
eEye Digital Security

The endpoint to vulnerability starts here.

 

Cybersitter

Last post 09-01-2007 6:34 PM by larryk. 5 replies.
  • 08-24-2007 7:46 AM

    • larryk
    • Top 75 Contributor
    • Joined on 08-24-2007
    • Denver, PA
    • Posts 8

    Cybersitter

    I installed Cybersitter on my computer (XP Home) some time ago to create a safer environment for my one son, now 9.

    Since I installed Blink, I have gotten this log event:

     Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     MalwareID: 1138
     Malware Description: Cybersitter is a program designed to monitor user activity.
     Item found: HKEY_LOCAL_MACHINESystem\CurrentControlSet\co...\Net98EX01 HKEY_LOCAL_MACHINESystem\CurrentControlSet\cont...\NetOpt1 C:\WINDOWS\system32\bsnlst.dll C:\System Volume Information\_restore{A3BC...\A0078249.exe C:\Sy...
     Action: Repair
     Alert: Yes
     Name: Cybersitter
     Second Action: Quarantine
     Category: Surveillance

    And then:

     Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     MalwareID: 1138
     Malware Description: Cybersitter is a program designed to monitor user activity.
     Item found: HKEY_LOCAL_MACHINESystem\CurrentControlSet\co...\Net98EX01 HKEY_LOCAL_MACHINESystem\CurrentControlSet\cont...\NetOpt1 C:\WINDOWS\system32\bsnlst.dll C:\System Volume Information\_restore{A3BC...\A0078249.exe C:\Sy...
     Action: Repair
     Alert: Yes
     Name: Cybersitter
     Second Action: Quarantine
     Category: Surveillance

    I guess I didn't keep enough entries because I can't find anything, but Blink also seems to have deleted the main executable, cyb2k.exe.

    Just to troubleshoot this issue, I tried to reinstall Cybersitter while Blink was running. I could reinstall it, but Blink will not allow cyb2k.exe to run; therefore, I do not get its monitoring ability. I believe that this has affected the other users on this computer from accessing the Internet at all.

    Now I get:

     Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     MalwareID: 1138
     Malware Description: Cybersitter is a program designed to monitor user activity.
     Item found: HKEY_LOCAL_MACHINESystem\CurrentControlSet\co...\Net98EX01 HKEY_LOCAL_MACHINESystem\CurrentControlSet\cont...\NetOpt1 C:\WINDOWS\system32\bsnlst.dll C:\System Volume Information\_restore{A3BC...\A0078249.exe C:\Sy...
     Action: Repair
     Alert: Yes
     Name: Cybersitter
     Second Action: Quarantine
     Category: Surveillance

    and:

     Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     MalwareID: 1138
     Malware Description: Cybersitter is a program designed to monitor user activity.
     Item found: HKEY_LOCAL_MACHINESystem\CurrentControlSet\co...\Net98EX01 HKEY_LOCAL_MACHINESystem\CurrentControlSet\cont...\NetOpt1 C:\WINDOWS\system32\bsnlst.dll C:\System Volume Information\_restore{A3BC...\A0078249.exe C:\Sy...
     Action: Repair
     Alert: Yes
     Name: Cybersitter
     Second Action: Quarantine
     Category: Surveillance

    However, Cybersitter is not Quarantined, so I cannot tell Blink to trust the application.

    Help! What can I do now? 

  • 08-24-2007 5:29 PM In reply to

    Re: Cybersitter

         Well first off I would recommend setting the "First Action" in the Virus and Spyware section to Quarantine and then the "If first action fails" one to Log only.  At least this way it will only Quarantine something and not delete it.  I have a feeling that Repair entails it either removing or deleting it to be honest, but I am not sure.

         Second of all, before you reinstall Cybersitter, go to this post:  http://forums.eeye.com/forums/p/54/140.aspx#140

         Read about how to exclude your program from Blink's Application protection and see if that helps.  You could try to exclude the entire Cybersitter Program folder if you wanted to, to see if that helps.  Maybe try:

     If you do need to edit this file, apiex.ini in Blink/Config... edit it like so:

    <----- snip ---->
    ##################################################
    #Rules
    ##################################################
    C:\Program Files\Cybersitter\*;;Kevlar;0

    <---- end of file --->

    Where the above "snip" and "end of file" lines are not included

     

    NOTE:  Where the "Cybersitter" is, you will have to verify what folder under Program Files it actually is and make sure that name is put in this location to be sure.


         Second thing you can try.  Go to the log alerts, can you right click on them and then select "Create rule"?  Maybe it will let you create a rule to exclude them, maybe it won't because it thinks they are malware also.

         Finally since some of the items you state above are registry keys this idea may not work, however you can try.  These are just ideas, you will have to try and see what works best for you.  Once you are done you will need to probably uninstall what is left of Cybersitter (if you can) and reinstall a fresh copy of it.  If you are unable to, then simply install over what you currently have.  If none of these ideas work, be sure to post and let us know.

     


     

  • 08-25-2007 3:59 PM In reply to

    • larryk

    Re: Cybersitter

    Well, I'd already thought of changing the First Action to 'Quarantine,' but nothing has been quarantined. It seems that there are 2 executables here: cyb2k.exe and C:\WINDOWS\system32\mslspc.exe. The latter monitors chat messages, and is the one continuously being seen as malware. However, Blink cannot repair or quarantine it; perhaps because of Cybersitter's attempts to thwart would-be hackers from bypassing the filter... ;-)

    So I plunged hardily onwards, and read the posts and other posts mentioned. All potentially helpful. I edited apiex.ini and allowed both executables. I've restarted Blink, logged out, but no change visible to my poor eyes, at least.

    The second thing you mention makes sense. However, when I right click on the item in the log alerts, the options to "Create Rule" "Go To Rule" and "Ban IP" are all greyed out.

    I had already done a fresh installation of Cybersitter because Blink wasn't playing nice, and Cybersitter lost ... which is where I find myself. Cybersitter is freshly installed, but Blink prevents it from loading into memory. The chat monitoring program also cannot start. What are the next ideas?

    (Sorry for the bad formatting. My reply looks okay until I post or view it. Guess I have more to learn about forums, too!)

  • 08-30-2007 2:34 PM In reply to

    • larryk

    Re: Cybersitter

    Continuing Saga:

    After trying the suggestions, I went backwards, and tried again.

    1. I totally uninstalled CyberSitter (CS)
    2. Suspended Blink to reinstall CS
    3. Installed CS - went fine. Able to reregister and reconfigure.
    4. Edited apiex.ini  to ignore cyb2k.exe (just in case), lspcs.dll and mslspc.exe.
    5. Turned on Blink -- whammo! Off went CS and Up came Alerts as to warnings.
      Items found:
      1. C:\WINDOWS\System32\mslspc.exe
      2. C:\WINDOWS\System32\lspcs.dll
    6. Actions were set to Quarantine, then Log. Category: Surveillance.

    However, these items were not quarantined; perhaps because of some kind of protection to prevent unauthorized removal...

    What also puzzles me is that when I right click on any of the items in the Event Log, the options to Create Rule, Go To Rule, and Ban IP are all grayed out. How can I access those functions???!!!

     Any suggestions as to how to proceed???

    -L.

  • 09-01-2007 7:40 AM In reply to

    Re: Cybersitter

         Try editing your apiex.ini file to exclude the entire Program File folder and its contents for Cybersitter.  See if that does anything for you.

    larryk:
    What also puzzles me is that when I right click on any of the items in the Event Log, the options to Create Rule, Go To Rule, and Ban IP are all grayed out. How can I access those functions???!!!
     

         This is normal, some things do not allow you to create an exception rule for them, I have had a few things do that to me too.

  • 09-01-2007 6:34 PM In reply to

    • larryk

    Re: Cybersitter

       

    Blue1978:
    Try editing your apiex.ini file to exclude the entire Program File folder and its contents for Cybersitter.  See if that does anything for you.

    That sounds like a good idea ... except that Cybersitter isn't installed in its own filter. Its programs and DLLs are primarily in the Windows folder.

    -L.
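
An added example, not part of the thread and not eEye's code: it splits the "Item found" field of the quoted BLINK-MAL-205 event into separate items and reports which of them a folder rule like the one suggested above would cover. It assumes the first `;`-separated field of an apiex.ini rule line is a path pattern with glob-style `*`; the thread does not document the rule syntax, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# "Item found" value as it appears in the BLINK-MAL-205 events quoted in the
# thread, including the log viewer's "..." truncation.
ITEM_FOUND = (
    r"HKEY_LOCAL_MACHINESystem\CurrentControlSet\co...\Net98EX01 "
    r"HKEY_LOCAL_MACHINESystem\CurrentControlSet\cont...\NetOpt1 "
    r"C:\WINDOWS\system32\bsnlst.dll "
    r"C:\System Volume Information\_restore{A3BC...\A0078249.exe C:\Sy..."
)
# Files named in the later posts.
LATER_ITEMS = [r"C:\WINDOWS\System32\mslspc.exe", r"C:\WINDOWS\System32\lspcs.dll"]
# Rule line from the thread. Assumption: the first ';'-separated field is a
# path pattern with glob-style '*'; the other fields are not interpreted here.
RULE = r"C:\Program Files\Cybersitter\*;;Kevlar;0"


def split_items(field):
    """Split on whitespace that precedes a registry hive or a drive letter,
    so paths containing spaces stay in one piece."""
    return re.split(r"\s+(?=HKEY_|[A-Za-z]:\\)", field.strip())


def rule_pattern(rule_line):
    """Return the path-pattern field of a rule line (assumed to be the first)."""
    return rule_line.split(";", 1)[0].strip()


def status(item, rule_lines):
    if item.upper().startswith("HKEY_"):
        return "registry"      # not a file path; a path pattern cannot match it
    if "..." in item:
        return "truncated"     # full path unknown, so it cannot be judged
    patterns = [rule_pattern(r).lower() for r in rule_lines]
    # Windows paths are case-insensitive: compare lowercased strings.
    hit = any(fnmatchcase(item.lower(), p) for p in patterns)
    return "covered" if hit else "not covered"


def coverage(items, rule_lines):
    return [(item, status(item, rule_lines)) for item in items]


if __name__ == "__main__":
    for item, state in coverage(split_items(ITEM_FOUND) + LATER_ITEMS, [RULE]):
        print(f"{state:12} {item}")
```

Every detected file that is not truncated sits under the Windows folder, so the Program Files pattern covers none of them, which matches the observation in the last post.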

© 1995 - 2009 eEye Incorporated