Author Topic: Agent-DZ  (Read 6318 times)


jskytx

  • Guest
Agent-DZ
« on: June 19, 2011, 08:57:52 PM »
A couple days ago Avast kept giving me a warning about apphelp32.exe being blocked.  I also noticed that when I would google something I was being redirected to various sites.  I did a boot scan with avast and it found 5 files in the sun\java files that were moved to the chest and it said it found an AGENT-DZ.  I ran a spyware program and it found a couple things that it removed.  I have no idea what to do at this point.  Please help!

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: Agent-DZ
« Reply #1 on: June 19, 2011, 09:08:00 PM »
Run a quick scan with this:

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the "Remove Selected" button to quarantine anything found.

Post the scan log here.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Agent-DZ
« Reply #2 on: June 19, 2011, 09:12:18 PM »
Maybe run two scans: avast and Malwarebytes (MBAM), as Pondus said.
The best things in life are free.

jskytx

  • Guest
Re: Agent-DZ
« Reply #3 on: June 19, 2011, 09:41:41 PM »
It found 5 files and I removed all of them.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6897

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/19/2011 2:37:09 PM
mbam-log-2011-06-19 (14-37-09).txt

Scan type: Quick scan
Objects scanned: 164254
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\0200000045c47f671270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: Agent-DZ
« Reply #4 on: June 19, 2011, 10:06:44 PM »
Not much... did you also run a quick scan with avast? Anything detected?

Any avast warnings? Is the redirect problem gone?

jskytx

  • Guest
Re: Agent-DZ
« Reply #5 on: June 19, 2011, 10:25:23 PM »
I ran the avast quick scan after the Malwarebytes one and nothing was found. I am still getting redirected after the files were removed by Malwarebytes. No warnings or anything from avast at this point.

It does show there were 22 infected files with the boot-time scan and all of those were moved to the chest. It appears that all 22 infected files from the boot-time scan were in C:\Users\Home\AppData\LocalLow\Sun\Java\Deployment\cache

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: Agent-DZ
« Reply #6 on: June 19, 2011, 10:32:54 PM »
OK, one more try; this removes some redirects:

Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363


jskytx

  • Guest
Re: Agent-DZ
« Reply #7 on: June 19, 2011, 10:47:33 PM »
I tried that and it found nothing and I'm still being redirected. I can go directly to a site if I type in the address, but using any search engine I'm directed to various places. I have no clue how this happened!

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: Agent-DZ
« Reply #8 on: June 19, 2011, 10:49:58 PM »
OK, then Essexboy is next... I will send him a PM.

jskytx

  • Guest
Re: Agent-DZ
« Reply #9 on: June 19, 2011, 10:54:08 PM »
Thanks so much for your help!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Agent-DZ
« Reply #10 on: June 19, 2011, 11:02:59 PM »
Would the redirect sites be scour by any chance?

jskytx

  • Guest
Re: Agent-DZ
« Reply #11 on: June 19, 2011, 11:24:35 PM »
I'm not 100% sure if any of them are scour sites, but it seems that all the sites I'm taken to are shopping/survey sites.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Agent-DZ
« Reply #12 on: June 19, 2011, 11:53:35 PM »
OK, let's have a look-see.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.
Please attach the log in your next post.

jskytx

  • Guest
Re: Agent-DZ
« Reply #13 on: June 20, 2011, 04:16:01 AM »
I ran the OTS scan and attached the log.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Agent-DZ
« Reply #14 on: June 20, 2011, 07:38:40 PM »
On completion of this run, let me know if the alerts are gone.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {013F3497-11DC-4DCF-B18F-E0948D14CBB0} [HKLM] -> C:\Windows\System32\audiodev32.dll [Reg Error: Value error.]
YY -> {7E0A8207-782A-8A4B-D64C-8BDDE63B9D4A} [HKLM] -> C:\ProgramData\audiodev32.dll [d0b49f17]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\ProgramData\audiodev32.dll -> C:\ProgramData\audiodev32.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Created Within 30 Days]
NY ->  HotStartUserAgent32.exe -> C:\ProgramData\HotStartUserAgent32.exe
NY ->  audiodev32.dll -> C:\ProgramData\audiodev32.dll
NY ->  audiodev32.dll -> C:\Windows\System32\audiodev32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  audiodev32.dll -> C:\ProgramData\audiodev32.dll
NY ->  1516886069 -> C:\Windows\System32\1516886069
NY ->  audiodev32.dll -> C:\Windows\System32\audiodev32.dll
NY ->  HotStartUserAgent32.exe -> C:\ProgramData\HotStartUserAgent32.exe
[Files - No Company Name]
NY ->  1516886069 -> C:\Windows\System32\1516886069
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
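As an added defender-side check (not code from this thread, from OTS, or from Avast), the PowerShell script below enumerates the two persistence locations the fix above cleans, the Browser Helper Objects key and AppInit_DLLs, and flags any loaded DLL that is missing, unsigned, or sits in ProgramData, which is where audiodev32.dll was placed here. Run it from an elevated prompt; the Wow6432Node paths are assumed for 64-bit systems and are skipped where they do not exist.

```powershell
# Added audit script (not from this thread or from OTS): lists Browser Helper
# Objects and AppInit_DLLs entries, the two persistence locations the OTS fix
# above removes, and flags DLLs that are missing, unsigned or live in ProgramData.
$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Test-SuspiciousDll {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('file missing (dangling entry)') }
    $reasons = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    if ($Path -like "$env:ProgramData\*") { $reasons += 'loads from ProgramData' }
    if ([IO.Path]::GetFileName($Path) -match '^[0-9a-f]{8,}') { $reasons += 'hex/numeric file name' }
    return $reasons
}

foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($clsidKey in Get-ChildItem $root) {
        $clsid = $clsidKey.PSChildName
        # The DLL a BHO loads is the default value of its CLSID's InprocServer32 key.
        $inproc = $null
        foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
            $p = Join-Path $hive "$clsid\InprocServer32"
            if (Test-Path $p) { $inproc = (Get-ItemProperty $p).'(default)'; break }
        }
        $dll = if ($inproc) { [Environment]::ExpandEnvironmentVariables($inproc) } else { '' }
        $flags = if ($dll) { Test-SuspiciousDll $dll } else { @('no InprocServer32 registered') }
        [pscustomobject]@{ Type = 'BHO'; Entry = $clsid; Dll = $dll; Flags = ($flags -join '; ') }
    }
}

foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    # Entries are space- or comma-separated; an empty AppInit_DLLs value is the clean state.
    foreach ($entry in ($props.AppInit_DLLs -split '[ ,]' | Where-Object { $_ })) {
        $dll = [Environment]::ExpandEnvironmentVariables($entry)
        $flags = @("LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)") + (Test-SuspiciousDll $dll)
        [pscustomobject]@{ Type = 'AppInit'; Entry = $key; Dll = $dll; Flags = ($flags -join '; ') }
    }
}
```

A clean machine prints a handful of signed, vendor-installed BHOs and no AppInit entries; anything flagged as missing, unsigned, or loading from ProgramData is what a fix like the one above would target.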