Trojan.win32.agent.azsy

This virus seems to have been missed by Avast, and is not showing in the virus search.

The virus pretends to have detected itself, and then asks for money to remove it.

I found this on http://windowsprotection.net/how-to-remove-trojanwin32agentazsy-trojanwin32agentazsy-removal-guide/

Anyone know if this website is genuine?

“Trojan.win32.agent.azsy is a hazardous computer infection that enhances the malicious activity of its sponsoring rogue spyware remover called Personal Antivirus. Trojan.win32.agent.azsy penetrates into computers obscurely through security gateways and other system vulnerabilities. Trojan.win32.agent.azsy may remain unattended and undetected until it’s detected by a reliable professional antivirus tool. When running inside the compromised computer, Trojan.win32.agent.azsy issues fake alerts that pop up to tell the users he/she has multiple security issues that need to be handled by Personal Antivirus, i.e. it encourages people to purchase and install the licensed version of Personal Antivirus, which is a rogue anti-spyware. In addition to the above, Trojan.win32.agent.azsy makes the infected computer exposed to outer threats by opening up illicit connections that facilitate remote access to the compromised computer and may enable further manipulation from the outside. Both Trojan.win32.agent.azsy and the related rogue anti-spyware Personal Antivirus are unwanted PC applications and must be eradicated once detected. If not removed, these malwares may lead to computer freezes and crashes, privacy violations and may also deteriorate the internet connection quality.”

There is little point in searching the virus database as there is no standard naming convention for virus/malware naming and win32:agent could be absolutely anything.

So unless you have a sample to scan or upload, it is impossible to say if avast detects it. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject (if avast isn’t detecting it).

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

The name windowsprotection.net fills me with awe NOT, I would only deal with known anti-malware sites. Whilst it appears to be genuine there is no way I would consider downloading an unknown scanner from a relatively unknown site. However it seems that it is trying to get you to download spyware doctor at a little over 22MB. To resolve what may be the usual rogue security 2009 variant.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Both of these combined are much smaller than the suggested download at windowsprotection.net.

David - many thanks for your quick response. In the meantime I had discovered that Spyware Doctor scans but doesn’t repair unless you pay. (Sounds suspiciously like the original problem, so I won’t try that.)

I installed Spybot, which detected multiple copies of a couple of trojans, and is now taking ages to re-scan after a reboot as it couldn’t remove files that were in use.

When that finishes, I’ll try your suggestions of Malwarebytes and SUPERantispyware.

The avast “Information about known viruses” database did show Win32:Agent-AZS[Trj] but it does seem unlikely that a virus would display a warning containing its own name. I guess that it just uses a random list of virus names to give credibility to its claim that its program needs to be installed. It certainly fooled my friend, who doesn’t often use a computer and just assumed that it was something that he was supposed to agree to.

There are some programs that even though legit use this to make you buy and I think that that is bordering on blackmail/rogueware and should be made perfectly clear before you even download it.

If they explained before download, that you need to upgrade in order to clean the computer, then that would be fair enough, but no way would I enter my credit card number onto a computer before the cleaning had been completed!

Hi Navvy,

There is a name for this: this is called SCAREware. It is not rogue because the scanner functions and does not add to your misery to extra scare, but you have to draw your paybook to have your computer cleansed.
The least you can say is that it is a form of aggressiveness I do not like with software. Where are the days you had a tool for free if you dropped the developer a postcard, this was postcardware.
The avast formula is a community friendly formula: they run a free scanner for personal use, a similar formula like ZA free, that do the same with their free firewall.

polonus

Spybot removed the virus, but it reinstalled itself during the startup. (The DOS screens flashing up during installation seemed to match the description of the virus named in the subject line. It was referring to dll files in Windows\system32)

Malwarebytes was a lot faster scanning, and seems to have cleared the problem.

I’ve unplugged the internet connection, and Avast is doing a scan (probably the first scan since it was installed…)

If you can post the logs it helps us to get an idea of what was found and offer additional advice, that’s why we ask for the log file.

Avast failed to report any problem, so I presume there would be no relevant log.

I don’t know what file originally caused the problem, but I assume it will have been one of the hundreds deleted by either Malwarebytes or Spybot. Unfortunately I didn’t take a copy of logs from these programs - too late in the evening to worry about anything other than getting the computer working again.

The logs I asked for were from the MBAM and SAS scans.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

And that is why the logs are so helpful to us to help you. Both programs retain the logs: open MBAM again and the logs are under the Logs tab, and in SAS under the Control Center (Preferences), Statistics/Logs tab.

1st post here, hope you guys can help…got the ol’ “Personal Anti-Virus” thing on my computer, not terribly savvy on this stuff, but are you saying that if I download the items you mentioned, it’ll wipe out this nasty bugger??? Or am I gonna have to pay or reload SW??? Not sure why the forum is suggesting I start a new topic, if this gets no response, guess I’ll do just that…

It is suggesting you start a new topic because of the fact this one is almost 3 months old, so some of the information in it could be dated.

However, it is still relevant.

Work through my first reply a step at a time, don’t look at it as one massive task but one of different steps, complete one step, report, get advice and move on to the next step. Use the two programs suggested (both free) one at a time and post the contents of the report/log file in the next post.

No one can say for sure if this will catch and kill it, that is why we ask you to take it in stages and post the results so we can advise what needs to be done next.

Avast just ran a scan, found and deleted many infected files, but there were a couple that it couldn’t repair, move to chest, I’d done this before, but hadn’t run the full scan…so I ignored and it went on to scan 100%…the icon that was showing for the “personal antivirus” in the tray in the r/h corner is now gone!!! Am I home free, or just dreamin’??? If this problem reoccurs, I’ll start doing as you suggest…thx

as i was typing this, 2 more suspect files were detected by avast, prolly those same 2 that I couldn’t do anything with before…suggestion???

Why couldn’t the file/s be moved to the chest, file in use, etc. ?
If you have XP, vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php. Don’t opt for deletion (you have no options left), always send to the chest and investigate.

What is the malware name, infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Having ignored it, the file is still in place, but avast wouldn’t/shouldn’t let it run, so you need to take further action, like the boot-time scan mentioned above.

As you can see we need information to be able to help when it relates to infected files.

Have you run the MalwareBytes AntiMalware yet ?
If not do so after a boot-time scan and report its findings.

I’ve done the boot time scan 2 or 3 times…each time it has stopped at about 40% or so and given me a couple infected files to deal with (can’t recall their names but will get that info next time) but none of the options could do anything at least the ones I tried which were move to chest, repair, and delete (I know now not to do that one). At that point I selected ignore and it went on to finish the scanning (only on the 3rd scan did I complete the scan) and it found the multiple infected files that it deleted (I’m guessing, I think that’s what it said). At that point I noticed the Personal Antivirus icon gone from the lower r/h tray (what do you call that tray???)…I’ll get back to it soon and start on your suggestions…thx, Ed

You don’t have to keep repeating the boot-time scan if nothing was found first time round it is unlikely to find other things if nothing has changed on your system.

Ignoring is not the thing to do as I have said it achieves nothing when an infected file is found select the Send to chest option. The boot-time scan should be able to take action as there really shouldn’t be anything to stop it since windows isn’t running. If dealt with then the boot-time scan should complete and windows should boot normally (is that happening) ?

Check this file C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt this records the information on the boot-time scan and it should contain the details on any detections and post that information.

We ask questions to get a better understanding about the problem, if you don’t answer them we are working blind and that doesn’t help either of us. So please answer the question in my previous post about previous detections.

The lower r/h tray is called various things depending on your OS (MS keeps changing it), I refer to it as the system tray as that is what it was first called in early versions of windows. It is also known as the Notification area/tray.

Move on to MalwareBytes AntiMalware (MBAM) but don’t forget to post the answers to previous questions.

Any help would be appreciated-I have this same virus. I followed the suggestions given in the beginning of this discussion. When I downloaded the malware-the icon showed up on my desk top and I right clicked and clicked on start scan-nothing happens. The hourglass comes up for a few seconds and then goes away and nothing. It seemed to load properly. HELP. Susan

Please start a New Topic of your own as this will just confuse the topic with advice for multiple people and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Either that or start from the first post in the topic and try to work your way through it, if you can’t do that and need assistance then we would need the questions already asked answered and this is when it gets confusing for those being helped along with those helping and any trying to follow the topic.

So for those reasons it really is best to have your own topic.

Here’s the boot scan report…
07/22/2009 13:09
Scan of all local drives

File C:\95276492.exe is infected by Win32:Tiny-ES [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\6MFD53HR\2_z[1].htm is infected by HTML:IEslice-D [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\6MFD53HR\3_z[1].htm is infected by JS:Agent-ES [Trj], Deleted
File C:\Documents and Settings\katy\Local Settings\Temporary Internet Files\Content.IE5\HW95JX93\l[1].htm is infected by VBS:Encrypted-gen, Deleted
File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP601\A0127284.exe is infected by Win32:Tiny-ES [Trj], Deleted
File C:\WINDOWS\cpbrkpie.ocx is infected by Win32:Adware-AI [Trj], Deleted
File C:\WINDOWS\Temp\ja.exe[UPX] is infected by Win32:Obfuscated-DH [Trj], Deleted
Number of searched folders: 5878
Number of tested files: 236792
Number of infected files: 7


08/31/2009 23:20
Scan of all local drives

File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp]
Scanning aborted

Number of searched folders: 1188
Number of tested files: 4515
Number of infected files: 1


09/02/2009 00:34
Scan of all local drives

File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}
Scanning aborted

Number of searched folders: 1190
Number of tested files: 4408
Number of infected files: 1


09/02/2009 12:44
Scan of all local drives

File C:\Program Files\PersonalAV\PAV.exe is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc10.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc11.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc12.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc13.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc6.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc7.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc9.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP601\A0127285.ocx is infected by Win32:Adware-AI [Trj], Deleted
Number of searched folders: 6558
Number of tested files: 121617
Number of infected files: 9


09/03/2009 01:20
Scan of all local drives

File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154781.sys is infected by Win32:Alureon-CV [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154783.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154784.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\WINDOWS\system32\UACpappanybig.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
Number of searched folders: 6559
Number of tested files: 121783
Number of infected files: 4

Those that I said I couldn’t move to chest I first tried repair, so did that cause the inability to move to chest??? That’s why I went on to ignore so that the scan could continue…should I do one more scan and catch those that I missed???

Some of those infections are in system restore points, to remove them you need to disable/re-enable system restore. Please run a quick scan with Malwarebytes. Also I see UACpappanybig.dll this may be protected by a rootkit but not definitely. Post the MBAM log
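
Added example, not part of the original thread and not avast's own tooling: a small Python triage script for boot-time scan reports in the layout posted above (aswBoot.txt). It lists detections that were neither deleted nor moved to the chest and marks those sitting in System Restore points. The action keywords and sample lines are copied from the report in this thread; the function names are hypothetical.

```python
import re

# Sample lines copied from the boot-time scan report posted in this thread.
SAMPLE = r"""09/03/2009 01:20
Scan of all local drives

File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154781.sys is infected by Win32:Alureon-CV [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information_restore{8C1815BE-BDC6-45FA-B6EE-367DF9495606}\RP647\A0154783.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\system32\UACpappanybig.dll is infected by Win32:Fasec [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\RECYCLER\S-1-5-21-1417001333-583907252-839522115-1003\Dc10.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Documents and Settings\family\Local Settings\Temp\7ZipSfx.000\NetFilter.exe is infected by Win32:MalOb-C [Cryp]
"""

# "File <path> is infected by <name>[, <action>, <action>...]"
LINE = re.compile(r"^File (?P<path>.+?) is infected by (?P<rest>.+)$")
# Split only at commas that introduce an action, so names and error text stay whole.
ACTION_SPLIT = re.compile(
    r", (?=(?:Repair|Move to chest|Delete|Deleted|Moved to chest)\b)")
# Actions that mean the file is no longer live at its original location.
SUCCESS = {"Deleted", "Moved to chest"}


def parse_report(text):
    """Return one dict per detection line in a boot-time scan report."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # date stamps, headings, counters, "Scanning aborted"
        name, *actions = ACTION_SPLIT.split(m.group("rest"))
        path = m.group("path")
        findings.append({
            "path": path,
            "malware": name,
            "resolved": any(a in SUCCESS for a in actions),
            "errors": sorted({c for a in actions
                              for c in re.findall(r"Error (\S+)", a)}),
            # Restore-point copies are cleared by disabling/re-enabling System Restore.
            "restore_point": "system volume information" in path.lower(),
        })
    return findings


def unresolved(findings):
    """Detections where no action succeeded: these still need attention."""
    return [f for f in findings if not f["resolved"]]


if __name__ == "__main__":
    for f in unresolved(parse_report(SAMPLE)):
        where = "restore point" if f["restore_point"] else "live file"
        print(f'{f["malware"]:<24} {where:<14} {f["path"]} {f["errors"]}')
```

To use it on a real report, read the contents of C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt and pass the text to `parse_report`.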