Spyware, viruses, & security : unvise32.exe- a trojan?

Post 1 of 12

unvise32.exe- a trojan?

by k5ox - 11/5/06 8:06 AM

Hello!
My Spyware Terminator scan showed 3 critical objects
under the title Trojan/SpyAgent32(Trojan) with a threat ranking of 4. (I am using Windows XP Home Edition on an Inspiron 9300 laptop.)

1.RegistryHKLM...\Microsoft\Windows\Currentversion\Uninstall\IgorPro
2. c:\..\All Users\Start Menu\Programs\Igor Pro\Remove Igor Pro.lnk
3. c:\Windows\unvise32.exe

I have had a registered version of Igor Pro for the last two years. Are these real threats?
Thanks in advance.
Raj

Post 2 of 12

unvise32.exe

by Marianna Schmudlach Moderator - 11/5/06 11:17 AM In reply to: unvise32.exe- a trojan? by k5ox

A Google search brings this up:

http://www.google.ca/search?q=unvise32.exe&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a

I'd suggest running Housecall:

run the Housecall online virus scan located at:
http://housecall.trendmicro.com/housecall/start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Post 3 of 12

done but..

by k5ox - 11/6/06 3:07 AM In reply to: unvise32.exe by Marianna Schmudlach Moderator

Thanks a lot Marianna.
I did as you suggested. The results showed vulnerabilities regarding Windows security updates:

Microsoft Security Bulletin MS06-052
Microsoft Security Bulletin MS06-053
Microsoft Security Bulletin MS06-057
Microsoft Security Bulletin MS06-061
Microsoft Security Bulletin MS06-063
which mostly concern remote execution.
(I have installed these updates.)

However c:\windows\unvise32.exe still exists.

Any ideas? Thanks again.
Raj

Post 4 of 12

Did you run Housecall??

by Marianna Schmudlach Moderator - 11/6/06 9:02 AM In reply to: done but.. by k5ox

I also would suggest running AVG AntiSpyware:

First download AVG Anti-Spyware from HERE and save that file to your desktop.

After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version.

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.

Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found".

Close AVG Anti-spyware, do NOT run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.

Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions".

Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please let us know how you are doing.

Post 5 of 12

Got it!

by k5ox - 11/7/06 3:33 AM In reply to: Did you run Housecall?? by Marianna Schmudlach Moderator

Thanks Marianna for your reply.
I ran Housecall before and it said that I need to install Windows security updates, which I did.
I also ran AVG as you suggested, in Safe Mode.
It did not find anything; however, when I rebooted to Normal Mode the unvise32.exe was gone. So it seems that the threat is gone. In your opinion, if there is anything else that should be done, please let me know.

I must say I really appreciate your time for providing detailed instructions. Thanks again!
Raj

Post 6 of 12

Great job !

by Marianna Schmudlach Moderator - 11/7/06 7:54 AM In reply to: Got it! by k5ox

Hi Raj,

Yes, I would disable System Restore, reboot, run your anti-virus again and, if everything is CLEAN, ENABLE System Restore again.

How to Disable or Enable Windows XP System Restore.

http://www.online-tutorials.com/folder9/920.htm

You Are Welcome :)

Post 7 of 12

Done!

by k5ox - 11/9/06 2:27 AM In reply to: Great job ! by Marianna Schmudlach Moderator

Hi Marianna!
All done as per the instructions! :-)
Thanks a million.
Raj

Post 8 of 12

Super ! You Are Very Welcome :)

by Marianna Schmudlach Moderator - 11/9/06 8:02 AM In reply to: Done! by k5ox

Happy SAFE Computing :)

Post 9 of 12

unvise.exe

by philchil - 11/13/06 5:26 AM In reply to: Done! by k5ox

This is the uninstall program for Igor, whatever that program name was. That is the program that uninstalls it. That's all.

Post 10 of 12

exact name?

by k5ox - 11/13/06 5:33 AM In reply to: unvise.exe by philchil

Is it unvise.exe or unvise32.exe? The file which I had was unvise32.exe.
Raj

Post 11 of 12

Wise Uninstall program

by slahone - 11/13/06 6:28 AM In reply to: exact name? by k5ox

I thought the actual name of the uninstaller was UnWise rather than Unvise. If so, the virus writer is trying a little social engineering here...

Post 12 of 12

: unvise32.exe- a trojan?

by Lucian.A - 11/17/06 12:00 AM In reply to: unvise32.exe- a trojan? by k5ox

Just in case... read this: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=38745

Blackmal.A creates the following registry keys and values in order to execute the copy of itself from the TEMPORARY folder at the next system re-start, e.g.:

HKCC\Display\Fonts\(Default) = "C:\WINDOWS\TEMPORARY\unvise32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UNVISE32.EXE = "C:\WINDOWS\TEMPORARY\UNVISE32.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\WINDOWS\TEMPORARY\UNVISE32.EXE"

The worm selects an .exe file from the Windows folder and copies itself to the System folder as originalname<space>.exe. For example, if it finds a file named regedit.exe it copies itself to regedit .exe.

Blackmal.A creates the following registry keys and values in order to execute this copy from the System folder at the next system re-start (for example):

HKCC\Software\Microsoft\(Default) = "C:\WINDOWS\SYSTEM32\regedit .exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\WINDOWS\SYSTEM32\regedit .exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\regedit .exe = "C:\WINDOWS\SYSTEM32\regedit .exe"

The worm carries and drops two files that are legitimate libraries from OstroSoft:

OSSMTP .dll
oswinsck.dll

...read the rest, and check your registry and hard disk for those keys and files....
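The checks the quoted CA advisory calls for, as an added example that is not part of the thread and not code from CA or from any of the scanners named above: a Python script that parses a registry export in `.reg` format (what `regedit /e` writes) and a flat file listing (what `dir /b` prints), and flags the advisory's indicators, namely Run and HKCC values whose data runs from `\WINDOWS\TEMPORARY`, and files named `originalname<space>.exe` or `.dll`. It also reports whether the `unvise32.exe` in the Windows folder is registered as some product's uninstaller, since that is the normal place for a real uninstaller to appear. The function names, the sample `.reg` text, the file listing and the Igor Pro `UninstallString` argument are all constructed for the example; on a real XP host you would feed it exported keys and a listing of the Windows and System32 folders instead.

```python
"""Triage of the Blackmal.A indicators quoted in the thread against a .reg
export and a file listing. Added example, not from the thread or the CA
advisory; SAMPLE_REG and SAMPLE_FILES are constructed, not captured data."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed .reg export. Three values follow the advisory's patterns; the
# Uninstall entry references the unvise32.exe that lives in the Windows folder
# (the uninstal.log argument is an assumption made for the example).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UNVISE32.EXE"="C:\\WINDOWS\\TEMPORARY\\UNVISE32.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\SYSTEM32\\regedit .exe"

[HKEY_CURRENT_CONFIG\Display\Fonts]
@="C:\\WINDOWS\\TEMPORARY\\unvise32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IgorPro]
"DisplayName"="Igor Pro"
"UninstallString"="C:\\WINDOWS\\unvise32.exe C:\\PROGRA~1\\IGORPR~1\\uninstal.log"
'''

# Constructed listing of the Windows and System32 folders.
SAMPLE_FILES = [
    r"C:\WINDOWS\unvise32.exe",
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\SYSTEM32\regedit .exe",
    r"C:\WINDOWS\SYSTEM32\OSSMTP .dll",
    r"C:\WINDOWS\SYSTEM32\notepad.exe",
]

# Keys the advisory names as the places the worm plants its start-up values.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_CONFIG\Display\Fonts",
    r"HKEY_CURRENT_CONFIG\Software\Microsoft",
)
UNINSTALL_PREFIX = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"

# "originalname<space>.exe": a space immediately before the extension.
SPACED_NAME = re.compile(r"\S \.(exe|dll)$", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside string data.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def indicator(path: str) -> Optional[str]:
    """Reason a path matches one of the advisory's indicators, or None."""
    if "\\temporary\\" in path.lower():
        return "runs from \\WINDOWS\\TEMPORARY"
    if SPACED_NAME.search(path):
        return "space before the extension (originalname .exe)"
    return None


def scan_autostart(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(key, value name, data, reason) for autostart values that match."""
    by_lower = {k.lower(): v for k, v in keys.items()}  # key names are case-insensitive
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in by_lower.get(key.lower(), {}).items():
            reason = indicator(data)
            if reason:
                hits.append((key, name, data, reason))
    return hits


def scan_files(paths: List[str]) -> List[Tuple[str, str]]:
    """(path, reason) for files whose name matches the worm's naming trick."""
    hits = []
    for p in paths:
        reason = indicator(p)
        if reason:
            hits.append((p, reason))
    return hits


def uninstall_entries_for(keys: Dict[str, Dict[str, str]], exe_path: str) -> List[str]:
    """DisplayNames of Uninstall entries whose UninstallString runs exe_path.
    A genuine uninstaller is registered here; the worm's copies are not."""
    names = []
    for key, values in keys.items():
        if key.lower().startswith(UNINSTALL_PREFIX.lower()):
            cmd = values.get("UninstallString", "")
            if cmd.lower().startswith(exe_path.lower()):
                names.append(values.get("DisplayName", key))
    return names


def triage(reg_text: str, files: List[str], exe: str) -> Dict[str, object]:
    keys = parse_reg(reg_text)
    return {
        "autostart_hits": scan_autostart(keys),
        "file_hits": scan_files(files),
        "uninstaller_for": uninstall_entries_for(keys, exe),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_FILES, r"C:\WINDOWS\unvise32.exe")
    for key, name, data, why in report["autostart_hits"]:
        print(f"SUSPECT {key}\\{name} = {data}  ({why})")
    for path, why in report["file_hits"]:
        print(f"SUSPECT {path}  ({why})")
    print("unvise32.exe registered as uninstaller for:", report["uninstaller_for"])
```

On the constructed data the script flags the three start-up values and the two space-named files, and leaves `C:\WINDOWS\unvise32.exe` itself unflagged because nothing runs it at boot and an Uninstall entry references it. That is the distinction worth drawing from the advisory: the worm's copies run from `\WINDOWS\TEMPORARY` through Run values, whereas the scanner in the first post flagged the file together with an `Uninstall\IgorPro` key and a "Remove Igor Pro" shortcut, which is how a product's own uninstaller is normally registered.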
