
Thread: Trojan

  1. #1
    herme3 Guest

    Trojan



    There is a Trojan that is capable of completely disabling the most recent version of ZoneAlarm, Symantec AntiVirus, and the Windows XP firewall. This Trojan appears to be a new version of Haxdoor. It downloaded itself into my computer without displaying any security approval boxes. All that I saw was the following window:



    The download completed in only a few seconds, so I didn't have time to press the cancel button. The file that was downloaded was C:\0.exe which appears to be the installer program for the Trojan. I have captured the installer program in a ZIP file and uploaded it to http://www.bluealan.com/virus.zip so security experts could analyze this file and help stop this Trojan.

    The installer program created the following files in my C:\Windows\System32 folder:

    avpe32.dll

    avpe64.sys

    klgcptini.dat

    qz.dll

    qz.sys

    stt82.ini

    These files cannot be seen from My Computer due to the Trojan's ability to hide itself. Once the Trojan was fully installed, it automatically disabled ZoneAlarm Pro. I ran both Symantec AntiVirus and Microsoft AntiSpyware but they didn't find the Trojan. I also tried to start the Windows XP firewall, but it was also disabled.

    The Trojan was running under the System process. It began sending and receiving data across the Internet. Since the Trojan contains a password stealer and a keylogger, I would guess that it was sending that information to the people that created the Trojan. I used a packet sniffer, and saw that data was being sent from the Trojan to the following IP addresses:

    212.27.63.103

    67.15.35.7

    Both of these IP addresses go to an apache server without an index page. Does anybody think that these IP addresses belong to the people who created this Trojan? How can these people be traced? Since the Trojan contains spyware, I think the people who created this are receiving a lot of personal information from computers that have been infected.

    I have tried several different AntiVirus and AntiSpyware programs, but I couldn't find any that could remove this Trojan. However, I did find a way to manually remove it. Here are the steps that I took to remove this Trojan:

    1. Download and install the free Unlocker application from http://ccollomb.free.fr/unlocker/

    2. Delete the file C:\0.exe. If you get an error message, right-click on 0.exe and click on "Unlocker". Then click on "Unlock All" and close the Unlocker application. You should now be able to delete the file.

    3. Start Microsoft Word and click on the Open button. Go to the folder C:\Windows\System32

    4. In the "File name:" box, type avpe64.sys and press "Open".

    5. Press ctrl+A and then press the delete key.

    6. Now click on the Save button. If you see a warning about the text format, press "Yes".

    7. Repeat steps 3-5 for the files "klgcptini.dat", "qz.dll", "qz.sys", and "stt82.ini".

    8. Restart your computer.

    9. Go to My Computer, and go to the C:\Windows\System32 folder.

    10. Right-click on avpe32.dll and then click on "Unlocker".

    11. Click on "Unlock All" and then close the Unlocker application.

    12. Delete the file avpe32.dll and then delete the files "klgcptini.dat", "qz.dll", "qz.sys", and "stt82.ini".

    13. Empty your Recycle Bin. Now the Trojan should be removed from your computer.

    I hope that Zone Labs will investigate this Trojan and find a way to protect ZoneAlarm users from it. Will they read the information in this post, or should I e-mail them?

    Operating System: Windows XP Home Edition
    Product Name: ZoneAlarm Pro
    Software Version: 6.0
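A defender-side check for the hiding behaviour described in the post above (files present in System32 but invisible in My Computer, yet openable by path from Word), written as an added example that is not from the thread or from any of the products named: it compares a directory enumeration against direct path access for the six reported filenames and flags any name that opens but is not listed. The temporary directory, the filtered-listing helper and the labels "absent", "visible" and "hidden" are assumptions so that it runs offline; whether a given rootkit filters both views on a live system is not something the post establishes.

```python
import os
import tempfile

# Filenames the original poster reported the installer dropped into
# C:\Windows\System32 (taken from the thread, not constructed).
REPORTED_DROPPED_FILES = [
    "avpe32.dll", "avpe64.sys", "klgcptini.dat", "qz.dll", "qz.sys", "stt82.ini",
]


def cross_view_check(directory, names, list_dir=os.listdir, stat=os.stat):
    """Classify each name as 'absent', 'visible' or 'hidden'.

    'hidden' means the path opens directly (stat succeeds) but the name is
    missing from the directory enumeration: the discrepancy the poster saw,
    invisible in My Computer yet openable from Word's Open dialog.
    list_dir/stat are parameters so the enumeration view can be swapped
    (used below to simulate the hiding without a real rootkit).
    """
    listed = {n.lower() for n in list_dir(directory)}
    result = {}
    for name in names:
        try:
            stat(os.path.join(directory, name))
        except OSError:
            result[name] = "absent"
            continue
        result[name] = "visible" if name.lower() in listed else "hidden"
    return result


def simulate_hidden_system32():
    """Constructed scenario: a throwaway directory stands in for System32,
    five of the six reported names are created (stt82.ini is left absent),
    and the listing is filtered to drop three names, mimicking a filter on
    directory enumeration. Returns the classification dict."""
    concealed = {"avpe32.dll", "qz.sys", "stt82.ini"}
    with tempfile.TemporaryDirectory() as fake_system32:
        for name in REPORTED_DROPPED_FILES[:-1]:
            with open(os.path.join(fake_system32, name), "wb") as fh:
                fh.write(b"\x00")

        def filtered_listing(path):
            return [n for n in os.listdir(path) if n not in concealed]

        return cross_view_check(fake_system32, REPORTED_DROPPED_FILES,
                                list_dir=filtered_listing)


if __name__ == "__main__":
    for name, state in simulate_hidden_system32().items():
        print(f"{name:14} {state}")
```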

  2. #2
    unhappy_viewer Guest

    Re: Trojan

    While upgrades to ZA attempt to put in some sort of protection against Trojan Horses, as with any other software installed on your computer, these protections are bound to be cracked by hackers (that's why I stress that you should not use outdated security products).

    The best way to protect yourself is of course to have common sense and a nice balance of security products. On a computer, one should have an antivirus, an antitrojan program (like Ewido, Trojan Hunter, a-squared), and a few antispyware apps. Users should also not download unknown software from the internet as it can be malicious, nor open email attachments they are not sure of.

  3. #3

    Re: Trojan

    You should also submit this piece of scumware to your anti-virus vendor ASAP.
