unknown application

Hello Avast,

This is to inform you about the following:

A few days ago, Windows Defender caught the installation of an unknown application on our computer. The application was probably put on the computer during a Messenger session, but I cannot be sure of that. Because I cannot find any information about this application on the Internet, and because the Avast! scanner which is installed on the computer didn’t catch it, I’m sending you this information. I’m not sure what the application does, but I suspect it is a keyboard logger. Sometimes, while on the Internet, the keyboard seemed to skip key strokes. In Windows applications everything worked fine. After disabling the application, the keyboard didn’t skip anymore.

The computer runs Windows Vista Home Basic SP1.

The application does not produce a User Interface, but is visible as a process.

Application registry keys found:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  "c:\users\herman\appdata\local\iieisyo.exe"  iieisyo
HKEY_USERS\S-1-5-21-1567621564-2413531816-831747631-1000\Software\Microsoft\Windows\CurrentVersion\Run  "c:\users\herman\appdata\local\iieisyo.exe"  iieisyo

The application was installed in the following location, and contained the following files:
c:\users\[user]\appdata\local
iieisyo.exe
iieisyo.dat
iieisyo_nav.dat
iieisyo_navps.dat
pabmhya.bat

This last file is the uninstaller, and contains the following code:
@echo "Uninstalling the software..."
@"c:\users\[user]\appdata\local\iieisyo.exe" -uninstall

When executing this batch file, a dialog box with the following message is produced:
“You must be connected to the Internet to uninstall this software. Please, connect your computer to the Internet and click on ‘Retry’.”

Should you need further info, please let me know.

Regards,

Herman.
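The autorun entries and files listed above are the kind of thing a defender triages by hand; as an added example (not part of this thread, and not Avast's or HijackThis's own code), the script below scores HijackThis-style log lines for the three patterns discussed in this thread: an O4 Run-key entry whose executable sits directly in a user-writable profile folder, an O1 hosts-file redirection, and an O16 ActiveX download from a host outside an allow-list. The sample log is constructed to mirror the entries quoted in the thread; the heuristics and the `TRUSTED_DPF_HOSTS` allow-list are assumptions, not rules from HijackThis.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample log, patterned on the entries quoted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 207.24.89.108 wxw.gamershell.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [iieisyo] c:\users\herman\appdata\local\iieisyo.exe
O4 - HKLM\..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
"""

# Assumed allow-list of hosts from which ActiveX controls may be downloaded.
TRUSTED_DPF_HOSTS = {"lads.myspace.com"}

# Loopback / blackhole addresses that are a normal, benign hosts-file target.
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
# An .exe/.dll/.bat dropped straight into %LOCALAPPDATA% or %APPDATA%, with no
# vendor subfolder, as in the thread (c:\users\herman\appdata\local\iieisyo.exe).
PROFILE_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\[^\\]+\.(exe|dll|bat)$",
    re.IGNORECASE,
)


def triage_line(line):
    """Return (severity, reason) for a suspicious entry, or None if it needs no attention."""
    m = O1_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip not in BENIGN_HOSTS_TARGETS:
            return ("high", f"hosts file redirects {host} to {ip}")
        return None

    m = O4_RE.match(line)
    if m:
        key, name, image = m.groups()
        image = image.strip().strip('"')
        if PROFILE_ROOT_EXE.match(image):
            return ("high", f"autorun '{name}' under {key} starts an executable dropped "
                            f"directly in a user-writable profile folder: {image}")
        return None

    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return ("medium", f"ActiveX control downloaded from non-allow-listed host {host}")
        return None

    return None  # other entry types are not scored by this example


def triage_log(text):
    """Score every non-empty line; return a list of (severity, line, reason)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = triage_line(line)
        if result:
            findings.append((result[0], line, result[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {line}")
```

Run as-is it reports the hosts-file redirect, the `iieisyo` Run entry and the miniclip ActiveX control, and stays silent on the OmniPage entry in `C:\Program Files`; the location-based check mirrors the thread's own reasoning (a randomly named executable sitting at the top of `appdata\local` rather than in a vendor folder) without trying to judge the name itself.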


Welcome to the forums, HermanVista. :slight_smile:

As a first step to gather more information …

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Do not download HJT to the desktop but instead download it into its own folder on the hard drive. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


If you still have a sample of iieisyo.exe, send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

It certainly looks suspicious as a) the file name looks randomly generated b) no google hits for that file name.

Ok, thanks for this. I will follow up on it when I’m back at the pc in question, which should be tomorrow some time. 'till then…

No problem, glad I could help.

Welcome to the forums.

Hi again,

I sent the exe through the chest (via a different e-mail then mine, though). Hope you can figure out what it is. I’ve isolated the files in question on the pc. I guess HijackThis won’t do any good anymore?

Cheers.

Herman.

On the contrary, it’s step 5 of the general cleaning procedure I’ll suggest to you, to be sure you’re clean:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Ok, so I did what you guys suggested. You should know that I had already zipped the unknown application files. Nothing in relation to the unknown application seems to have been found, just some adware spies and lost registry keys. I used Avast! for the boot scan and rootkit scan. Here are some log files (attached).

I’d be grateful if you could keep me posted as to what that application exactly does!

Many thanks.

HermanVista, I’m not an expert on HijackThis… I need help from other users :wink:

Hello HermanVista,

No active software firewall was found, so please enable the Microsoft firewall,
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
You could fix the following with HJT:
O1 - Hosts: 207.24.89.108 wxw.gamershell.com Must be fixed!
Check whether you recognise the following; if not, please fix it:
O16 - DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
Nasty Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
The same applies here: O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab Check it on VirusTotal.com if needed.
And this one as well: O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - hxxp://mojoliciuos.spaces.live.com/PhotoUpload/VistaMsnPUpldnl-be.cab
They may be entirely fine, but please double-check them anyway (upload to virustotal.com, please).

The following O2 is deactivated; maybe you did that yourself, but it is fine:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Safe Unnecessary (deactivated) entry that can be fixed. This entry is safe.

That is it as far as your HijackThis log is concerned; I will still analyse the other log. Attached is a further system scan analysis via HijackThis,
For this you should also upload the following file to VirusTotal to see whether it is malware:
The process OCR Aware belongs to the software ScanSoft OmniPage SE or OmniPage Pro by ScanSoft, Inc (www.scansoft.com) or Nuance Communications, Inc.

Description: File OpwareSE4.exe is located in a subfolder of “C:\Program Files”. Known file sizes on Windows XP are 69632 bytes (70% of all occurrence), 75304 bytes, 79400 bytes.
OpwareSE4.exe is not a Windows system file. The program has no visible window. Program is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). It can change the behavior of other programs or manipulate other programs. The program can be removed using the control panel Add\Remove programs applet. OpwareSE4.exe is able to record inputs. Therefore the technical security rating is 55% dangerous, however also read the users reviews.

Important: Some malware camouflage themselves as OpwareSE4.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the OpwareSE4.exe process on your pc whether it is pest. So find OpwareSE4.exe with the Windows search function and then upload this executable to see what VirusTotal finds,

greetings from near Rotterdam,

polonus

Ok, thanks a lot. I’m continuing in English so others can follow if they wish:

I am running Vista, not XP.
Windows FireWall is on.
Could it be that the ScanSoft OmniPage process belongs to a Canon multifunctional printer/scanner we have connected, just as OpwareSE4?


Yes, sometimes ScanSoft OmniPage is included with some Canon printers. There should be documentation of this with the manuals that came with the printer.

http://g.s.scandoo.com/search?q=ScanSoft+OmniPage+Canon&btnG=Search&hl=en&sa=2


Hi HermanVista,

Yes, your OS is Vista; I saw that from the HJT logfile. Good that you checked everything that could possibly be suspicious against the good old live online scanner(s) at virustotal.com, and so now you have found that the file OpwareSE4.exe is a legitimate executable that came with your Canon printer installation.
So the O1 and O16 entries I gave in my previous posting can be fixed using HijackThis.
Analyzing what is running on your computer from day to day can be very instructive and enhance your understanding and feeling of security. Do an extra run with the updated SUPERAntiSpyware, to be downloaded from here: http://www.superantispyware.com/superantispywarefreevspro.html (this is the free home user version). SAS is light on resources, has 30-50% faster scanning, has Vista integration and will not interfere with your existing anti-virus or anti-spyware applications!! So you can leave it on your computer. I hope you enjoyed your welcome here; come here more often and eventually learn to help others,

all the best from all of us,

polonus

I surely enjoyed all your help!

Many thanks.


You are welcome. I am happy if I help in any way. :slight_smile: