TSPY_AGENT.TQ

Sla#s

Running the online version of Trend Micro Housecall produced a result
that said I had "TSPY_AGENT.TQ", a keylogger but I cannot find any
useful information on removing it.
Several places give the Win XP register info about it but none of the
keys mentioned are on my machine.

It does not show on a scan with Clamwin.

Can anyone help?

TIA
Slatts
 
David H. Lipman

From: "Sla#s" <[email protected]>

| Running the online version of Trend Micro Housecall produced a result
| that said I had "TSPY_AGENT.TQ", a keylogger but I cannot find any
| useful information on removing it.
| Several places give the Win XP register info about it but none of the
| keys mentioned are on my machine.
|
| It does not show on a scan with Clamwin.
|
| Can anyone help?
|
| TIA
| Slatts

Start with the Sophos module in the below tool...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Sla#s

David said:
From: "Sla#s" <[email protected]>

| Running the online version of Trend Micro Housecall produced a result
| that said I had "TSPY_AGENT.TQ", a keylogger but I cannot find any
| useful information on removing it.
| Several places give the Win XP register info about it but none of the
| keys mentioned are on my machine.
|
| It does not show on a scan with Clamwin.
|
| Can anyone help?
|
| TIA
| Slatts

Start with the Sophos module in the below tool...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

After a scan with Sophos the following was reported:
---------------------------------------------------------------
92652 files swept in 3 hours, 36 minutes and 49 seconds.
318 errors were encountered.
2 viruses were discovered. (and removed)
2 files out of 92652 were infected.
-------------------------------------------------------
The 318 errors were all either Archive files or video files, both VOB
and mp4. I note what Sophos say about "zip bombs".
The two viruses were the EICAR test file and Virus 'Troj/Clagger-W'
found in file c:\System Volume Information\_restore...

Can I assume a file in "restore" is inactive? (I realise if restored it
would be active.)

I will run Trend next and post the result.

Thanks for your help.
Slatts
 
Sla#s

Trend found nothing and KAV found:
-------------------------------------------------

Result for all objects:

Sector Objects : 0 Known viruses : 4
--------------------------------------------------
But when I looked for what they were I found
they were PSKILL.EXE and PGCEDIT.EXE which were "not-a-virus" but
deleted anyway.

Slatts
 
David H. Lipman

From: "Sla#s" <[email protected]>

|
| Trend found nothing and KAV found:
| -------------------------------------------------
|
| Result for all objects:
|
| Sector Objects : 0 Known viruses : 4
| --------------------------------------------------
| But when I looked for what they were I found
| they were PSKILL.EXE and PGCEDIT.EXE which were "not-a-virus" but
| deleted anyway.
|
| Slatts

The files in the System Restore cache are inactive and are NOT to be worried about unless
you may restore from an infected restore point.

While the utilities noted are NOT malicious themselves, they may be used in a malicious
fashion and therefore they were removed.

You started this thread indicating... "..Trend Micro Housecall produced a result that said I
had "TSPY_AGENT.TQ"..."

The Trend Sysclean utility uses the SAME Pattern File (signatures) as the web based scanner.
I find it interesting it found nothing.

So what is the fully qualified name and path to the file(s) that were found to be infected
with "TSPY_AGENT.TQ" as noted by Trend's HouseCall ?
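
The kinds of finding sorted out in this thread (the EICAR test file, a detection inside the System Restore cache, "not-a-virus" tools) can be triaged mechanically. This is an added example, not part of any post and not code from any of the scanners; the sample findings, the detection-name strings and the Windows XP `_restore{GUID}\RPnn` layout it relies on are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample findings: (scanner, detection name, path). The GUID, RP
# number, file names and the last detection are invented for illustration.
FINDINGS = [
    ("Sophos", "EICAR-AV-Test", r"C:\Temp\eicar.com"),
    ("Sophos", "Troj/Clagger-W", r"c:\System Volume Information"
     r"\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0001234.exe"),
    ("KAV", "not-a-virus:RiskTool.Win32.PsKill", r"C:\Tools\PSKILL.EXE"),
    ("Example", "Troj/Example-A", r"C:\WINDOWS\system32\example.dll"),
]

def restore_point(path):
    """Return the restore point folder (e.g. 'RP12') when path lies inside
    the System Restore cache, 'unknown' if no RP folder is present, else None."""
    parts = PureWindowsPath(path).parts  # handles / and \ separators
    if (len(parts) >= 3
            and parts[1].lower() == "system volume information"
            and parts[2].lower().startswith("_restore")):
        return parts[3] if len(parts) > 4 else "unknown"
    return None

def classify(name, path):
    """Sort one finding into the categories discussed in the thread."""
    lowered = name.lower()
    if "eicar" in lowered:
        return "test-file"            # harmless scanner test string
    if lowered.startswith("not-a-virus"):
        return "riskware"             # legitimate tool that can be misused
    rp = restore_point(path)
    if rp is not None:
        return "dormant:" + rp        # inactive unless that point is restored
    return "active"                   # live file: needs cleaning

def triage(findings):
    return [(scanner, name, classify(name, path))
            for scanner, name, path in findings]

def tainted_restore_points(findings):
    """Restore points that should not be rolled back to."""
    return sorted({c.split(":", 1)[1] for _, _, c in triage(findings)
                   if c.startswith("dormant:")})

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(*row, sep="\t")
    print("Avoid restoring:", tainted_restore_points(FINDINGS))
```
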
 
Sla#s

David said:
You started this thread indicating... "..Trend Micro Housecall produced a result that said I
had "TSPY_AGENT.TQ"..."

The Trend Sysclean utility uses the SAME Pattern File (signatures) as the web based scanner.
I find it interesting it found nothing.

So what is the fully qualified name and path to the file(s) that were found to be infected
with "TSPY_AGENT.TQ" as noted by Trend's HouseCall ?

I regret I did not note the path :-( (I couldn't find a log file.)

As Sophos removed 'Troj/Clagger-W' and thereafter 'TSPY_AGENT.TQ' was
not found, could this mean that the two vendors use separate names for
the same infection? (It does not Google.)

Just for luck I did a scan with the original on-line version of
Housecall and naturally it reveals no infections either.


Thank you for your help
Slatts
 
David H. Lipman

From: "Sla#s" <[email protected]>


| I regret I did not note the path :-( (I couldn't find a log file.)
|
| As Sophos removed 'Troj/Clagger-W' and thereafter 'TSPY_AGENT.TQ' was
| not found, could this mean that the two vendors use separate names for
| the same infection? (It does not Google.)
|
| Just for luck I did a scan with the original on-line version of
| Housecall and naturally it reveals no infections either.
|
| Thank you for your help
| Slatts

I could find NO cross-referencing information that would indicate the two names refer back
to the same Trojan.

As to a generalized statement that Trojans could have different names from different vendors,
this is often the case, and rarely do the AV vendors call the same infector by the same name.
 
