05-17-2009, 07:23 AM   #1
Registered User
 
Join Date: Oct 2007
Posts: 32
OS: Windows XP Pro


Help I'm infected with Trojan.Win32.Agent.azsy

Hi,

Please can you help me; my machine has displayed a message saying:

Critical System Warning !

Your system is infected with a version of Trojan.Win32.Agent.azsy. This malicious program is a Trojan.
It is a Windows PE EXE.
Once launched, the Trojan copies its body to the current user's Windows startup directory and attempts to steal passwords from Int.

Please find below the contents of DDS.txt; I have also attached Attach.zip:


DDS (Ver_09-05-14.01) - NTFSx86
Run by pat.reid at 12:40:09.38 on Sun 17/05/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.44.1033.18.254.58 [GMT 1:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Hotbar\bin\10.2.197.0\OEAddOn.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Hotbar\bin\10.2.197.0\HotbarSA.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\PAV\pav.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Hotbar\bin\10.2.197.0\Weather.exe
C:\Program Files\WayTech\Magic Keyboard\MagicKey.exe
C:\Program Files\WayTech\Magic Keyboard\OSD.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hotbar\bin\10.2.197.0\Srv.exe
C:\Documents and Settings\pat.reid\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bt.yahoo.com/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - c:\program files\hotbar\bin\10.2.197.0\HostIE.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - c:\program files\hotbar\bin\10.2.197.0\HostIE.dll
EB: Hotbar Information Window: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - c:\program files\hotbar\bin\10.2.197.0\HostIE.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: BT Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [WeatherDPA] "c:\program files\hotbar\bin\10.2.197.0\Weather.exe" -auto
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Promon.exe] Promon.exe
mRun: [HotIDE] "c:\program files\acer\hotide\HotIDENT.exe"
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Startup Options] c:\program files\iomega\common\ImgStart.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [HotbarOE] c:\program files\hotbar\bin\10.2.197.0\OEAddOn.exe
mRun: [HotbarSA] "c:\program files\hotbar\bin\10.2.197.0\HotbarSA.exe"
mRun: [btbb_McciTrayApp] c:\program files\bt broadband desktop help\bin\BTHelpNotifier.exe
mRun: [PAV] c:\program files\pav\pav.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt broadband desktop help\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\magick~1.lnk - c:\program files\waytech\magic keyboard\MagicKey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} - hxxps://ltanet.lta.org.uk/home/Portal/resources/msddsc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241770784689
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.1430671296
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab

============= SERVICES / DRIVERS ===============

R0 IntelATA;Intel Ultra ATA Controller;c:\winnt\system32\drivers\IntelAta.sys [2002-10-10 79106]
R1 AW_HOST;AW_HOST;c:\winnt\system32\drivers\aw_host5.sys [2000-9-21 30398]
R1 awlegacy;awlegacy;c:\winnt\system32\drivers\awlegacy.sys [2000-9-21 10816]
R2 dmiproxy;dmiproxy;c:\winnt\system32\drivers\dmiproxy.sys [2002-10-10 36680]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2004-10-27 106559]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-3-6 233595]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-3-6 127050]
R2 nbmkmd;nbmkmd;c:\winnt\system32\drivers\nbmkmd.sys [2002-10-10 4080]
R3 NaiAvFilter1;NaiAvFilter1;c:\winnt\system32\drivers\naiavf5x.sys [2003-3-6 84448]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2000-9-21 77880]

=============== Created Last 30 ================

2009-05-17 12:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3b8.dat
2009-05-14 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-05-14 11:14 373,248 a------- c:\winnt\system32\winexplorer.dll
2009-05-14 11:14 <DIR> --d----- c:\program files\common files\Uninstall
2009-05-14 11:14 <DIR> --d----- c:\program files\PAV
2009-05-08 09:21 31,768 a------- c:\winnt\system32\wucltui.dll.mui
2009-05-08 09:21 23,576 a------- c:\winnt\system32\wuaucpl.cpl.mui
2009-05-08 09:21 18,456 a------- c:\winnt\system32\wuaueng.dll.mui
2009-05-08 09:21 23,576 a------- c:\winnt\system32\wuapi.dll.mui
2009-05-07 18:09 <DIR> --d----- c:\program files\CyberSky
2009-04-23 13:06 54,156 a---h--- c:\winnt\QTFont.qfn
2009-04-23 13:06 1,409 a------- c:\winnt\QTFont.for
2009-04-23 13:02 57,344 a------- c:\winnt\uneng.exe
2009-04-23 13:02 58,000 a------- c:\winnt\system32\drivers\cdr4_2K.sys
2009-04-23 13:02 49,152 a------- c:\winnt\system32\cdrtc.dll
2009-04-23 13:02 45,056 a------- c:\winnt\system32\cdral.dll
2009-04-23 13:02 23,420 a------- c:\winnt\system32\drivers\cdralw2k.sys
2009-04-23 13:02 <DIR> --d----- c:\program files\common files\Adaptec Shared
2009-04-23 13:01 192,512 ac------ c:\winnt\system32\dllcache\unregmp2.exe
2009-04-23 13:01 225,280 a------- c:\winnt\system32\wmpdxm.dll
2009-04-23 13:01 167,936 a------- c:\winnt\system32\wmerror.dll
2009-04-23 13:01 106,496 a------- c:\winnt\system32\wmpasf.dll
2009-04-23 13:01 98,304 a------- c:\winnt\system32\wmpshell.dll
2009-04-23 13:01 52,224 a------- c:\winnt\system32\mspmsnsv.dll

==================== Find3M ====================

2009-03-05 15:09 2,678 a------- c:\winnt\java\packages\data\2N97DBJB.DAT
2009-03-05 15:09 2,678 a------- c:\winnt\java\packages\data\SQOKAFXV.DAT
2009-03-05 15:09 2,678 a------- c:\winnt\java\packages\data\IL3NPRF1.DAT
2002-10-08 16:54 21,952 ----h--- c:\program files\folder.htt
2002-10-08 16:54 271 ----h--- c:\program files\desktop.ini
2002-07-24 13:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:41:02.72 ===============

Regards

Vinnie4
05-17-2009, 08:24 AM   #2
Registered User
 
Join Date: Oct 2007
Posts: 32
OS: Windows XP Pro


Re: Help I'm infected with Trojan.Win32.Agent.azsy

Hi,
Please find attached my attachment; I look forward to hearing from you soon.

Regards

Vinnie4
Attached Files
File Type: zip Attach.zip (1.7 KB, 30 views)
05-17-2009, 05:18 PM   #3
Registered User
 
Join Date: Oct 2007
Posts: 32
OS: Windows XP Pro


Re: Help I'm infected with Trojan.Win32.Agent.azsy

I have managed to fix this issue; this thread can be closed.
05-18-2009, 12:43 PM   #4
Moderator, Analyst, Security Team
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Help I'm infected with Trojan.Win32.Agent.azsy

Thanks for letting us know.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be closed.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
Copyright 2001 - 2009, Tech Support Forum