.vxd
2009-08-15 09:55 199,040 a------- c:\windows\system32\drivers\SynTP.sys
2009-08-15 09:55 196,608 a------- c:\windows\system32\SynCtrl.dll
2009-08-15 09:55 163,840 a------- c:\windows\system32\SynCOM.dll
2009-08-15 09:55 143,360 a------- c:\windows\system32\SynTPAPI.dll
2009-08-15 09:55 110,592 a------- c:\windows\system32\SynTPCo4.dll
2009-08-15 09:55 <DIR> --d----- c:\program files\Synaptics
2009-08-15 09:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-08-15 09:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-15 09:54 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-08-15 09:54 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-08-15 09:54 1,419,232 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-08-15 09:54 16,768 a------- c:\windows\system32\drivers\HpqKbFiltr.sys
2009-08-15 09:54 1,560,576 a------- c:\windows\system32\BttnCmns_64.dll
2009-08-15 09:54 1,560,576 a------- c:\windows\system32\BttnCmns.dll
2009-08-15 09:54 987,136 a------- c:\windows\system32\BttnCmn.dll
2009-08-15 09:52 88,192 a------- c:\windows\system32\drivers\gtipci21.sys
2009-08-15 09:52 28,672 a------- c:\windows\cttib1.dll
2009-08-15 09:52 17,120 a------- c:\windows\system32\drivers\tiscfw.deb
2009-08-15 09:52 168,448 a------- c:\windows\system32\drivers\tifm21.sys
2009-08-15 09:51 <DIR> --d----- c:\program files\Texas Instruments Inc
2009-08-15 09:47 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-15 09:43 47,104 a------- c:\windows\system32\WACntlPnl.cpl
2009-08-15 09:43 <DIR> --d----- c:\program files\HPQ
2009-08-15 09:43 <DIR> --d----- c:\program files\Broadcom
2009-08-15 09:42 <DIR> --d----- c:\windows\Options
2009-08-15 09:39 2,732,032 a------- c:\windows\system32\Netw2r32.dll
2009-08-15 09:39 2,209,408 a------- c:\windows\system32\drivers\w29n51.sys
2009-08-15 09:39 557,056 a------- c:\windows\system32\Netw2c32.dll
2009-08-15 09:34 139,264 a------- c:\windows\system32\igfxres.dll
2009-08-15 09:24 <DIR> --d----- c:\program files\Analog Devices
2009-08-15 09:23 <DIR> --d----- C:\swsetup
2009-08-15 09:22 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-08-14 22:55 2,422 a------- c:\windows\system32\wpa.bak
2009-08-14 22:08 <DIR> --d----- c:\documents and settings\jseevers
2009-08-14 22:07 <DIR> --ds---- c:\windows\system32\Microsoft
2009-08-14 22:07 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-14 22:05 229,439 ac------ c:\windows\system32\dllcache\multibox.dll
2009-08-14 22:04 177,698 ac------ c:\windows\system32\dllcache\c_20949.nls
2009-08-14 22:03 23,392 a------- c:\windows\system32\nscompat.tlb
2009-08-14 22:03 16,832 a------- c:\windows\system32\amcompat.tlb
2009-08-14 22:03 316,640 a------- c:\windows\WMSysPr9.prx
2009-08-14 22:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-08-14 22:02 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-08-14 22:01 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-14 22:00 <DIR> --d----- c:\program files\Online Services
2009-08-14 22:00 <DIR> --d----- c:\program files\Messenger
2009-08-14 22:00 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-08-14 21:59 <DIR> --d----- c:\program files\Windows NT
2009-08-14 14:54 <DIR> --d----- c:\program files\common files\ODBC
2009-08-14 14:54 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-08-14 14:54 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-08-14 23:11 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-14 22:01 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 21:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
2009-06-29 09:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll

============= FINISH: 9:49:55.56 ===============


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 11, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 12, 2009 06:30:15
Records in database: 2782922
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 7181
Threats found: 1
Infected objects found: 32
Suspicious objects found: 0
Scan duration: 00:32:22


File name / Threat / Threats count
svchost.exe\993E0132.x86.dll/svchost.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 4
globalroot\Device\__max++>\993E0132.x86.dll/globalroot\Device\__max++>\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 16
spoolsv.exe\993E0132.x86.dll/spoolsv.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
McSACore.exe\993E0132.x86.dll/McSACore.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
McNASvc.exe\993E0132.x86.dll/McNASvc.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
MpfSrv.exe\993E0132.x86.dll/MpfSrv.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
alg.exe\993E0132.x86.dll/alg.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
iexplore.exe\993E0132.x86.dll/iexplore.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 2
mcsysmon.exe\993E0132.x86.dll/mcsysmon.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
msb.exe\993E0132.x86.dll/msb.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
jqs.exe\993E0132.x86.dll/jqs.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
a.exe\993E0132.x86.dll/a.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
java.exe\993E0132.x86.dll/java.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1

Scanning stopped by the user.
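A small parser for the Kaspersky Online Scanner report format quoted above (an added example, not code from the post or from Kaspersky) that groups detections by the injected module, sums the hit counts, and flags any "host" that is a device-object path under globalroot\Device rather than a process. The sample lines are constructed from the report's format; the module name 993E0132.x86.dll is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the report's line format:
# "<host>\<module>/<host>\<module> Infected: <threat> <count>"
SAMPLE_REPORT = r"""
File name / Threat / Threats count
svchost.exe\993E0132.x86.dll/svchost.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 4
globalroot\Device\__max++>\993E0132.x86.dll/globalroot\Device\__max++>\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 16
spoolsv.exe\993E0132.x86.dll/spoolsv.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 1
iexplore.exe\993E0132.x86.dll/iexplore.exe\993E0132.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 2
Scanning stopped by the user.
"""

# The path is printed twice separated by "/"; the backreference enforces that,
# so header, blank and summary lines fail to match and are skipped.
LINE_RE = re.compile(r"^(?P<path>.+?)/(?P=path) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return (host, module, threat, count) tuples for each detection line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, _, module = m.group("path").rpartition("\\")
        hits.append((host, module, m.group("threat"), int(m.group("count"))))
    return hits


def summarize(hits):
    """Group by injected module: total hits, hosting processes, device-object hosts.

    A host under globalroot\\Device\\ is a kernel device object, not a file on
    disk, which is why file-based cleanup and on-disk AV scans cannot reach it.
    """
    by_module = defaultdict(lambda: {"threat": None, "total": 0, "hosts": [], "device_hosts": []})
    for host, module, threat, count in hits:
        entry = by_module[module]
        entry["threat"] = threat
        entry["total"] += count
        entry["hosts"].append(host)
        if host.lower().startswith("globalroot\\device\\"):
            entry["device_hosts"].append(host)
    return dict(by_module)


if __name__ == "__main__":
    for module, info in summarize(parse_report(SAMPLE_REPORT)).items():
        print(module, info["threat"], info["total"], "hits in", len(info["hosts"]), "hosts;",
              "device-object hosts:", info["device_hosts"])
```

The same module appearing inside unrelated system processes (svchost, spoolsv, iexplore) indicates injection, and the device-object host shows the loader lives outside the filesystem, matching the poster's observation that on-disk AV kept getting disabled.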


#2 jseevers (Topic Starter, Members, 7 posts)

Posted 12 September 2009 - 02:31 PM

I have fixed this issue by running Combofix and Malwarebytes. I then reinstalled my virus software and it is working correctly.

#3 Guest_The weatherman_* (Guests)

Posted 14 September 2009 - 04:42 PM

Thank you for letting us know, jseevers. :(