Author Topic: Avasts been hijack please help  (Read 83454 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avasts been hijack please help
« Reply #30 on: April 20, 2007, 04:22:09 AM »
Oh my gosh - I think I just regained my sanity.
Thanks, mauserme, for being near us...
Sometimes we feel comfortable having knowledgeable people right beside us 8)
I'm far from discovering all the things you know about infections...
The best things in life are free.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #31 on: April 20, 2007, 04:30:18 AM »
It's a learning process every time, Tech  8)

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #32 on: April 20, 2007, 12:09:29 PM »
Hi guys

I'm gutted about spyster. I've used it for about 7 years, and in all that time not one program picked it up as a key logger, nor has all the scanning I've done in the last week.

I've uninstalled it and looked in the registry for

HKEY_LOCAL_MACHINE\software\classes\clsid\{c17f0025-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\interface\{c17f0024-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\interface\{c17f0026-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\classes\typelib\{c17f0023-1cae-11d4-a655-0080c88cceaf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\spyster.exe

Nothing found.

Trouble is, it's still not the thing that is using Windows Explorer.



UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #33 on: April 20, 2007, 12:44:08 PM »
This picture shows it better.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #34 on: April 20, 2007, 01:19:44 PM »
It's odd that your first screen shot shows all the packet transfers with Windows Explorer and none at all with Internet Explorer.  Is that still the case?

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #35 on: April 20, 2007, 01:34:13 PM »
Hi mauserme

Since the infection I've changed my start page from Google to blank, as 2 of the mail addresses were gmail-smtp-in.i.google.com (66.249.93.114) and gsmtp183.google.com (64.233.183.27).

I think Internet Explorer was opened, ready to post, but just at the blank page, so Sygate showed it as open.

Here's a pic now.


UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #36 on: April 20, 2007, 01:39:02 PM »
Hi mauserme

To answer your earlier questions:

Has anyone but you had direct physical access to this computer?

No, I'm the only person to access this computer.

Here is all the info for unvise32.exe.

Also, right click the file C:\WINDOWS\unvise32.exe and click properties.  Then click the Version tab.  Is anything shown across from Copyright?

Copyright © MindVision Software 1995-2000

If you click Company, Internal Name, Original File Name, and Product Name in the lower left pane (if these are present), what's shown in lower right pane?

Other version information / Value:

Comments: nothing there
Company: MindVision Software
File Version: 3.1.1
Internal Name: Installer VISE
Language: English (United States)
Legal Trademarks: nothing there
Original File Name: UNINSTAL.EXE
Private Build Descript: nothing there
Product Name: Installer VISE
Product Version: 3.1.1
Special Build Descript: nothing there

This is strange. I think on the first screen of unvise32.exe it says:

Created: 15 April 2007, 12:13.17
Modified: 17 December 1999, 10:13.04
Accessed: 20 April 2007, 12:06.34

Am I being silly, or is there something weird here?
How can something be modified before it was created?

I've added a pic of it.
« Last Edit: April 20, 2007, 01:51:36 PM by UK_Sean »

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #37 on: April 20, 2007, 01:50:08 PM »
Did you reboot between screen shots?  The numbers for Windows Explorer have gone down.

EDIT:  Download TCPView and let's see what it shows

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #38 on: April 20, 2007, 03:17:07 PM »
Hi mauserme

No, I didn't reboot.

There are 2 addresses:

3.64-62-243.reverse.mccolo.com:8081   (64.62.243.3:8081)

checkip.chi.dyndns.com:http   (204.13.250.51:80)

using explorer.exe.

They are constantly sending, or trying to.

The last picture you saw was both addresses using UDP, which I've disabled, and TCP.

Sometimes it's one address at a time,
or 2 or 3, or all of them.

I've added the Sygate traffic log.
« Last Edit: April 20, 2007, 03:19:16 PM by UK_Sean »
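The post above describes the pattern a defender wants to pull out of a personal-firewall traffic log: one process (explorer.exe) making repeated outbound attempts to the same public endpoints. The script below is an added example, not code from the thread or from Sygate; it parses a simplified, constructed line format (not Sygate's real format), counts attempts per process and destination, and flags outbound traffic to public addresses from processes that are not expected to be network clients. The process allowlist is an assumption for the example.

```python
"""Summarise a constructed outbound-traffic log per process and flag
processes that talk to public addresses without being expected network
clients. Example code added to this thread; the line format below is a
simplified one invented for the example, not Sygate's real log format."""
import ipaddress
from collections import Counter

# Constructed sample log, loosely modelled on what the thread reports
# (explorer.exe repeatedly reaching two public hosts on :8081 and :80).
SAMPLE_LOG = """\
2007-04-20 15:10:02 Blocked Outgoing TCP 192.168.1.5:1054 64.62.243.3:8081 explorer.exe
2007-04-20 15:10:07 Blocked Outgoing TCP 192.168.1.5:1055 64.62.243.3:8081 explorer.exe
2007-04-20 15:10:09 Blocked Outgoing UDP 192.168.1.5:1056 64.62.243.3:8081 explorer.exe
2007-04-20 15:10:12 Blocked Outgoing TCP 192.168.1.5:1057 204.13.250.51:80 explorer.exe
2007-04-20 15:11:40 Blocked Outgoing TCP 192.168.1.5:1060 66.249.93.114:25 explorer.exe
2007-04-20 15:12:01 Allowed Outgoing UDP 192.168.1.5:1061 192.168.1.1:53 svchost.exe
2007-04-20 15:12:05 Allowed Outgoing TCP 192.168.1.5:1062 204.13.250.51:80 iexplore.exe
"""

# Processes expected to open outbound connections on this box
# (assumption for the example; tailor it to the machine being reviewed).
EXPECTED_NETWORK_CLIENTS = {"iexplore.exe", "svchost.exe", "ashwebsv.exe"}


def parse_log(text):
    """Turn each log line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        date, time, action, direction, proto, local, remote, process = parts
        ip, _, port = remote.rpartition(":")
        records.append({
            "when": f"{date} {time}", "action": action, "direction": direction,
            "proto": proto, "local": local, "remote_ip": ip,
            "remote_port": int(port), "process": process.lower(),
        })
    return records


def attempts_per_destination(records):
    """Count (process, remote ip:port) pairs for outbound traffic."""
    return Counter((r["process"], f'{r["remote_ip"]}:{r["remote_port"]}')
                   for r in records if r["direction"] == "Outgoing")


def find_suspicious(records, expected=EXPECTED_NETWORK_CLIENTS):
    """Flag outbound traffic to public addresses from unexpected processes.

    Returns a list of (process, destination, attempts), most attempts first."""
    findings = []
    for (process, dest), count in attempts_per_destination(records).items():
        ip = ipaddress.ip_address(dest.rpartition(":")[0])
        if process in expected or ip.is_private:
            continue  # expected client, or LAN traffic such as local DNS
        findings.append((process, dest, count))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


if __name__ == "__main__":
    for process, dest, count in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{process:<14} -> {dest:<20} {count} attempt(s)")
```

Run against the sample, the only flagged process is explorer.exe, with the :8081 destination on top because it is retried most often; the svchost.exe DNS query to the LAN router is ignored as private-range traffic. The same grouping is what a reviewer does by eye on a real firewall log, and the repeat count is the quickest way to separate a one-off lookup from something that keeps trying.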

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #39 on: April 20, 2007, 03:23:01 PM »
Here are the pictures using TCPView.

Pic 1 is when nothing was trying.

Pic 2 is when both were.



T34

  • Guest
Re: Avasts been hijack please help
« Reply #40 on: April 20, 2007, 07:00:46 PM »
Hello,

I've got the same problem with explorer.exe and have no idea what thing is using it to connect to the internet.
I read down the discussion but no solution yet. I hope soon we find the answer...
Have more luck!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Avasts been hijack please help
« Reply #41 on: April 20, 2007, 07:22:21 PM »
First, if you have a firewall that provides outbound protection and you haven't already done so, block explorer.exe from connecting.

What is your firewall?

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #42 on: April 20, 2007, 09:33:52 PM »
I'll double check this later, but those IPs don't seem malicious - just DNS and such.


Let's see if SDFix turns up anything.

Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose "Extract All".
Open the extracted folder and double click "RunThis.bat" to start the script.
Type Y to begin the script.
It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avasts been hijack please help
« Reply #43 on: April 20, 2007, 10:34:52 PM »
Hi T34 & UK_SEAN,

Please download this program from here: http://www.sysinternals.com/Utilities/TdiMon.html

Fire up the proggie and save part of a log here; you can cut it up if it does not fit one posting and post it over several. What readings do you get if you fire netstat in the DOS prompt box, so netstat -a and netstat -an? Can you give this info also? Do you see something listening? TCP 2869 incoming, or 53 UDP blocked?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
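What polonus asks for (netstat output) and what mauserme asked for earlier (TCPView) are the same review: which local ports are open, who owns each socket, and which sockets have a real remote peer. The script below is an added example, not code from the thread or from Sysinternals; it joins constructed `netstat -ano` output (the `-o` column gives the owning PID) with constructed `tasklist /FO CSV` output to produce a TCPView-style view, then reports listeners on a small watchlist (the TCP 2869 and UDP 53 ports the post names; the watchlist itself is an assumption for the example) and every socket talking to a remote address. The two captures are constructed to mirror the thread's description, not taken from anyone's machine.

```python
"""Join constructed `netstat -ano` and `tasklist /FO CSV` output into a
TCPView-style table and review it. Example added to this thread; the two
outputs below are constructed to mirror the thread's description, not
captured from the poster's machine."""
import csv
import io

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       64.62.243.3:8081       SYN_SENT        1260
  TCP    192.168.1.5:1057       204.13.250.51:80       ESTABLISHED     1260
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:1056       *:*                                    1260
"""

TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,100 K"
"explorer.exe","1260","Console","0","19,572 K"
"""

# Listening sockets worth a second look (assumption for the example; the
# thread asks specifically about TCP 2869 and UDP 53).
WATCHED_LISTENERS = {("TCP", 2869), ("UDP", 53)}


def parse_netstat(text):
    """Parse `netstat -ano` rows. UDP rows carry no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the header row
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        sockets.append({"proto": proto, "local": local, "remote": remote,
                        "state": state, "pid": pid})
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def port_of(addr):
    """Port number from 'ip:port'; '*:*' (unbound UDP peer) gives None."""
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def review(sockets, processes, watched=WATCHED_LISTENERS):
    """Return watched listeners and every socket with a real remote peer,
    each labelled with the owning process name."""
    listeners, remote = [], []
    for s in sockets:
        name = processes.get(s["pid"], f"pid {s['pid']}")
        lport = port_of(s["local"])
        bound = s["state"] == "LISTENING" or s["proto"] == "UDP"
        if bound and (s["proto"], lport) in watched:
            listeners.append((s["proto"], lport, name))
        if s["remote"] not in ("*:*", "0.0.0.0:0"):
            remote.append((name, s["proto"], s["remote"], s["state"]))
    return {"watched_listeners": listeners, "remote_connections": remote}


if __name__ == "__main__":
    result = review(parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_OUTPUT))
    for proto, port, name in result["watched_listeners"]:
        print(f"listening {proto}/{port:<5} owned by {name}")
    for name, proto, peer, state in result["remote_connections"]:
        print(f"{name:<14} {proto} -> {peer:<20} {state}")
```

On the sample, the 2869/TCP listener resolves to the System process (PID 4), which is where a kernel-hosted Windows service shows up, while the two sockets with real peers both belong to explorer.exe, one still in SYN_SENT (a connection attempt the firewall may be blocking) and one ESTABLISHED. Attributing each socket to a process name is the step that turns a netstat dump into something actionable: a listener owned by an unfamiliar image is a different finding from the same port owned by a known service.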

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #44 on: April 20, 2007, 10:38:33 PM »
Thanks for jumping in, Polonus  :)