Author Topic: Trojan.win32.agent.azsy  (Read 21807 times)


Offline Navvy

  • Jr. Member
  • **
  • Posts: 50
Trojan.win32.agent.azsy
« on: June 05, 2009, 08:20:36 PM »
This virus seems to have been missed by Avast, and is not showing in the virus search.

The virus pretends to have detected itself, and then asks for money to remove it.

I found this on http://windowsprotection.net/how-to-remove-trojanwin32agentazsy-trojanwin32agentazsy-removal-guide/

Anyone know if this website is genuine?

"Trojan.win32.agent.azsy is a hazardous computer infection that enhances the malicious activity of its sponsoring rogue spyware remover called Personal Antivirus. Trojan.win32.agent.azsy penetrates into computers obscurely through security gateways and other system vulnerabilities. Trojan.win32.agent.azsy may remain unattended and undetected until it’s detected by a reliable professional antivirus tool. When running inside the compromised computer, Trojan.win32.agent.azsy issues fake alerts that pop up to tell the users he/she has multiple security issues that need to be handled by Personal Antivirus, i.e. it encourages people to purchase and install the licensed version of Personal Antivirus, which is a rogue anti-spyware. In addition to the above, Trojan.win32.agent.azsy makes the infected computer exposed to outer threats by opening up illicit connections that facilitate remote access to the compromised computer and may enable further manipulation from the outside. Both Trojan.win32.agent.azsy and the related rogue anti-spyware Personal Antivirus are unwanted PC applications and must be eradicated once detected. If not removed, these malwares may lead to computer freezes and crashes, privacy violations and may also deteriorate the internet connection quality."


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #1 on: June 05, 2009, 09:13:22 PM »
There is little point in searching the virus database as there is no standard naming convention for virus/malware naming and win32:agent could be absolutely anything.

So unless you have a sample to scan or upload it is impossible to say if avast detects it. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.


Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject (if avast isn't detecting it).
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

The name windowsprotection.net fills me with awe NOT, I would only deal with known anti-malware sites. Whilst it appears to be genuine there is no way I would consider downloading an unknown scanner from a relatively unknown site. However it seems that it is trying to get you to download Spyware Doctor at a little over 22MB, to resolve what may be the usual rogue security 2009 variant.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Both of these combined are much smaller than the suggested download at windowsprotection.net.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Navvy

  • Jr. Member
  • **
  • Posts: 50
Re: Trojan.win32.agent.azsy
« Reply #2 on: June 05, 2009, 11:15:25 PM »
David - many thanks for your quick response.  In the meantime I had discovered that Spyware Doctor scans but doesn't repair unless you pay.  (Sounds suspiciously like the original problem, so I won't try that.)

I installed Spybot, which detected  multiple copies of a couple of trojans, and is now taking ages to re-scan after a reboot as it couldn't remove files that were in use.

When that finishes, I'll try your suggestions of Malwarebytes and SUPERantispyware.

The avast "Information about known viruses" database did show Win32:Agent-AZS[Trj] but it does seem unlikely that a virus would display a warning containing its own name. I guess that it just uses a random list of virus names to give credibility to its claim that its program needs to be installed. It certainly fooled my friend, who doesn't often use a computer and just assumed that it was something that he was supposed to agree to.



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #3 on: June 05, 2009, 11:21:48 PM »
There are some programs that even though legit use this to make you buy and I think that that is bordering on blackmail/rogueware and should be made perfectly clear before you even download it.

Offline Navvy

  • Jr. Member
  • **
  • Posts: 50
Re: Trojan.win32.agent.azsy
« Reply #4 on: June 05, 2009, 11:32:27 PM »
If they explained before download, that you need to upgrade in order to clean the computer, then that would be fair enough, but no way would I enter my credit card number onto a computer before the cleaning had been completed!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Trojan.win32.agent.azsy
« Reply #5 on: June 05, 2009, 11:39:32 PM »
Hi Navvy,

There is a name for this: this is called SCAREware. It is not rogue because the scanner functions and does not add to your misery to extra scare, but you have to draw your paybook to have your computer cleansed.
The least you can say is that it is a form of aggressiveness I do not like with software. Where are the days you had a tool for free if you dropped the developer a postcard, this was postcardware.
The avast formula is a community friendly formula: they run a free scanner for personal use, a similar formula like ZA free, that do the same with their free firewall.

polonus
« Last Edit: June 05, 2009, 11:41:11 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Navvy

  • Jr. Member
  • **
  • Posts: 50
Re: Trojan.win32.agent.azsy
« Reply #6 on: June 06, 2009, 12:08:28 AM »
Spybot removed the virus, but it reinstalled itself during the startup.  (The DOS screens flashing up during installation seemed to match the description of the virus named in the subject line.  It was referring to dll files in Windows\system32\)

Malwarebytes was a lot faster scanning, and seems to have cleared the problem.

I've unplugged the internet connection, and Avast is doing a scan (probably the first scan since it was installed...)



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #7 on: June 06, 2009, 01:40:14 AM »
If you can post the logs it helps us to get an idea of what was found and offer additional advice, that's why we ask for the log file.

Offline Navvy

  • Jr. Member
  • **
  • Posts: 50
Re: Trojan.win32.agent.azsy
« Reply #8 on: June 06, 2009, 01:21:32 PM »
Avast failed to report any problem, so I presume there would be no relevant log.

I don't know what file originally caused the problem, but I assume it will have been one of the hundreds deleted by either Malwarebytes or Spybot.  Unfortunately I didn't take a copy of logs from these programs - too late in the evening to worry about anything other than getting the computer working again.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #9 on: June 06, 2009, 04:26:51 PM »
Quote from: Navvy
Avast failed to report any problem, so I presume there would be no relevant log.

The logs I asked for were from the MBAM and SAS scans.
Quote from: DavidR
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Quote from: Navvy
I don't know what file originally caused the problem, but I assume it will have been one of the hundreds deleted by either Malwarebytes or Spybot. Unfortunately I didn't take a copy of logs from these programs - too late in the evening to worry about anything other than getting the computer working again.

And that is why the logs are so helpful to us to help you. Both programs retain the logs: open MBAM again and the logs are under the Logs tab, and in SAS they are under the Control Center (Preferences), Statistics/Logs tab.

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #10 on: September 02, 2009, 09:06:04 PM »
1st post here, hope you guys can help...got the ol' "Personal Anti-Virus" thing on my computer, not terribly savvy on this stuff, but are you saying that if I download the items you mentioned, it'll wipe out this nasty bugger??? Or am I gonna have to pay or reload SW??? Not sure why the forum is suggesting I start a new topic, if this gets no response, guess I'll do just that...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #11 on: September 02, 2009, 10:10:54 PM »
It is suggesting you start a new topic because of the fact this one is almost 3 months old, so some of the information in it could be dated.

However, it is still relevant.

Work through my first reply a step at a time, don't look at it as one massive task but one of different steps, complete one step, report, get advice and move on to the next step. Use the two programs suggested (both free) one at a time and post the contents of the report/log file in the next post.

No one can say for sure if this will catch and kill it, that is why we ask you to take it in stages and post the results so we can advise what needs to be done next.

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #12 on: September 02, 2009, 10:48:27 PM »
Avast just ran a scan, found and deleted many infected files, but there were a couple that it couldn't repair, move to chest, I'd done this before, but hadn't run the full scan...so I ignored and it went on to scan 100%...the icon that was showing for the "personal antivirus" in the tray in the r/h corner is now gone!!! Am I home free, or just dreamin'??? If this problem reoccurs, I'll start doing as you suggest...thx

As I was typing this, 2 more suspect files were detected by avast, prolly those same 2 that I couldn't do anything with before...suggestion???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #13 on: September 02, 2009, 11:57:24 PM »
Why couldn't the file/s be moved to the chest, file in use, etc.?
If you have XP, Vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.

What is the malware name, infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Having ignored it, the file is still in place, but avast wouldn't/shouldn't let it run, so you need to take further action, like the boot-time scan mentioned above.

As you can see we need information to be able to help when it relates to infected files.

Have you run the MalwareBytes AntiMalware yet?
If not, do so after a boot-time scan and report its findings.

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #14 on: September 03, 2009, 07:59:22 AM »
I've done the boot time scan 2 or 3 times...each time it has stopped at about 40% or so and given me a couple infected files to deal with (can't recall their names but will get that info next time) but none of the options could do anything, at least the ones I tried, which were move to chest, repair, and delete (I know now not to do that one). At that point I selected ignore and it went on to finish the scanning (only on the 3rd scan did I complete the scan) and it found the multiple infected files that it deleted (I'm guessing, I think that's what it said). At that point I noticed the Personal Antivirus icon gone from the lower r/h tray (what do you call that tray???)...I'll get back to it soon and start on your suggestions...thx, Ed