Antivirus software being attacked

Nah,

Tried to install Spybot and got the same problem, a shortcut but no actual .exe file in the programs folder. My internet stopped working as well so I uninstalled it and got back online. Can't seem to see a resolution in the ZoneAlarm Forum either...

Thanks so much for your help, but it looks like this is beyond repair. I've got my other computer out of work and I'm gonna get all the antivirus and firewall stuff up to date, transfer my files across and format this machine.

Thanks again and if you have any other ideas it would be great, but I sort of thought I would need to format the machine in the end.

Cheers,

Marty.
 
Hi Marty,

A reformat might be best in the long run, as I'm not certain what damage this thing has done. But I did think you might have gotten one of the newest Bagle variants with a rootkit, and it is designed to disable security software in the manner we might be seeing here.

Run this tool from F-Secure called Blacklight, and then we'll need to search for the files listed in this description.
Read here
Bagle.GE Trojan.rootkit
http://www.f-secure.com/v-descs/bagle_ge.shtml

Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the *I accept* button near the bottom of that page.
Download and run Blacklight: click Scan, then Next, Next again, then Exit.
There will be a new text file on your desktop near Blacklight. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

!!Do not rename any files yet
 
Yes, how's things,

Cheers for getting back to us again. I set up my other machine and am installing all my software on it, but I do need to get my files across from this infected machine and I'm a bit wary of transferring anything across while this is still infected, so it would be great to get it cleaned out.

I ran that Blacklight and it found a few things... that ldr64 file is listed there...

04/01/06 02:18:36 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 02:18:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 02:18:37 [Note]: 7019 4
04/01/06 02:18:37 [Note]: 7005 0
04/01/06 02:18:47 [Note]: 7006 0
04/01/06 02:18:47 [Note]: 7011 1088
04/01/06 02:18:47 [Note]: 7024 3
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:18:48 [Note]: FSRAW library version 1.7.1015
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:22:04 [Note]: 7007 0
 
Bingo!... about a week old, new variant of Bagle
Virus Profile: W32/Bagle.ea
http://forums.spybot.info/showthread.php?t=3355&goto=newpost

Run Blacklight again.

When you get to the second phase of the Blacklight scan,
highlight each item, select Rename,
then click Finish and allow Blacklight to reboot the computer.

rename these:

04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe

04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe

04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys

04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe

04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll

after reboot

Delete all the renamed files listed above...they will have a new extension of .ren. For example

This file: C:\WINDOWS\system32\ldr64.dll will be:

C:\WINDOWS\system32\ldr64.dll.ren
 
Happy days!

I ran that again and renamed all the files and deleted them.

Just to check though, one of the things you listed was a process:

04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe

Will I do anything about this? (I renamed everything that came up in Blacklight and deleted 4 files in total)

and should I delete the hidires folder altogether?

Do you think that this is it sorted? Do I need to do anything else apart from reinstall my Firewall and Antivirus software? Would you recommend that I reformat my machine anyway?

Cheers for all the help, really appreciated.

Thanks,

Marty.
 
Good catch, yes, delete the entire hidires folder (directory).

If you were able to rename and then delete the file:
C:\WINDOWS\system32\wintems.exe
It should be good!

Run Blacklight once more to produce a log and let's check?

Then please run Ewido and Panda Active scan. They may find more files that were previously hidden.

Post those logs and a fresh HijackThis log, along with the Blacklight (new) log.
 
Here is the Blacklight Log:

04/01/06 03:22:05 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 03:22:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 03:22:05 [Note]: 7019 4
04/01/06 03:22:05 [Note]: 7005 0
04/01/06 03:22:30 [Note]: 7006 0
04/01/06 03:22:30 [Note]: 7011 1140
04/01/06 03:22:30 [Note]: FSRAW library version 1.7.1015
04/01/06 03:23:57 [Note]: 7007 0

Now running Ewido and Panda, and then HJT will post the logs when done.

Cheers

M.
 
Blacklight log looks good :)

Will wait for the others - it may take a while.

I'm about to sign off for the night here (it's late). But will be checking back in here in the morning :)
 
Fingers crossed, it's looking good so far...

Here is the log from Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:52:58, 01/04/2006
+ Report-Checksum: 68C4ABF6

+ Scan result:

No infected objects found.


::Report End

I don't have Panda anymore (we uninstalled it) I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?

I'll run HJT after a-squared has finished and post the logs

Cheers,

Marty
 
Be careful with a-squared. Don't remove anything until we can see the logs, as it has a tendency for false positives and you could end up potentially deleting something you shouldn't with that program. It doesn't make backups either. I'd much prefer you use Ewido and make backups of deleted files, unless you know what you are doing.
 
martybelfast said:
I don't have Panda anymore (we uninstalled it) I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?

I'll run HJT after a-squared has finished and post the logs

Cheers,

Marty
No, don't install Panda again if you are going to use something else like AVG. Just be sure you have an Antivirus program. If that installs, updates and runs ok, then go for installing Spybot again and Zone Alarm. Let us know how that goes.

When all done, it wouldn't hurt to see a fresh HijackThis log too.
 
a-squared Report
Scan started: 01/04/2006 11:53:27
Scan finished: 01/04/2006 12:52:16
Scan duration: 0h 58min 48sec
Scanned files: 179430
Infected files: 2

Object Diagnosis
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse
 
HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 20:14:24, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
 
On the a-squared detections....

Ok to let it fix this one:
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch

Do NOT let it fix this one (that's part of Ewido) - it's a False Positive.
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse

And please report that to them so they can fix their detection database, if you are a regular user of A-2

Now, I'll go look at your HijackThis log and let you know what I see there.
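The two logs in this thread carry the same evidence twice: Blacklight lists the hidden files, and the HijackThis O4 lines show the autorun entries (german.exe and drvsyskit) that start them. The following is an added example, not part of the thread or of either tool, that parses a few constructed lines in those two formats, derives the .ren names the rename step produces, and flags every autorun entry whose target Blacklight reported as hidden.

```python
import re

# Constructed sample lines in the format of the Blacklight and HijackThis logs
# quoted in this thread (a few representative lines, not a complete scan).
BLACKLIGHT_LOG = r"""
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
04/01/06 02:22:04 [Note]: 7007 0
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
"""
HIDDEN_RE = re.compile(r"\[Info\]: Hidden (process|file): (.+?)\s*$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
# HJT leaves paths containing spaces unquoted, so the executable is found by
# its extension rather than by splitting the value on whitespace.
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|dll|sys|scr|com|bat|cmd))"?(?:\s|$)', re.I)

def parse_blacklight(text):
    """(kind, path) for every 'Hidden process' / 'Hidden file' line."""
    hits = [HIDDEN_RE.search(line) for line in text.splitlines()]
    return [m.groups() for m in hits if m]

def rename_targets(text):
    """Map each hidden file to the name Blacklight gives it after 'rename'."""
    return {p: p + ".ren" for kind, p in parse_blacklight(text) if kind == "file"}

def parse_o4(text):
    """(hive, entry name, executable path) for each O4 autorun line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        p = PATH_RE.match(m.group(3)) if m else None
        if p:
            entries.append((m.group(1), m.group(2), p.group(1)))
    return entries

def hidden_autoruns(bl_text, hjt_text):
    """Autorun entries whose target Blacklight reported as hidden: the
    persistence of the rootkit. Windows paths compare case-insensitively."""
    hidden = {p.lower() for _, p in parse_blacklight(bl_text)}
    return [(n, p) for _, n, p in parse_o4(hjt_text) if p.lower() in hidden]
```

An O4 entry that survives after the hidden files are deleted is harmless but worth fixing in HijackThis, since it shows where the infection had hooked itself into startup.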
 
Hi CalamityJane,

Thanks for all the help before. If you're about again, I think I got this thing again or something else. I was able to install SpyBot and ZoneAlarm again. I then began to network my two machines so that I could format this machine (the one that got the Bagle thing).

When I was networking my machines I kept having problems with ZoneAlarm, so I uninstalled it while trying a few things. I found out what the problem was and tried to install ZoneAlarm again but had a few problems. The problems were ordinal 350 and I found some stuff on the internet about it.

My machine started crashing though, and I ran AdAware, SpyBot and Ewido and they found some stuff and fixed it. But I crashed a few times again and ran F-Secure Blacklight to see...

Here is the log file

04/05/06 03:36:08 [Info]: BlackLight Engine 1.0.35 initialized
04/05/06 03:36:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/06 03:36:08 [Note]: 7019 4
04/05/06 03:36:08 [Note]: 7005 0
04/05/06 03:36:12 [Note]: 7006 0
04/05/06 03:36:12 [Note]: 7011 1188
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7024 3
04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/05/06 03:36:12 [Note]: FSRAW library version 1.7.1015
04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
04/05/06 03:45:38 [Note]: 10002 1
04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
04/05/06 03:45:46 [Note]: 10002 1
04/05/06 03:47:29 [Note]: 7007 0

Sorry to be such a pain, but should I do the same again and rename them and delete them?

Thanks,

Marty.
 
Rename and delete these two ONLY:

C:\WINDOWS\system32\lipsfeog.dll

C:\WINDOWS\system32\drivers\lipsfeog.sys

Then scan for infections.

Include an online AV scan (full system scan)
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Let me know how you make out
 