# Bloodhound.Exploit.196 Virus

Custom / CUSTOM
May 25, 2009 at 21:16:33
Specs: Windows XP Pro SP3

#1
May 25, 2009 at 21:22:15
Can you post your scan summary log with Kaspersky?

#2
May 26, 2009 at 18:06:28
I scanned again last night, after restarting my PC due to it locking up; this is the latest report.

    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Tuesday, May 26, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Tuesday, May 26, 2009 05:56:43
    Records in database: 2247815

    Scan settings
    Scan using the following database  extended
    Scan archives  yes
    Scan mail databases  yes

    Scan area  My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan statistics
    Files scanned  111202
    Threat name  1
    Infected objects  2
    Suspicious objects  0
    Duration of the scan  02:25:02

    File name  Threat name  Threats count
    C:\WINDOWS\system32\frmwrk32.exe  Infected: Trojan-Downloader.Win32.FraudLoad.vyuu  1
    C:\WINDOWS\system32\pm.exe  Infected: Trojan-Downloader.Win32.FraudLoad.vyuu  1

    The selected area was scanned.

#3
May 26, 2009 at 18:16:20
Can you please post your HijackThis and AVZ log?

Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) Folders wizard built into Windows XP/Vista, or a zip utility of your choice.
3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.

Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File -> Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

    begin
     ExecuteStdScr(3);
     RebootWindows(true);
    end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

#4
May 26, 2009 at 18:42:11

#5
May 26, 2009 at 19:05:37
Do you have your Windows installation CD? You will need to replace userinit.exe via the Recovery Console.

#6
May 26, 2009 at 19:35:41
Yes, I believe I do. Okay, so I just need to replace that one file and everything else is fine, or is there anything further as well?

#7
May 26, 2009 at 19:43:02
No, don't replace it yet. Follow these steps in the order numbered:

1) Run this script in AVZ like before; your computer will reboot.

    begin
     SetAVZGuardStatus(True);
     SearchRootkit(true, true);
     QuarantineFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS','');
     QuarantineFile('c:\windows\system32\userinit.exe','');
     QuarantineFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll','');
     QuarantineFile('C:\WINDOWS\TEMP\ntdll64.dll','');
     DeleteFile('C:\WINDOWS\TEMP\ntdll64.dll');
     DeleteFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll');
     DeleteFile('c:\windows\system32\userinit.exe');
     DeleteFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS');
     BC_ImportAll;
     ExecuteSysClean;
     BC_Activate;
     RebootWindows(true);
    end.

2) After reboot: attach a ComboFix log. Please review and follow these instructions carefully.
Download it here -> http://download.bleepingcomputer.co...
Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.
ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please upload that file to rapidshare.com and paste the link here.

#8
May 26, 2009 at 19:47:10
Before or after step 2) of Response Number 7 you might have to replace it. Steps to recover that file using the Windows Recovery Console:

Press R to enter the Recovery Console.
Type the following:

    expand d:\i386\userinit.ex_ c:\windows\system32

Press Enter.
Once it says "1 file copied", type exit and press Enter.
The system will reboot. Make sure to remove the Windows XP Pro CD before it boots up and let it boot fully.
Windows should start normally. If not, post with the result.

#9
May 26, 2009 at 21:03:56
Okay, I entered the prompt. I typed the following into the Recovery Console:

    expand d:\i386\userinit.ex_ c:\windows\system32

Word for word, but I get this message stating: "the system cannot find the file or directory specified". I tried looking at the /? command and also at the action expand, and I'm not sure if I am missing something.

#10
May 26, 2009 at 21:11:27
It's not letting you log in, correct? Or can you still log in to Windows? What is your CD drive letter in the Recovery Console? Run the command "dir" and paste me all the directories you see.

#11
May 26, 2009 at 21:20:20
No, I can not log into Windows at all. The starting drive in the Recovery Console is C:. 'dir' gives me several pages; I'm not sure what you need specifically from those pages, I hope you don't need them all typed. I'm on a separate computer in a different room.


#12
May 26, 2009 at 21:21:37

#13
May 26, 2009 at 21:24:49
 No, there is nothing.


#14
May 26, 2009 at 21:25:22

#15
May 26, 2009 at 21:34:02
Okay, following response 12: I typed in cd d: and it still has me in drive C:, and typing 'dir' is still no different. I did change over to drive D: (by typing "D:") and then tried dir, but there wasn't any i386 dir there either.

#16
May 26, 2009 at 21:35:32
 Check your recovery CD on another computer and see what folders it has.

#17
May 26, 2009 at 21:37:28
 The cd does have an I386 folder.

#18
May 26, 2009 at 21:40:06
Wait... if I'm trying to access the CD, then I wouldn't need drive D:, I have two HDDs. I would need E:, correct?

#19
May 26, 2009 at 21:42:28
Then D: is not your CD drive. Try to find your CD drive letter and then run the expand command accordingly.

#20
May 26, 2009 at 21:49:16
Type this command in the Recovery Console. It will show you all the drives and their mapping: "map arc" (without the quotes).

#21
May 26, 2009 at 21:56:38
Okay, sorry I hadn't realized that sooner. The file expanded and I am now able to log onto Windows again, although it won't let me onto the internet, neither Firefox nor IE.

#22
May 26, 2009 at 22:04:04
Transfer it via USB and continue with Response Number 7.

#23
May 27, 2009 at 18:22:51

#24
May 27, 2009 at 18:27:42

#25
May 27, 2009 at 18:32:35
It is. I have no idea why or how it came back. Also, I notice my web pages are all free from the 'virus' warnings and the other oddities that were occurring.

#26
May 27, 2009 at 18:35:23
Follow these steps now in the order numbered:

1) Run this script in AVZ:

    begin
     CreateQurantineArchive('c:\quarantine.zip');
    end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ . Then Private Message me the download link to the uploaded file.
3) Lastly, uninstall ComboFix: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.

#27
May 27, 2009 at 19:08:40
Thanks for the files. Please follow these steps in the order numbered and post the summary log after each step.

1) If you use Windows System Restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q...
2) Run a full scan with http://www.eset.eu/online-scanner
   - Check the box next to YES, I accept the Terms of Use.
   - Click Start
   - When asked, allow the ActiveX control to be installed.
   - Click Start
   - Check the options below:
     * Remove found threats
     * Scan unwanted applications
   - Click Scan
   - Wait for the scan to finish
   - When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
   - Attach this logfile to your next message.
   Note: Turn System Restore back on, if you wish; this is to remove malware from System Volume Information files.
3) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.
4) House cleaning [Optional]. Scan with SuperAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

#28
May 27, 2009 at 20:31:07
Argh... I ran the program, though at the end, when it asked if I wanted to delete the quarantined files (which I did), it had another option to remove the program once it's finished. I clicked that as well, realizing afterward that it took the log with it.

#29
May 27, 2009 at 20:35:48
 Should I continue with the next steps?

#30
May 27, 2009 at 20:57:23
The log is located in C:\Program Files\EsetOnlineScanner\log.txt. Yes, continue.

#31
May 27, 2009 at 21:41:37
ESET scan log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=6
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.5863
    # api_version=3.0.2
    # EOSSerial=593ef7ebe22d664cb2f3910d1d129219
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-05-28 03:24:54
    # local_time=2009-05-27 09:24:54 (-0700, Mountain Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # scanned=112630
    # found=0
    # cleaned=0
    # scan_time=1142

Malwarebytes log:

    Malwarebytes' Anti-Malware 1.37
    Database version: 2186
    Windows 5.1.2600 Service Pack 3

    5/27/2009 10:39:46 PM
    mbam-log-2009-05-27 (22-39-44).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 198671
    Time elapsed: 35 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
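
The helper in this thread worked from pasted scanner output: the Kaspersky report in post #2 named the two FraudLoad droppers, the Malwarebytes log above flagged the Security Center notification value, and post #7 turned file paths into an AVZ quarantine-then-delete script by hand. The script below is an added example, not a tool from the thread or from any of the vendors named here: it parses both log layouts, cross-checks the Kaspersky detection lines against the report's own "Infected objects" counter (pasted logs lose lines easily), and emits an AVZ custom script with the same structure the helper used. The two sample logs are constructed to mirror the posted ones, trimmed to the relevant lines; the function names are this example's own.

```python
import re

# Constructed sample in the layout of the Kaspersky Online Scanner 7.0 report
# from post #2 (same paths and verdicts, trimmed to the lines that matter).
KASPERSKY_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Scan statistics
Files scanned 111202
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 02:25:02

File name Threat name Threats count
C:\WINDOWS\system32\frmwrk32.exe Infected: Trojan-Downloader.Win32.FraudLoad.vyuu 1
C:\WINDOWS\system32\pm.exe Infected: Trojan-Downloader.Win32.FraudLoad.vyuu 1
The selected area was scanned.
"""

# Constructed sample in the layout of the Malwarebytes log from post #31.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.37
Database version: 2186
Scan type: Full Scan (C:\|D:\|)
Registry Data Items Infected: 1
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

_KASP_STAT = re.compile(r"^(?P<name>Files scanned|Infected objects|Suspicious objects)\s+(?P<value>\d+)$")
_KASP_HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
_MBAM_REG_DATA = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_kaspersky(text):
    """Return (stats, hits): the scan counters and one dict per detection line."""
    stats, hits = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = _KASP_STAT.match(line)
        if m:
            stats[m["name"]] = int(m["value"])
            continue
        m = _KASP_HIT.match(line)
        if m:
            hits.append({**m.groupdict(), "count": int(m["count"])})
    # The report's own counter must agree with the lines parsed; a mismatch means
    # a detection line was mangled when the log was pasted into the forum.
    infected = sum(1 for h in hits if h["verdict"] == "Infected")
    if "Infected objects" in stats and stats["Infected objects"] != infected:
        raise ValueError(f"report claims {stats['Infected objects']} infected objects, parsed {infected}")
    return stats, hits


def parse_mbam(text):
    """Split an MBAM log into its 'X Infected:' sections; placeholder lines are dropped."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("Infected:"):  # section header, not a 'X Infected: N' summary count
            current = line[:-1]
            sections[current] = []
        elif current and line and line != "(No malicious items detected)":
            sections[current].append(line)
    return sections


def registry_data_findings(sections):
    """Parse 'Registry Data Items Infected' lines such as the silenced Security Center notification."""
    out = []
    for line in sections.get("Registry Data Items Infected", []):
        m = _MBAM_REG_DATA.match(line)
        if m:
            out.append(m.groupdict())
    return out


def avz_quarantine_script(paths):
    """Build an AVZ custom script with the structure used in post #7:
    quarantine every file before deleting it, then run the standard clean-up."""
    body = [" SetAVZGuardStatus(True);", " SearchRootkit(true, true);"]
    body += [f" QuarantineFile('{p}','');" for p in paths]
    body += [f" DeleteFile('{p}');" for p in paths]
    body += [" BC_ImportAll;", " ExecuteSysClean;", " BC_Activate;", " RebootWindows(true);"]
    return "\n".join(["begin", *body, "end."])


if __name__ == "__main__":
    stats, hits = parse_kaspersky(KASPERSKY_REPORT)
    print(f"{stats['Files scanned']} files scanned, {len(hits)} detections")
    for f in registry_data_findings(parse_mbam(MBAM_LOG)):
        print("registry tampering:", f["key"], "=", f["bad"], "(expected", f["good"] + ")")
    print(avz_quarantine_script([h["path"] for h in hits]))
```

The quarantine-before-delete order matters: the helper asked for the AVZ and ComboFix quarantine archives in post #26 precisely so the removed files could still be examined, and the script generator keeps every QuarantineFile line ahead of the first DeleteFile line for that reason.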

#32
May 27, 2009 at 21:45:41
Fix what it detects; you're malware free now. Does Kaspersky detect anything now? Original problem solved?

#33
May 28, 2009 at 03:25:01
Everything seems to be good. Kaspersky doesn't see anything else, other than the archived files, and there seem to be no other issues with my PC. That did it. Thank you neoark, for your time, patience and helping me get rid of the problems!

