Trojan.WIN.32.Agent.azsy VIRUS- need help to remove asap!

Created: 30 Jun 2009 | 8 comments

Trojan.WIN.32.Agent.azsy VIRUS- need help to remove asap please...

Hello,
I am new to this forum... thank you for your patience.

I have the above virus... any idea how to get rid of it?

Thanks again,
Al,
acadianstar@hotmail.com


Mohammad Altaf Khan

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following system registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd1>" = "<rnd2>"
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following files:
    %Documents and Settings%\<user_name>\Application Data\svchosts.exe
    %Documents and Settings%\<user_name>\Application Data\taskmon.exe
    %Documents and Settings%\<user_name>\Application Data\rundll.exe
    %Documents and Settings%\<user_name>\Application Data\service.exe
    %Documents and Settings%\<user_name>\Application Data\sound.exe
    %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
    %Documents and Settings%\<user_name>\Application Data\lsas.exe
    %Documents and Settings%\<user_name>\Application Data\logon.exe
    %Documents and Settings%\<user_name>\Application Data\helper.exe
    %Documents and Settings%\<user_name>\Application Data\event.exe
    %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
    %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
  5. Delete all files from %Temporary Internet Files%.
  6. Update your antivirus databases and perform a full scan of the computer.

Mohammad Altaf Khan

This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++.

Installation
Once launched, the Trojan copies its body to the current user’s Windows startup directory:

%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe

Payload

Once the victim machine has been rebooted, the Trojan extracts a file from itself. The file will have one of the names shown below:

%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe
This file is 404992 bytes in size. It will be detected by Anti-Virus as Trojan-Downloader.Win32.Agent.aoth.

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan places a link to the file it extracted from its body in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"

<rnd1> is a name chosen from the list below:
CrashDump
EventLog
Init
lsass
Regscan
RunDll
Setup
Sound
svchosts
System
TaskMon
UPNP
Windows

<rnd2> is the path to the file extracted from the Trojan shown in the list above.

Once the Trojan has delivered its payload, it will delete both its body and its copy "%Documents and Settings%\\Main Menu\Programs\Startup\uninstall.exe".

This Trojan will not run on Russian versions of Windows.
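A defender-side audit of the persistence points described in the post above, added here as an example and not part of the thread. It is PowerShell for the current user's profile and hive; the value names, file names and Startup copy come from the post, the Startup path is resolved through the special folder (the post's "Main Menu" is the localized Start Menu), and the script only reports, it deletes nothing.

```powershell
# Added example, not from the thread: audit the Run key, Application Data and Startup
# locations the post describes. Assumes the current user's hive and profile folders.
$valueNames = 'CrashDump','EventLog','Init','lsass','Regscan','RunDll','Setup',
              'Sound','svchosts','System','TaskMon','UPNP','Windows'
$fileNames  = 'svchosts.exe','taskmon.exe','rundll.exe','service.exe','sound.exe',
              'upnpsvc.exe','lsas.exe','logon.exe','helper.exe','event.exe',
              'dumpreport.exe','msiexeca.exe'
$psNoise    = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # ...\Application Data
$startup = [Environment]::GetFolderPath('Startup')           # ...\Programs\Startup
$findings = @()

# 1. Run-key values: a hit is either a value name from the list (the <rnd1> names)
#    or value data that points at one of the dropped files under Application Data.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }      # provider metadata, not values
        $data = ([string]$p.Value).Trim('"')              # data may be quoted
        $leaf = ($data -split '[\\/]')[-1]                # file name part of the path
        $nameHit = $valueNames -contains $p.Name          # -contains is case-insensitive
        $dataHit = ($fileNames -contains $leaf) -and ($data -like "$appData*")
        if ($nameHit -or $dataHit) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = $p.Name; Detail = $data }
        }
    }
}

# 2. Dropped payload files in the user's Application Data folder.
foreach ($f in $fileNames) {
    $path = Join-Path $appData $f
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "$size bytes" }
    }
}

# 3. Startup copy. The post says it is removed once the payload has run, so its
#    absence does not clear the machine; the Run-key entry is the durable indicator.
$uninst = Join-Path $startup 'uninstall.exe'
if (Test-Path -LiteralPath $uninst) {
    $findings += [pscustomobject]@{ Type = 'Startup'; Item = $uninst; Detail = 'present' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'None of the listed indicators found.' }
```

Run it from a normal (non-elevated) session of the affected user, since the indicators live in HKCU and that user's profile; a file hit is worth submitting to the vendor before it is deleted, as a later reply in this thread also suggests.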

Nitin Salvi

Hi,

The best way to remove the trojan is to run the updated SDAT patch from the command line.

1) Make a scan folder on the C drive, paste sdat5620.exe there and extract it into that folder on the C drive itself.
2) Start your PC in Safe Mode with Command Prompt.
3) Go to the C drive and type the following commands:

C:\>cd scan

C:\scan>scan /adl /all /clean /repair /delete /analyze /program /report scan.txt   and press the Enter key.

The above command will start scanning your hard drive and it will clean and delete the virus.

The path to download the SDAT patch is given below.

http://www.mcafee.com/apps/downloads/security_upda...

Thanks and Regards,

Nitin Salvi

Ajit Jha

I would suggest you run the loadpoint utility and analyse the log, and on the basis of that analysis upload the suspicious file to submit.symantec.com/gold

Regards

Ajit Jha

Technical Consultant

ASC & STS

sbertram

Hi, did you run any free online scanners? One you can run is from Trend Micro called HouseCall; the link is below. See if that cleans up the mess.
Good luck.
http://housecall.trendmicro.com/

MilosCvetkovic

Hello, does anybody know how to delete this virus from the computer?
I don't have anti-virus protection, and I bought Avira anti-virus security, but Windows doesn't want to install this program (Avira anti-virus). My cousin brought me one program for deleting viruses, but it found 20 other viruses and not the TROJAN.ASPX.JS.32, and my computer works so slowly that I can't do much with it.
Does anybody know how to delete this virus? Or do I need some program for deleting it, or is there another way? Thanks again!!!

deepak.vasudevan

Please start up your Symantec program and ensure it says the virus patterns are up to date. Then run either a selective folder scan or a full system scan. That should cure the malady.

If you do not have an AV tool installed, you can follow the removal instructions below:

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following system registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd1>" = "<rnd2>"
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following files:
    %Documents and Settings%\<user_name>\Application Data\svchosts.exe
    %Documents and Settings%\<user_name>\Application Data\taskmon.exe
    %Documents and Settings%\<user_name>\Application Data\rundll.exe
    %Documents and Settings%\<user_name>\Application Data\service.exe
    %Documents and Settings%\<user_name>\Application Data\sound.exe
    %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
    %Documents and Settings%\<user_name>\Application Data\lsas.exe
    %Documents and Settings%\<user_name>\Application Data\logon.exe
    %Documents and Settings%\<user_name>\Application Data\helper.exe
    %Documents and Settings%\<user_name>\Application Data\event.exe
    %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
    %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
  5. Delete all files from %Temporary Internet Files%.
  6. Update your antivirus databases and perform a full scan of the computer.
  7. As soon as possible download an AV and install it.

Source Courtesy: http://www.securelist.com/en/descriptions/6256927/Trojan.Win32.Agent.azsy