Author Topic: Trojan.win32.agent.azsy  (Read 21751 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Trojan.win32.agent.azsy
« Reply #15 on: September 03, 2009, 02:45:42 PM »
You don't have to keep repeating the boot-time scan; if nothing was found the first time round, it is unlikely to find other things if nothing has changed on your system.

Ignoring is not the thing to do; as I have said, it achieves nothing. When an infected file is found, select the Send to chest option. The boot-time scan should be able to take action, as there really shouldn't be anything to stop it since Windows isn't running. If dealt with, the boot-time scan should complete and Windows should boot normally (is that happening?).

Check this file: C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt. It records the information on the boot-time scan and should contain the details of any detections; post that information.

We ask questions to get a better understanding of the problem; if you don't answer them we are working blind, and that doesn't help either of us. So please answer the question in my previous post about previous detections.

The lower r/h tray is called various things depending on your OS (MS keeps changing it). I refer to it as the system tray, as that is what it was first called in early versions of Windows. It is also known as the Notification area/tray.

Move on to Malwarebytes' Anti-Malware (MBAM), but don't forget to post the answers to the previous questions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tessnina

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #16 on: September 03, 2009, 03:01:53 PM »
Any help would be appreciated; I have this same virus. I followed the suggestions given at the beginning of this discussion. When I downloaded the malware, the icon showed up on my desktop and I right-clicked and clicked on Start Scan; nothing happens. The hourglass comes up for a few seconds and then goes away, and nothing. It seemed to load properly. HELP. Susan

Offline DavidR

Re: Trojan.win32.agent.azsy
« Reply #17 on: September 03, 2009, 03:32:10 PM »
Please start a New Topic of your own, as this will just confuse the topic with advice for multiple people, and we will try to help.
- Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list, and post there.

Either that, or start from the first post in the topic and try to work your way through it. If you can't do that and need assistance, then we would need the questions already asked answered, and this is when it gets confusing for those being helped, along with those helping and anyone trying to follow the topic.

So for those reasons it really is best to have your own topic.

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #18 on: September 03, 2009, 08:14:19 PM »
Here's the boot scan report...
07/22/2009 13:09
Scan of all local drives

File C:\95276492.exe is infected by Win32:Tiny-ES [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\6MFD53HR\2_z[1].htm is infected by HTML:IEslice-D [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\6MFD53HR\3_z[1].htm is infected by JS:Agent-ES [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\HW95JX93\l[1].htm is infected by VBS:Encrypted-gen, Deleted
File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP601\A0127284.exe is infected by Win32:Tiny-ES [Trj], Deleted
File C:\WINDOWS\cpbrkpie.ocx is infected by Win32:Adware-AI [Trj], Deleted
File C:\WINDOWS\Temp\ja.exe\[UPX] is infected by Win32:Obfuscated-DH [Trj], Deleted
Number of searched folders: 5878
Number of tested files: 236792
Number of infected files: 7

----------------------------------------
08/31/2009 23:20
Scan of all local drives

File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp]
Scanning aborted

Number of searched folders: 1188
Number of tested files: 4515
Number of infected files: 1

----------------------------------------
09/02/2009 00:34
Scan of all local drives

File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}
Scanning aborted

Number of searched folders: 1190
Number of tested files: 4408
Number of infected files: 1

----------------------------------------
09/02/2009 12:44
Scan of all local drives

File C:\Program Files\PersonalAV\PAV.exe is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc10.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc11.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc12.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc13.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc6.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc7.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc9.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP601\A0127285.ocx is infected by Win32:Adware-AI [Trj], Deleted
Number of searched folders: 6558
Number of tested files: 121617
Number of infected files: 9

----------------------------------------
09/03/2009 01:20
Scan of all local drives

File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154781.sys is infected by Win32:Alureon-CV [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154783.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154784.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\WINDOWS\system32\UACpappanybig.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
Number of searched folders: 6559
Number of tested files: 121783
Number of infected files: 4
 
For those that I said I couldn't move to chest, I first tried repair, so did that cause the inability to move to chest? That's why I went on to ignore, so that the scan could continue... should I do one more scan and catch those that I missed?

micky77

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #19 on: September 03, 2009, 08:22:33 PM »
Some of those infections are in System Restore points; to remove them you need to disable/re-enable System Restore. Please run a quick scan with Malwarebytes. Also, I see UACpappanybig.dll; this may be protected by a rootkit, but not definitely. Post the MBAM log.

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #20 on: September 03, 2009, 10:17:12 PM »
Here's the MBAM log file... the scan is done, and MBAM is giving me the option of remove or ignore. UACpappanybig.dll... saw that found by Avast... MBAM didn't see it; what about that?
Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 2

9/3/2009 1:09:03 PM
mbam-log-2009-09-03 (13-08-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 216329
Time elapsed: 49 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> No action taken.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> No action taken.
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> No action taken.

Files Infected:
C:\WINDOWS\system32\msxmlm.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\family\Local Settings\Temp\drv4865240.exe (Trojan.Dropper) -> No action taken.
C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> No action taken.
C:\WINDOWS\system32\UACwdbxmplvpe.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
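
A small triage script for the two kinds of log quoted in this thread: the aswBoot.txt boot-time report DavidR asked for (posted in reply #18) and the MBAM log above. This is an added example, not code from the thread, from Avast or from Malwarebytes. The line formats are inferred from the lines quoted here and are assumptions, as are the wordings taken to mean "removed"; the sample inputs are constructed excerpts with a deliberate mix of outcomes, not the actual logs. The point it makes is the one the helpers keep repeating: a detection only counts when the last action on it succeeded, so "Repair: Error 42060" followed by "Move to chest: Error 0xC0000034", a missing action list after "Scanning aborted", or MBAM's "No action taken" all mean the object is still there.

```python
"""Triage the two scan logs quoted in this thread: the avast! boot-time
report (aswBoot.txt) and a Malwarebytes' Anti-Malware (MBAM) log.

Added example, not code from the thread, from Avast or from Malwarebytes.
Line formats are inferred from the quoted lines (assumptions); the sample
inputs are constructed excerpts with a deliberate mix of outcomes.
"""
import re
from dataclasses import dataclass

# aswBoot.txt: "File <path> is infected by <threat>, <action>, <action>, ..."
# No action list when the scan was aborted or the detection was ignored.
ASW_LINE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<threat>.+?)(?:, (?P<actions>.+))?$")
# MBAM: "<item> (<family>) [-> Bad: (x) Good: (y)] -> <outcome>."
MBAM_LINE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?: -> Bad: \([^)]*\) Good: \([^)]*\))?"
    r" -> (?P<outcome>.+?)\.?$")
# Final-action wordings taken to mean the object is gone (assumed).
ASW_FINAL_OK = ("Deleted", "Moved to chest", "Repaired")
MBAM_OK = ("Quarantined and deleted successfully", "Delete on reboot")
RESTORE_DIR = "\\System Volume Information\\_restore"
UAC_COMPONENT = re.compile(r"\\system32\\uac", re.IGNORECASE)  # TDSS naming seen above


@dataclass
class Finding:
    tool: str          # "avast" or "mbam"
    item: str          # file path or registry location
    threat: str        # detection name or family
    neutralized: bool  # the log says the object was removed
    note: str          # what still needs doing, if anything


def triage_asw(text):
    """One Finding per aswBoot.txt detection, judged by the *last* action run on it."""
    out = []
    for line in text.splitlines():
        m = ASW_LINE.match(line.strip())
        if not m:
            continue
        raw = m["actions"] or ""
        actions = [a.strip() for a in raw.split(", ") if a.strip()]
        errors = sorted(set(re.findall(r"Error (0x[0-9A-Fa-f]+|\d+)", raw)))
        ok = bool(actions) and actions[-1] in ASW_FINAL_OK
        notes = []
        if not actions:
            notes.append("no action recorded (scan aborted or detection ignored)")
        elif not ok:
            notes.append("every action failed" + (": " + ", ".join(errors) if errors else ""))
        if RESTORE_DIR in m["path"]:
            notes.append("inside a System Restore point; purge old restore points")
        if UAC_COMPONENT.search(m["path"]):
            notes.append("UAC*-named component; confirm with a rootkit scan after reboot")
        out.append(Finding("avast", m["path"], m["threat"], ok, "; ".join(notes)))
    return out


def triage_mbam(text):
    """One Finding per MBAM item; 'No action taken' means the scan only reported."""
    out = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        ok = m["outcome"].startswith(MBAM_OK)
        notes = [] if ok else ["re-run MBAM and choose Remove"]
        if UAC_COMPONENT.search(m["item"]):
            notes.append("UAC*-named component; confirm with a rootkit scan after reboot")
        out.append(Finding("mbam", m["item"], m["family"], ok, "; ".join(notes)))
    return out


def still_open(findings):
    """Everything a helper would still follow up on: not confirmed removed."""
    return [f for f in findings if not f.neutralized]


# Constructed excerpts modelled on the lines posted above (not the real logs).
ASW_SAMPLE = r"""
File C:\Program Files\PersonalAV\PAV.exe is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc10.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154781.sys is infected by Win32:Alureon-CV [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\WINDOWS\system32\UACpappanybig.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp]
Scanning aborted
"""
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
C:\WINDOWS\system32\UACwdbxmplvpe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for f in still_open(triage_asw(ASW_SAMPLE) + triage_mbam(MBAM_SAMPLE)):
        print(f"[{f.tool}] {f.threat}: {f.item}\n    -> {f.note}")
```

Run it against a real aswBoot.txt by passing the file contents to triage_asw(); the restore-point and UAC* notes are the two follow-ups the thread itself arrives at (purge System Restore, then confirm with a rootkit scanner), and the error codes are collected so a helper can see at a glance whether a file was merely not repairable (42060) or could not be found or read at all (0xC0000034, 0xC000009C).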

micky77

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #21 on: September 03, 2009, 10:47:44 PM »
OK fast eddie, wish you had been faster, off to bed now ;D. Anyhow, first, with MBAM you took no action. Run again, and this time have MBAM fix the threats. REBOOT.

It's possible Avast has removed the Alureon rootkit. Just to be sure, download RootRepeal, unzip, and open it. Click REPORT at the bottom, then SCAN, then tick all boxes, OK, then tick the C drive, OK; when the scan's done, save the report. Copy/paste the log. http://rootrepeal.googlepages.com/


http://www.malwarebytes.org/forums/index.php?showtopic=12709
« Last Edit: September 03, 2009, 10:49:27 PM by micky77 »

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #22 on: September 03, 2009, 10:55:31 PM »
I don't see any option to FIX, only remove or ignore. I left the scan page open so the previous scan is still active; should I remove or ignore? No FIX option available...

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan.win32.agent.azsy
« Reply #23 on: September 03, 2009, 11:02:41 PM »
I don't see any option to FIX, only remove or ignore. I left the scan page open so the previous scan is still active; should I remove or ignore? No FIX option available...

Remove.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

fast eddie

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #24 on: September 03, 2009, 11:16:07 PM »
Done and done...here's the log...

Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 2

9/3/2009 2:10:23 PM
mbam-log-2009-09-03 (14-10-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 216329
Time elapsed: 49 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msxmlm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\family\Local Settings\Temp\drv4865240.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwdbxmplvpe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Not sure what to do in response to micky's 6:22 post...

I hope this does the trick...you guys are a big help...thx, Ed

Offline FreewheelinFrank

Re: Trojan.win32.agent.azsy
« Reply #25 on: September 03, 2009, 11:29:01 PM »

Not sure what to do in response to micky's 6:22 post...

I hope this does the trick...you guys are a big help...thx, Ed


To clean System Restore:

Create a clean restore point, then delete all previous infected restore points.

YoKenny

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #26 on: September 04, 2009, 12:19:23 AM »
I see you are still running Windows Service Pack 2, so you should install Windows Service Pack 3, which has been available for over a year and contains several critical security updates plus performance improvements.

You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended), or at least "Notify me but don't automatically download or install them".

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

micky77

  • Guest
Re: Trojan.win32.agent.azsy
« Reply #27 on: September 04, 2009, 07:03:30 AM »
Not sure what to do in response to micky's 6:22 post...

Basically, the files beginning with UAC (uacinit.dll, UACwdbxmplvpe.dat) are protected by the rootkit, which also begins with UAC but ends in .sys.
Now Avast has already, in all probability, removed the rootkit:
C:\System Volume Information\_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154781.sys is infected by Win32:Alureon-CV [Rtk]

If not, these files will keep returning. RootRepeal will show this, so see this post and run RootRepeal: http://forum.avast.com/index.php?topic=47639.msg402995#msg402995
Another option would be to reboot and re-run MBAM; if it comes up clean, I would assume the rootkit has already gone.