Forum Discussion

16 years ago

Trojan.WIN.32.Agent.azsy VIRUS- need help to remove asap!



Hello,
I am new at this forum...thank you for your patience.

I have the above virus....any idea how to get rid of it?

Thanks again,
Al,
acadianstar@hotmail.com
  • Removal instructions

    If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

    1. Use Task Manager to terminate the Trojan process.
    2. Delete the following system registry key:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "<rnd1>" = "<rnd2>"
    3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
    4. Delete the following files:
      %Documents and Settings%\<user_name>\Application Data\svchosts.exe
      %Documents and Settings%\<user_name>\Application Data\taskmon.exe
      %Documents and Settings%\<user_name>\Application Data\rundll.exe
      %Documents and Settings%\<user_name>\Application Data\service.exe
      %Documents and Settings%\<user_name>\Application Data\sound.exe
      %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
      %Documents and Settings%\<user_name>\Application Data\lsas.exe
      %Documents and Settings%\<user_name>\Application Data\logon.exe
      %Documents and Settings%\<user_name>\Application Data\helper.exe
      %Documents and Settings%\<user_name>\Application Data\event.exe
      %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
      %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
    5. Delete all files from %Temporary Internet Files%.
    6. Update your antivirus databases and perform a full scan of the computer.

  • This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++.

    Installation

    Once launched, the Trojan copies its body to the current user's Windows startup directory:

    %Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe

    Payload

    Once the victim machine has been rebooted, the Trojan extracts a file from itself. The file will have one of the names shown below:

    %Documents and Settings%\<user_name>\Application Data\svchosts.exe
    %Documents and Settings%\<user_name>\Application Data\taskmon.exe
    %Documents and Settings%\<user_name>\Application Data\rundll.exe
    %Documents and Settings%\<user_name>\Application Data\service.exe
    %Documents and Settings%\<user_name>\Application Data\sound.exe
    %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
    %Documents and Settings%\<user_name>\Application Data\lsas.exe
    %Documents and Settings%\<user_name>\Application Data\logon.exe
    %Documents and Settings%\<user_name>\Application Data\helper.exe
    %Documents and Settings%\<user_name>\Application Data\event.exe
    %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
    %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
    This file is 404992 bytes in size. It will be detected by Anti-Virus as Trojan-Downloader.Win32.Agent.aoth.

    In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan places a link to the file it extracted from its body in the system registry:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd1>" = "<rnd2>"
    <rnd1> is a name chosen from the list below:
    CrashDump
    EventLog
    Init
    lsass
    Regscan
    RunDll
    Setup
    Sound
    svchosts
    System
    TaskMon
    UPNP
    Windows
    <rnd2> is the path to the file extracted from the Trojan shown in the list above.

    Once the Trojan has delivered its payload, it deletes both its body and its copy "%Documents and Settings%\\Main Menu\Programs\Startup\uninstall.exe".

    This Trojan will not run on Russian versions of Windows.
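As an added defender's check (example code written for this thread, not from the securelist description or any vendor tool), the script below parses `reg query` output for the HKCU Run key and flags entries whose value name, dropped file name and Application Data location all match the indicators in the description above; the `reg query` text is constructed sample data.

```python
import ntpath
import re

# Indicators from the Trojan.Win32.Agent.azsy description quoted above: the
# Run-key value names it chooses from and the file names it drops.
RUN_VALUE_NAMES = {"crashdump", "eventlog", "init", "lsass", "regscan", "rundll",
                   "setup", "sound", "svchosts", "system", "taskmon", "upnp", "windows"}
DROPPED_FILES = {"svchosts.exe", "taskmon.exe", "rundll.exe", "service.exe",
                 "sound.exe", "upnpsvc.exe", "lsas.exe", "logon.exe", "helper.exe",
                 "event.exe", "dumpreport.exe", "msiexeca.exe"}

# One data line of `reg query HKCU\...\Run` output: <name> REG_SZ <data>.
REG_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def parse_reg_query(output):
    """Return (value_name, data) pairs from reg query text; other lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data").strip('"')))
    return entries


def is_suspicious(name, data):
    """Flag only when value name, file name and drop location all match.

    Requiring all three avoids false positives on benign entries that merely
    reuse a generic name such as "Sound" or "System"."""
    path = data.lower()
    return (name.lower() in RUN_VALUE_NAMES
            and ntpath.basename(path) in DROPPED_FILES
            and "application data" in path)


def find_suspicious_run_entries(output):
    return [(n, d) for n, d in parse_reg_query(output) if is_suspicious(n, d)]


# Constructed sample (not from a real machine): one Trojan entry, one benign
# entry, and one benign entry whose name collides with the indicator list.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    TaskMon    REG_SZ    C:\Documents and Settings\Al\Application Data\taskmon.exe
    Sound    REG_SZ    C:\Program Files\Realtek\sound.exe
"""
```

Running `find_suspicious_run_entries(SAMPLE)` flags only the TaskMon entry; the Realtek "Sound" entry shares a name with the indicator list but does not point into Application Data, so it is left alone.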

  • https://www-secure.symantec.com/connect/blogs/live-scenario-how-w32sality-infects-uses-machine
  • Hi,

    The best way to remove the Trojan is to run the updated SDAT patch from cmd.

    1) Make one scan folder in the C drive, paste sdat5620.exe into it and extract it in your C drive itself.
    2) Start your PC in safe mode with command prompt.
    3) Go to the C drive and type the following commands:

    C:\>cd scan

    C:\scan>scan/adl/all/clean/repair/delete/analyze/program/report/scan.txt   and press the Enter key.

    The above command will start scanning your hard drive and it will clean and delete the virus.

    The path to download the SDAT patch is given below.

    http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise

    Thanks and Regards,

    Nitin Salvi
  • I would suggest you run the loadpoint utility and analyse the log and, on the basis of that analysis, upload the suspicious file to submit.symantec.com/gold.

  • Hello, does anybody know how to delete this virus from the computer?
    I don't have anti-virus protection, and I bought Avira anti-virus security, but Windows doesn't want to install this program (Avira anti-virus), and my cousin brought me one program for deleting viruses, but he found 20 other viruses, and not the TROJAN.ASPX.JS.32, and my computer works so slowly and I can't do much with it.
    Does anybody know how to delete this virus? Or do I need some program for deleting it, or is there another way? Thanks again!!!
  • Please start up your Symantec program and ensure it says the virus patterns are up to date. Then run either a selective folder scan or a full system scan. That should cure the malady.

    If you do not have an AV tool installed, you can follow the removal instructions below:


    Removal instructions

    If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

    1. Use Task Manager to terminate the Trojan process.
    2. Delete the following system registry key:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "<rnd1>" = "<rnd2>"
    3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
    4. Delete the following files:
      %Documents and Settings%\<user_name>\Application Data\svchosts.exe
      %Documents and Settings%\<user_name>\Application Data\taskmon.exe
      %Documents and Settings%\<user_name>\Application Data\rundll.exe
      %Documents and Settings%\<user_name>\Application Data\service.exe
      %Documents and Settings%\<user_name>\Application Data\sound.exe
      %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
      %Documents and Settings%\<user_name>\Application Data\lsas.exe
      %Documents and Settings%\<user_name>\Application Data\logon.exe
      %Documents and Settings%\<user_name>\Application Data\helper.exe
      %Documents and Settings%\<user_name>\Application Data\event.exe
      %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
      %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
    5. Delete all files from %Temporary Internet Files%.
    6. Update your antivirus databases and perform a full scan of the computer.
    7. As soon as possible download an AV and install it.

    Source Courtesy: http://www.securelist.com/en/descriptions/6256927/Trojan.Win32.Agent.azsy

