Sophos

Troj/Agent-DSF

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 28 November 2006 11:52:25 (GMT)
Detected by: All Sophos products

More Information

Troj/Agent-DSF is a Trojan for the Windows platform.

Troj/Agent-DSF includes functionality to access the internet and communicate
with a remote server via HTTP.

When first run, Troj/Agent-DSF copies itself to <Windows>\scvhost.exe and
creates the file <Windows>\mswinsck.ocx.

The file mswinsck.ocx is clean and can be deleted.

The following registry entries are created to run scvhost.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B1B5B0BF-A20B-A600-E040-F0F90BCC201C}
StubPath
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
Windows Update
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
msconfig
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
icq lite
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
Update Checker
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
AntiVir
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
(default)
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
icq lite
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Update Checker
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AntiVir
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows Update
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
msconfig
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
icq lite
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Update Checker
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
AntiVir
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(default)
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Windows Update
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
msconfig
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
icq lite
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Update Checker
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
AntiVir
<Windows>\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
(default)
<Windows>\scvhost.exe

The following registry entry is changed to run scvhost.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe scvhost.exe

(The default value for this registry entry is "Explorer.exe", which causes the
Microsoft file <Windows>\Explorer.exe to be run on startup.)

The file mswinsck.ocx is registered as a COM object, creating registry entries
under:

HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock.1\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

The following registry entries are set, disabling the registry editor (regedit)
and the Windows task manager (taskmgr):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
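The following Python script is an added example and is not part of the Sophos analysis. It reads a registry export in .reg text format and applies three checks drawn from the behaviour described above: an autostart value (Run, RunOnce, RunOnceEx, RunServices, Active Setup StubPath, or the HKCU Windows\run value) that launches scvhost.exe (a name chosen to resemble the legitimate svchost.exe), a Winlogon Shell value that is no longer plain "Explorer.exe", and DisableTaskMgr or DisableRegistryTools set to 1. The embedded export is constructed sample data: C:\WINDOWS stands in for the <Windows> placeholder, the "ctfmon" entry is a benign-looking value added so the rules have something to ignore, and only the Active Setup GUID comes from the analysis. The parser handles quoted string and dword values only, which is all these indicators need.

```python
"""Audit a Windows registry export (.reg text) for the Troj/Agent-DSF
persistence and policy indicators listed in the Sophos analysis."""
import re
from typing import List, Tuple, Union

# Constructed .reg-style export modelled on the entries in the analysis.
# "C:\WINDOWS" stands in for the <Windows> placeholder; "ctfmon" is a
# benign-looking entry added so the rules have something to ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\scvhost.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B1B5B0BF-A20B-A600-E040-F0F90BCC201C}]
"StubPath"="C:\\WINDOWS\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

Entry = Tuple[str, str, Union[str, int]]


def _decode_data(raw: str) -> Union[str, int]:
    """Decode a .reg value: quoted strings and dword: values; anything else is left raw."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> List[Entry]:
    """Return (key, value name, data) triples; the default value is named '(default)'."""
    entries: List[Entry] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else '(default)'
            entries.append((key, name, _decode_data(m.group(3))))
    return entries


# Autostart locations named in the analysis (lower-cased substrings of the key path).
AUTOSTART_MARKERS = (
    r'\currentversion\run',                 # Run, RunOnce, RunOnceEx, RunServices
    r'\active setup\installed components',  # StubPath under a component GUID
    r'\windows nt\currentversion\windows',  # the HKCU "run" value
)
POLICY_VALUES = ('disabletaskmgr', 'disableregistrytools')


def audit(entries: List[Entry]) -> List[dict]:
    """Flag the three behaviours described: autostart of scvhost.exe, a modified
    Winlogon Shell, and the policy values that disable regedit and taskmgr."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        text = data.lower() if isinstance(data, str) else ''
        if k.endswith(r'\winlogon') and n == 'shell':
            if text.strip() != 'explorer.exe':  # the documented default
                findings.append({'rule': 'winlogon_shell', 'key': key, 'name': name, 'data': data})
        elif k.endswith(r'\policies\system') and n in POLICY_VALUES:
            if data == 1:
                findings.append({'rule': 'policy', 'key': key, 'name': name, 'data': data})
        elif 'scvhost.exe' in text and any(m in k for m in AUTOSTART_MARKERS):
            findings.append({'rule': 'autostart', 'key': key, 'name': name, 'data': data})
    return findings


if __name__ == '__main__':
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"[{f['rule']}] {f['key']}\\{f['name']} = {f['data']!r}")
```

Run against the sample export it reports three autostart hits, the altered Winlogon Shell and both policy values. To use it on a real machine, export the relevant hives with reg.exe (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and pass the file contents to parse_reg; note that reg.exe writes UTF-16 files, so open them with that encoding.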
