
Downloader.Agent.uj / Trojan.Reboter / Alexa Related / Pipas.A

Discussion in 'Malware and Virus Removal Archive' started by jjbode, 2006/09/23.

  1. 2006/09/23
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    This problem is intermittent. First, eTrust EZ AV reported something but did not delete what it found. Ewido found Trojan.Reboter and Downloader.Agent.uj but reported an error trying to delete. SBS&D found and supposedly fixed Alexa Related and Pipas.A but the problems persist. Whatever it is, it consumes 100% CPU doing nothing useful, redirects Google links to bogus searchathand.com pages which report that domains like Microsoft, Google, Texaco, etc. do not exist, and seems to block Outlook from receiving my email although it being Saturday that could be coincidental.

    I'll post Ewido, SB, and HJT logs. If someone can help, I'll try to log in tomorrow, if it will let me. First, Ewido:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:08:36 PM 9/23/2006

    + Scan result:



    [1068] VM_00BC0000 -> Downloader.Agent.uj : Error during cleaning.
    [1136] VM_00C70000 -> Downloader.Agent.uj : Error during cleaning.
    [1220] VM_00840000 -> Downloader.Agent.uj : Error during cleaning.
    [1276] VM_00800000 -> Downloader.Agent.uj : Error during cleaning.
    [1300] VM_00810000 -> Downloader.Agent.uj : Error during cleaning.
    [1304] VM_00850000 -> Downloader.Agent.uj : Error during cleaning.
    [1316] VM_00920000 -> Downloader.Agent.uj : Error during cleaning.
    [1320] VM_007F0000 -> Downloader.Agent.uj : Error during cleaning.
    [1352] VM_007E0000 -> Downloader.Agent.uj : Error during cleaning.
    [1364] VM_00C10000 -> Downloader.Agent.uj : Error during cleaning.
    [1384] VM_00850000 -> Downloader.Agent.uj : Error during cleaning.
    [1400] VM_00DC0000 -> Downloader.Agent.uj : Error during cleaning.
    [1472] VM_00780000 -> Downloader.Agent.uj : Error during cleaning.
    [1504] VM_007C0000 -> Downloader.Agent.uj : Error during cleaning.
    [1520] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
    [212] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning.
    [216] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning.


    ::Report end

    Next, SB:


    --- Report generated: 2006-09-23 17:07 ---

    Alexa Related: Link (Replace file, fixed)
    C:\WINNT\Web\RELATED.HTM

    Pipas.A: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-09-23 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-09-22 Includes\Cookies.sbi (*)
    2006-09-22 Includes\Dialer.sbi (*)
    2006-09-22 Includes\Hijackers.sbi (*)
    2006-09-22 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-09-22 Includes\Malware.sbi (*)
    2006-09-22 Includes\PUPS.sbi (*)
    2006-09-22 Includes\Revision.sbi (*)
    2006-09-22 Includes\Security.sbi (*)
    2006-09-22 Includes\Spybots.sbi (*)
    2005-02-16 Includes\Tracks.uti
    2006-09-22 Includes\Trojans.sbi (*)

    Last, HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:31:42 PM, on 9/23/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Robomagic\SocketWatch\swatch.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\HiJackThis1.99.1\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://www.courts.wa.gov
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139151220796
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6B12875F-C74E-425D-A82F-D10F526B6766}: NameServer = 85.255.113.90,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AC1B538-59B2-4525-95D4-23F20343B05C}: NameServer = 85.255.113.90,85.255.112.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    That is all. jj
     
  2. 2006/09/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi jjbode.

    The items found by Spybot are harmless, no threat. Run Ewido in safe mode and be sure to update it; there were 3 updates today.

    The only things I see worth looking deeper into are the O17 entries. Did you have any other major infections which were removed recently? Let me know.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6B12875F-C74E-425D-A82F-D10F526B6766}: NameServer = 85.255.113.90,85.255.112.5

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AC1B538-59B2-4525-95D4-23F20343B05C}: NameServer = 85.255.113.90,85.255.112.5

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5


    Reboot and post a new HJT log back into this thread please.

    Then go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.(please edit out any cookies or system_volume or recyler folder related entries)
     
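    As an added illustration (not from the thread, the forum, or HijackThis itself), the script below parses the O17 NameServer lines of a HijackThis log like the two posted in this thread and flags any resolver that falls outside an allowlist of expected networks. The allowlist values and the trimmed sample logs are constructed here; the O17 lines are those the thread shows.

```python
import ipaddress
import re

# HijackThis O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a.b.c.d e.f.g.h
# The server list may be comma- or space-separated depending on the key.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [nameserver, ...]) for every O17 line in the log."""
    findings = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        findings.append((m.group("key"), servers))
    return findings


def audit_nameservers(log_text, expected_networks):
    """Return {registry_key: [unexpected_server, ...]} for O17 entries that point
    at resolvers outside expected_networks (a list of CIDR strings).
    Unparseable values are flagged too, so a human looks at them."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in expected_networks]
    suspicious = {}
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if not any(addr in net for net in allowed):
                bad.append(s)
        if bad:
            suspicious[key] = bad
    return suspicious


# Constructed allowlist: the LAN router and the ISP's resolver range an admin
# would know for this machine (assumed values, not from the thread).
EXPECTED_RESOLVERS = ["192.168.1.0/24", "10.0.0.0/8"]

# Trimmed sample of the first log in the thread (before the O17 fix). Note the
# same servers were written into CurrentControlSet, ControlSet001 and ControlSet002.
BEFORE_LOG = r"""
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B12875F-C74E-425D-A82F-D10F526B6766}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AC1B538-59B2-4525-95D4-23F20343B05C}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Trimmed sample of the second log (after "Fix Checked"): no O17 lines remain.
AFTER_LOG = r"""
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        hits = audit_nameservers(log, EXPECTED_RESOLVERS)
        print(f"{label}: {len(hits)} registry key(s) with unexpected resolvers")
        for key, servers in hits.items():
            print(f"  {key} -> {', '.join(servers)}")
```

Comparing the pre- and post-fix logs this way confirms the fix reached every control set, not just CurrentControlSet.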

  4. 2006/09/24
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    TeMerc, thanks. No other recent infections of any kind. Ewido running in safe mode reported the same error while deleting as yesterday. Also ran HJT in safe mode to fix the O17 Dutch domain entries, log below. Now, off to Panda... jj

    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:48 AM, on 9/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\HiJackThis1.99.1\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://www.courts.wa.gov
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139151220796
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    [End]
     
  5. 2006/09/24
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    TeMerc, here is the Panda report. Nothing to edit as instructed.


    Incident                                        Status            Location
    Adware:adware/cws                               Not disinfected   C:\Documents and Settings\Administrator\Favorites\Health
    Potentially unwanted tool:Application/Restart   Not disinfected   C:\WINNT\system32\Tools\Restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected   E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\smitRem (use on desktop)\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected   E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\smitRem (use on desktop)\smitRem.exe[smitRem/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected   E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\SpyAxeFix (use on desktop)\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected   E:\My Download Files\Antivirus, spyware etc tools\Utilities for Use On Demand\SpyAxeFix (use on desktop)\SpyAxeFix.exe[SpyAxeFix/Process.exe]
    Virus:Trj/Clicker.KN                            Disinfected       E:\Data\OFFICE\COMPUTER\2004-11 problems\2004-11-19a malware files sent to Lonny\Found before unhide script\slservc.exe
    Hacktool:HackTool Program.VA                    Not disinfected   E:\Data\OFFICE\COMPUTER\2004-11 problems\2004-11-19a malware files sent to Lonny\Found before unhide script\hdr.dll

    That is all. jj
     
  6. 2006/09/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Everything found by Panda is of no consequence; obviously some tools you had used previously?

    I'm not sure exactly what Ewido is finding; my original research yielded no conclusive information.

    I'll have to look around more tonight or tomorrow. I'll be out most of the rest of the day till evening, then I have my test box to clean up; it's full of some nasties from trawling the crackz and warez sites for new infections. :p
     
  7. 2006/09/26
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    TeMerc, yes, most of what Panda found is leftover stuff from a 2-year-old fix, but these two lines are not:

    Adware:adware/cws                               Not disinfected   C:\Documents and Settings\Administrator\Favorites\Health

    Potentially unwanted tool:Application/Restart   Not disinfected   C:\WINNT\system32\Tools\Restart.exe

    That Favorites entry has one URL a few weeks old, but I do not recognize Restart.exe.

    With eTrust, Ewido, and ZoneAlarm in the background, I'm not sure what to think of the remaining symptoms. No more browser redirects but I still have 100% CPU usage with no other apps running. Outlook now receives but is slow to change views. CPU is Athlon XP 1800, 1G memory.

    jj
     
    Last edited: 2006/09/26
  8. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, you can delete the restart.exe and see what, if anything, fails to work. I'm fairly certain it will be safe to delete. You can always recover it from the recycle bin.

    With regards to CPU usage, what process is using all the CPU? Can you go to Task Manager and see which process is doing it and post its name here.
     
  9. 2006/09/26
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    TeMerc, after deleting restart.exe I tried to reboot but Windows froze up while not fully loaded so I restored it from the recycle bin in safe mode.

    The CPU hog appears to be ZoneAlarm. With nothing running in the foreground except this browser window and Task Manager, the process vsmon.exe (ZoneAlarm's TrueVector Service) ranges about 32-56% CPU and the process zlclient.exe about 40-64%. It looks like these two always add up to 97-98%. I looked at its log earlier, it appeared to be working normally (several alerts/minute), but then it sorta froze (went inoperable and transparent to the desktop while Task Manager said it was running). I tried to look again just now and it sorta froze again. Both times only my browser window remained stable. I suppose I should uninstall/reinstall it. Any other suggestions :confused: jj
     
  10. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I want to say it's odd offhand that ZA would be sucking up that much juice. But the last few releases have been less than perfect.

    What version are you running, and is it the free, the pro, or the system suite? Tell me which one so maybe we can find an answer.
     
  11. 2006/09/26
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    ZoneAlarm version 6.5.731.000
    Free, not pro and not system suite
    jj
     
  12. 2006/09/26
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    BTW I have some earlier ZA versions if you know a safe one. jj
     
  13. 2006/09/27
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
  14. 2006/09/27
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    Will do. May take a day or two. Have some landscape work to do and we have unusually fair weather for it here in the PNW. I used to live in PHX, had no idea how rare everyday dryness can be. jj
     
  15. 2006/09/28
    jjbode

    jjbode Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    30
    Likes Received:
    0
    The forums did contain some reports of 100% CPU problems with vsmon.exe, supposedly fixed ages ago, and with another file I don't see in Task Manager, but not with zlclient.exe. I uninstalled v. 6.5.737.000 and installed the last version that I had no problems with (6.5.722.000). CPU usage now normal. I'll report my experience to ZA.

    Seem to be symptom free. Learn any more about Trojan.Reboter and Downloader.Agent.uj? jj
     
  16. 2006/09/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad you figured out it was ZA.

    And no, I have not found anything out about the trojan noted.
     
