
Thread: Antivirus software being attacked

  1. #31
CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Quote Originally Posted by martybelfast
I don't have Panda anymore (we uninstalled it). I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?

    I'll run HJT after a-squared has finished and post the logs

    Cheers,

    Marty
No, don't install Panda again if you are going to use something else like AVG. Just be sure you have an antivirus program. If that installs, updates and runs OK, then go for installing Spybot again and ZoneAlarm. Let us know how that goes.

    When all done, it wouldn't hurt to see a fresh HijackThis log too.
    Microsoft MVP 2003-2009
    Windows-Security

  2. #32
    Junior Member
    Join Date
    Mar 2006
    Posts
    20


    a-squared Report
    Scan started: 01/04/2006 11:53:27
    Scan finished: 01/04/2006 12:52:16
    Scan duration: 0h 58min 48sec
    Scanned files: 179430
    Infected files: 2

    Object Diagnosis
    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch
    C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse

  3. #33
    Junior Member
    Join Date
    Mar 2006
    Posts
    20


    HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 20:14:24, on 01/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\HistoryKill\hkPopupKiller.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Virus\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Suitcase Startup.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095984890949
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/L...Installer2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

  4. #34
CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    On the a-squared detections....

    Ok to let it fix this one:
    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch

    Do NOT let it fix this one (that's part of Ewido) - it's a False Positive.
    C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse

And please report that to them so they can fix their detection database, if you are a regular user of A-2.

    Now, I'll go look at your HijackThis log and let you know what I see there.

  5. #35
    Junior Member
    Join Date
    Mar 2006
    Posts
    20


    Hi CalamityJane,

Thanks for all the help before. If you're about again, I think I got this thing again or something else. I was able to install SpyBot and ZoneAlarm again. I then began to network my two machines so that I could format this machine (the one that got the Bagel thing).

When I was networking my machines I kept having problems with ZoneAlarm, so I uninstalled it while trying a few things. I found out what the problem was and tried to install ZoneAlarm again, but had a few problems. The problems were ordinal 350 and I found some stuff on the internet about it.

My machine started crashing though, and I ran AdAware, SpyBot and Ewido and they found some stuff and fixed it. But I crashed a few times again and ran F-Secure BlackLight to see...

    Here is the log file

    04/05/06 03:36:08 [Info]: BlackLight Engine 1.0.35 initialized
    04/05/06 03:36:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    04/05/06 03:36:08 [Note]: 7019 4
    04/05/06 03:36:08 [Note]: 7005 0
    04/05/06 03:36:12 [Note]: 7006 0
    04/05/06 03:36:12 [Note]: 7011 1188
    04/05/06 03:36:12 [Note]: 7026 0
    04/05/06 03:36:12 [Note]: 7026 0
    04/05/06 03:36:12 [Note]: 7024 3
    04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
    04/05/06 03:36:12 [Note]: FSRAW library version 1.7.1015
    04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
    04/05/06 03:45:38 [Note]: 10002 1
    04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
    04/05/06 03:45:46 [Note]: 10002 1
    04/05/06 03:47:29 [Note]: 7007 0

    Sorry to be such a pain, but should I do the same again and rename them and delete them?

    Thanks,

    Marty.

  6. #36
    Junior Member
    Join Date
    Mar 2006
    Posts
    20


    Sorry,

    Should have also mentioned that I run TuneUp on my machine as well.

  7. #37
CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Rename and delete these two ONLY:

    C:\WINDOWS\system32\lipsfeog.dll

    C:\WINDOWS\system32\drivers\lipsfeog.sys

    Then scan for infections.

    Include an online AV scan (full system scan)
    Trend Micro (PC-cillin) - Free on-line Scan
    http://housecall.antivirus.com

    Let me know how you make out
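As an added example (my own script, not code from this thread and not part of HijackThis or BlackLight): a small Python triage pass over the two log formats posted above. It pulls the O4 Run values out of an HJT log and the "Hidden file" / "Hidden process" lines out of a BlackLight log, then applies a few heuristics of my own (a Run value whose name looks like a file name but does not match the binary it launches, a binary started from the user's Application Data, a path BlackLight reported as hidden) to produce the list of files a helper would look at before giving the rename-and-delete advice. The sample input is built from the lines posted earlier in this thread; the heuristics, function names and the ".bad" rename convention are assumptions, not the helper's reasoning or any tool's logic.

```python
import re

# Constructed sample input: O4 Run lines copied from the HijackThis log posted
# in this thread (Global Startup entries are deliberately not parsed).
HJT_LOG = r"""
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed sample input: the relevant lines from the BlackLight log above.
BLACKLIGHT_LOG = r"""
04/05/06 03:36:12 [Note]: 7024 3
04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/05/06 03:36:12 [Note]: FSRAW library version 1.7.1015
04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
04/05/06 03:45:38 [Note]: 10002 1
04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
"""

# "O4 - HKCU\..\Run: [value name] command line"
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "... [Info]: Hidden file: <path>" / "... [Info]: Hidden process: <path>"
BL_HIDDEN_RE = re.compile(r'\[Info\]: Hidden (?P<kind>file|process): (?P<path>.+?)\s*$')
# Unquoted command line: the image path runs up to the first binary extension.
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|dll|sys|com|scr|bat|cmd))(?=\s|$)', re.I)
EXT_RE = re.compile(r'\.(?:exe|dll|sys|com|scr|bat|cmd)$', re.I)


def image_path(cmd):
    """Extract the launched binary's path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)                      # unquoted path with spaces, e.g. Program Files
    return m.group(1) if m else cmd.split(" ", 1)[0]


def stem(path):
    """Lower-case file name without directory or extension, for name comparison."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return EXT_RE.sub("", name).lower()


def parse_blacklight(text):
    """Return {'file': [...], 'process': [...]} of paths BlackLight reported hidden."""
    hidden = {"file": [], "process": []}
    for line in text.splitlines():
        m = BL_HIDDEN_RE.search(line)
        if m:
            hidden[m.group("kind")].append(m.group("path"))
    return hidden


def triage_run_entries(hjt_text, hidden_paths=()):
    """Return {image_path: [reasons]} for O4 Run values that deserve a closer look.

    Heuristics are assumptions of this example, not HijackThis logic:
      - the value name looks like a file name but differs from the image name
      - the image is started from the user profile's Application Data
      - the image path was reported hidden by BlackLight
    """
    hidden = {p.lower() for p in hidden_paths}
    flagged = {}
    for line in hjt_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        name, image = m.group("name"), image_path(m.group("cmd"))
        reasons = []
        if EXT_RE.search(name) and stem(name) != stem(image):
            reasons.append(f"value name '{name}' does not match image '{image}'")
        low = image.lower()
        if "\\application data\\" in low:
            reasons.append("started from the user profile's Application Data")
        if low in hidden:
            reasons.append("reported hidden by BlackLight")
        if reasons:
            flagged[image] = reasons
    return flagged


def removal_candidates(hjt_text, bl_text):
    """Flagged Run images plus BlackLight hidden files: the rename-then-delete list."""
    hidden = parse_blacklight(bl_text)
    flagged = triage_run_entries(hjt_text, hidden["file"])
    return sorted(set(flagged) | set(hidden["file"]), key=str.lower)


if __name__ == "__main__":
    hidden = parse_blacklight(BLACKLIGHT_LOG)
    for path, reasons in triage_run_entries(HJT_LOG, hidden["file"]).items():
        print(path, "->", "; ".join(reasons))
    for path in removal_candidates(HJT_LOG, BLACKLIGHT_LOG):
        print("rename/delete candidate:", path)
```

The script only produces the list; the actual rename and delete is still done by hand as advised above, and anything it flags is a candidate to check, not a verdict.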

  8. #38
tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


We would like to know how it's going, martybelfast.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #39
tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Closed topic.

    Thank you CalamityJane
