Agent-DZ

A couple of days ago Avast kept giving me a warning about apphelp32.exe being blocked. I also noticed that when I would Google something I was being redirected to various sites. I did a boot scan with Avast and it found 5 files in the Sun\Java files that were moved to the chest, and it said it found an AGENT-DZ. I ran a spyware program and it found a couple of things that it removed. I have no idea what to do at this point. Please help!

Run a quick scan with this:

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the Remove Selected button to quarantine anything found.

Post the scan log here.

Maybe run two scans: Avast and Malwarebytes (MBAM), as Pondus said.

It found 5 files and I removed all of them.

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6897

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/19/2011 2:37:09 PM
mbam-log-2011-06-19 (14-37-09).txt

Scan type: Quick scan
Objects scanned: 164254
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\0200000045c47f671270c.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270o.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270p.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\0200000045c47f671270s.manifest (Malware.Trace) → Quarantined and deleted successfully.

Not much… did you also run a quick scan with Avast? Anything detected?

Any Avast warnings? Is the redirect problem gone?

I ran the Avast quick scan after the Malwarebytes one and nothing was found. I am still getting redirected after the files were removed by Malwarebytes. No warnings or anything from Avast at this point.

It does show there were 22 infected files with the boot-time scan, and all of those were moved to the chest. It appears that all 22 infected files from the boot-time scan were from C:\Users\Home\AppData\LocalLow\Sun\Java\Deployment\cache

OK, one more try; this removes some redirects:

Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363

I tried that and it found nothing, and I’m still being redirected. I can go directly to a site if I type in the address, but using any search engine I’m directed to various places. I have no clue how this happened!

OK, then Essexboy is next… I will send him a PM.

Thanks so much for your help!

Would the redirect sites be Scour by any chance?

I’m not 100% sure if any of them are Scour sites, but it seems that all the sites I’m taken to are shopping/survey sites.

OK, let’s have a look-see.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in


%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

I ran the OTS scan and attached the log.

On completion of this run, let me know if the alerts are gone.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {013F3497-11DC-4DCF-B18F-E0948D14CBB0} [HKLM] -> C:\Windows\System32\audiodev32.dll [Reg Error: Value error.]
YY -> {7E0A8207-782A-8A4B-D64C-8BDDE63B9D4A} [HKLM] -> C:\ProgramData\audiodev32.dll [d0b49f17]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\ProgramData\audiodev32.dll -> C:\ProgramData\audiodev32.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Created Within 30 Days]
NY ->  HotStartUserAgent32.exe -> C:\ProgramData\HotStartUserAgent32.exe
NY ->  audiodev32.dll -> C:\ProgramData\audiodev32.dll
NY ->  audiodev32.dll -> C:\Windows\System32\audiodev32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  audiodev32.dll -> C:\ProgramData\audiodev32.dll
NY ->  1516886069 -> C:\Windows\System32\1516886069
NY ->  audiodev32.dll -> C:\Windows\System32\audiodev32.dll
NY ->  HotStartUserAgent32.exe -> C:\ProgramData\HotStartUserAgent32.exe
[Files - No Company Name]
NY ->  1516886069 -> C:\Windows\System32\1516886069
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
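The fix above removes two persistence points: Browser Helper Object (BHO) registrations, which make Internet Explorer load a DLL at start-up, and the AppInit_DLLs value, which makes every process that loads user32.dll load the listed DLL. The following read-only audit of those two locations is an added example for readers of this thread; it is not part of the thread and is not OTS or any other tool named here. It assumes an elevated PowerShell prompt, and its list of directories treated as unusual homes for such DLLs (ProgramData, Temp, AppData) is an assumption chosen because the thread's audiodev32.dll was dropped in C:\ProgramData. It reports; it deletes nothing.

```powershell
# Added example (not from the thread, not OTS): read-only audit of the two
# persistence points the fix above removed, Browser Helper Objects and
# AppInit_DLLs. It lists the DLL each entry loads and flags entries that are
# missing, unsigned, or sitting in an unusual directory. Nothing is deleted.
# Run from an elevated PowerShell prompt on the machine being inspected.

# Assumption for this audit: a legitimate BHO/AppInit DLL rarely lives here
# (the thread's audiodev32.dll was dropped in C:\ProgramData).
$SuspectDirs = @($env:ProgramData, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectLocation {
    param([string]$Path)
    foreach ($dir in $SuspectDirs) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-DllTrust {
    # Describe what is known about the file: present, Authenticode-signed, company name
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'MISSING' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    $company = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
    if ([string]::IsNullOrWhiteSpace($company)) { return 'unsigned, no company name' }
    return "unsigned, company '$company'"
}

function New-Finding {
    param([string]$Source, [string]$RawPath)
    # Registry values may be quoted or use %SystemRoot%-style variables
    $full  = [Environment]::ExpandEnvironmentVariables($RawPath.Trim().Trim('"'))
    $trust = Get-DllTrust $full
    [pscustomobject]@{
        Source  = $Source
        Path    = $full
        Trust   = $trust
        Suspect = ($trust -notlike 'signed*') -or (Test-SuspectLocation $full)
    }
}

function Get-BhoFindings {
    # Native and WOW6432Node registrations, the two views OTS covers with "64 bit" checked
    $bhoKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            # The CLSID's InprocServer32 default value names the DLL Internet Explorer loads
            $server = @("HKLM:\Software\Classes\CLSID\$clsid\InprocServer32",
                        "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid\InprocServer32") |
                Where-Object { Test-Path -Path $_ } | Select-Object -First 1
            if (-not $server) { Write-Warning "BHO $clsid has no InprocServer32 key"; continue }
            $dll = (Get-ItemProperty -Path $server).'(default)'
            New-Finding -Source "BHO $clsid" -RawPath ([string]$dll)
        }
    }
}

function Get-AppInitFindings {
    $winKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($key in $winKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $list  = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($list)) { continue }
        # Vista and later only honour the list when LoadAppInit_DLLs is 1; report it alongside
        $enabled = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a' }
        foreach ($entry in ($list -split '[ ,;]+' | Where-Object { $_ })) {
            New-Finding -Source "AppInit_DLLs (LoadAppInit_DLLs=$enabled)" -RawPath $entry
        }
    }
}

$findings = @(Get-BhoFindings) + @(Get-AppInitFindings)
if ($findings.Count -eq 0) { 'No BHO or AppInit_DLLs entries registered.' }
else { $findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap }
```

Rows with Suspect set to True are the ones to look at first: a DLL that is unsigned, has no company name (the same heuristic OTS uses in its "Files - No Company Name" section) or sits under ProgramData or a temp folder is exactly the pattern the fix above matched with audiodev32.dll. A row whose Path reads MISSING but whose registry entry is still present is a leftover registration that a cleanup did not finish, which is also worth noting.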

It appears that the problem is now gone! Thanks so much for your help. Now that it is fixed can you tell me what the problem was?

Here is the log from the fix:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{013F3497-11DC-4DCF-B18F-E0948D14CBB0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{013F3497-11DC-4DCF-B18F-E0948D14CBB0}\ deleted successfully.
C:\Windows\System32\audiodev32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E0A8207-782A-8A4B-D64C-8BDDE63B9D4A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E0A8207-782A-8A4B-D64C-8BDDE63B9D4A}\ deleted successfully.
C:\ProgramData\audiodev32.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls:C:\ProgramData\audiodev32.dll deleted successfully.
File C:\ProgramData\audiodev32.dll not found.
[Files/Folders - Created Within 30 Days]
C:\ProgramData\HotStartUserAgent32.exe moved successfully.
File C:\ProgramData\audiodev32.dll not found!
File C:\Windows\System32\audiodev32.dll not found!
[Files/Folders - Modified Within 30 Days]
File C:\ProgramData\audiodev32.dll not found!
C:\Windows\System32\1516886069 moved successfully.
File C:\Windows\System32\audiodev32.dll not found!
File C:\ProgramData\HotStartUserAgent32.exe not found!
[Files - No Company Name]
File C:\Windows\System32\1516886069 not found!
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 55193 bytes
->Temporary Internet Files folder emptied: 3659106 bytes
->Java cache emptied: 587813 bytes
->Flash cache emptied: 456 bytes

User: Home
->Temp folder emptied: 33109751 bytes
->Temporary Internet Files folder emptied: 216299662 bytes
->Java cache emptied: 170701594 bytes
->Flash cache emptied: 1227018 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 675840 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 137261514 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33172 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 709740608 bytes

Total Files Cleaned = 1,214.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Guest
->Flash cache emptied: 0 bytes

User: Home
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06202011_125145

Files\Folders moved on Reboot…
C:\Users\Home\AppData\Local\Temp\Low~DFBDDF.tmp moved successfully.
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOE94RC0\main[1].js moved successfully.
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MIIISERS\print[1].css moved successfully.
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2AP18ELD\indexCAN2VR24.htm moved successfully.
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot…

It goes by various names; Trojan Krypt Gen / Tracur is the more common: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FTracur.A

Let it run for a day or so, and if no further problems appear I will remove my tools.

Could you go to the following file, add it to the virus chest and then upload it to the virus lab, please:

C:\_OTS\moved files\C:\Windows\System32\audiodev32.dll

Thanks for the help essexboy. It seems that whatever fix you gave me worked and I haven’t had any problems since! I uploaded the file you mentioned to the virus lab last week.

Thankee - now to remove my rubbish ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… the following will implement some cleanup procedures as well as reset System Restore points:

Run OTS and hit the Cleanup button. It will remove all the programmes we have used, plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

To manually create a new Restore Point:

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection, and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name, i.e. Clean
[*]Select Create

Now we can purge the infected ones:

[*]Go Start > All Programs > Accessories > System Tools
[*]Right-click Disk Cleanup and select Run as administrator
[*]Select your main drive, and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups section select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run it weekly to keep your system clean.

Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date, visit:
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe :wave: