View Full Version : Antivirus software being attacked
martybelfast
2006-03-31, 00:05
Hi,
I posted a topic about my spybot not installing properly. Some sort of bug has deleted it and my firewall, is crashing my browsers and email software and is preventing me from installing any firewall or antivirus software. Don't know that much about this stuff, was told to download HJT... Here is the log file...
Logfile of HijackThis v1.99.1
Scan saved at 22:00:06, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Martin\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
Again, help would be much appreciated,
Thanks,
Marty.
CalamityJane
2006-03-31, 01:03
Redo! I see it now...
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
Let me go see what's invovled with this (it appears to be associated with a Bagle variant).
http://www.sarc.com/avcenter/venc/data/w32.beagle.dv.html#technicaldetails
CalamityJane
2006-03-31, 01:13
You should be able to scan with HijackThis and checkmark this entry, then press the *fix checked* button
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
Then delete the file:
C:\WINDOWS\SYSTEM32\ldr64.dll
and reboot your PC
It looks like you are using Panda - are you trying d/l another AV program too? Or is it Panda you're trying to reinstall?
martybelfast
2006-03-31, 01:21
I'll do that now...
Was regularily running:
Spybot (once a week)
ZoneAlarm Free Firewall (on all the time)
AdAware (once a week)
Spywareblaster (once a week)
and occassionally used
Ewido (once a month)
A Squared (once a month)
Spybot and ZoneAlarm were wiped from my system and would not install properly. I used Ewido and A Squared and they found problems and fixed them and I thought that was it, but I still had problems re-installing ZoneAlarm and Spybot. It was then that I tried to download a few different Antivirus programs but none of them would install properly, Panda was one of them.
What is the best of the free Firewalls and Antivirus programs to use or should I really be purchasing some?
About to do what you said, what next?
Thankyou so much for the help...
martybelfast
2006-03-31, 01:26
I cannot see the file idr64.dll in the C:\WINDOWS\system32 folder... about to reboot anyway.
martybelfast
2006-03-31, 01:45
Hi,
ldr64 was not there. The computer is getting worse, has just crashed twice and threw up a blue screen and restarted. Not sure whats happening... Any ideas? Thanks.
CalamityJane
2006-03-31, 02:20
Please post a Fresh HijackThis log.
I think trying to install Panda on an infected machine may have complicated things. Can you uninstall that for now and we'll help you get some AV and firewall programs when we get you cleaned up and operating.
Let's see if this tool finds anything
Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
CalamityJane
2006-03-31, 02:41
After you have uninstall Panda
1. Get this free tool from Trend-Micro
Damage Cleanup Engine / Template
http://www.trendmicro.com/download/dcs.asp
Get the Sysclean Package for non-Trend customers.
2. Grab a copy of the instructions here:
please download the following files
http://www.trendmicro.com/ftp/products/tsc/readme.txt
NOTE:
For instructions on how to use this package, consult the "How to Use" section of the readme file, readme_sysclean.txt. This file also contains the description and the different features of this package.
Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package[b]
That's in the instruction under III Requirements - follow the directions.
3, DCT CONTROL RELEASE
[b]Download Latest DCT Control Release
http://www.trendmicro.com/download/pattern-dcs-disclaimer.asp
The Damage Cleanup Template (DCT) Control Release is a pre-release version of Damage Cleanup Template (DCT) and is updated by TrendLabs almost as often as new samples come in. Since it is designed to clean registries and system files from 'in-the-wild' malware infections, DCT Control release receives only preliminary testing. DCT Control Release also must be deployed manually to your product.
Click the link above for additional information and deployment instructions. Users are advised to read the succeeding disclaimer carefully before downloading the current DCT Control Release.
Note: This should be able to detect and clean the virus, but is not a permanent solution to the AV. We'll help you get a resident AV program as soon as we get the virus cleaned up. If this won't install for some reason, let me know.
..............................
Free Zone Alarm firewall
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_61_744_001_en.exe
martybelfast
2006-03-31, 02:52
Thanks for getting back to me...
I uninstalled Panda and run Look2Me and HJT here are the logs:
Look2Me
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 31/03/2006 00:39:03
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
HJT
Logfile of HijackThis v1.99.1
Scan saved at 00:47:21, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Virus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
Gonna do the rest of what you said now.
CalamityJane
2006-03-31, 03:13
Gonna do the rest of what you said now.
Ok, if Sysclean finds anything, please make careful note of the file names/ full path (exact location) and what virus name it was detected as. May be important to know.
martybelfast
2006-03-31, 05:12
Me again,
I finished running the Trend Micro thing. As far as I can make out it found nothing, no viruses. It does say that it detected some errors or could not set file for reading. Does any of this make any sense?
CalamityJane
2006-03-31, 05:20
How is your computer acting now? Are you still seeing problems?
martybelfast
2006-03-31, 05:22
No no problems, but there hasn't been since I said about the crashes last time. The telltale sign was when I could not install ZoneAlarm or SpyBot. Should I try to install them now?
CalamityJane
2006-03-31, 05:34
No no problems, but there hasn't been since I said about the crashes last time. The telltale sign was when I could not install ZoneAlarm or SpyBot. Should I try to install them now?
Yes, let's try that now :)
Let me know how that goes.
And some very good free Antivirus Programs to try...something to start with anyway :) Pick one that works well for you. (Don't run all 3 at once - just run one as your resident program)
AVG
http://www.grisoft.com/us/us_dwnl_free.php
Antivir
http://www.free-av.com/
Avast
http://www.avast.com/i_idt_226.html
martybelfast
2006-03-31, 05:40
Sorry, still getting the error when installing ZoneAlarm...
The file
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
could not be opened
will try SpyBot but got a feeling it will not work. The way it works is that it installs, but when I try to run it, it is missing the main .exe file, the shortcut comes up as an unrecognised file and when clicked cannot locate the original.
Will try to download and install AVG but this was also not working before
CalamityJane
2006-03-31, 06:01
Can you try this please?
http://support.microsoft.com/default.aspx?scid=555067
martybelfast
2006-03-31, 06:12
Sorry your head must be twisted with me...
Went through this and can't get it working, get the message:
The system cannot find the file specified and
The system cannot find the file regedit.com
martybelfast
2006-03-31, 06:25
Got regedit open by just searching for it. Followed the instructions but where it says to change the current value to data its already them same as whats there...
CalamityJane
2006-03-31, 15:57
How about Spybot, is it also giving you a problem on install?
CalamityJane
2006-03-31, 16:01
I found a similar problem described with Zone Alarm here:
http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=42588
I'm not sure what the problem is, whether it is ZA itself or a result of the virus infection. You could try uninstalling/reinstalling SP2, which would essentially reinstall IE and put your security registry settings back to default.
Zone Labs has a forum for Installation problems here:
http://forum.zonelabs.org/zonelabs/board?board.id=inst
martybelfast
2006-03-31, 21:21
Nah,
Tried to install Spybot and got the same problem, a shortcut but no actual .exe file in the programs folder. My internet stopped working as well so I uninstalled it and got back online. Can't seem to see a resolution in the ZoneAlarm Forum either...
Thanks so much for your help, but it looks like this is beyond repair, I've got my other computer out of work and gonna get all the antivirus and firewall stuff up to date and transfer my files across and format this machine.
Thanks again and if you have any other ideas it would be great, but I sort of thought I would need to format the machine in the end.
Cheers,
Marty.
CalamityJane
2006-03-31, 22:44
Hi Marty,
A reformat might be best in the long run as I'm not certain what damage this thing has done but I did think you might have gotten one of the newest Bagle variants with rootkit and it is designed to disable security software in the manner we might be seeing here.
Run this tool from F-Secure called Blacklight, and then we'll need to search for the files listed in this description.
Read here
Bagle.GE Trojan.rootkit
http://www.f-secure.com/v-descs/bagle_ge.shtml
Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the *I accept* button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new text file on your desktop near Blacklite. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet
martybelfast
2006-04-01, 04:26
Yes, hows things,
Cheers for getting back to us again. I set up my other machine and am installing all my software on it, but I do need to get my files across from this infected machine and I'm a bit wary of transfering anything across while this is still infected so it would be great to get it cleaned out.
I run that Blacklight and it found a few things... that ldr64 file is listed there...
04/01/06 02:18:36 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 02:18:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 02:18:37 [Note]: 7019 4
04/01/06 02:18:37 [Note]: 7005 0
04/01/06 02:18:47 [Note]: 7006 0
04/01/06 02:18:47 [Note]: 7011 1088
04/01/06 02:18:47 [Note]: 7024 3
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:18:48 [Note]: FSRAW library version 1.7.1015
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:22:04 [Note]: 7007 0
CalamityJane
2006-04-01, 04:41
Bingo!... about a week old, new variant of Bagle
Virus Profile: W32/Bagle.ea
http://forums.spybot.info/showthread.php?t=3355&goto=newpost
run blacklight again
when you get to the second phase of blacklight scan
highlight each item, select rename
then click finish and allow blacklight to reboot the computer
rename these:
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
after reboot
Delete all the renamed files listed above...they will have a new extension of .ren. For example
This file: C:\WINDOWS\system32\ldr64.dll will be:
C:\WINDOWS\system32\ldr64.dll.ren
martybelfast
2006-04-01, 05:04
Happy days!
I run that again and renamed all the files and deleted them.
Just to check though, one of the things you listed was a process:
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
Will I do anything about this? (I renamed everything that came up in Blacklight and deleted 4 files in total)
and should I delete the hidires folder altogether?
Do you think that this is it sorted? Do I need to do anything else apart from reinstall my Firewall and Antivirus software? Would you recommend that I reformat my machine anyway?
Cheers for all the help, really appreciated.
Thanks,
Marty.
CalamityJane
2006-04-01, 05:19
Good catch, yes delete the enitre hidires folder (directory)
If you were able to rename and then delete the file:
C:\WINDOWS\system32\wintems.exe
It should be good!
Run Blacklight once more to produce a log and let's check?
Then please run Ewido and Panda Active scan. They may find more files that were previously hidden.
Post those logs and a fresh HijackThis log, along with the Blacklight (new) log.
martybelfast
2006-04-01, 05:25
Here is the Blacklight Log:
04/01/06 03:22:05 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 03:22:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 03:22:05 [Note]: 7019 4
04/01/06 03:22:05 [Note]: 7005 0
04/01/06 03:22:30 [Note]: 7006 0
04/01/06 03:22:30 [Note]: 7011 1140
04/01/06 03:22:30 [Note]: FSRAW library version 1.7.1015
04/01/06 03:23:57 [Note]: 7007 0
Now running Ewido and Panda, and then HJT will post the logs when done.
Cheers
M.
CalamityJane
2006-04-01, 05:33
Blacklight log looks good :)
Will wait for the others - it may take a while.
I'm about to sign off for the night here (it's late). But will be checking back in here in the morning :)
martybelfast
2006-04-01, 14:01
Fingers crossed, its looking good so far...
Here is the log from Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:52:58, 01/04/2006
+ Report-Checksum: 68C4ABF6
+ Scan result:
No infected objects found.
::Report End
I don't have Panda anymore (we uninstalled it) I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?
I'll run HJT after a-squared has finished and post the logs
Cheers,
Marty
CalamityJane
2006-04-01, 16:53
Be careful with a-squared. Don't remove anything until we can see the logs as it has a tendancy for false positives and you could end up potentially deleting something you shouldn't with that program. It doesn't make backups either. I'd much prefer you use Ewido and make backups of deleted files, unless you know what you are doing.
CalamityJane
2006-04-01, 16:56
I don't have Panda anymore (we uninstalled it) I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?
I'll run HJT after a-squared has finished and post the logs
Cheers,
Marty
No, don't install Panda again if you are going to use something else like AVG. Just be sure you have an Antivirus program. If that installs, updates and runs ok, then go for installing Spybot again and Zone Alarm. Let us know how that goes.
When all done, it wouldn't hurt to see a fresh HijackThis log too.
martybelfast
2006-04-01, 22:13
a-squared Report
Scan started: 01/04/2006 11:53:27
Scan finished: 01/04/2006 12:52:16
Scan duration: 0h 58min 48sec
Scanned files: 179430
Infected files: 2
Object Diagnosis
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse
martybelfast
2006-04-01, 22:15
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 20:14:24, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
CalamityJane
2006-04-02, 00:50
On the a-squared detections....
Ok to let it fix this one:
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch
Do NOT let it fix this one (that's part of Ewido) - it's a False Positive.
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse
And please report that to them so they can fix their detection database, if you are a regular user of A-2
Now, I'll go look at your HijackThis log and let you know what I see there.
martybelfast
2006-04-05, 05:58
Hi CalamityJane,
Thanks for all the help before. If your about again I think I got this thing again or something else. I was able to install SpyBot and ZoneAlarm again. I then began to network my two machines so that I could format this machine. (The one that got the Bagel thing)
When I was networking my machines I kept having problems with ZoneAlarm so I uninstalled it while trying a few things. I found out what the problem was and tried to install ZoneAlarm again but had a few problems. The problems where ordinal 350 and I found some stuff on the internet about it.
My machine started crashing though and I run AdAware, SpyBot and Ewido and they found some stuff and fixed it. But I crashed a few times again and run F-Secure Blacklight to see...
Here is the log file
04/05/06 03:36:08 [Info]: BlackLight Engine 1.0.35 initialized
04/05/06 03:36:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/06 03:36:08 [Note]: 7019 4
04/05/06 03:36:08 [Note]: 7005 0
04/05/06 03:36:12 [Note]: 7006 0
04/05/06 03:36:12 [Note]: 7011 1188
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7024 3
04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/05/06 03:36:12 [Note]: FSRAW library version 1.7.1015
04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
04/05/06 03:45:38 [Note]: 10002 1
04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
04/05/06 03:45:46 [Note]: 10002 1
04/05/06 03:47:29 [Note]: 7007 0
Sorry to be such a pain, but should I do the same again and rename them and delete them?
Thanks,
Marty.
martybelfast
2006-04-05, 06:01
Sorry,
Should have also mentioned that I run TuneUp on my machine as well.
CalamityJane
2006-04-05, 06:19
Rename and delete these two ONLY:
C:\WINDOWS\system32\lipsfeog.dll
C:\WINDOWS\system32\drivers\lipsfeog.sys
Then scan for infections.
Include an online AV scan (full system scan)
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Let me know how you make out
We would like to know how it's going martybelfast. :wink::
Closed topic.
Thank you CalamityJane