TROJ_AGENT.AC and sqlceh.dll


Johannes Thordarson

Hi there,

I have not been able to quarantine or remove a worm from WinXP Home,
which identifies itself in Trend Micro's Internet Security as
TROJ_AGENT.AC. It is said to have infected a file that has the name
sqlceh.dll in C:\Windows\System32\

It multiplies as I start IE6 or Notepad. I cannot find it in the said
folder.

I cannot find anything on this worm by searching the internet or
Trend Micro's site.

Do you recognize this worm?

What can I do to remove this worm?

Any help much appreciated.

Regards,
 
Art

> Hi there,
>
> I have not been able to quarantine or remove a worm from WinXP Home,
> which identifies itself in Trend Micro's Internet Security as
> TROJ_AGENT.AC. It is said to have infected a file that has the name
> sqlceh.dll in C:\Windows\System32\
>
> It multiplies as I start IE6 or Notepad. I cannot find it in the said
> folder.
>
> I cannot find anything on this worm by searching the internet or
> Trend Micro's site.
>
> Do you recognize this worm?
>
> What can I do to remove this worm?

Seems it may be a new enough variant of Troj_Agent that Trend doesn't
yet have a description available. Using Project VGREP, eight hits are
found on Troj_Agent:

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=troj_agent&product=0

I'd read the descriptions of the other variants. You can also click on
other av vendors that are highlighted (they use different names for
the Trojan and its variants) to see what descriptions they have
available.

You'll have to follow general Trojan removal methods, hopefully with
additional insights provided by descriptions of earlier variants. It's
usually a matter of finding unusual registry and other startup axis
point items, and removing the offending items so the Trojan can't
start after the next boot into Windows. You should be able to delete
the dll file Trend alerted on in Safe mode. See my web site for the
TrojanFinder download. It will help in pinpointing unusual running
processes as well.


Art
http://www.epix.net/~artnpeg
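As an added example (not code from Art's reply, from TrojanFinder, or from Trend Micro), the PowerShell script below does the two things Art describes in one pass: it walks the standard Windows autostart points in the registry for any value that mentions the DLL name Trend reported, lists running processes that currently have that DLL loaded, and checks whether the file is actually present in System32 (with -Force, so a hidden or system attribute does not hide it). It assumes a PowerShell session (version 4 or later, for Get-FileHash) run as Administrator on the affected machine. The file name and path are taken from the original post; the idea that a DLL which "multiplies" when IE or Notepad starts is loaded through AppInit_DLLs or a Browser Helper Object is an assumption about typical behaviour, not something the thread confirms, which is why those locations are included.

```powershell
# Added example, not code from the thread or from Trend Micro.
# Look for a named DLL in the usual Windows autostart points and in running processes.
# Assumes: PowerShell 4+ running as Administrator on the suspect machine.
param(
    [string]$Target = 'sqlceh.dll'   # name from the Trend alert in the original post
)

# Standard autostart locations. AppInit_DLLs and Browser Helper Objects are the
# usual ways a DLL ends up inside every new process or inside IE; that is an
# assumption about how this sample behaves, not something the thread confirms.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',        # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',       # Shell, Userinit, Notify\*
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Test-ValuesForTarget {
    # Print every value under $Key (and its subkeys) whose data mentions $Target.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    $keys = @(Get-Item $Key) + @(Get-ChildItem $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $data = "$($k.GetValue($name))"
            if ($data -match [regex]::Escape($Target)) {
                "{0} : {1} = {2}" -f $k.Name, $name, $data
            }
        }
    }
}

'== Registry autostart values mentioning {0} ==' -f $Target
foreach ($key in $autostartKeys) { Test-ValuesForTarget -Key $key }

# BHOs are registered by CLSID only; the DLL path lives under the CLSID's InprocServer32,
# so each one is resolved and listed, with the target flagged if it appears.
'== Browser Helper Objects =='
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($bho in Get-ChildItem $bhoKey) {
        $clsid  = $bho.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-Item $server).GetValue('') } else { '<no InprocServer32>' }
        $flag   = if ("$dll" -match [regex]::Escape($Target)) { '  <-- TARGET' } else { '' }
        "{0} -> {1}{2}" -f $clsid, $dll, $flag
    }
}

'== Running processes with {0} loaded ==' -f $Target
foreach ($proc in Get-Process) {
    try {
        $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $Target })
        foreach ($m in $hits) { "{0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $m.FileName }
    } catch { }   # access denied on protected or bitness-mismatched processes is expected
}

'== File on disk =='
$path = Join-Path $env:SystemRoot "System32\$Target"
if (Test-Path -LiteralPath $path) {
    # -Force shows the file even if it carries the hidden/system attributes, which
    # would explain why it does not show up when browsing the folder.
    Get-Item -LiteralPath $path -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime, Attributes
    Get-FileHash -LiteralPath $path -Algorithm SHA256 | Select-Object Algorithm, Hash
} else {
    "{0} not present: already removed, or the detection refers to a copy elsewhere" -f $path
}
```

Run it once normally and once from Safe Mode: a registry value or process that only shows up in normal mode tells you which startup point to remove before deleting the file, which is the order Art's advice implies. The SHA256 hash is what to search for or submit to the vendors listed in the VGREP results, since the detection name alone produced nothing.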
 

David W. Hodgins

> I have not been able to quarantine or remove a worm from WinXP Home,
> which identifies itself in Trend Micro's Internet Security as
> TROJ_AGENT.AC. It is said to have infected a file that has the name
> sqlceh.dll in C:\Windows\System32\
>
> I cannot find anything on this worm by searching the internet or
> Trend Micro's site.

Running a google search on "agent.ac (backdoor OR trojan)" returns several
results.

http://www.fhh.demon.nl/spam/trojans.html indicates this is one of several
trojans installed by attempting to unsubscribe from spam, which allows the
spammer full access to your computer.

A2 http://www.emsisoft.com/en/software/free/ indicates their scanner will
detect agent.ac, but I've never tried their product, and don't know if it will
remove it, or provide enough info to remove it yourself.

You can try HijackThis, if you want to try removing the malware only. Follow
the instructions at http://tomcoyote.org/hjt/ to get and use it.

Given that this backdoor has allowed the spammer to install anything they
want, which may or may not be picked up by any scanners, the spammer
may have installed trojan versions of legitimate Windows executables that would
not be easy to find.

I strongly suggest it's time to back up any data you need, and then reformat
the partition, and reinstall xp from scratch.

You also need to change all of your passwords, email, irc, etc.

Before you do the reinstall, print a copy of
http://isc.sans.org/presentations/xpsurvivalguide.pdf

This may seem like an extreme response, but this is not a virus, where we know
what it's done. The only safe response is reformat/reinstall.

Regards, Dave Hodgins
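As an added example (not code from Dave's reply or from any tool he mentions), the PowerShell script below is the first-pass check a responder would run for the "trojan versions of legit Windows executables" he warns about: it lists every .exe, .dll and .sys in System32 that does not carry a valid Authenticode signature, or whose version resource claims Microsoft as the company while the signer is someone else, newest first. It assumes a PowerShell session (version 4 or later) on Windows 8 or later, where Get-AuthenticodeSignature also validates catalog-signed files; on XP-era systems most OS files are catalog-signed and will report NotSigned, so there the list must be cross-checked against a clean install rather than read as proof of tampering.

```powershell
# Added example, not code from the thread. Triage System32 for binaries that are not
# validly signed, the "trojan versions of legit Windows executables" Dave warns about.
# Assumes: PowerShell 4+ on Windows 8 or later, where Get-AuthenticodeSignature also
# validates catalog-signed files; on older systems most OS files report NotSigned.
param(
    [string]$Dir    = (Join-Path $env:SystemRoot 'System32'),
    [int]   $Newest = 30
)

$binaries = Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' }

$suspects = foreach ($f in $binaries) {
    $sig     = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $company = $f.VersionInfo.CompanyName
    # Flag: no valid signature, or a file that claims to be Microsoft's in its version
    # resource but is signed by someone else. Version info is attacker-controlled and is
    # used here only to decide which files deserve a first look, never to clear one.
    if ($sig.Status -ne 'Valid' -or
        ($company -like '*Microsoft*' -and $signer -notmatch 'Microsoft')) {
        [pscustomobject]@{
            LastWrite = $f.LastWriteTime
            Status    = $sig.Status
            Company   = $company
            Path      = $f.FullName
        }
    }
}

# Newest first: a replaced system binary is normally younger than the rest of the install.
$suspects | Sort-Object LastWrite -Descending | Select-Object -First $Newest |
    Format-Table LastWrite, Status, Company, Path -AutoSize
```

Anything that floats to the top with a recent LastWrite and no valid signature is worth hashing and comparing with the same file on a known-clean machine. The scan runs on the compromised system, so a kernel-level rootkit can still hide or misreport files from it; that limitation is exactly why Dave's reformat-and-reinstall advice stands regardless of what this list shows.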
 
