Endpoint Protection


Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

Migration User, Jun 27, 2009 03:38 AM

  • 1.  Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 24, 2009 01:00 PM
    No problems detected on the computer; it states it is protected.......

    This is a very nasty Trojan.

    It puts up constant popups to trick the user into installing Personal Antivirus, which has an EXTREMELY similar icon to Symantec's icon in the taskbar.

    It puts up additional messages about other trojans etc... telling you to block them with this Personal Antivirus trying to trick you into buying it etc....

    It is horrible..............

    My question: how and why did this get on a computer running Symantec Endpoint in the first place?

    What should I do?

    I want to prevent my enterprise from getting this on any computer.



  • 2.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 24, 2009 01:46 PM
    You should submit this threat to the Symantec Security Response team for analysis.

    https://submit.symantec.com/websubmit/basic.cgi
    https://submit.symantec.com/websubmit/gold.cgi
    https://submit.symantec.com/websubmit/essential.cgi

    Make sure that it is not spread to other computers on your network.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

    Once the malware is wiped out, it is recommended that you upgrade your Endpoint Protection to the latest version, which is MR4 MP2. Most of the bugs have been addressed in this version and the malware detection is more efficient.

    Migrating to Symantec Endpoint Protection 11.0.4202 (MR4 MP2)

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009051906042048



  • 3.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 24, 2009 02:22 PM
    I have updated my post with 2 attachments.

    (NOTE: Kaspersky added a Description on Mar 12 2009 about this ..... I suggest Symantec follow updates from Kaspersky so they can stay on top of issues better)


    Symantec is unable to detect anything wrong when running a FULL SCAN.

    This computer will have to be re-imaged now because Symantec did not stop this malware/trojan etc... from executing.....

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782828



  • 4.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 24, 2009 02:27 PM
    It can be a new variant of the same threat..
    I have submitted at least 5-6 samples of the same Antivirus360, which was very infamous some time back..
    Symantec might be detecting the other variants by some other name or just by the name Trojan.
    Even if the file names change, all the exes will have the same file name, but the DLL that hooks into IE might change its name and location in every variant.

    antivirus360 and XP antivirus had more than 400 variants.

    So, as you see, submit any suspected file to Symantec Response... as it might be the one which was hiding for a long time and going undetected..

    The main propagation method of these threats is through hacked websites.
    So they put different variants on different websites... you might have got infected from a website which is not popularly used by others.



  • 5.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 24, 2009 03:13 PM
    This is not my computer, I am IT Support.

    I need to get this computer back to the user tomorrow morning.

    Since what I have read says it is hard to remove 100% with no doubt, I will re-image machine to be safe.




  • 6.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 25, 2009 02:14 AM
    Once compromised it cannot be 100% trusted. It might have dropped a bot or anything.


  • 7.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jun 27, 2009 03:38 AM
    www.support1000.com Thanks for sharing this blog.


  • 8.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Jul 07, 2009 11:16 PM
    My husband's computer was invaded by the trojan    Trojan.Win32.Agent.Azsy/Personal Antivirus while he was searching for a truck topper. We didn't activate it by clicking anywhere it was. Unfortunately we've been attempting to send this file to Symantec but the trojan keeps on blocking any attempt we make to do so. We have also tried going to PcPitstop and it also blocks us and "provides" two buttons with a trick (we're sure) to get us to allow it to download into our computer. We are still confused though as to how to remove it. Should we just take my Husband's computer to a professional to remove it or can we do it ourselves? And if so, how?


  • 9.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 01, 2009 02:09 AM
    I stopped the annoying pop ups with this trojan (Trojan.Win32.agent.azsy) by doing the following (although it is not removed from my system and still lingers harmlessly on my system; I will continue to track this bugger)

    Windows XP

    1. CLICK on start and CLICK on RUN.
    2. In the RUN menu there is a box. Type in msconfig and CLICK on the ENTER key or CLICK on the OK button.
    3. A menu "System Configuration Utility" will appear. Along the top of this menu select the STARTUP tab (Note... be very careful in this area), scroll down and look for a Startup Item called "pav", and CLICK in the check box to remove the check (Warning... unless you are very experienced in this area DO NOT uncheck or check any other boxes. Terrible results could and will happen, but there is an option out).
    4. After you remove the check CLICK the OK button and a menu will appear asking to reboot your computer and asking you to Exit and Restart? Yes...Do It Now!
    5. When the system reboots there will be another menu that will come up on startup that lets you (The User) know you have changed the System Configuration. Here you can opt out and select to return everything back or continue with startup.

    The program loads on your C:\ drive under the path "C:\Program Files\PersonalAV\pav.exe". I just deleted the folder along with the executable (pav.exe) from this directory.

    This worked for me, taking out the annoying popups and warnings of infected virus on your system, which are most likely not true. A scare for you to purchase this software. This company has found a path around Symantec's Norton Anti Virus. I am now searching its path to completely remove it from my system. 7-31-2009 


  • 10.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 01, 2009 10:15 AM
    I believe that Personal Antivirus doesn't have malicious content, so our SEP cannot get this kind of software or application. Try to get the MD5 file fingerprint of the said Personal Antivirus and create a policy which blocks this application from running.
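    A fingerprint check of the kind this post suggests, as an added example (not Symantec's code and not a real SEP policy): it computes the MD5 that a fingerprint rule would match on, adds SHA-256 alongside it because MD5 collisions are cheap, and checks files against a blocklist. The file contents and hashes are constructed for the demo; the one-byte "variant" shows why a fingerprint rule has to be refreshed for every new build, which is the point made earlier in the thread about variants.

```python
"""Fingerprint-based application blocking check (added example, not vendor code).

A fingerprint rule matches a file only if its digest is exactly on the list,
so it blocks the submitted build and nothing else.  All files and hashes
below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def fingerprint_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def fingerprint(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed so large files are fine."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def is_blocked(path, blocklist):
    """True if either digest of the file appears in blocklist (a set of hex digests)."""
    md5, sha = fingerprint(path)
    return md5 in blocklist or sha in blocklist


def demo():
    """Block the submitted sample; show a one-byte variant and a benign file pass.

    Returns (rogue_blocked, variant_blocked, clean_blocked).
    """
    # Constructed stand-ins: arbitrary text, not malware.
    rogue_bytes = b"constructed rogue sample standing in for pav.exe\n" * 64
    variant_bytes = rogue_bytes[:-1] + b"!"          # one byte changed
    clean_bytes = b"constructed benign file\n" * 64
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in (("pav.exe", rogue_bytes),
                           ("pav_v2.exe", variant_bytes),
                           ("notepad.exe", clean_bytes)):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths[name] = p
        # An admin would paste the MD5 of the submitted sample into the policy;
        # here the blocklist is built from the constructed sample.
        blocklist = {hashlib.md5(rogue_bytes).hexdigest()}
        return tuple(is_blocked(paths[n], blocklist)
                     for n in ("pav.exe", "pav_v2.exe", "notepad.exe"))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

    The middle result is the caveat: a fingerprint rule is a stop-gap for the exact build you submitted, so pair it with a path-based or publisher-based rule where the product supports one, and refresh the hash list as new samples are submitted.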


  • 11.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 02, 2009 12:43 PM
    I am having the exact same problem with my Symantec Endpoint Protection constantly updated with version and virus definitions and it not protecting my system from being infected from this virus/malware.  I also can't find any information on Symantec's knowledge base on how to deal with it.  Is Symantec working on this issue?  Any solutions on how to remove it automatically for free?


  • 12.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 02, 2009 09:20 PM
    Hi Guys,

    Did all of you follow Mr. Cycletech's advice? Is our virus definition already updated with this kind of virus? I don't have that virus yet, but if I do I will immediately submit it to Security Response. Please cooperate.

    Thanks,


  • 13.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 03, 2009 04:30 PM
    Hello guys,

    I did follow Mr. Cycletech's advice, thanks bro!!!



  • 14.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 07, 2009 10:24 AM
    I've encountered Personal Antivirus on an office computer.  SEP 11 did not detect anything (as everyone else has mentioned).  I tried Malwarebytes Anti-Malware ( http://www.malwarebytes.org/mbam.php ) and it found the threats immediately.  Here is a screenshot of the results:  http://img10.imageshack.us/img10/2064/malwarebytesresults.jpg    I will be submitting the infected files to Symantec shortly.

    This brings up a serious question.  How is it that Symantec--which is the industry leader and which cost us some serious cash--was not able to detect this virus but a free program found it with no problems?  Even the start menu items called "PersonalAV" eluded Symantec.  I understand that there are many variations of the same files, but Symantec is supposed to be at the head of the pack.  A friend of mine encountered the Personal Antivirus problem about a year ago and again Malwarebytes was the only real solution.  I've just lost a great deal of confidence in Symantec.





  • 15.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 07, 2009 10:48 AM
    Greetings,

    Here is some information on how these threats work:

    The initial threat is usually some sort of downloader, such as a Trojan horse or something similar, that gets on the system. Once this is there, it reaches out to a website and downloads the fake antivirus program.

    All antivirus protection currently works on signatures; this means we have to have had a sample of the threat to detect it. We have recently seen that the writers of these types of programs are updating their programs once or twice an hour, meaning on any given day there could be 40-50 new variants. There is a website out there that these writers use to send copies of their programs to test against; the website has all the latest antivirus vendors. They are slightly modifying the code so as to get around the vendors; when they are doing this test they usually only check the major vendors such as Symantec. Once they get around us they update their website so it will spread.

    Symantec has been focused on expanding our heuristic detection, which we are using to combat this problem, though we obviously aren't where we would ideally like to be here.

    As far as the screenshot that was sent: http://img10.imageshack.us/img10/2064/malwarebytesresults.jpg
    The only malicious item I see there is the C:\windows\system32\msxmlm.dll file; the rest of the detections are only registry keys and files/folders that aren't doing anything. A common misperception is that because the free security software finds all of this stuff and Symantec doesn't, Symantec isn't doing an effective job. Symantec does not detect or alert on harmless items; this means these registry keys, the shortcut (.lnk), the folder itself (Program Files\Uninstall\PersonalAV\) etc. are not even being looked at by Symantec. These files are benign and will cause no harm to the system.

    The other side of this is you are only seeing when Symantec misses a detection and the other vendor catches it. How often does Symantec catch these when the other products do not? How often do these other products exhibit false positives? No antivirus vendor is going to catch threats 100% of the time though Symantec is one of the leaders in detecting and removing threats such as these.

    As for that screenshot, I would submit the msxmlm.dll file and any .DLL/.EXE file in the PersonalAV folder to the Symantec submission site listed above. Once we receive a sample your Symantec product will be automatically updated with definitions; with this done we will remove any of the malicious content that these files are generating.



  • 16.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 08, 2009 01:03 PM
    I see Symantec is quite good at combating malware. I've been using Endpoint 11.4202.75 for quite some time now; it's almost perfect, though I wish the heuristics were stronger. That's one problem, because I see McAfee users benefiting from the 'Artemis' in-the-cloud technology that McAfee is using now to detect more malware than most other vendors in the market right now.

    This detection can be classified as a PUP (Potentially Unwanted Program). Just unfortunate it wasn't detected by Symantec. I still have to agree with John, it does not mean Symantec sucks; there's no foolproof piece of security that exists.

    Just a sad reality.


  • 17.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 12, 2009 11:01 AM
    Could you help me out? I'm willing to pay, I just need you to get some viruses off my laptop?


  • 18.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 12, 2009 11:44 AM
    What virus do you think has infected your system?
    See this Symantec KB  "The 5 Steps of Virus Troubleshooting" as a starting point.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

    Let us know if you need more help.

    Thomas


  • 19.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 12, 2009 03:11 PM
    Trojan.Win32.Agent.azsy, or so I think. It all started when I (not on purpose) installed a personal antivirus and they want me to pay. I was going to until I read a couple of segments up and I thought it might be all just one big hoax. What do you suggest?


  • 20.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 12, 2009 03:38 PM
    Make sure you have the latest definitions, follow these removal instructions.

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-011616-5036-99&tabid=3

    thomas


  • 21.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 14, 2009 08:55 PM
    I have had this happen a lot these days, and the clients who I am IT support for are getting extremely annoyed that they have paid good money to purchase what I recommended to them as the industry leader in Antivirus/Malware, and I am so sad to read what I am reading. It is disheartening that I have to use a freeware program to remove something that my purchased application does not protect against.

    The systems I support are using SAV CE 10.1.5xx and the settings are to immediately delete the threat, but it is still happening. We have a firewall proxy that prevents any downloader application from being allowed by the end user, but it is still happening. I am getting very concerned about the way Symantec is handling this serious issue.

    Maybe Symantec should get into contact with Malwarebytes or Spybot execs to work to find who is creating this rogue virus, like you did with the Melissa virus <remember that one>


  • 22.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 17, 2009 07:00 PM
    Mr Mike

    You are my hero---I encountered Personal antivirus  and Norton 360 did not pick anything up.
    I took your advice and downloaded the free Malwarebytes Anti Malware.
    Did a complete scan---305 files affected.    NO problems, now completely gone.
    Would you recommend buying this program for future use?

    Only problem I have now is when I start the computer it comes up with a pop up "run DLL"??


    thanks again and thank you to everyone on this site for the wealth of info,.

    thanks again



  • 23.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 20, 2009 08:13 PM
    ...Check to make sure that there is no directory called "PAV" under C:\Program Files

    My fiance's brother got nailed by it from a Facebook link (apparently) and called me to the rescue. Even for me, I almost got fooled by it as it looked remarkably like the AVG that was running on the laptop.

    Managed to get a proper scan done and the exe was in the PAV folder...

    Hopefully that'll help someone (don't forget to remove the key in the registry too HKLM\Software\Microsoft\Windows\CurrentVersion\Run and if you need to, kill the pav.exe process that is running)

    Regards,

    Chris Bulovic
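    The manual checks in this post and in reply 9 (the "pav" startup item, the pav.exe binary under C:\Program Files\PersonalAV or \PAV, the Run key value, the running process) turned into a triage script, as an added example that is not from this thread or from Symantec. The Run-key entries and process list are a constructed inventory; on a real XP machine you would populate them from msconfig, the Run key and Task Manager, and review every flagged item before removing it. Names not already in the thread (ctfmon.exe, explorer.exe, the "Updater" value, the PIDs) are made up for the demo.

```python
"""Triage Run-key entries and running processes for the Personal Antivirus
indicators named in this thread (added example, not vendor code).

Indicators come from the thread: pav.exe under Program Files\PersonalAV or
Program Files\PAV, a startup item named "pav", and a pav.exe process.
"""
import ntpath   # Windows path handling that also works on non-Windows hosts
import re

SUSPICIOUS_PATH = re.compile(r"\\Program Files\\(PersonalAV|PAV)\\", re.IGNORECASE)
SUSPICIOUS_IMAGE = re.compile(r"(^|\\)pav\.exe$", re.IGNORECASE)

# Constructed inventory standing in for HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "pav": r'"C:\Program Files\PersonalAV\pav.exe" /min',
    "Updater": r"C:\Program Files\PAV\pav.exe /silent",
}

# Constructed process list (pid, name, image path)
PROCESSES = [
    {"pid": 400, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1284, "name": "pav.exe", "path": r"C:\Program Files\PersonalAV\pav.exe"},
]


def image_path(cmd):
    """Extract the executable path from a Run-key command line.

    Handles a quoted path followed by arguments, and an unquoted path that
    contains spaces by taking tokens up to the first one ending in .exe.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def is_suspicious(name, exe):
    """Match the thread's indicators: folder, image name or the 'pav' value name."""
    return bool(SUSPICIOUS_PATH.search(exe)
                or SUSPICIOUS_IMAGE.search(exe)
                or name.lower() == "pav")


def flag_autoruns(run_entries):
    """Return the Run-key value names whose command matches an indicator."""
    return [name for name, cmd in run_entries.items()
            if is_suspicious(name, image_path(cmd))]


def flag_processes(processes):
    """Return PIDs whose image path matches an indicator."""
    return [p["pid"] for p in processes
            if SUSPICIOUS_IMAGE.search(p["path"]) or SUSPICIOUS_PATH.search(p["path"])]


def cleanup_plan(run_entries, processes):
    """Ordered steps in the sequence the thread recommends: stop the process,
    remove the Run value so it does not return at boot, then delete the folder.
    Returns a list of (action, target) tuples for an operator to review."""
    steps = [("kill_process", pid) for pid in flag_processes(processes)]
    flagged = flag_autoruns(run_entries)
    steps += [("delete_run_value", name) for name in flagged]
    folders = sorted({ntpath.dirname(image_path(run_entries[n])) for n in flagged})
    steps += [("delete_folder", folder) for folder in folders]
    return steps


if __name__ == "__main__":
    for action, target in cleanup_plan(RUN_ENTRIES, PROCESSES):
        print(f"{action:18} {target}")
```

    The script only produces a plan; it does not kill processes, edit the registry or delete folders, because the right place for those actions is a reviewed, logged response step rather than an unattended script. Extending it to the other autostart locations (HKCU Run, the Startup folder, RunOnce) is a matter of feeding more entries into the same dictionary.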


  • 24.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 20, 2009 09:55 PM
    I have Norton 360 but have now apparently got this "personal antivirus" trojan thing. Last night I also downloaded and ran AVG (on a friend's advice) and neither of them have fixed the "Personal Antivirus" pop ups on my machine.  Can somebody please tell me what I'm meant to do?  I'm not an IT expert and I pay to have Norton 360 so this doesn't happen.  Isn't this meant to be covered by the updates?
    I don't want to go messing around with files because I don't know what I am doing!  Should I call the Symantec virus removal line?


  • 25.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 21, 2009 12:20 AM
    clairemich....I am having the same problem with the personal antivirus trojan thing.  How do I remove it??


  • 26.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 21, 2009 12:26 AM
    Here is a Symantec KB that may get you started.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

    Also read some of the posts in this thread, there are some possible solutions listed here.


    But you should really be posting in the Norton community for your issue. This forum is meant for Enterprise customers.

    http://community.norton.com/norton/

    Regards,
    Thomas


  • 27.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 21, 2009 09:08 AM

    (newbie here),, Issue: i am able to delete the w32.downadup worm but it keeps coming back.. (past two weeks). I'm using the w32.downadup removal tool, ficker. // Have W2K3 servers with SEP11.0.4. tnx in advance.

    JO




  • 28.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 21, 2009 10:03 AM
    HI please post this to a new discussion. tnx


  • 29.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 24, 2009 12:28 AM
    Are you saying that my version of Norton Antivirus 2009, which has 107 days remaining on its subscription, is not up to date enough to catch the Personal Antivirus that I believe is Trojan.Win32.agent.azsy?

    My version is - Version 16.5.0.134

    I have a family member and a friend who both were using current versions of Norton -- one the Antivirus 2009 and the other the current version of the security suite (I think) and they both got caught with the above virus - one downloaded (using Firefox - as the virus was blocking them from using IE 7) McAfee Internet Security and it caught the virus right away.  The other took it into a shop for repair for a cost of $70.

    Thank you in advance for your reply--I do not want this virus.


  • 30.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 24, 2009 11:20 AM
    Karlee,

    You are posting on the Symantec Forum for Enterprise products. You should be posting on the Norton Forum, http://community.norton.com/norton/.
    Your version of Norton 2009 is current, but you need to make sure that you have the latest virus definitions installed to detect the newest threats. These are released many times daily. See the Norton Protection Blog for detailed info.

    http://community.norton.com/t5/Norton-Protection-Blog/The-Norton-Pulse-Updates-Feature/ba-p/28272#M212

    Cheers,
    Thomas


  • 31.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 30, 2009 12:58 PM
    Personal anti-virus [trojan win32 agent azsy] is driving me nuts with this popup. HOW DO YOU TELL IT TO GET LOST!!!!!!!!!!!!!


  • 32.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Aug 30, 2009 06:12 PM
    I can't even believe that this piece of malware slipped through SEP. Symantec really needs to invest more resources in their product detection and TruScan technologies.


  • 33.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 01, 2009 07:49 PM

    Interesting virus. I have seen very little thus far on this one, there is a forum at

    This is a new virus, I believe. I have been in touch with Green AV, and they have heard of it, twice. Microsoft Security, as of this morning: the guy I talked to said he had not heard of it, but instantly recognized it as a virus. He didn't speak really good English, so I couldn't get exact details. There is a posting on the above link from some guy who claims his cure works. Will probably try it tomorrow.

    Anybody know anything about this? How to get rid of it? I have tried a lot of things. I am running windows xp professional on a dell. My email, if this forum allows, is mrfiddlesticks@yahoo.com. And my phone number is 618-383-2875, if this forum allows me to put my phone number in, please call any hour. Thanks.

    http://www.symantec.com/connect/search?filters=type%3Asc_forum This is a very pesky thing. What I have is Windows Security Center, a legitimate thing in my Windows XP; it has apparently been affected by a virus. I get a balloon popping up with its source showing from the Windows Security icon. No matter what I do, it wants me to buy something called Green AV. Green AV appears to be a legitimate product that has had good reviews. There is a virus in my computer making Windows Security demand that I buy Green AV. Freakin bizarre, man. It's been there four days; I have learned to live with it and its very annoying attributes. It pops up windows constantly demanding that I buy. It also tells me that my computer is infected. No kidding? I am seeking the cure. The free AVG scan detected something, but was vague as to what it really was. Avast, on its most sensitive and secure setting, skips right over it; Avast, as of about five o'clock Tuesday, hasn't got a clue.


  • 34.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 02, 2009 01:04 PM
    This threat is detected as Trojan.Fakeavalert.


    You should download the latest rapid release and follow the removal instructions - http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=3

    RR Def's found here - http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    Keep us updated on your situation.

    Regards,
    Thomas



  • 35.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 02, 2009 05:23 PM
    I need help.  I don't exactly know how to explain everything correctly, but this is what's happening to me.  I have Symantec Endpoint Protection 11.  I was not receiving my updates.  I have an in-house server.  One of my computers had Proactive Threat Protection disabled.  When I hit "Fix" I was informed it was waiting for definitions.  The definition was waiting for the server to download updates to this computer.  All other computers were updated correctly.  A list of Trojan errors appeared on my screen.  Different dialog boxes started flashing on my screen.  I can uninstall the Protection and reinstall to get the green dot, but as soon as I go to my Internet Explorer, it automatically goes back to the original problem of being disabled.  I am at my wits' end.  What can I do?  I am scared to open anything on my computer in fear of a virus.  Can someone help me?


  • 36.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 02, 2009 06:24 PM
    I'm not really sure what you are fearing, because it looks like your machine is infected already. Go download Malwarebytes and see what it finds.

    As far as "waiting for updates", you can run "luall" from the CMD line and see if it fixes the issue.


  • 37.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 03, 2009 09:22 PM
    My wife just got this.  I have no idea why NAV either 1) did not stop it from infecting her 2) could not find and repair it.  We have the latest NAV 2009 with definitions updates minutes before she was infected.

    Here is the simple way to fix it. 

    First,  DO NOT disable your system restore as suggested in the document linked above by Cycletech

    That blows away all of your system restore points.    I have no clue why Symantec would suggest that and why Microsoft does not warn you of that when trying to turn it off.

    Here is the simple way to blow this away:
    1)  put your computer in "Safe Mode" and reboot. 
    Instructions here:  http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2) In safe mode,  pick an earlier restore date: 
    Instructions here: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

    Your computer will come back up in normal mode.

    That's it ...  trojan is gone ... registry settings are back to normal ... done

    Pick a restore date just before the infection.  If you go back too far and installed other software you will lose it and have to reinstall.


  • 38.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 03, 2009 09:41 PM
    "The other side of this is you are only seeing when Symantec misses a detection and the other vendor catches it. How often does Symantec catch these when the other products do not? How often do these other products exhibit false positives? No antivirus vendor is going to catch threats 100% of the time though Symantec is one of the leaders in detecting and removing threats such as these."

    Exactly ... by definition no antivirus will be 100%, because I have heard there are an estimated 20,000 new viruses a day.  So why did NAV make me remove my other AV product to install NAV 2009?

    I was pissed to say the least.  At least you did not make me uninstall Windows Defender ... yes, I was running 3 AV products.   I would have also had that 4th AV product by the Russian company but was pissed when it insisted I uninstall Norton ... so back it went.

    If Norton did not force me to uninstall the other product,  my wife's computer may not have been infected. 

    So why don't you explain to me why you forced me to uninstall your competitor's product?   P.S.  I'm a software engineer, so get technical.


  • 39.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 03, 2009 10:20 PM
    WebGuru is right that disabling System Restore will blow away all of your old system restore points. But he is wrong when he says that restoring to an earlier point will rid you of viruses. Let me explain.

    System Restore is a tool that will simply restore your computer to an earlier configuration. So it will "alter" all of your program files and registry entries to the earlier state that they were in. BUT it does nothing to the files on your computer. So things like My Documents remain untouched during the system restore. I would say that the vast majority of viruses deliberately target this sector of files on the computer so they cannot be easily taken out by System Restore. I am shocked that restoring his computer to an earlier time remotely helped in removing this particular virus. But he is completely right when he says that turning off System Restore blows away all of your restore points. But this is exactly what we want you to do when we tell you to turn it off. The reason for this is that people who write viruses can have their virus "hide" in system restore points (which are essentially just files) and re-open once the computer gets booted normally again. This is why it is essential to blow away all of those restore points, and that is why we tell you to do it. He is right though, maybe we should start warning people that this will happen, but it is also necessary.

    Here are more links that backup what I am saying:

    http://aumha.net/viewtopic.php?f=26&t=35435
    http://antivirus.about.com/od/windowsbasics/a/systemrestore.htm




  • 40.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 04, 2009 07:19 AM
    Thank you for explaining that.   

    Going back did stop it from appearing on the tool bar and popping up alerts.  In Safe Mode we ran a full scan with NAV 2009 (which had updated an hour earlier) and it did not find anything, so it sounds like this is a variant you guys don't know about.   I read above how they test and create variants you can't detect.     I know that this trojan would not let us do a system restore in normal mode, which came back "no changes have been made".

    I'm not sure how I "submit" a sample, if it is still on the computer.   I'm very concerned now  if anything is lingering since she pays bills online with that computer.

    As I said above, I had read that there are over 20,000 new viruses created a day.  I'm sure it keeps you guys busy.

    I realize that no matter what you do, you can never have 100% protection since there will always be a lag between the creators and AV,

    P.S.  When I was looking into this I noticed that Microsoft Office programs had all been recently used and my wife said she did not use them.  I'm guessing it tried to hide itself in various documents?




  • 41.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 04, 2009 09:12 AM
    Based on what I have read above:

    I see the problem (when they can test their new virus changes at a website) as: you are predictable and they are not.

    You need to be unpredictable.  Let me explain.

    I believe that you look for a 100% certain signature of known viruses, and that is good, but it's also predictable.  Obviously, your goal is to try to find a virus from among the millions of known viruses ever created very quickly.

    For each virus you should also be looking for a random snippet of code as an "alert".  By random, I mean that every licensee's definitions download is different (hence the word random).  That now makes you unpredictable.  Notice I said licensee and not every download. You want to make it very expensive to try to acquire all the code snippets you use.

    This code snippet might create false alerts, but the object then would be for you to analyze that code more closely.  The snippets might not give you a 100% identification, but if you were to take random snippets and they all appear in a high percentage of virus variants, it would give you a higher likelihood that this might be a new variant.

    The idea here is that this forces them to do a 100% rewrite to avoid detection because slight modifications will be detected.  The more work you can create for them to do to avoid detection, the higher the cost to create new viruses and the lower the number of new viruses created.

    P.S. my expertise is math and developing fast efficient algorithms.
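    The scheme the poster sketches above (an exact signature plus a per-licensee random subset of short snippets, so that a slight modification still raises an alert somewhere in the fleet) can be shown with a small model. The following is an added example written for this thread; it is not code from Symantec or from the poster, and `KNOWN_SAMPLE`, the licensee names and the byte-flipping helpers are constructed stand-ins (the "sample" is plain text with no behaviour).

```python
import hashlib
import random

# Constructed stand-in for a "known virus" body: only a byte string used for
# matching, with no behaviour. Any text would do.
KNOWN_SAMPLE = (
    b"constructed sample body used to illustrate per-licensee signature snippets; "
    b"it has no behaviour, it is only a byte string for matching"
)
SNIPPET_LEN = 8             # bytes per short "code snippet"
SNIPPETS_PER_LICENSEE = 6   # snippets carried by each licensee's definitions
# Hypothetical licensee identifiers (constructed for the example).
LICENSEES = ["licensee-A", "licensee-B", "licensee-C", "licensee-D", "licensee-E"]


def exact_signature(data):
    """The conventional, predictable part: a hash over the whole known sample."""
    return hashlib.sha256(data).hexdigest()


KNOWN_HASH = exact_signature(KNOWN_SAMPLE)


def snippet_pool(sample, length=SNIPPET_LEN):
    """All non-overlapping `length`-byte windows of the sample: the pool from
    which each licensee's random subset is drawn."""
    return [sample[i:i + length] for i in range(0, len(sample) - length + 1, length)]


def licensee_snippets(sample, licensee_id, n=SNIPPETS_PER_LICENSEE):
    """Pick a different random subset of snippets for each licensee.

    Seeding the generator with the licensee id makes the choice reproducible
    for that licensee (the same definitions every download) while every other
    licensee receives a different subset.
    """
    pool = snippet_pool(sample)
    rng = random.Random(hashlib.sha256(licensee_id.encode()).digest())
    return rng.sample(pool, min(n, len(pool)))


def scan(data, known_hash, snippets):
    """Return the exact-signature verdict and how many snippets matched.

    An exact match is a confirmed detection; snippet hits on their own are the
    "alert" the post describes: a probable variant to send for analysis.
    """
    hits = [s for s in snippets if s in data]
    return {
        "exact_match": exact_signature(data) == known_hash,
        "snippet_hits": len(hits),
        "alert": len(hits) > 0,
    }


def fleet_detection_rate(data, sample, known_hash, licensees):
    """Fraction of licensees whose own definitions raise an alert on `data`."""
    alerts = sum(
        scan(data, known_hash, licensee_snippets(sample, lid))["alert"]
        for lid in licensees
    )
    return alerts / len(licensees)


def flip_bytes(data, offsets):
    """Constructed 'slight modification': change one byte at each offset."""
    buf = bytearray(data)
    for off in offsets:
        buf[off] ^= 0x20
    return bytes(buf)


def rewrite_regions(data, snippets):
    """Constructed 'targeted rewrite': change only the regions that one
    licensee's snippets cover. This is the cheapest case the post argues
    against, and it is what acquiring a single licensee's definitions buys."""
    buf = bytearray(data)
    for s in snippets:
        start = data.find(s)
        if start >= 0:
            for off in range(start, start + len(s)):
                buf[off] ^= 0x20
    return bytes(buf)


if __name__ == "__main__":
    a = licensee_snippets(KNOWN_SAMPLE, "licensee-A")
    print("known sample:", scan(KNOWN_SAMPLE, KNOWN_HASH, a))
    variant = flip_bytes(KNOWN_SAMPLE, [3])
    print("one-byte variant, licensee A:", scan(variant, KNOWN_HASH, a))
    print("fleet alert rate on variant:",
          fleet_detection_rate(variant, KNOWN_SAMPLE, KNOWN_HASH, LICENSEES))
    targeted = rewrite_regions(KNOWN_SAMPLE, a)
    print("rewritten around A, seen by A:", scan(targeted, KNOWN_HASH, a))
    print("fleet alert rate on rewritten:",
          fleet_detection_rate(targeted, KNOWN_SAMPLE, KNOWN_HASH, LICENSEES))
```

    Run as a script it shows the three cases the post reasons about: the unmodified sample matches the exact signature everywhere; a one-byte change breaks the exact signature but every licensee still gets snippet hits, so the fleet alert rate stays at 1.0; and a rewrite aimed at one licensee's snippet set silences that licensee alone while the other licensees, whose subsets differ, still alert. The snippet hits are deliberately reported as an alert rather than a detection, since a short byte pattern can also occur in clean files and needs an analyst's (or an exact signature's) confirmation.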


  • 42.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 05, 2009 09:34 AM
    Yesterday we downloaded the latest definitions and it found and cleaned it (my wife kept it offline just in case).  Reverting back via System Restore cleaned up the tool bar and stopped the popping ads, but it was obviously still hidden in some files which NAV could not find until last night when we tried again.


  • 43.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 06, 2009 02:38 AM

    I am praising gods and buying my friend Tony a case of beer.  The solution, if you have this very annoying but non-critical disease, one of probably several solutions, is to download the malware removal thing which will be displayed when you go to this link.  If you have this hideous virus, I beg of you, destroy it! Most infuriating thing I have had to deal with lately. http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button



  • 44.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Sep 16, 2009 08:07 AM
    1. To disable System Restore (Windows Me/XP):
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
    How to disable or enable Windows Me System Restore
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
    How to turn off or turn on Windows XP System Restore
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
    http://support.microsoft.com/kb/q263455/

    2. To remove all the entries that the risk added to the hosts file
    1. Navigate to the following location:
    Windows 95/98/Me:
    %Windir%
    2. Windows NT/2000/XP:
    %Windir%\System32\drivers\etc

    Notes:
    The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
    %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

    3. Double-click the hosts file.
    4. If necessary, deselect the "Always use this program to open this program" check box.
    5. Scroll through the list of programs and double-click Notepad.
    6. When the file opens, delete all the entries added by the risk.
    7. Close Notepad and save your changes when prompted.

    3. Locations where the infection is frequently found
    C:\Documents and Settings\All Users\Application Data\ (Delete the suspicious folders)
    C:\Windows
    C:\Windows\System32
    C:\Windows\System32\Drivers
    Note: One way of searching for the infected or suspicious files is by changing the view to Details, sorting by Date modified, finding the most recently modified files and deleting them.
    Before deleting them, make sure no suspicious programs are running in the background (in Task Manager and msconfig; after stopping the startup item, delete the registry key as shown below in the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tool\Msconfig\startupreg).

    4. To delete the value from the registry

    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document:
    How to make a backup of the Windows registry.
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam
    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

    Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 and then continue with the removal.
    Navigate to and delete the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    Delete all the keys below this key.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    Delete all the keys below this key.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    If you see any unknown or suspicious files running, delete them.
    HKEY_CURRENT_USER\Software\Microsoft\Search assistant\acmru\5603
    HKEY_CURRENT_USER\Software\Microsoft\Search assistant\acmru\5604
    HKEY_CURRENT_USER\Software\Microsoft\Search assistant\acmru\5647
    Any numbered folder under Acmru should be thoroughly searched for the infected keys, and those deleted.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tool\Msconfig\startupreg
    If you see any unknown or suspicious files running, delete them.
    Exit the Registry Editor.
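    Step 2 of the procedure above (find and delete the entries the risk added to the hosts file) is the one that is easy to get wrong by hand, because a rogue "antivirus" usually adds dozens of lines that point vendor update sites at 127.0.0.1 or 0.0.0.0 and sometimes redirects other names to an address of its own. The following is an added example written for this thread, not Symantec's or the poster's code: it parses a hosts file, flags every mapping that is not the expected localhost entry and says why, and produces a cleaned copy. `SAMPLE_HOSTS` is a constructed file; the hostnames use the reserved `.test` domain and the address comes from the TEST-NET-3 documentation range, so none of them are indicators from this thread.

```python
import ipaddress

# Constructed sample hosts file. The two localhost lines are the Windows
# defaults; the remaining mappings imitate what a rogue program adds
# (blocking vendor update servers, sending a site elsewhere). Illustrative
# values only: .test names and a TEST-NET-3 address, not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-vendor.test liveupdate.example-vendor.test
203.0.113.45    www.example-bank.test   # constructed: sends the site elsewhere
0.0.0.0         download.example-vendor.test
"""

# Mappings a clean Windows hosts file is expected to carry. Extend this set
# with any entries your site adds on purpose before trusting the cleaner.
LEGITIMATE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    Everything after '#' is a comment; one line may map several hostnames to
    the same address, so each hostname becomes its own entry.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # malformed line: nothing to audit
        ip, hosts = parts[0], parts[1:]
        for host in hosts:
            entries.append((line_no, ip, host.lower()))
    return entries


def classify(ip, host):
    """Return None for an expected mapping, otherwise a short reason string."""
    if (ip, host) in LEGITIMATE:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable address"
    if addr.is_loopback or addr.is_unspecified:
        # A real site pointed at 127.0.0.1 or 0.0.0.0 can never be reached;
        # this is how rogue software blocks antivirus update servers.
        return "blackholed to local address"
    # Anything else quietly sends the name to an address of the author's choosing.
    return "redirected to %s" % ip


def audit_hosts(text):
    """List every entry that is not a known-good mapping, with the reason."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        reason = classify(ip, host)
        if reason is not None:
            findings.append({"line": line_no, "ip": ip, "host": host, "reason": reason})
    return findings


def clean_hosts(text):
    """Return the file with comments, blank lines and legitimate mappings kept.

    This is step 2 of the post (delete the entries added by the risk) done
    mechanically, leaving the Microsoft header comments in place.
    """
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)  # comment or blank line
            continue
        parts = body.split()
        if len(parts) >= 2 and all(classify(parts[0], h.lower()) is None for h in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(ip)s (%(reason)s)" % finding)
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

    On the real machine, read the file from %Windir%\System32\drivers\etc\hosts (and from every other copy the post says to look for) and write the cleaned text back only after reviewing the findings, since a hosts entry the site relies on would otherwise be dropped along with the rogue ones. A hosts file that the audit finds clean is also worth keeping as a baseline, because a change there is one of the earliest signs that this kind of program has run.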
     


  • 45.  RE: Trojan.Win32.Agent.Azsy / Personal Antivirus / Trojan on Computer Running Symantec Endpoint (Up-to-date definitions)

    Posted Mar 11, 2010 06:16 AM
    Had a Personal Security popup on a W7 and an XP client.
    On W7 the user clicked on the cancel button and it installed itself.
    SEP MR5 detected nothing.
    Malwarebytes detected 21 infected objects on the W7 computer.
    Submitting to our Symantec TAM for Security Response to analyse.
    Symantec have already agreed to develop an IPS signature based on the URL that the popup was coming from.
    Certainly looks like malware to me, not just innocent files.