Avira reports Trojan

Hi,

This is my very first time with a message that I have an infected computer.
I am very careful about the sites I visit. I use Adaware, SpyBot, SpywareBlaster, Avast, and Avira. Tonight after using computer all day, Avira popped up and reported:

C:\Windows\unvise32qt.exe is TR/Agent/CFT/ I searched for the file and it is dated 11/11/1999.

When detection window comes up it gives me several choices from which to select: move to quarantine, delete, rename, ignore and Access deny (which is selected). I have selected Move to quarantine.

Any help will be appreciated.

 

I think you'll find that file is the uninstaller for QuickTime Player. Restore it from Quarantine and check it's properties for company/version info. If still in doubt, upload the file to jotti for analysis.

 

Hi,

I restored it but coul not select it and click properties. Avira won't let me. I tried to check ignore and then I checked Rename and was able to check Properties, but nothing other than C:\Windows was shown. Now the file is called unvise32qt.VIR.

I restored the file to my desktop so I could submit to Jotti. Jotti found nothing but the extension was changed so I don't know if it would find something. How can I change it back. Avira won't let me access it.

These files have been on my computer forever and I wonder why it is only now that Avira is reporting them. Even more strange is the fact that Avast is the active antivirus program on my computer. Avira is only used for scanning when I disable Avast. But last night while scanning with AdAware, Avira opened up to advise of the virus.

Ann

 

Apparently Avira has some realtime monitoring going on in the background. When scanning with Ad-aware, when that file was accessed, the monitor picked up on it. As for why it was flagged ........ I don't know. Likely a false positive in their latest definitions (or whenever you last updated it). I'll have to do some research on accessing the file once Avira had blocked it, but in the meantime, check this. Open any Windows Explorer window. Click Tools on the menu, then Folder options. Select the View tab, then locate the entry 'hide extensions for known file types'. Uncheck it if it's checked, then OK out. Look at the file again and see if you can rename it to it's original name.

 

This will be of interest to you.

http://forum.antivir-pe.de/thread.php?threadid=24803

 

Hi noahdfear,

Big sigh of relief! Good to know that is a false positive.

I did as you said - "unchecked hide extensions for known file types." However, still cannot access the file to rename it. This file was on computer when I purchased it and it should be in the C:\Windows directory. I will keep it in quarantine until a solution can be found.

Thanks,

Ann

 

Try turning off Avira's guard, then restore the file and try renaming it.

 

New virus definitions which address this problem were just installed.

 

noahdfear,

Walked away from computer for several hours. Apparently the new virus definitions allowed me to access the file once more. I searched for file and was able to rightclick on it and rename. Now, however, it shows an icon where none was before.

Right-click, properties shows Installer VISE uninstall 2.0.8.3
MINDVISION Software.

I can't find file with explore. The C:\Windows is the only path I have and can't find it under Windows\system 32. I would like to find the file's location. Any suggestions or do I just leave it alone.

Just tried double-clicking files and nothing happens. So the file is there but not working.

 

Click Start>Search
In the right pane, right click and select Details
You should see a column labeled In Folder. If not, right click any column header and select In Folder from the list.
Now a search for the file should show it's location. I would search for the name without the extension, eg; unvise32qt

Alternatively, you could open Quicktime player and check the version (usually on the Help>About), then re-install it. Older versions available here. Or, if you want to upgrade, new version here.

 

I was able to open the folder in which the file is and I found two such files, unvise32 and unvise32qt. Both have a sign like DO NOT circle with a diagonal line through the circle.

Okay, you are saying to install over the old one I have, right? that might be easier than restoring my last ghost image. Please confirm before I do this.

But I have also read that it can be an IBIS Toolbar trojan:

IBIS Toolbar
Type: Adware
Description: IBIS Toolbar is an Internet Explorer search redirector.
Files:
c:\windows\unvise32qt.exe

I never use IE, but this has me totally confused

If reinstalling QT does not work, I was thinking of restoring my last image of about one week ago. Will this put back the file in original condition?

Thanks so much.

Ann

 

You need to check the version of quicktime installed. If version 6, the unviseqt32 file is needed to uninstall it. Quicktime's associated unviseqt32 is made by Mindvision, which you already identified. No need to worry about it being the IBIS toolbar file.

You should have no problem just re-installing the same version of quicktime so that the file gets replaced. Rolling back to a previous image is an option regardless of what you do about the file at this point. Should a problem arise re-installing, do the image. Just remember to immediately update your AV definitions if you do roll back, so as not to have a recurrence.

Check the properties on unvise32.exe and let me know what you find. I'm finding very conflicting information on it. You can always scan it at jotti too. Just browse to it, select it then click submit and wait for the results.

 

Hi,

I have QT 6.5 and I checked the Target for the uninstall in Start, Programs, Quicktime, uninstall. It showed this.

C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QUICKT~1\UNINST~1.LOG

If anyone who has Version 6 could check their unvise32qt.exe to see if it shows the circle and diagonal line, it would be a great help. Maybe the file is ok as it is.

Properties for unvise32.exe shows "Uninstall application file, MindVision Software Version 3.6.1.0. "

I checked both files at jotti and nothing was found in either one.

One thing I've learned is to quarantine whatever is flagged as dangerous and leave it there until I am as sure as I can be that it is bad or not.

Thanks for your help.

 

If you try running the uninstaller via the start menu and it starts (you can cancel) then the uninstaller is fine. If it doesn't work, let me know. I have just harvested a copy for you .... and yes, the icon is as you described.

 

I followed your instructions and the uninstaller started ( I cancelled). The file seems to be working, Halelujah!

What do you mean you harvested a file for me? If it has the correct date 11/11/1999, I could substitute it for theo ne I have, unless you do not think that is necessary.

I thank you so much for your time and patience. A little good news is very much needed, as now I am having problems with my DSL modem.

Ann

 

I installed quicktime version 6.5 and grabbed the unvise32qt file for safe keeping. It's dated 11/10/1999 ......... close enough. However, I do not think it's necessary for you to replace it.

You're most welcome, Ann. Glad I could help.

What problem are you having with the modem?

 

The modem is no longer working. DSL and Internet lights do not go on. I called AT&T and was told by a tech that I should call their replacement department and have them send me a new modem. This modem is not even one month old.

After 2-1/2 hours of calling a wrong number given to me by the technician, (constant busy signal) I was able to get a Sales Rep on the phone. She gave me the correct number for replacement modems and after a couple of tries, I got through. Happy to report new modem is on the way. BUT, I am not too happy with the short life span of the one I have. However, I am getting a $5.00 credit.

Back on dial-up for now.

Ann

 

Slow line is better than no line, right?

been there, done that, got the t-shirt

 

Do I still need to worry about unvise32? Is the information I posted enough to accept it as a valid file? Jotti found nothing.

 

No worries ....... it's a valid file.