WIN32.AGENT-LVW

I have been using avast 4.8 home edition on windows XP (home) SP 2 for a few weeks.

It finds the win32.agent-lvw trojan, and it moves it to the virus chest. After a few days the trojan pops up again (quite often after the start up of the PC) and avast cleans it again to the virus chest and so on.

How can I definitively remove the trojan?

Thanks for help,
Marcello

This is either being downloaded again or restored by another undetected or hidden element to the infection.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
SUPERantispyware On-Demand only in free version, this may be able to detect the hidden or undetected element.

Can you check this?
http://forum.avast.com/index.php?topic=34545.msg289783#msg289783

SuperAntispyware worked. It found two hidden trojan downloaders and it moved them to the quarantine area. I hope no more troubles will pop up from that…

Please report the information from the SAS detections, see the log file it makes (malware name, file name, location) ?

Or if the quarantine gives any information.

You didn’t give the information requested about the avast detections either ?

I am now using SuperAntispyware and Avast conjointly.

From the SuperAntispyware quarantine :

  • AdAware tracking cookies (I think they were uninfluential…)
  • trojan Vundo-Variant/F (I guess that was the problem)

From the Avast Chest:
5 occurrences of WIN32.AGENT-LVW, every one with a different filename: e.g. bkffaa.exe, pjctda.exe, etc.

Hope it helps

For replicant virus, I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. As you have already done, use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

The avast detections (file names) certainly look like randomly generated names associated with Vundo, add to that the SAS detection of a Vundo variant, I would say there is another more specific tool you should run.

Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

Below is an example of a Vundo infection, though there are many different filenames.

O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
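
As an added example (not part of the original thread, and not code from HijackThis or avast!): a Python script that scans a HijackThis log for the pattern in the two lines above, one DLL registered both as a BHO (O2) and as a Winlogon Notify entry (O20). The regexes assume the line layout shown above, and the "Example" entries in the sample log are constructed.

```python
import re

# Line shapes follow the two HijackThis lines quoted in the thread (assumed layout).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Constructed sample: the vturr.dll lines are the thread's example; the
# "Example" / "examplelogon" entries are invented non-matching cases.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: examplelogon - C:\WINDOWS\system32\examplelogon.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
"""

def parse_log(text):
    """Return (bhos, notifies): dicts keyed by lower-cased DLL path."""
    bhos, notifies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos[m["path"].strip().lower()] = (m["name"], m["clsid"].upper())
            continue
        m = O20_RE.match(line)
        if m:
            notifies[m["path"].strip().lower()] = m["name"]
    return bhos, notifies

def double_registered(text):
    """List DLLs loaded both as a BHO (O2) and via Winlogon Notify (O20)."""
    bhos, notifies = parse_log(text)
    findings = []
    # Windows paths are case-insensitive, so the join is on lower-cased paths.
    for path in sorted(bhos.keys() & notifies.keys()):
        name, clsid = bhos[path]
        findings.append({
            "dll": path,
            "clsid": clsid,
            "notify_key": notifies[path],
            "unnamed_bho": name == "(no name)",
        })
    return findings

if __name__ == "__main__":
    for f in double_registered(SAMPLE_LOG):
        print(f"review: {f['dll']} BHO {f['clsid']} + Winlogon Notify '{f['notify_key']}'")
```

A hit is only a prompt to look at the file more closely, since the file names differ between infections as noted above.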