Win32.Trojan.Spy.Agent.kb detected by ZoneAlarm Internet Security

[Densha188]

On one of my computers running WinXP Sp2 with Zone Alarm Internet Security
Suite Ver. 7.0.470.000 and ver. 7.0.473.000
Anti-virus engine version 3, DAT file version 9551551049
Anti-spyware engine version 5.0.189.0, DAT file version 01.200805.3945
AntiSpam version 5.0.6.8903

After doing a scan with ZA Anti-spyware, it detected
Win32.Trojan.Spy.Agent.kb as a medium level threat trojan. It detected in the
Windows Registry file.

RegistryKey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

After Quarantine and deleting it and doing another scan just to amke sure,
ZA reports no more trojan. But when I shutdown the computer and turn off the
power supply for a few minutes and then turn it back on. Rebooted the
computer and login in. I did another anti-spyware scan and it found that
trojan again in the registry. It seems to come back when it detects an
interent connection. Since I'm on a LAN and it's always connected to the net
via router.

So how do I fully get rid of that trojan. I already tried an older backup
image of WinXP I had made back in Dec.2007, but that didn't help. The only
other way I can think of is re-formate to entire computer.

Also do you guys think that my other files on the other drives maybe infected?

 

[David H. Lipman]

From: "Densha188" <Densha188@discussions.microsoft.com>

| On one of my computers running WinXP Sp2 with Zone Alarm Internet Security
| Suite Ver. 7.0.470.000 and ver. 7.0.473.000
| Anti-virus engine version 3, DAT file version 9551551049
| Anti-spyware engine version 5.0.189.0, DAT file version 01.200805.3945
| AntiSpam version 5.0.6.8903
|
| After doing a scan with ZA Anti-spyware, it detected
| Win32.Trojan.Spy.Agent.kb as a medium level threat trojan. It detected in the
| Windows Registry file.
|
| RegistryKey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
\0005
|
| After Quarantine and deleting it and doing another scan just to amke sure,
| ZA reports no more trojan. But when I shutdown the computer and turn off the
| power supply for a few minutes and then turn it back on. Rebooted the
| computer and login in. I did another anti-spyware scan and it found that
| trojan again in the registry. It seems to come back when it detects an
| interent connection. Since I'm on a LAN and it's always connected to the net
| via router.
|
| So how do I fully get rid of that trojan. I already tried an older backup
| image of WinXP I had made back in Dec.2007, but that didn't help. The only
| other way I can think of is re-formate to entire computer.
|
| Also do you guys think that my other files on the other drives maybe infected?

The below is incomplete..

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

There must be MORE to the malware infection. Either this is a False Positive or the ZA ant
malware utility is failing to detect the rest of this Trojan, Win32.Trojan.Spy.Agent.kb .

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[David Williams]

Problem with Win32.trojan.spy.agent.kb

I just googled the virus,was led to this page, am having the exact same problem.In CA Yahoo Anti-Spy,the virus is called Konvoy B,with absolutely no practical removal instructions that can be understood.Although it could just be my computer,many anti-malware sites and their forums are inaccessible,as well as Notepad.exe and msnmsgr.exe failing on activation,immediately.AntiSpywareMaster is advertised continuously while surfing FireFox,even when in Safe Mode.
I'll help in any ways I can,but please help me get this infection off of my computer.
Just as well,I am running a Vista with Zone Alarm Security Suite with all of the newest updates.

Again,I am posting only what I'm told by ZA.

 

[David H. Lipman]

Re: Problem with Win32.trojan.spy.agent.kb

From: <David Williams>

| I just googled the virus,was led to this page, am having the exact same problem.In CA
| Yahoo Anti-Spy,the virus is called Konvoy B,with absolutely no practical removal
| instructions that can be understood.Although it could just be my computer,many
| anti-malware sites and their forums are inaccessible,as well as Notepad.exe and
| msnmsgr.exe failing on activation,immediately.AntiSpywareMaster is advertised continuously
| while surfing FireFox,even when in Safe Mode. I'll help in any ways I can,but please help
| me get this infection off of my computer. Just as well,I am running a Vista with Zone
| Alarm Security Suite with all of the newest updates.
|
| Again,I am posting only what I'm told by ZA.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[smc]

David Williams3761921 Wrote:
> I just googled the virus,was led to this page, am having the exact same
> problem.In CA Yahoo Anti-Spy,the virus is called Konvoy B,with
> absolutely no practical removal instructions that can be
> understood.Although it could just be my computer,many anti-malware
> sites and their forums are inaccessible,as well as Notepad.exe and
> msnmsgr.exe failing on activation,immediately.AntiSpywareMaster is
> advertised continuously while surfing FireFox,even when in Safe Mode.
> I'll help in any ways I can,but please help me get this infection off
> of my computer.
> Just as well,I am running a Vista with Zone Alarm Security Suite with
> all of the newest updates.
>
> Again,I am posting only what I'm told by ZA.




[SMC - reply]
Win32.Trojan.Spy.Agent.kb has been an issue with my network. First
indications I had a problem was the inability to "send" email. Email
on two of the computers on the network is hosted on Comcast servers,
who finally killed my email port and my ability to send email due to
the massive amounts of email going through my system. It appears that
this virus opened the door for unsolicited email ("spam") to be sent
through one of the network computers. I've since re-directed email to
be sent through another port and email once again is functional.

Both computers are updated daily with the latest ZA virus definitions
and email is scanned inbound and outbound. After running a ZA Spyware
scan, Win32.Trojan.Spy.Agent.kb surfaced on one computer only, this
one running Outlook Express.

After quarantined in ZA the trojan re-surfaced during the next scan.
So far I've re-quarantined AND deleted both in quarantine. Another
scan after re-boot showed a clean computer, however I realize the
probability of this returning is still relatively high. -smc


--
smc
------------------------------------------------------------------------
smc's Profile: http://forums.techarena.in/member.php?userid=50407
View this thread: http://forums.techarena.in/showthread.php?t=974108

http://forums.techarena.in

 

[Curtisw]

Re: Win32.Trojan.Spy.Agent.kb detected by ZoneAlarm Internet Secur

I also was warned by ZASuite today about win32 spy agent.

Looking in the registry, this is "driver YMAX MagicJack USB Device" which is
my MagicJack internet phone. It has been installed since Christmas and works
fine. I don't know why ZASuite picked it up as a virus today. My computer
seems to be functioning normaly. I will watch my outgoing email activity.


"smc" wrote:

>
> David Williams3761921 Wrote:
> > I just googled the virus,was led to this page, am having the exact same
> > problem.In CA Yahoo Anti-Spy,the virus is called Konvoy B,with
> > absolutely no practical removal instructions that can be
> > understood.Although it could just be my computer,many anti-malware
> > sites and their forums are inaccessible,as well as Notepad.exe and
> > msnmsgr.exe failing on activation,immediately.AntiSpywareMaster is
> > advertised continuously while surfing FireFox,even when in Safe Mode.
> > I'll help in any ways I can,but please help me get this infection off
> > of my computer.
> > Just as well,I am running a Vista with Zone Alarm Security Suite with
> > all of the newest updates.
> >
> > Again,I am posting only what I'm told by ZA.
>
>
>
>
> [SMC - reply]
> Win32.Trojan.Spy.Agent.kb has been an issue with my network. First
> indications I had a problem was the inability to "send" email. Email
> on two of the computers on the network is hosted on Comcast servers,
> who finally killed my email port and my ability to send email due to
> the massive amounts of email going through my system. It appears that
> this virus opened the door for unsolicited email ("spam") to be sent
> through one of the network computers. I've since re-directed email to
> be sent through another port and email once again is functional.
>
> Both computers are updated daily with the latest ZA virus definitions
> and email is scanned inbound and outbound. After running a ZA Spyware
> scan, Win32.Trojan.Spy.Agent.kb surfaced on one computer only, this
> one running Outlook Express.
>
> After quarantined in ZA the trojan re-surfaced during the next scan.
> So far I've re-quarantined AND deleted both in quarantine. Another
> scan after re-boot showed a clean computer, however I realize the
> probability of this returning is still relatively high. -smc
>
>
> --
> smc
> ------------------------------------------------------------------------
> smc's Profile: http://forums.techarena.in/member.php?userid=50407
> View this thread: http://forums.techarena.in/showthread.php?t=974108
>
> http://forums.techarena.in
>
>

 

[John Doe]

Re: Win32.Trojan.Spy.Agent.kb detected by ZoneAlarm Internet Secur

get rid of ZA, it's clearly useless.

"Curtisw" <Curtisw@discussions.microsoft.com> wrote in message
news:F8E398E0-3D8B-49B5-A5F7-E6F770AD84B7@microsoft.com...
>I also was warned by ZASuite today about win32 spy agent.
>
> Looking in the registry, this is "driver YMAX MagicJack USB Device" which
> is
> my MagicJack internet phone. It has been installed since Christmas and
> works
> fine. I don't know why ZASuite picked it up as a virus today. My computer
> seems to be functioning normaly. I will watch my outgoing email activity.
>
>
> "smc" wrote:
>
>>
>> David Williams3761921 Wrote:
>> > I just googled the virus,was led to this page, am having the exact same
>> > problem.In CA Yahoo Anti-Spy,the virus is called Konvoy B,with
>> > absolutely no practical removal instructions that can be
>> > understood.Although it could just be my computer,many anti-malware
>> > sites and their forums are inaccessible,as well as Notepad.exe and
>> > msnmsgr.exe failing on activation,immediately.AntiSpywareMaster is
>> > advertised continuously while surfing FireFox,even when in Safe Mode.
>> > I'll help in any ways I can,but please help me get this infection off
>> > of my computer.
>> > Just as well,I am running a Vista with Zone Alarm Security Suite with
>> > all of the newest updates.
>> >
>> > Again,I am posting only what I'm told by ZA.
>>
>>
>>
>>
>> [SMC - reply]
>> Win32.Trojan.Spy.Agent.kb has been an issue with my network. First
>> indications I had a problem was the inability to "send" email. Email
>> on two of the computers on the network is hosted on Comcast servers,
>> who finally killed my email port and my ability to send email due to
>> the massive amounts of email going through my system. It appears that
>> this virus opened the door for unsolicited email ("spam") to be sent
>> through one of the network computers. I've since re-directed email to
>> be sent through another port and email once again is functional.
>>
>> Both computers are updated daily with the latest ZA virus definitions
>> and email is scanned inbound and outbound. After running a ZA Spyware
>> scan, Win32.Trojan.Spy.Agent.kb surfaced on one computer only, this
>> one running Outlook Express.
>>
>> After quarantined in ZA the trojan re-surfaced during the next scan.
>> So far I've re-quarantined AND deleted both in quarantine. Another
>> scan after re-boot showed a clean computer, however I realize the
>> probability of this returning is still relatively high. -smc
>>
>>
>> --
>> smc
>> ------------------------------------------------------------------------
>> smc's Profile: http://forums.techarena.in/member.php?userid=50407
>> View this thread: http://forums.techarena.in/showthread.php?t=974108
>>
>> http://forums.techarena.in
>>
>>