Sophos

Troj/Agent-ENG

Aliases
  • Win32/Spy.Agent.QL
  • Trojan-Spy.Win32.Agent.ql

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from May 2007 (4.17)
Protection available since 4 April 2007 06:16:58 (GMT)
Detected by All Sophos products

More Information

Troj/Agent-ENG is a Trojan for the Windows platform.

When first run, Troj/Agent-ENG copies itself to <System>\qttask.exe and creates the following files:

<System>\odbcct32.dll - detected as Troj/Agent-ENG
<System>\mpd.dll - detected as Troj/Agent-ENG
<System>\perfc053.dat - detected as Troj/Agent-ENG
<System>\perfh062.dat - detected as Troj/Agent-EJW

Troj/Agent-ENG also creates the following non-malicious files:

<System>\AcroIEObject.dll
<System>\drivers\npf.sys
<Windows>\~ipcfg211
<Windows>\~res416
<Windows>\~start127
<Windows>\~tmp312
<Windows>\~view441
<Windows>\kb899583.log

The file <System>\AcroIEObject.dll creates registry entries under:

HKCR\AcroIEObject.AcroIEObj.1\
HKCR\AcroIEObject.AcroIEObj\
HKCR\AppID\AcroIEObject.DLL\

The following registry entry is created to run qttask.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime
<System>\qttask.exe

The following registry entries are created to run code exported by odbcct32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv
DLLName
odbcct32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv
Impersonate
0
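As an added defender-side example (not Sophos's code), the check below parses a constructed .reg export and flags the two persistence entries described above: a Run value named QuickTime that points at qttask.exe inside the system directory, and a Winlogon Notify package named termserv whose DLLName is odbcct32.dll. The sample export, the key constants and the "\system32\" path test are assumptions, not taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not from the advisory): one benign Run value plus
# the two persistence entries the description lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime"="C:\\WINDOWS\\system32\\qttask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv]
"DLLName"="odbcct32.dll"
"Impersonate"=dword:00000000
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped,
    other types (dword, hex) are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_persistence(text: str) -> List[Tuple[str, str]]:
    """Return (location, data) pairs matching the advisory's persistence entries."""
    hits: List[Tuple[str, str]] = []
    keys = parse_reg(text)
    for name, data in keys.get(RUN_KEY, {}).items():
        path = data.lower()
        # Assumption: the Trojan's copy lives in the system directory, which is
        # what separates it from a vendor QuickTime entry under Program Files.
        if path.endswith("qttask.exe") and "\\system32\\" in path:
            hits.append(("Run\\" + name, data))
    dll = keys.get(NOTIFY_KEY, {}).get("DLLName", "")
    if dll.lower() == "odbcct32.dll":
        hits.append(("Winlogon\\Notify\\termserv\\DLLName", dll))
    return hits
```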

The non-malicious file npf.sys is registered as a new system driver service named "NPF", with a display name of "Netgroup Packet Filter". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NPF\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\

The non-malicious file nm.sys is registered as a new system driver service named "NM", with a display name of "Network Monitor Driver". Registry entries are created under:

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM\

Additional registry entries may also be created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FTPDefault\
