Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | September 2005 (3.97) |
| Protection available since | 13 July 2005 09:42:07 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxspy-A is a backdoor Trojan for the Windows platform.
When Troj/Haxspy-A is installed the following files are created:
<System>\HPCHuninstaller.exe
<System>\chgsprt.sys
<System>\chrr2.ini
<System>\idchr2.dat
<System>\mspdnx.dll
The file chgsprt.sys is detected as Troj/Haxdor-Gen, and is used to hide Troj/Haxspy-A on an infected system.
chrr2.ini and idchr2.dat are data files and can be safely deleted.
The following registry entry is created to run code exported by the Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
eplrr9
(DEB86EBB-7184-46B6-A85C-ABD9F6E25067)
The file chgsprt.sys is registered as a new system driver service named "chgsprt", with a display name of "WDNDrive". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\chgsprt\
The file mspdnx.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\(DEB86EBB-7184-46B6-A85C-ABD9F6E25067)
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDXchanger\
Troj/Haxspy-A provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Search assistant".
Troj/Haxspy-A listens on a random port for incoming traffic.
Troj/Haxspy-A can act as a proxy, and can be instructed to download and execute files from a remote server by injecting code into one of several system processes.
Troj/Haxspy-A can be instructed to download a new HOSTS file.
Troj/Haxspy-A monitors browser usage.
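
The file and registry artifacts listed above can be matched against collected triage data. The following is an added example, not Sophos code: because chgsprt.sys is used to hide the Trojan on a running system, it works on a file listing and the decoded text of a `reg export` rather than on the live host. The function names, the sample data and the set of directory names standing in for <System> are assumptions.

```python
import re

# Indicators from the description above; any one bracket character may wrap the GUID.
GUID = "DEB86EBB-7184-46B6-A85C-ABD9F6E25067"
FILES = {"hpchuninstaller.exe", "chgsprt.sys", "chrr2.ini", "idchr2.dat", "mspdnx.dll"}
SYSTEM_DIRS = {"system32", "system", "syswow64"}  # assumption: what <System> expands to
KEYS = [  # "\services\" also matches ControlSet001 etc. in an offline hive export
    (re.compile(r"\\services\\chgsprt(\\|$)", re.I), "driver service"),
    (re.compile(r"\\clsid\\.?" + GUID + r".?(\\|$)", re.I), "COM registration"),
    (re.compile(r"\\currentversion\\uninstall\\pdxchanger(\\|$)", re.I), "uninstall entry"),
]
SSODL = re.compile(r"\\currentversion\\shellserviceobjectdelayload$", re.I)

def scan_files(paths):
    """Return listed paths that name one of the dropped files inside a system directory."""
    hits = []
    for path in paths:
        parts = path.replace("/", "\\").lower().split("\\")
        if len(parts) > 1 and parts[-1] in FILES and parts[-2] in SYSTEM_DIRS:
            hits.append(path)
    return hits

def scan_reg(text):
    """Scan decoded `reg export` text; return (kind, detail) tuples for matching entries."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # section header = key path
            key = line[1:-1]
            hits += [(kind, key) for pattern, kind in KEYS if pattern.search(key)]
        elif SSODL.search(key) and line.startswith('"'):  # value under the startup key
            name = line.split('"')[1]
            if name.lower() == "eplrr9" or GUID.lower() in line.lower():
                hits.append(("startup value", line))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_FILES = [r"C:\WINDOWS\system32\mspdnx.dll", r"D:\backup\chrr2.ini"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleBenign"="{00000000-0000-0000-0000-000000000001}"
"eplrr9"="{DEB86EBB-7184-46B6-A85C-ABD9F6E25067}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\chgsprt]
"DisplayName"="WDNDrive"
'''

if __name__ == "__main__":
    print(scan_files(SAMPLE_FILES) + scan_reg(SAMPLE_REG))
```

`reg export` writes UTF-16 files, so decode them before passing the text to `scan_reg`.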
