VX2 & 180solutions

Discussion in 'malware problems & news' started by Jaws, Apr 4, 2005.

Thread Status:
Not open for further replies.
  1. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    First thing I hope I'm posting in the right forum.

    Let me start by saying I use IE (yeah, I know, I'm an idiot), but I locked down the Internet security settings so everything is set to disable.

    I use Spybot S&D, Spywareblaster and AdAware. I also use Outpost free firewall and have a Cisco SOHO 91 router.

    I used to use NAV (it's been off my computer for a long time) but now I only use MicroWorld's free virus scanner, which I think uses the Kaspersky engine. I guess I'm lucky because I never get viruses. I would use the MW scanner every week or two. The only thing I've downloaded recently was Acrobat Reader Ver 7.

    I hadn't scanned in about 2 weeks, and yesterday when I ran MW's scanner it said I had the 180solutions spyware/adware virus and the VX2 spyware/adware virus, and that I need to buy the full product to remove them.

    My service provider is WOW, which has a scanner on the home page that uses RAV. I scanned with RAV and it showed no problems. I also downloaded the NOD32 beta and ran that, and it also came up with no viruses. Same thing with Trend Micro's scanner.

    I found on the AdAware web site that there is an add-on for VX2, so I downloaded that and ran it, and it also showed no infection from VX2.

    I'm hoping someone can give me some insights into these problems. Or is it possible MW scanner is mistaken?

    Thanks

    Jaws
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm not going to call you an idiot for using a locked down IE ('cos I use it myself ...he he!), but, since you raised the subject, I am going to call you an idiot for apparently having no realtime AV protection! If I'm reading you right, you took off NAV and now rely solely on periodic demand scans. Well you might get away with that if you knew what you were doing and had something like Process Guard, or even WinPatrol, as a long stop; but it is hardly recommended!

    Actually, it could be that e-scan is just putting the frighteners on you! Have you gone into 'Safe' and done a full system scan with AdAware? The main scanner of AdAware should tell you if you have VX2; the plug-in is only really looking for Look2Me, which is a variant. If you want to try some specialised tools for VX2 try these:-

    For a link for symantec's FixBinet.exe tool:- http://securityresponse.symantec.com/avcenter/venc/data/adware.betterinternet.html

    For VX2 Finder:- http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

    For a good, KAV engined, online scan try here:- http://support.f-secure.com/enu/home/ols.shtml

    And don't forget MS-AS (if you have XP).

    Finally you may care to try a trial of Ewido (if you have XP or 2000):- http://www.ewido.net/en/

    This may all prove to be a red herring from e-scan, but we shall see!
     
  3. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi TopperID,

    Thanks for the reply.

    It's good to know someone else doesn't think Firefox is the best thing since sliced bread. I personally like IE and I'm used to it, so I use it, but you do have to lock it down. By the way, no offense taken by your remark. I've been pretty lucky as far as viruses go.

    Now, on to the tools you recommended. Tried AdAware in safe mode and it showed nothing on VX2 or 180solutions. I would have been surprised if it did, since you'd think it would have found them from the get-go.

    Tried the next three products and they also came up negative. Maybe e-scan is spoofing people. It sure looks that way.

    I do run Win2000 Pro, so I downloaded Ewido (what a name) and it found an infection (backdoor.hacdef.a, with a file I guess it was using in my temp folder, viewtcp.exe) that none of the other scanners found! What a surprise; it was the only scanner that found it. But still nothing on VX2 or 180solutions. I googled the infection and it seems there is no connection with VX2 that I could see. Do you know what damage the infection could do? I didn't notice anything unusual.

    Too bad there isn't a free version of Ewido for home use. I don't mind paying for programs, and I do pay for shareware that I find useful, but I'm not rolling in dough right now. I imagine if it was only a one-time charge I'd go for it, but every year, eh.

    Anyway, thanks for the info, you've been a great help.

    Jaws
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ewido is FREE without the realtime scanner.

    Cheers :D
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh Jaws - you've got yourself a rootkit!

    If you look here you'll see the various names backdoor.hacdef.a goes under:-

    http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=backdoor.hacdef.a&product=0

    One of which is Hack Defender, see what Symantec has to say about it:-

    http://www.symantec.com/avcenter/venc/data/backdoor.hackdefender.html

    The problem with rootkits is that when they install on your machine they stealth themselves and become invisible to all the normal means of detection. If an AV has the signatures it can catch the blighter at its most vulnerable, i.e. when it first enters your machine, before it gets installed; afterwards things are more problematic. Fortunately I don't think this one is 'kernel' level and maybe no damage has been done, but you may need further checks with the correct tools.

    I just hope Ewido was able to find all the relevant files. Incidentally, there is a genuine prog by Sysinternals called tcpview.exe; it is very good (I use it myself!), but yours is a misspelling of this, which often indicates a dodgy file!

    There is a prog called UnHackMe which may help you; I will have to check up on this. In the meantime you really must make sure you run an AV in realtime, which could have prevented this nasty from getting on your machine in the first place.

    PS - as an edit, you could try RootkitRevealer from Sysinternals and see if that uncovers some more files:- http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
     
    Last edited: Apr 4, 2005
  6. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    I ran the default RootkitRevealer scan and no discrepancies were found. If I uncheck 'hide standard NTFS metadata files', 75 discrepancies are found across 2 hard drives and 5 partitions.

    One hard drive has c:, d: and e: partitions, and my second hard drive has g:, which only has my swap file, and h:, which is empty and recently formatted.

    I don't get it. There seems to be no damage or strange occurrences on my computer. What exactly does this infection do, and can it send info past my firewall and router? Are my passwords safe? I do use the user login (Ctrl-Alt-Delete, user name and password when starting up the computer). I read the Symantec article and am having a hard time understanding it.

    Like I said before Ewido only found the infection and viewtcp.exe.

    I guess it's time to cough up some money for an AV program. Do you consider Ewido the best for Win2000 Pro? Or would one of the free ones do the same job?

    EDIT
    Something strange happened. After I used the tools you suggested in your first reply including ewido, I ran e-scan again to see if VX2 & 180solutions would still be reported, and they were.

    When I run e-scan it puts a lot of files in my temp folder which is in my d: drive. Well I normally empty my temp folder after I run e-scan but this time I forgot to.

    Anyway, I go and scan with ewido again just before I edit this last post and guess what I find. Infection - backdoor.hacdef.a is back with viewtcp.exe as the file to be quarantined and it's in the temp folder on my d: drive. Something smells rotten in Denmark with this e-scan.

    I'm thinking e-scan had to put Viewtcp.exe there. Ewido puts nothing in my temp folder. Do you think it's possible for viewtcp.exe to come back by itself?

    Thanks

    Jaws
     
    Last edited: Apr 5, 2005
  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  8. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi chris,

    I downloaded unhackme and ran it, it only took like a second to do its scan and found no problems. Is it normal to do the scan so fast?

    Back to my previous edited post, whenever I've seen a virus it's been on the c: drive, not on the d: drive. Why would viewtcp.exe show up in the middle of all the temp folder files after running the MicroWorld e-scan scanner?

    I know this is a stupid question but would anybody want to try running the e-scan file and see if they get the infection and VX2 & 180solutions from it?

    Thanks

    Jaws
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The reasons why I did not think this was a false positive from Ewido are:-
    a) I can't find any info on Viewtcp.exe and if this was a genuine executable you would expect it to turn up on Google somewhere;
    b) It is a transposition of the name tcpview.exe, which is a genuine prog used for trojan defence, such name similarities are always suspicious;
    c) I use, trust and like Ewido - but that is a gut thing and not rational!

    It is possible that Ewido got this thing before it installed itself; the problem is that once they install, rootkit trojans become practically impossible for normal AVs to find. There is one little experiment you could try: clear out your temp files, run e-scan and then see if Ewido can still pick up backdoor.hacdef.a. If it can, that may suggest a FP on a file put there by e-scan.

    With regard to the RootkitRevealer results, don't worry about unhiding the ntfs files, you are really concerned about other hidden files. If you look at the screenshot on the Sysinternals site you will see what the display will look like if it finds HackerDefender - if you don't have that you should be OK. But of course there is no harm in seeking a second opinion from UnHackMe, as suggested by Chris above.

    HackerDefender is a backdoor trojan - which means it can do a lot of damage, see here for details:- http://www.viruslist.com/en/viruses/encyclopedia?chapter=152540521#back
    You really don't want this on your machine!!

    As to future defence, Ewido is a specialist Anti-Trojan which also finds a lot of other stuff. It finds things that an AV will miss, but it is NOT an AV and should be used in addition to an AV and not instead. If you want me to recommend a good free AV, then my personal favourite (with a good detection rate) is AntiVir/AVPE http://www.majorgeeks.com/download955.html
    You will lose the Guard for Ewido after a couple of weeks, but you can continue to use the scanner free and combined with AntiVir realtime, and occasional online scans, you should have good free protection.

    I haven't given details about 180solutions, which is Adware and not normally detected by AVs, because I don't think you have it - you would uninstall manually via Control Panel/Add Remove Progs:-

    http://www.doxdesk.com/parasite/nCase.html
    http://www.pchell.com/support/ncase.shtml

    VX2/BetterInet is harder to get rid of, but you probably don't have it!

    http://www.doxdesk.com/parasite/Transponder.html

    Edit - your last post beat me to it!
     
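    TopperID's point (b) above, that viewtcp.exe is a transposition of the genuine tcpview.exe, is a triage heuristic worth automating. The following is an added example, not code from this thread or from any of the vendors named in it: it classifies an observed executable name against a small allow-list of known tool names (the allow-list and the sample names are constructed for the demo) and reports whether it is an exact match, a rotation of a known name (view|tcp -> tcp|view), an anagram, or a near miss by edit similarity. Note the caveat the thread itself illustrates: the heuristic flags viewtcp.exe, which later turned out to be a legitimate helper shipped with the scanner, so treat a hit as a reason to check the file, not as a verdict.

```python
"""Lookalike-filename heuristic for triaging suspicious executables.

Added example, not from the thread or any vendor. KNOWN_TOOLS and the
names used in the demo are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Constructed allow-list of well-known tool stems (no extension, lowercase).
KNOWN_TOOLS = ["tcpview", "procexp", "autoruns", "regmon", "filemon"]


def stem(name: str) -> str:
    """Lowercase basename without extension; accepts Windows or POSIX paths."""
    base = re.split(r"[\\/]", name)[-1]
    return base.rsplit(".", 1)[0].lower() if "." in base else base.lower()


def is_rotation(a: str, b: str) -> bool:
    """True if b is a rotated b = a[i:] + a[:i], e.g. 'viewtcp' -> 'tcpview'."""
    if len(a) != len(b) or a == b:
        return False
    return any(a[i:] + a[:i] == b for i in range(1, len(a)))


def is_anagram(a: str, b: str) -> bool:
    """Same multiset of letters, different order (rotation is a special case)."""
    return a != b and sorted(a) == sorted(b)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def classify(observed: str, known=KNOWN_TOOLS, threshold: float = 0.8):
    """Return (verdict, matched_known_name_or_None).

    Verdicts, in priority order: exact, rotation, anagram, near_miss, unknown.
    A rotation is checked before a plain anagram because it is the pattern
    the thread describes and is much more specific.
    """
    s = stem(observed)
    for k in known:
        if s == k:
            return ("exact", k)
    for k in known:
        if is_rotation(s, k):
            return ("rotation", k)
    for k in known:
        if is_anagram(s, k):
            return ("anagram", k)
    best = max(known, key=lambda k: similarity(s, k))
    if similarity(s, best) >= threshold:
        return ("near_miss", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample: the thread's file plus a digit-substitution variant.
    for name in ["viewtcp.exe", r"C:\Temp\TCPVIEW.EXE", "tcpv1ew.exe", "notepad.exe"]:
        print(name, "->", classify(name))
```

    Run it over the filenames in a temp folder listing or a process list; anything other than "exact" or "unknown" deserves a hash comparison against the real tool before drawing a conclusion.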
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Just installed and ran MWAVE.exe located here http://www.mwti.net/antivirus/mwav.asp
    I think this is what you were talking about. It did not detect VX2 & 180solutions so it is not installing it.

    Also viewtcp.exe did not show up either.

    Hope this helps,

    Chris
     
  11. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    I did some experiments first thing this morning. I scanned with ewido with an empty temp folder and found no problems.

    I then scanned with e-scan ver.6.0.2 that was downloaded on 4/3/05. Came up with VX2 & 180solutions again. Used ewido and it showed infection: backdoor.hacdef.a with file to be quarantined viewtcp.exe. So I did quarantine it.

    I then cleared my temp folder again.

    So now I go to the MW e-scan site and download their scanner mwave.exe. Now it's ver. 6.0.5 (Chris, this is probably the version you scanned with) and I scanned again with this version. This time I don't get the VX2 & 180solutions notice of infection as it's scanning. But I check the temp file folder and viewtcp.exe is there! So without deleting anything in the folder I scan with Ewido, and this time it's not showing any infections even with viewtcp.exe in the temp folder. That alone seems very strange. Wouldn't Ewido want to quarantine it again?

    Chris, did you check to see if viewtcp.exe was in your temp folder?

    It seems to me like I was never infected with anything, considering the tools you guys helped me out with using. At least it doesn't look as if I'm infected, my computer always seemed fine.

    I still have the e-scan file ver. 6.0.2 if anyone wants to play around with it. I think it really stinks to have MW release this file. Needless to say I'll never use their scanner again.

    For now I think I'll leave the NOD32 beta and Ewido on my computer. Thanks for letting me know Ewido is not an AV; I thought it was at first.

    Thanks again

    Jaws
     
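    The experiment Jaws ran in the post above (empty the temp folder, run the scanner, see what appears, then check whether the second scanner still flags it) is the right way to attribute a dropped file to the tool that dropped it. The following is an added example, not code from this thread or from MicroWorld or Ewido: it snapshots a directory before and after a tool runs, recording size and SHA-256 per file, and reports what was added, changed or removed. The demo uses a temporary folder and a constructed stand-in file rather than a real scanner, and the hash lets you compare the dropped file byte-for-byte against a copy you trust (for instance one extracted from the vendor's download package) instead of judging it by its window colours.

```python
"""Snapshot a directory around a tool run and diff the result.

Added example, not from the thread or any vendor. demo() builds its
own temporary directory and a constructed stand-in file, so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, disappeared, or whose size/hash changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "changed": changed}


def matches_reference(snap: dict, name: str, reference_sha256: str) -> bool:
    """True if the file in the snapshot is byte-identical to a trusted copy."""
    entry = snap.get(name)
    return entry is not None and entry[1] == reference_sha256


def demo() -> dict:
    """Simulate: leftover file present, tool runs, helper dropped, log grows."""
    stand_in = b"constructed stand-in for a dropped helper, not a real PE\n"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "old.log").write_bytes(b"leftover from an earlier run\n")
        before = snapshot(tmp)
        # Stand-in for "run the scanner": it unpacks a helper into the folder
        # and appends to an existing log.
        (tmp / "viewtcp.exe").write_bytes(stand_in)
        (tmp / "old.log").write_bytes(b"leftover from an earlier run\nappended\n")
        after = snapshot(tmp)
        result = diff_snapshots(before, after)
        # Compare the dropped file with a trusted hash (here, of the stand-in
        # itself) and with a deliberately wrong one.
        trusted = hashlib.sha256(stand_in).hexdigest()
        result["reference_match"] = matches_reference(after, "viewtcp.exe", trusted)
        result["bogus_match"] = matches_reference(after, "viewtcp.exe", "00" * 32)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    In practice you would call snapshot() on the real temp folder, run the scanner, call it again, and then feed the reported hash of any new executable to whichever vendor or multi-engine service you trust; a file that appears on every run of the same tool and disappears when its temp files are cleared is the tool's own, whatever a second scanner says about its name.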
  12. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Yep and it is not. Strange...

    Thanks,

    Chris
     
  13. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Well, at least I now know VX2 & 180solutions was a bogus infection.

    I'm not sure what to make of viewtcp.exe, or if I'm even infected with backdoor.hacdef.a or not. Chris, I wonder, with all the protections you have, if they would have allowed viewtcp.exe to be put in your temp folder.

    Thank you, Topper and Chris for all your help. It's good to know people are willing to unselfishly devote time to help others.

    Jaws
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Jaws, to put your mind at rest over viewtcp.exe, you could always upload the file to Ewido and let them have a look at it:- http://www.ewido.net/en/malware/
     
  15. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    If they didn't I would have still received an alert but I didn't :(

    No problem at all. Just glad to able to try and help.

    Thanks,

    Chris
     
  16. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Just a follow up.

    Surprise, surprise, e-scan is using a ViewPorts button on their most recent on-demand scanner. When you click on ViewPorts, a port viewer window opens up. The name of the program is ViewTCP.exe.

    Topper, I'll have to assume it was a false positive from Ewido, since I now know there is a legit program called ViewTCP.exe, and that I never had an infection as Ewido suggested. I'll also assume it showed up as a rootkit with Ewido because it had never seen this program before.

    Chris, very strange indeed, since it should have showed up as a file in your temp folder.

    I still don't understand how an on demand AV scanner would see VX2 or 180solutions?

    EDIT:
    I shouldn't have knocked this scanner without knowing all the facts. I've used it a few more times and all seems OK. The only thing is, when I do a scan with e-scan I get a popup from Spybot S&D: extension handler value changed, old data %1, new data "%1"? I just click deny change.

    Thanks

    Jaws
     
    Last edited: Apr 24, 2005
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Jaws, thanks for your update. The interesting thing is that ViewTCP.exe is now on Google! If you look here:- http://www.spywareinfoforum.com/lofiversion/index.php/t44152.html

    you will see that the poster ran escan, then Ewido and the latter picked up ViewTCP.exe as Backdoor.HacDef.a !

    To make it even more interesting, the poster was apparently infected with VX2 Spyware/Adware and 180Solutions Spyware/Adware.

    Does this seem familiar - or what! :D

    Edit - the plot thickens! This thread:- http://www.spywareinfoforum.com/lofiversion/index.php/t43961.html

    has the following entry:-

    "When I started MWAV Mcafee showed a pop-up
    "A trojan has been detected
    The file c:\...\Temp\viewtcp.exe is infected by the HackerDefender.sys Trojan and cannot be cleaned"

    I deleted it."

    So it is not just Ewido, McAfee gets in on the act as well - I wonder what KAV would make of it?

    Again, this thread:- http://www.techsupportforum.com/computer/topic/46154-1.html

    has this entry:-

    "However..... this evening I inadvertantly opened up mva.exe while cleaning up my desktop. At that time, McAfee located a trojan named HackerDefender.sys The infected file is viewtcp.exe located in C:\Documents and Settings -> Local Settings -> Temp. Per McAfee, the infected file cannot be cleaned. I have deleted the file, but should I do anything else?"
     
    Last edited: Apr 24, 2005
  18. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Impressive the number of trojans those guys picked up. Looking at those HijackThis logs makes me cross-eyed. No wonder he couldn't use his computer. It used to be that if e-scan found something, it would clean it up. Maybe not that many. Anyway, that answers that about VX2 & 180solutions.

    Both guys seem to be surfing the web with their pants down, figuratively and literally, whereas I judiciously surf and know what I download. About the only thing I got was the heebie-jeebies from e-scan because their new program was being detected as a trojan.

    I can run ewido with viewtcp.exe in my temp folder and it no longer flags it as an infection. Would you care to comment on e-scans port viewer if you happen to try it?

    I'll be more closely monitoring my internet security in this more dangerous age.

    Thanks,

    Jaws
     
    Last edited: Apr 24, 2005
  19. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    I took a look at the Sysinternals tcpview.exe program on their web site, and viewtcp.exe looks to be the same thing, colors and all. So I kept it on my hard drive in its own folder and deleted the rest of my temp folder. Too bad there's no logging in the program.

    Thanks,

    Jaws
     