Author Topic: win32 : Agent LKZ  (Read 6567 times)

0 Members and 1 Guest are viewing this topic.

Gmpa

  • Guest
win32 : Agent LKZ
« on: May 11, 2008, 09:37:12 AM »
Hi, Avast Home Ediction detected a virus called  win32 : Agent LKZ [trj].  I've read other topic with a very similar symptoms with the name of "Agent-IRZ [trj]".
It appears that some folders were renamed to .exe and became hidden folders.

A friend of mine has the same problem, so it seems that this virus is propagating very fast...

What can i do to safely it?

Thank you.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32 : Agent LKZ
« Reply #1 on: May 12, 2008, 01:23:06 AM »
Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can further analysis them.
The best things in life are free.

mybribri03

  • Guest
Re: win32 : Agent LKZ
« Reply #2 on: May 12, 2008, 07:59:29 PM »
Hi I use Windows XP. Mine found the same virus win32 : Agent LKZ [trj] I tried to put it in the chest but it said that was no memory left so I deleted it. Confused on what to do. I just installed Advast today don't know why the chest would be full?? Please give advice.

« Last Edit: May 12, 2008, 08:10:29 PM by mybribri03 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32 : Agent LKZ
« Reply #3 on: May 12, 2008, 08:18:13 PM »
I just installed Advast today don't know why the chest would be full?? Please give advice.
Maybe the infected file was greater than the Chest limit.
You can check this limit into Program settings > Chest.
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
The best things in life are free.

mybribri03

  • Guest
Re: win32 : Agent LKZ
« Reply #4 on: May 12, 2008, 08:59:18 PM »
Maybe the infected file was greater than the Chest limit.
You can check this limit into Program settings > Chest.
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
[/quote]

The fie was in some kind of program file with music in the file name. Unsure of the whole name.
I am using Avast 4.8 Version Home Edition with VPS File (virus Database)
Maximum size of chest is 256MB
Maximum size of file to be sent is 1024.

Hope this heps...I am new to this program.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32 : Agent LKZ
« Reply #5 on: May 12, 2008, 11:19:27 PM »
Maximum size of chest is 256MB
Hope this heps...I am new to this program.
Well... it's difficult to say what happened. What I suggest now is the general cleaning procedure to be sure you're clean:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: win32 : Agent LKZ
« Reply #6 on: May 12, 2008, 11:41:03 PM »
<snip>
Maximum size of chest is 256MB
Maximum size of file to be sent is 1024.

The problem might be that the file detected as infected is over 1024KB (1MB) and as such would exceed the file size limit, you can increase the file size limit to say 2048 (2MB)
« Last Edit: May 12, 2008, 11:44:48 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Gmpa

  • Guest
win32 : Agent LKZ
« Reply #7 on: May 13, 2008, 01:13:29 AM »
Hi, Tech



I´m using Xp, i've scheduled a boot-time scanning and there were some infected files detected. I choose to send them to Chest as you suggest me to.

1 - The infected file name are here:

C:\nzm1.exe


2- With Spyware Terminator there were no spywares or trojans detected.

3- With avast anti-rootkit there were no rootkits detected.

4- i've downloaded SpywareBlaster too.


5- Finally the hijack log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:06:55, on 13-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\Ficheiros comuns\Portrait Displays\Shared\dtsrvc.exe
C:\Programas\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Smith Micro\StuffIt11\ArcNameService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Portrait Displays\Pivot Software\wpctrl.exe
C:\Programas\Portrait Displays\HP My Display\DTHtml.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Portrait Displays\Shared\HookManager.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Portrait Displays\Pivot Software\floater.exe
C:\Programas\Canon\MyPrinter\BJMyPrt.exe
C:\Programas\Ficheiros comuns\InstallShield\UpdateService\isuspm.exe
C:\Programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\SpywareBlaster\spywareblaster.exe
C:\Programas\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Guilherme Almeida\Ambiente de trabalho\HiJackThis\HijackThis.exe


Gmpa

  • Guest
[Part 2] win32 : Agent LKZ
« Reply #8 on: May 13, 2008, 01:13:57 AM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programas\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Programas\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programas\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programas\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ISUSPM] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Programas\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programas\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programas\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192905083062
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8C3EB88-9502-48CD-B96B-AEAD3B5431B2}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Programas\Ficheiros comuns\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programas\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programas\Spyware Terminator\sp_rsser.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Programas\Smith Micro\StuffIt11\ArcNameService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 11332 bytes


Um abraço camarada (vi a tua bandeira, ehehe sou português  ;) )


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32 : Agent LKZ
« Reply #9 on: May 13, 2008, 03:51:44 AM »
Gmpa, I'm not an expert on HijackThis. Hope somebody else could help you on it.
Um abraço ;)
The best things in life are free.