Kaspersky Online Found 5 Infected Files



#1 Orange Blossom (Moderator)

Posted 15 October 2006 - 05:23 PM

Last night/this morning, I did a scan with Kaspersky on-line which found "two viruses and 5 infected files." All files, apparently, were locked. They were not running.

I did other scans:

AVG AntiSpyware 7.5 Clean
SpyBot: Clean
Ad-Aware SE Plus: Clean
ZoneAlarm Privacy Suite: Clean
SuperAntiSpyware Free: Clean
Trend Micro HouseCall: Clean
eTrust Antivirus Web Scanner: Clean
http://safety.live.com/site/en-us/default.htm: Clean

I attempted to do a Panda Scan, but the scanning page won't stay open. It flashes closed almost immediately.

I have pasted in the Kaspersky log below. I replaced my name in the log with my BC user name, and I edited the portion with my computer ID, which I have highlighted in green. I have highlighted the infected files with blue. Otherwise, it is exactly as produced.

Are these false positives, or for real? How do I get rid of them? Might there be other bits hiding elsewhere? I could, if necessary, uninstall the two infected programs and reinstall them - I have the serial numbers I received at purchase. One last note: When I did a Kaspersky On-line scan back in August or September, it didn't find anything and I had Cyberscrub Privacy Suite then, and I believe I had also installed Essential NetTools by that time which are the programs that have the infected files.

Orange Blossom :thumbsup:

Sunday, October 15, 2006 1:41:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/10/2006
Kaspersky Anti-Virus database records: 231895
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 60535
Number of viruses found 2
Number of infected objects 5 / 0
Number of suspicious objects 0
Duration of the scan process 01:36:48

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Orange Blossom\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
C:\Documents and Settings\Orange Blossom\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\History\History.IE5\MSHist012006101420061015\index.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\Temp\~DF6DCD.tmp Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\Temp\~DF76AD.tmp Object is locked skipped
C:\Documents and Settings\Orange Blossom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\ntuser.dat Object is locked skipped
C:\Documents and Settings\Orange Blossom\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AnswersThatWork\Troubleshooter\ExeUpdate.atw Object is locked skipped
C:\Program Files\CyberScrub Privacy Suite\cybshell.dll Infected: not-a-virus:AdWare.Win32.Delf.k skipped
C:\Program Files\EssNetTools\Ent.exe Infected: Backdoor.Win32.Agent.rk skipped
C:\Program Files\EssNetTools\ent4.exe/WISE0014.BIN Infected: Backdoor.Win32.Agent.rk skipped
C:\Program Files\EssNetTools\ent4.exe WiseSFX: infected - 1 skipped
C:\Program Files\EssNetTools\ent4.exe WiseSFX Dropper: infected - 1 skipped

C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP955\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\Computer ID number.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Intel® 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_480.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT036d1.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT036e1.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
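The report above mixes three kinds of rows: "Object is locked skipped" entries (files in use, such as registry hives and index.dat, that the scanner could not open; these are not detections), "Infected:" rows carrying a detection name, and container-level rows produced by the WiseSFX unpacker. The path ent4.exe/WISE0014.BIN uses Kaspersky's slash notation for a member inside an archive or self-extractor, which is why no such file exists on its own under Program Files. The parser below is an added example, not code from the thread or from Kaspersky; it assumes the row grammar visible in the posted log, and its sample input is a constructed subset of that log.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Row grammar as seen in the Kaspersky Online Scanner report: <path> <status> <last action>.
# Status is "Object is locked", "Infected: <name>", or "<unpacker>: infected - <n>".
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>[\w ]+?): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

@dataclass
class Finding:
    path: str                # file on disk; for an archive member this is the container
    member: Optional[str]    # member name when the report says "archive.exe/MEMBER"
    detection: str           # detection name, or "<unpacker>: infected - n" for container rows
    action: str              # scanner's last action (all "skipped" in the online scanner)

@dataclass
class ScanSummary:
    locked: List[str] = field(default_factory=list)      # in-use files the scanner could not open
    findings: List[Finding] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)    # rows that did not match the grammar

    def files_flagged(self) -> List[str]:
        """Distinct on-disk files behind the findings; archive members collapse onto their container."""
        return sorted({f.path for f in self.findings})

    def by_detection(self) -> Counter:
        return Counter(f.detection for f in self.findings)

def parse_report(text: str) -> ScanSummary:
    """Split the report's object table into locked files, real findings and anything unrecognised."""
    summary = ScanSummary()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):   # table header
            in_table = True
            continue
        if not in_table or not line or line.startswith("Scan process completed"):
            continue
        m = LINE_RE.match(line)
        if not m:
            summary.unparsed.append(line)
            continue
        if m.group("locked"):
            summary.locked.append(m.group("path"))
            continue
        path, member = m.group("path"), None
        if "/" in path:                 # Kaspersky writes archive members as container/MEMBER
            path, member = path.split("/", 1)
        detection = m.group("name") or f"{m.group('container')}: infected - {m.group('count')}"
        summary.findings.append(Finding(path, member, detection, m.group("action")))
    return summary

# Constructed sample: a subset of the report posted above (two locked rows, all five infected rows).
SAMPLE_REPORT = r"""
Scan Statistics
Number of infected objects 5 / 0

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Program Files\CyberScrub Privacy Suite\cybshell.dll Infected: not-a-virus:AdWare.Win32.Delf.k skipped
C:\Program Files\EssNetTools\Ent.exe Infected: Backdoor.Win32.Agent.rk skipped
C:\Program Files\EssNetTools\ent4.exe/WISE0014.BIN Infected: Backdoor.Win32.Agent.rk skipped
C:\Program Files\EssNetTools\ent4.exe WiseSFX: infected - 1 skipped
C:\Program Files\EssNetTools\ent4.exe WiseSFX Dropper: infected - 1 skipped
Scan process completed.
"""

if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"{len(s.locked)} locked (not detections), {len(s.findings)} findings in {len(s.files_flagged())} files")
    for f in s.findings:
        print(f"  {f.path}" + (f"  [member {f.member}]" if f.member else "") + f"  ->  {f.detection}")
```

Run on the full posted log the same way: the five findings collapse onto three on-disk files (cybshell.dll, Ent.exe and ent4.exe), which matches the "Number of infected objects 5" line and the three files later submitted to Jotti and VirusTotal.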

#2 Orange Blossom (Topic Starter)

Posted 17 October 2006 - 11:57 AM

Update:

I've gotten the Panda Online scan to work. My Ad-Watch settings were blocking it. Panda came out clean.

A2 anti-malware free updated yesterday came out clean: normal mode
---------------------
I've searched for Win32.agent, but cannot find it on my computer. I've searched in program files in the specific programs that Kaspersky has identified as infected, but nothing jumps out at me. Looking at properties of a couple of the files fingered by Kaspersky doesn't show recent modifications, so I'm clueless here. Should I upload the suspect files to JottiScan?

Google searching the two infection names suggests that these are real bad news. As a safety precaution, I haven't opened or run either of the two infected programs in the hope that if I don't the infection won't spread.

I don't think there is anything strange happening on my computer, so I think - perhaps - I got a partial infection, but I don't know. I'd really like to know how to get rid of the infection - if indeed there is one - and be sure it is gone.
--------
I started to run the F-Secure Online scan last night, but I fell asleep and so I will have to start that one over as my dial-up connection disconnected while I was asleep.
-----------
I have rebooted into safe mode, used ATF cleaner by Attribune to clear out all temp files etc. and started a scan with Spybot in safe mode before I left home this morning. That is where things are at the moment. I'm planning on scanning with Ad-Aware, AVG Anti-Spyware 7.5, SuperAntiSpyware, ZA anti-virus and antispyware while I am still in safe mode. I don't think they will find anything, but maybe they will see something in safe mode they didn't find in normal mode. Then I will return to normal mode to run the F-Secure online scan.

I also thought I'd download the free trial of Counterspy by Sunbelt and see if it will find anything. Will post results of all scans.

Please let me know what else I should do.

Edit: I also ran Bit Defender on-line scan which also came out clean. I did this one before the Panda On-line scan.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 17 October 2006 - 11:59 AM.


#3 quietman7 (Global Moderator)

Posted 17 October 2006 - 05:44 PM

Hello Orange Blossom

I find it odd that all your scans are coming up clean except for Kaspersky.

Try submitting those files to jotti's virusscan or virustotal.com
In the "File to upload & scan" box, browse to the location of the suspicious file and submit [upload] it for scanning/analysis.
Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate image]

#4 Orange Blossom (Topic Starter)

Posted 18 October 2006 - 12:53 PM

Thanks for the reply Quietman7. I've been doing scans in safe mode, otherwise I'd have seen it sooner.

Update first on safe mode scans:

Spybot: clean
Ad-Aware: clean
SuperAntiSpyware Free edition: Clean
AVG Anti-Spyware 7.5: Clean
ZoneAlarm Pro. AV scan: I aborted after 15 hours and 45 minutes. It didn't get stuck, it was just extremely slow, and I had to finally check e-mail etc. It didn't find anything as far as it got.
-----------
I just uploaded and scanned Program Files\CyberScrub Privacy Suite\cybshell.dll on JottiScan:

Results:
File: cybshell.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 31b1518a20ef43aa86e60b2379b65e8a
Packers detected:
-
Scanner results
AntiVir Found Adware-Spyware/Delf.K.7 adware
ArcaVir Found Adware.Delf.K
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found Adware/Delf
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Delf.k
NOD32 Found nothing
Norman Virus Control Found W32/Delf.SPF
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Delf.k
-------------------------
Looking more closely at the Kaspersky log, it looks as though three different files are involved. I am currently in the process of uploading C:\Program Files\EssNetTools\ent4.exe to VirusTotal and C:\Program Files\EssNetTools\Ent.exe to JottiScan. I will post the results as soon as I have them. I'm on dial-up so it may take awhile.

Given the results on the Cyberscrub file, it does appear as though something is going on here.

Edited to add: I do not find the following file Kaspersky fingered: C:\Program Files\EssNetTools\ent4.exe/WISE0014.BIN. It is the part that I have bolded that I don't find in program files; maybe it is a part of the file? In which case, it will be uploaded with the ent4.exe.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 18 October 2006 - 01:18 PM.


#5 Orange Blossom (Topic Starter)

Posted 18 October 2006 - 01:20 PM

Results for C:\Program Files\EssNetTools\Ent.exe on JottiScan
Note: I find it interesting that Kaspersky didn't find anything in this scan. I have made the entry bold face. I wonder whether I should do the Kaspersky Online scan again as it has been a few days now since I did it.

File: Ent.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 ce259027520abb925afd1452f60e1a54
Packers detected: PE_PATCH
Scanner results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------
Awaiting results on scans of ent4.exe on both VirusTotal and JottiScan

Orange Blossom :thumbsup:

Edited by Orange Blossom, 18 October 2006 - 01:22 PM.


#6 quietman7 (Global Moderator)

Posted 18 October 2006 - 02:03 PM

The key to Ent.exe is "MIGHT BE INFECTED/MALWARE" and Kaspersky did not find it during the analysis.

cybshell.dll on the other hand was flagged by several vendors so I would be more concerned about it. I don't know anything about CyberScrub Privacy Suite other than what a Google search would turn up. It is available at Tucows Downloads, zdnet and other popular download sites which normally do not host bad products. I would probably uninstall the program and contact the makers of CyberScrub about this file. There are reports from users having a tough time deleting that .dll after uninstalling the product, probably due to a registry entry.

I found a German site here with info on cybshell.dll but I cannot translate what they say about it.

Edited by quietman7, 18 October 2006 - 02:03 PM.


#7 Orange Blossom (Topic Starter)

Posted 18 October 2006 - 04:42 PM

The JottiScan has just finished for the ent4.exe. I have bolded something in the packers part that the original Kaspersky scan appeared to flag. Here are the results:

File: ent4.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 185c5f195d51214fdb80d1672e59d57a
Packers detected:
WISESFX DROPPER, PE_PATCH, ASPACK

Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
--------------
And here are the VirusTotal results:

Complete scanning result of "ent4.exe", received in VirusTotal at 10.18.2006, 21:00:14 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.30 10.18.2006 no virus found
Authentium 4.93.8 10.18.2006 no virus found
Avast 4.7.892.0 10.18.2006 no virus found
AVG 386 10.18.2006 no virus found
BitDefender 7.2 10.18.2006 no virus found
CAT-QuickHeal 8.00 10.18.2006 no virus found
ClamAV devel-20060426 10.18.2006 no virus found
DrWeb 4.33 10.18.2006 no virus found
eTrust-InoculateIT 23.73.25 10.18.2006 no virus found
eTrust-Vet 30.3.3141 10.18.2006 no virus found
Ewido 4.0 10.18.2006 no virus found
Fortinet 2.82.0.0 10.18.2006 no virus found
F-Prot 3.16f 10.18.2006 no virus found
F-Prot4 4.2.1.29 10.17.2006 no virus found
Ikarus 0.2.65.0 10.18.2006 no virus found
Kaspersky 4.0.2.24 10.18.2006 no virus found
McAfee 4876 10.18.2006 no virus found
Microsoft 1.1603 10.18.2006 no virus found
NOD32v2 1.1809 10.18.2006 error - unknown compression method
Norman 5.90.23 10.18.2006 no virus found
Panda 9.0.0.4 10.18.2006 no virus found
Sophos 4.10.0 10.15.2006 no virus found
TheHacker 6.0.1.100 10.18.2006 no virus found
UNA 1.83 10.18.2006 no virus found
VBA32 3.11.1 10.18.2006 no virus found
VirusBuster 4.3.7:9 10.18.2006 no virus found

Aditional Information
File size: 3941440 bytes
MD5: 185c5f195d51214fdb80d1672e59d57a
SHA1: 09a02913e68065a37e0f87148702f9a8cccb4088
---------------------------------

I don't know anything about CyberScrub Privacy Suite other than what a google search would turn up. It is available at Tucows Downloads, zdnet and other popular download sites which normally do not host bad products. I would probably uninstall the program and contact the makers of CyberScrub about this file.


Hmm. I got the program directly from the Cyberscrub site itself after reading about it in PC Magazine. I cannot find the article now, but it had "Best Utilities" in the title and was in PC Magazine - Vol. 24 #9. Here is more information on the product from their own site: http://www.cyberscrub.com/products/privacysuite/index.php McAfee SiteAdvisor gives the Cyberscrub sites the green check mark. I installed the trial version in June 2005 and bought it - wow that was expensive - in September 2005 according to the dates on my e-mail correspondence from them. I have serious doubts that it is the Cyberscrub program itself that is at fault because I did a Kaspersky online scan on Aug. 22, 2006 and it came out clean at that time. Note: their antivirus program, which I trialed in 2005, uses the Kaspersky engines - at least they did then.

That said, I have no problems with uninstalling both programs suspected to be infected and reinstalling them, or at least reinstalling Cyberscrub. I've been looking for the reinstallation disk that I got from them, but thus far have been unsuccessful. The Essential Net Tools program is not essential to me, just interesting so if I uninstall it, I probably won't reinstall.

For what it's worth, the cybshell.dll file only shows up in the Cyberscrub program file folder, right where it belongs.

I think I will go ahead and do an additional Kaspersky Online scan and see if there are any changes from the previous one considering the JottiScan and VirusTotal scan results, and I will also do the F-Secure online scan. However, those will have to wait until I get back from my volunteer teaching tonight and I may not be able to do them until tomorrow.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 18 October 2006 - 04:57 PM.

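Posts #4, #5 and #7 show the two patterns a responder has to tell apart: cybshell.dll, flagged by several engines under labels that all share the family name Delf (mostly classed as adware), versus ent4.exe, flagged by no engine but reported as packed (WiseSFX dropper, PE_PATCH, ASPack) and unreadable by one engine ("unknown compression method"). The Python below is an added example, not code from the thread, Jotti or VirusTotal; it parses both report formats exactly as pasted above, checks by MD5 that two reports describe the same bytes before they are compared, and reduces each report to detection count, agreed family name, grayware-versus-malware label split, packers and a verdict. The sample inputs are constructed subsets of the results posted in this thread, and the verdict thresholds are my own choices, not any multi-scanner's rules.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class EngineResult:
    engine: str
    detection: Optional[str] = None   # label reported; None for "nothing" / "no virus found"
    error: Optional[str] = None       # engine could not scan the file at all

@dataclass
class Submission:
    source: str
    md5: Optional[str] = None
    packers: List[str] = field(default_factory=list)
    results: List[EngineResult] = field(default_factory=list)

MD5_RE = re.compile(r"^MD5:?\s*([0-9a-fA-F]{32})")        # Jotti: "MD5 <hex>", VirusTotal: "MD5: <hex>"
VT_DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")
GRAYWARE_RE = re.compile(r"adware|not-a-virus|riskware|pup", re.I)
GENERIC = {"win32", "w32", "adware", "spyware", "not", "a", "virus", "trojan", "backdoor", "generic"}

def parse_jotti(text: str) -> Submission:
    """Jotti report as pasted in the thread: MD5, 'Packers detected:' (value may sit on the next
    line, '-' means none), then one 'Engine Found <label|nothing>' row per engine."""
    sub, lines = Submission("jotti"), [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if m := MD5_RE.match(line):
            sub.md5 = m.group(1).lower()
        elif line.startswith("Packers detected:"):
            rest = line.split(":", 1)[1].strip() or next((l for l in lines[i + 1:] if l), "")
            sub.packers = [p.strip() for p in rest.split(",") if p.strip() not in ("", "-")]
        elif " Found " in line:
            engine, label = (s.strip() for s in line.split(" Found ", 1))
            sub.results.append(EngineResult(engine, None if label.lower() == "nothing" else label))
    return sub

def parse_virustotal(text: str) -> Submission:
    """2006-era VirusTotal text report: 'Engine Version Date Result' rows plus an MD5/SHA1 footer."""
    sub = Submission("virustotal")
    for line in text.splitlines():
        line = line.strip()
        if m := MD5_RE.match(line):
            sub.md5 = m.group(1).lower()
            continue
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and VT_DATE_RE.match(parts[2]):
            engine, result = parts[0], parts[3]
            if result.lower() == "no virus found":
                sub.results.append(EngineResult(engine))
            elif result.lower().startswith("error"):
                sub.results.append(EngineResult(engine, error=result))
            else:
                sub.results.append(EngineResult(engine, detection=result))
    return sub

def same_sample(a: Submission, b: Submission) -> bool:
    """Only compare two reports when both hashed the same bytes."""
    return bool(a.md5 and b.md5 and a.md5 == b.md5)

def assess(sub: Submission) -> Dict[str, object]:
    """Reduce a multi-engine report to the facts a responder acts on."""
    labels = [r.detection for r in sub.results if r.detection]
    errors = [r for r in sub.results if r.error]
    family = None
    if labels:   # family = name token every detecting engine agrees on, minus generic class words
        common = set.intersection(*(set(re.findall(r"[a-z0-9]+", l.lower())) for l in labels)) - GENERIC
        family = "/".join(sorted(common)) or None
    grayware = sum(1 for l in labels if GRAYWARE_RE.search(l))
    if not labels:
        verdict = "inconclusive (packed or unscannable)" if sub.packers or errors else "no detections"
    else:
        verdict = "multi-engine detection" if len(labels) >= 3 else "single-engine detection"
    return {"engines": len(sub.results), "detections": len(labels), "errors": len(errors),
            "family": family, "grayware_labels": grayware, "malware_labels": len(labels) - grayware,
            "packers": sub.packers, "verdict": verdict}

# Constructed samples: subsets of the Jotti and VirusTotal results posted in this thread.
CYBSHELL_JOTTI = """
MD5 31b1518a20ef43aa86e60b2379b65e8a
Packers detected:
-
AntiVir Found Adware-Spyware/Delf.K.7 adware
ArcaVir Found Adware.Delf.K
Avast Found nothing
Fortinet Found Adware/Delf
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Delf.k
NOD32 Found nothing
Norman Virus Control Found W32/Delf.SPF
VBA32 Found AdWare.Win32.Delf.k
VirusBuster Found nothing
"""
ENT4_JOTTI = """
MD5 185c5f195d51214fdb80d1672e59d57a
Packers detected:
WISESFX DROPPER, PE_PATCH, ASPACK
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
"""
ENT4_VT = """
Antivirus Version Update Result
AntiVir 7.2.0.30 10.18.2006 no virus found
Kaspersky 4.0.2.24 10.18.2006 no virus found
NOD32v2 1.1809 10.18.2006 error - unknown compression method
Sophos 4.10.0 10.15.2006 no virus found
MD5: 185c5f195d51214fdb80d1672e59d57a
"""

if __name__ == "__main__":
    for name, sub in (("cybshell.dll", parse_jotti(CYBSHELL_JOTTI)), ("ent4.exe", parse_virustotal(ENT4_VT))):
        print(name, assess(sub))
    print("same file on Jotti and VirusTotal:", same_sample(parse_jotti(ENT4_JOTTI), parse_virustotal(ENT4_VT)))
```

The family extraction is deliberately crude (intersection of name tokens across every detecting engine) but it is enough to show that six different vendor labels for cybshell.dll all reduce to "delf", while ent4.exe yields no labels at all and only a packer list, which is the "packed, inconclusive" case rather than a clean bill of health.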

#8 quietman7 (Global Moderator)

Posted 18 October 2006 - 05:39 PM

Packers compress files in much the same way as compressor tools like Winzip. An executable file compressor is an application that compresses an executable. What makes executable file compressors a tool of Trojan users is that when a file is packed, the file itself is changed. When this happens the viral signature is destroyed and AV programs have to be able to unpack these file compressors to read the code.

I doubt if uninstalling/reinstalling Cyberscrub will change anything. I would still contact the Cyberscrub folks and let them know about the file scan results. If Kaspersky did not detect it in Aug, that means its definitions were updated since that time to detect it. However, you're now finding other AV vendors detecting that .dll as well, so something appears to be wrong. If Cyberscrub is legit, chances are they will want to investigate this further to avoid a negative label on their product.
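A packed executable's compressed or encrypted payload has a near-uniform byte distribution, so per-section Shannon entropy is the usual quick indicator of the packing quietman7 describes. It is also why a packer by itself proves nothing: the WiseSFX self-extractor and ASPack reported on ent4.exe earlier in the thread are legitimate tools, and an engine still has to unpack before it can match a signature. The following Python walks the PE section table and reports the entropy of each section's raw data. It is an added example, not code from the thread or from any AV vendor; the two PE images it analyses are constructed inside the block (minimal headers and section data only, not runnable programs), and the 7.0 bits/byte threshold is a common rule of thumb rather than a fixed standard.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = sum(c / n * math.log2(c / n) for c in counts if c)
    return -h if h else 0.0

def section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the PE section table and return the entropy of each section's raw (on-disk) data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt                                # section table follows optional header
    out: Dict[str, float] = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return out

def packed_sections(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Sections whose data looks compressed or encrypted, the usual footprint of a runtime packer."""
    return [name for name, h in section_entropies(pe).items() if h >= threshold]

def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32 image (DOS stub, COFF header, zeroed optional header, section table,
    raw data); enough for a section-table parser, not a loadable program."""
    opt_size = 224                                                  # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    raw_ptr = (hdr_len + 511) // 512 * 512                          # first section on a 512-byte boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic, rest unused here
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), vaddr, len(data),
                                  raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (len(data) + 0xFFF) // 0x1000 * 0x1000
    image = dos + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + body

def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packer's compressed payload."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])

# Constructed samples: a "normal" image with text-like code and data sections, and a "packed" one
# laid out like a UPX-style executable (empty UPX0, compressed payload in UPX1, resources).
PLAIN_CODE = b"mov eax, [ebp+8]; call printf; ret\n" * 120
NORMAL_PE = build_sample_pe([(b".text", PLAIN_CODE), (b".data", b"hello world\0" * 200)])
PACKED_PE = build_sample_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096)), (b".rsrc", b"\0" * 512)])

if __name__ == "__main__":
    for label, pe in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        print(label, {k: round(v, 2) for k, v in section_entropies(pe).items()}, "->", packed_sections(pe))
```

On a real file the same walk runs over the bytes read from disk; a high-entropy section is a reason to let a scanner with the matching unpacker (or a sandbox) look at the file, not a verdict on its own, which is the same conclusion the multi-scanner results for ent4.exe point to.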

#9 Orange Blossom (Topic Starter)

Posted 18 October 2006 - 09:59 PM

Okey-doke. I've just contacted Cyberscrub and told them about the scan results. I also provided a link to this thread in case they wanted to read the entire thing. I should be hearing from them in a day or two.

I'm also going to rescan with Kaspersky On-line, scan with F-Secure on-line, and perhaps check out the system with trial versions of Kaspersky AV, Cyberscrub AV, and Avast AV (I think this last one is a freebie). One at a time of course, uninstalling each one before installing the next - a pain, but perhaps worth it. I'll put in the Jetico Firewall while I'm doing that since I'll need to uninstall ZoneAlarm Pro. (I might decide to eliminate the ZA suite anyway as separate products can be of benefit especially in Safe Mode).

What I find very interesting about this is that Cyberscrub's own Anti-virus program "is powered by Kaspersky Lab." (http://cyberscrub.com/products/antivirus/faq.php?) Unless they are producing their own AV definitions, it would seem their own AV product would flag that file if it were the culprit.

Depending on the results of the on-line scans, I may uninstall and delete both programs and reinstall Cyberscrub Privacy Suite and then see if there is any difference.

Will keep you posted.

Thanks,

Orange Blossom :thumbsup:

#10 Orange Blossom (Topic Starter)

Posted 19 October 2006 - 12:28 PM

Just a quick update:

New online Kaspersky scan now finds only one infected file, the one associated with Cyberscrub. Hmm. I wonder if running ATF cleaner in safe mode got rid of the other infected stuff? Seems unlikely, but I did do that before the JottiScan and VirusTotal file submissions so it is possible I suppose.

Just finished F-Secure online scan which came out clean. Only two files were skipped in its scan: the pagefile, and the configuration file.

Haven't heard from Cyberscrub yet, probably too soon.
----------
I'm going to, temporarily anyway, uninstall my ZA suite and install the Kaspersky trial version of its AV and scan in safe mode to see if perhaps it will clean the infected file. I'll do all this off-line.

Orange Blossom :thumbsup:

#11 Orange Blossom (Topic Starter)

Posted 20 October 2006 - 01:06 PM

Just a quick update:

One: I installed the trial version of Kaspersky AV: it could not disinfect the Cyberscrub file.

Two: I uninstalled and deleted everything to do with the cyberscrub program and flushed the system restore as Kaspersky was finding related 'infected' files there as well.

Three: I found my reinstallation disk for the program and reinstalled it. As you thought Quietman7, the updated definitions of Kaspersky AV are flagging the file itself - so now I know I didn't pick up an infection somewhere else, and I found that this particular one is quite easy to eliminate. From what I could see from the logs, there is code surrounding the file that sets off the Kaspersky adware alert.

Four: I sent a second message to Cyberscrub informing them of the flagged infection during installation.

Five: Cyberscrub has since contacted me concerning the first message I sent. They have sent the information on to the development team where they will examine the file to find out what is wrong. Hopefully the problem will be resolved shortly.

Thanks for your wonderful advice Quietman7. Will post back when this is finally resolved. In the meantime, I'm experimenting with different firewalls and AV products to see which I'm most comfortable with and that does the best job for me.

Orange Blossom :thumbsup:

#12 quietman7 (Global Moderator)

Posted 20 October 2006 - 01:14 PM

You're welcome. :thumbsup:

At least Cyberscrub replied and I'm curious as to what they have to say about all this.

#13 Orange Blossom (Topic Starter)

Posted 23 October 2006 - 11:46 AM

Update:

I've just been contacted by Cyberscrub. I'll quote the essential elements of what they wrote:

... This is a false positive that Kaspersky's antivirus is producing. The function of the cybshell.dll file is described by our developers as:

" . . . The cybshell.dll file is the shell extension dll, it is a class that makes the connection between our program and the shell (right click) from Windows."

We will work with Kaspersky to figure out why this false positive is appearing now. . . . nothing in our program is ad-ware. . . .


Orange Blossom :thumbsup:

#14 quietman7 (Global Moderator)

Posted 23 October 2006 - 12:08 PM

It was a good move to contact Cyberscrub. It appears they had no idea their .dll file was being flagged as bad. So now it will depend on how long it takes dealing with Kaspersky to get the issue resolved.

#15 Orange Blossom (Topic Starter)

Posted 23 October 2006 - 12:19 PM

Yes, it certainly was. They were most appreciative in my informing them about the flagged file. I'm certain they will be working as quickly as possible to resolve the issue.

Orange Blossom :thumbsup:



