Please scan these files with Virus Total
C:\WINDOWS\unvise32.exe
C:\WINDOWS\Setup1.exe
Open Control Panel > Folder Options and click the View tab.
Make sure it is set as follows:
Place a check next to Show hidden files and folders.
Remove checks (if present) from
Hide extensions for known file types and
Hide protected operating system files
Then look for C:\windows\system32\zgrvbnzmrv.exe and scan at Virus Total if found (in addition to the two files mentioned above).
Hi guys
I couldn't find zgrvbnzmrv.exe,
only zgrvbnzmrv.dat, zgrvbnzmrv_nav.dat, zgrvbnzmrv_navps.dat.
Below are the scans for C:\WINDOWS\unvise32.exe and C:\WINDOWS\Setup1.exe
STATUS: FINISHED
Complete scanning result of “unvise32.exe”, received in VirusTotal at 04.19.2007, 21:35:34 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 no virus found
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5013 04.19.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found
Aditional Information
File size: 49664 bytes
MD5: 97f2dd09b050989617b14d1a87f2f64d
SHA1: 18f0b41a12b6b99971de1aad18a53e74ed99895b
packers: ASPACK
packers: Aspack
STATUS: FINISHED
Complete scanning result of “Setup1.exe”, received in VirusTotal at 04.19.2007, 21:42:16 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 No threat detected
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5013 04.19.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found
Aditional Information
File size: 249856 bytes
MD5: 5365986bd88284801b2e9099a1436574
SHA1: d3d3982279b2172b0189c9e73afaf2d4861afdbf
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=5365986bd88284801b2e9099a1436574
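To read the two pasted reports as numbers rather than a wall of engine lines, here is an added Python example (mine, not part of the thread and not a VirusTotal tool) that parses a constructed excerpt of that 2007 text format, counts which engines flagged the file, and notes when the only hit is a heuristic "suspicious" verdict, the kind of result a packed binary often triggers on its own.

```python
import re

# Constructed excerpt of the VirusTotal text report pasted in the thread above
# (a handful of engine lines plus the trailer, not the full table), used as inline input.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
FileAdvisor 1 04.19.2007 No threat detected
Kaspersky 4.0.2.24 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Aditional Information
File size: 49664 bytes
MD5: 97f2dd09b050989617b14d1a87f2f64d
packers: ASPACK
"""

# engine  version  update-date(MM.DD.YYYY)  verdict-text
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN_RESULTS = {"no virus found", "no threat detected"}

def parse_report(text):
    """Return per-engine verdicts, detection counts and the file metadata trailer."""
    engines, meta = {}, {}
    for line in text.splitlines():
        m = ENGINE_LINE.match(line)
        if m:
            engine, _version, _updated, result = m.groups()
            engines[engine] = result.strip()
            continue
        if ":" in line:  # trailer lines such as "MD5: ..." or "packers: ..."
            key, _, value = line.partition(":")
            meta[key.strip().lower()] = value.strip()
    flagged = {e: r for e, r in engines.items() if r.lower() not in CLEAN_RESULTS}
    return {
        "engines": len(engines),
        "detections": len(flagged),
        "flagged": flagged,
        "md5": meta.get("md5"),
        "packers": meta.get("packers"),
        # True when every hit is a heuristic "suspicious" call rather than a named signature
        "heuristic_only": bool(flagged) and all("suspicious" in r.lower() for r in flagged.values()),
    }

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{r['detections']}/{r['engines']} engines flagged MD5 {r['md5']} "
          f"(packer: {r['packers']}, heuristic only: {r['heuristic_only']}): {r['flagged']}")
```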
Hi Sean,
I think I see files related to a rootkit in the DSS log. Give F-Secure BlackLight a try and post the log it generates.
Other antirootkits could be found here: http://www.antirootkit.com/software/index.htm
A comparison test here: http://www.informationweek.com/software/showArticle.jhtml?articleID=196901062&pgno=1&queryText=
Hi
Rootkit scanners I’ve used
AVG Anti-Rootkit found nothing
F-Secure BlackLight Rootkit
04/19/07 22:29:02 [Info]: BlackLight Engine 1.0.61 initialized
04/19/07 22:29:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/19/07 22:29:02 [Note]: 7019 4
04/19/07 22:29:02 [Note]: 7005 0
04/19/07 22:29:05 [Note]: 7006 0
04/19/07 22:29:06 [Note]: 7011 648
04/19/07 22:29:06 [Note]: 7026 0
04/19/07 22:29:06 [Note]: 7026 0
04/19/07 22:29:10 [Note]: FSRAW library version 1.7.1021
04/19/07 22:40:20 [Note]: 2000 1012
04/19/07 22:40:20 [Note]: 2000 1012
04/19/07 22:40:22 [Note]: 2000 1012
04/19/07 22:41:29 [Note]: 7007 0
+---------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1052
+---------------------------------------------------
--== Dump Hidden File on C:\ ==--
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
RootkitRevealer
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 08/09/2004 13:48 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hagel\DU Meter\Totals 24/03/2005 22:20 64 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 08/09/2004 13:51 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 08/09/2004 15:04 0 bytes Hidden from Windows API.
SYSTEM 01/01/1601 00:00 0 bytes Error dumping hive: Internal error.
It found 7 things, but there was an error when trying to save it; I tried another three times but it just leaves an empty txt file.
I just know that this is clean.
Can you type the other items found, or post a screen shot?
Also, right click the file C:\WINDOWS\unvise32.exe and click properties. Then click the Version tab. Is anything shown across from Copyright?
If you click Company, Internal Name, Original File Name, and Product Name in the lower left pane (if these are present), what’s shown in lower right pane?
EDIT: Has anyone but you had direct physical access to this computer?
And this seems related to Alcohol120
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 08/09/2004 13:51 58 bytes Data mismatch between Windows API and raw hive data.
Oh my gosh - I think I just regained my sanity.
Sean, Spyster 1.0.19 is a keylogger. It's hiding in plain sight right in front of us. I bet some of the scans you ran even alerted on it.
http://www.spywarelist.info/spyware_definitions_view.php?editid=6864&editid2=Spyster+1.0.19
http://www.spywaredb.com/remove-spyster/
http://www.spywaresearcher.com/details/6864
http://research.sunbelt-software.com/threatdisplay.aspx?name=Spyster%201.0.19&threatid=40977
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453087154
Oh my gosh - I think I just regained my sanity.
Thanks, mauserme, for being near us…
Sometimes it feels good to have knowledgeable people right beside us 8)
I'm far from discovering all the things you know about infections…
It's a learning process every time, Tech 8)
Hi guys
I'm gutted about Spyster. I've used it for about 7 years, and in all that time not one program picked it up
as a key logger, including all the scanning I've done in the last week.
I've uninstalled it and looked in the registry for
HKEY_LOCAL_MACHINE\software\classes\clsid\{c17f0025-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\interface\{c17f0024-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\interface\{c17f0026-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\typelib\{c17f0023-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\spyster.exe
nothing found
Trouble is, it's still not the thing that is using Windows Explorer.
This picture shows it better
It’s odd that your first screen shot shows all the packet transfers with Windows Explorer and none at all with Internet Explorer. Is that still the case?
Hi mauserme
Since the infection I've changed my start page from Google to blank, as 2 of the mail servers
were gmail-smtp-in.i.google.com (66.249.93.114) and gsmtp183.google.com (64.233.183.27).
I think Internet Explorer was opened ready to post, but just at the blank page, so Sygate showed it open.
Here's a pic now.
Hi mauserme
To answer your earlier questions
Has anyone but you had direct physical access to this computer?
No, I’m the only person to access this computer.
Here is all the info for unvise32.exe
Also, right click the file C:\WINDOWS\unvise32.exe and click properties. Then click the Version tab. Is anything shown across from Copyright?
Copyright © MindVision Software 1995-2000
If you click Company, Internal Name, Original File Name, and Product Name in the lower left pane (if these are present), what’s shown in lower right pane?
Other version information Value
Comments nothing there
Company MindVision Software
File Version 3.1.1
Internal Name Installer VISE
Language English (United States)
Legal Trademarks nothing there
Original File Name UNINSTAL.EXE
Private Build Descript nothing there
Product Name Installer VISE
Product Version 3.1.1
Special Build Descript nothing there
This is strange. I think on the first screen of unvise32.exe it says
Created 15 April 2007, 12:13.17
Modified 17 December 1999, 10:13.04
Accessed 20 April 2007, 12:06.34
Am I being silly, or is there something weird here?
How can something be modified before it was created?
I've added a pic of it.
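As an added example (mine, not something from the thread), here is a small Python triage pass over the three timestamps quoted above: on NTFS a copy, or an installer dropping a file, gets a fresh Created time while keeping the source file's Modified time, so Modified earlier than Created is the normal footprint of a file placed on disk on the Created date, and the same pass flags files that appeared within a window before the incident was noticed. The date format string is my assumption about how the Properties dialog renders dates, and the reference date is the VirusTotal scan date from earlier in the thread.

```python
from datetime import datetime, timedelta

# Values copied from the Properties dialog quoted above; the layout "D Month YYYY HH:MM.SS"
# with stray commas is an assumption about that dialog (constructed for this example).
UNVISE32_TIMES = {
    "created": "15 April 2007 , 12:13.17",
    "modified": "17 December 1999, 10:13.04",
    "accessed": "20 April 2007 12:06.34",
}

def parse_dialog_time(text):
    """Parse 'D Month YYYY HH:MM.SS'; commas and irregular spacing are normalised first."""
    cleaned = " ".join(text.replace(",", " ").split())
    return datetime.strptime(cleaned, "%d %B %Y %H:%M.%S")

def triage_file_times(times, reference_text, window_days=7):
    """Return (code, explanation) findings for a file's Created/Modified stamps.

    reference_text is the date the incident was noticed, in the same dialog format.
    """
    created = parse_dialog_time(times["created"])
    modified = parse_dialog_time(times["modified"])
    reference = parse_dialog_time(reference_text)
    findings = []
    if modified < created:
        # Copy/install semantics on NTFS: new Created time, original Modified time kept.
        # So this is "placed on disk on the Created date", not a clock error.
        findings.append(("modified_before_created",
                         f"placed on disk {created:%Y-%m-%d}, last edited {modified:%Y-%m-%d}"))
    age = reference - created
    if timedelta(0) <= age <= timedelta(days=window_days):
        # Anything that appeared shortly before the trouble started deserves a look,
        # whatever the scanners say about it.
        findings.append(("created_within_window",
                         f"created {age.days} day(s) before {reference:%Y-%m-%d}"))
    return findings

if __name__ == "__main__":
    for code, why in triage_file_times(UNVISE32_TIMES, "19 April 2007, 00:00.00"):
        print(f"{code}: {why}")
```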
Did you reboot between screen shots? The numbers for Windows Explorer have gone down.
EDIT: Download TCPView and let's see what it shows
http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
Hi mauserme
No, I didn't reboot.
There are 2 addresses:
3.64-62-243.reverse.mccolo.com:8081 (64.62.243.3:8081)
checkip.chi.dyndns.com:http (204.13.250.51:80)
using explorer.exe.
They are constantly sending or trying to.
The last picture you saw was both addresses using UDP, which I've disabled, and TCP.
Sometimes it's one address at a time,
or 2 or 3 or all of them.
I've added the Sygate traffic log.
Here are the pictures using TCPView:
Pic 1 is when nothing was trying.
Pic 2 is when both were.
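As an added example (mine, not from the thread and not TCPView's own output), here is a Python triage pass over a constructed connection listing that applies the baseline mauserme is probing for: the shell process has no business holding its own connections to public addresses, and a connection to an external IP lookup service such as checkip.dyndns.com means some code wants to learn the machine's public address. The two explorer.exe endpoints are the ones quoted in the post; the other rows use documentation and private addresses invented for the example.

```python
import ipaddress
import re

# Constructed listing, one connection per line as "process host (ip:port) state".
# This is my own simple layout for the example, not TCPView's real column format.
SAMPLE_CONNECTIONS = """\
explorer.exe 3.64-62-243.reverse.mccolo.com (64.62.243.3:8081) SYN_SENT
explorer.exe checkip.chi.dyndns.com (204.13.250.51:80) ESTABLISHED
iexplore.exe www.example.com (192.0.2.10:80) ESTABLISHED
svchost.exe router.lan (192.168.1.1:53) ESTABLISHED
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+):(\d+)\)\s+(\S+)$")

# Baseline assumption for a home XP desktop like the one in the thread: the shell
# should not own outbound connections to public addresses; browsers and services may.
NO_PUBLIC_EGRESS = {"explorer.exe"}
# Substrings of hostnames whose only job is to echo back the caller's public IP.
IP_LOOKUP_MARKERS = ("checkip",)

def triage_connections(text):
    """Return one dict per connection that breaks the baseline, with the reasons why."""
    flagged = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or unparseable rows rather than guess
        proc, host, ip, port, state = m.groups()
        public = ipaddress.ip_address(ip).is_global  # False for RFC1918, TEST-NET etc.
        reasons = []
        if proc.lower() in NO_PUBLIC_EGRESS and public:
            reasons.append("shell process talking to a public address")
        if any(marker in host.lower() for marker in IP_LOOKUP_MARKERS):
            reasons.append("external IP lookup service")
        if reasons:
            flagged.append({"process": proc, "host": host, "remote": f"{ip}:{port}",
                            "state": state, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in triage_connections(SAMPLE_CONNECTIONS):
        print(f"{hit['process']} -> {hit['host']} ({hit['remote']}, {hit['state']}): "
              + "; ".join(hit["reasons"]))
```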