Bloodhound.Exploit.196 Virus

Custom / CUSTOM
May 25, 2009 at 21:16:33
Specs: Windows XP Pro SP3
Intel Core 2 Duo CPU
E6850 @ 3.00GHz, 3.25GB RAM

Today when I turned on my PC, Firefox stated that the previous session had crashed, and I declined to restore, starting a new session.

At the top of any of my browser tabs, I have alerts stating my PC is in danger and to download their software, or other times my page wouldn't load properly, revealing this:

ERROR! Connection was RESET by remote server.

This can be a reason for system faults, errors or critical data corruption. To prevent your critical data loss please do the full system scaning!

There is also a link connected with that page, again telling me to scan: http://antivirus-xppro2009.com/cgi-...

No one has searched any unsafe sites as far as I know; I don't know how the app loaded itself.
Anyway, I couldn't load either Spybot or Ad-Aware.
I ran a Kaspersky scan, which revealed one infected file: Exploit.JS.Pdfka.jr.

This is a Bloodhound.Exploit.196 virus, if I am correct. I have saved the scan report.

If someone can assist me in removing this virus and checking to make sure there are no further threats to my PC, I would be really appreciative!




#1
May 25, 2009 at 21:22:15
Can you post your scan summary log from Kaspersky?


#2
May 26, 2009 at 18:06:28
I scanned again last night, after restarting my PC because it locked up; this is the latest report.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 26, 2009 05:56:43
Records in database: 2247815
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan mail databases: yes
  Scan area: My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
Scan statistics
  Files scanned: 111202
  Threat name: 1
  Infected objects: 2
  Suspicious objects: 0
  Duration of the scan: 02:25:02

File name Threat name Threats count
C:\WINDOWS\system32\frmwrk32.exe Infected: Trojan-Downloader.Win32.FraudLoad.vyuu 1
C:\WINDOWS\system32\pm.exe Infected: Trojan-Downloader.Win32.FraudLoad.vyuu 1

The selected area was scanned.



#3
May 26, 2009 at 18:16:20
Can you please post your HijackThis and AVZ logs:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, a LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial


#5
May 26, 2009 at 19:05:37
Do you have your Windows installation CD? You will need to replace userinit.exe via the Recovery Console.


#6
May 26, 2009 at 19:35:41
Yes, I believe I do.
Okay, so I just need to replace that one file, everything else is fine, or is there anything further as well?


#7
May 26, 2009 at 19:43:02
No, don't replace it yet. Follow these steps in the order numbered:

1) Run this script in AVZ like before; your computer will reboot.

begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS','');
  QuarantineFile('c:\windows\system32\userinit.exe','');
  QuarantineFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll','');
  QuarantineFile('C:\WINDOWS\TEMP\ntdll64.dll','');
  DeleteFile('C:\WINDOWS\TEMP\ntdll64.dll');
  DeleteFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll');
  DeleteFile('c:\windows\system32\userinit.exe');
  DeleteFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

2) After the reboot, attach a ComboFix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please upload that file to rapidshare.com and paste the link here.


#8
May 26, 2009 at 19:47:10
Before or after step 2) of Response Number 7 you might have to replace it. Steps to recover that file using the Windows Recovery Console:

Press R to enter the Recovery Console.

Type the following:

expand d:\i386\userinit.ex_ c:\windows\system32

and press Enter.

Once it says "1 file copied", type exit and press Enter.
The system will reboot.
Make sure to remove the Windows XP Pro CD before it boots up, and let it boot fully.
Windows should start normally.

If not post with result


#9
May 26, 2009 at 21:03:56
Okay, I entered the prompt.
I typed the following into the Recovery Console:
expand d:\i386\userinit.ex_ c:\windows\system32

Word for word, but I get this message:
The system cannot find the file or directory specified.

I tried looking at the /? command, and also at the expand action, and I'm not sure if I am missing something.



#10
May 26, 2009 at 21:11:27
It's not letting you log in, correct? Or can you still log in to Windows? What is your CD drive letter in the Recovery Console? Run the command "dir" and paste all the directories you see.


#11
May 26, 2009 at 21:20:20
No, I cannot log into Windows at all.

The starting drive in the Recovery Console is C:.

"dir" gives me several pages; I'm not sure what you need specifically from those pages, and I hope you don't need them all typed. I'm on a separate computer in a different room.



#12
May 26, 2009 at 21:21:37
Type this:
cd d:
dir

then run the expand command.


#13
May 26, 2009 at 21:24:49
No, there is nothing.


#14
May 26, 2009 at 21:25:22
Follow Response Number 12; I changed it. What is your CD drive letter?


#15
May 26, 2009 at 21:34:02
Okay, following Response 12:
I typed in cd d:

It still has me in drive C:

and typing "dir" is still no different.
I did change over to drive D: (by typing "D:") and then tried dir, but there wasn't any i386 directory there either.



#16
May 26, 2009 at 21:35:32
Check your recovery CD on another computer and see what folders it has.


#17
May 26, 2009 at 21:37:28
The cd does have an I386 folder.


#18
May 26, 2009 at 21:40:06
Wait... if I'm trying to access the CD, then I wouldn't need drive D:; I have two HDDs.

I would need E:, correct?



#19
May 26, 2009 at 21:42:28
Then D: is not your CD drive. Try to find your CD drive letter and then try the expand command accordingly.


#20
May 26, 2009 at 21:49:16
Type this command in the Recovery Console; it will show you all the drives and their mapping: "map arc" (without the quotes).


#21
May 26, 2009 at 21:56:38
Okay, sorry I hadn't realized that sooner.

Okay, the file expanded and I am now able to log onto Windows again, although it won't let me onto the internet, neither Firefox nor IE.



#22
May 26, 2009 at 22:04:04
Transfer it via USB and continue with Response Number 7.


#23
May 27, 2009 at 18:22:51
Link to the ComboFix

http://rapidshare.com/files/2380008...



#24
May 27, 2009 at 18:27:42
Is your internet working now?


#25
May 27, 2009 at 18:32:35
It is. I have no idea why or how it came back.
Also, I noticed my web pages are all free from the 'virus' warnings and the other oddities that were occurring.


#26
May 27, 2009 at 18:35:23
Follow these steps now in the order numbered:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a file host such as http://rapidshare.com/. Then private message me the download link to the uploaded files.

3) Lastly, uninstall ComboFix: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.


#27
May 27, 2009 at 19:08:40
Thanks for the files. Please follow these steps in the order numbered and post the summary log after each step.

1) If you use Windows System Restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Then run a full scan with http://www.eset.eu/online-scanner

- Check the box next to YES, I accept the Terms of Use.
- Click Start.
- When asked, allow the ActiveX control to be installed.
- Click Start.
- Check the options below:
    * Remove found threats
    * Scan unwanted applications
- Click Scan.
- Wait for the scan to finish.
- When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
- Attach this logfile to your next message.

Note: Turn System Restore back on if you wish; this is to remove malware from the System Volume Information files.

3) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

4) House cleaning [Optional]. Scan with SUPERAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.


#28
May 27, 2009 at 20:31:07
Argh... I ran the program, though at the end, when it asked if I wanted to delete the quarantined files (which I did), it had another option to remove the program once it finished. I clicked that as well, realizing afterward that it took the log with it.


#29
May 27, 2009 at 20:35:48
Should I continue with the next steps?


#30
May 27, 2009 at 20:57:23
The log is located in C:\Program Files\EsetOnlineScanner\log.txt. Yes, continue.


#31
May 27, 2009 at 21:41:37
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=593ef7ebe22d664cb2f3910d1d129219
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-28 03:24:54
# local_time=2009-05-27 09:24:54 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=112630
# found=0
# cleaned=0
# scan_time=1142

-- Eset scan log


Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 3

5/27/2009 10:39:46 PM
mbam-log-2009-05-27 (22-39-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198671
Time elapsed: 35 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-- Malwarebytes log



#32
May 27, 2009 at 21:45:41
Fix what it detects; you're malware-free now. Does Kaspersky detect anything now? Is the original problem solved?

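Response Number 8 had the poster replace userinit.exe from the install CD, and the Malwarebytes log in Response Number 31 flags HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify set to 1. The PowerShell script below is an added example written for this page; it is not from the thread and not part of AVZ, ComboFix or any other tool used here. It performs the three checks a responder would want after such a cleanup: that the Winlogon Userinit and Shell values still point only at the real binaries, that the live userinit.exe matches the SFC cache copy, and that the Security Center notification flags are back at 0. It assumes a default Windows XP/Vista-era layout under %SystemRoot%, PowerShell 2.0 or later, and an administrator prompt; the function names are its own.

```powershell
# Added example (not from this thread): post-cleanup checks for a userinit.exe
# hijack and for suppressed Security Center notifications.
# Assumes default paths under $env:SystemRoot, PowerShell 2.0+, run as Administrator.

$Sys32    = Join-Path $env:SystemRoot 'system32'
$Userinit = Join-Path $Sys32 'userinit.exe'
$Dllcache = Join-Path $Sys32 'dllcache\userinit.exe'   # XP's SFC backup copy, if present

function Get-FileSha256 ([string]$Path) {
    # Stream the file through SHA-256 and return the hex digest.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-WinlogonUserinit {
    # Returns every Winlogon\Userinit entry that is not the real userinit.exe,
    # plus a note if Shell is not explorer.exe. The default Userinit value is
    # "C:\WINDOWS\system32\userinit.exe," (trailing comma is normal); downloaders
    # append themselves after that comma so they run at every logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty $key
    $entries = ($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $bad = @($entries | Where-Object { $_ -ne $Userinit })     # -ne is case-insensitive
    if ($wl.Shell -ne 'explorer.exe') { $bad += "Shell=$($wl.Shell)" }
    return $bad
}

function Test-UserinitFile {
    # Compares the live binary with the SFC cache copy. XP system files are
    # catalog-signed, so Get-AuthenticodeSignature reports NotSigned even when the
    # file is clean; a hash comparison against dllcache (or sfc /scannow with the
    # install CD) is the check that actually works on that platform.
    if (-not (Test-Path $Userinit)) { return 'userinit.exe is missing' }
    if (-not (Test-Path $Dllcache)) { return 'no dllcache copy to compare against' }
    if ((Get-FileSha256 $Userinit) -ne (Get-FileSha256 $Dllcache)) {
        return 'userinit.exe differs from the dllcache copy; re-expand it from the install CD'
    }
    return 'userinit.exe matches the dllcache copy'
}

function Repair-SecurityCenterNotify {
    # A value of 1 silences the Security Center warning for that component; the
    # Malwarebytes log above reported AntiVirusDisableNotify=1. Reset any of the
    # three flags that are set and return the names that were changed.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $fixed = @()
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $val = (Get-ItemProperty $key -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            Set-ItemProperty $key -Name $name -Value 0 -Type DWord
            $fixed += $name
        }
    }
    return $fixed
}

$unexpected = @(Test-WinlogonUserinit)
if ($unexpected.Count -gt 0) { Write-Warning "Unexpected Winlogon entries: $($unexpected -join '; ')" }
else { Write-Host 'Winlogon\Userinit and Shell are at their defaults' }

Write-Host (Test-UserinitFile)

$reset = @(Repair-SecurityCenterNotify)
if ($reset.Count -gt 0) { Write-Warning "Reset to 0: $($reset -join ', ')" }
else { Write-Host 'Security Center notification flags are not suppressed' }
```

Run it once after the scanners report clean and again after the next reboot: a loader that survived the cleanup re-adds its Userinit entry or re-sets the notification flag on the next logon, and the second run will show it. The hash comparison is only as good as the dllcache copy; if the cache copy is itself suspect, compare both against userinit.ex_ expanded from the install CD as in Response Number 8.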

#33
May 28, 2009 at 03:25:01
Everything seems to be good. Kaspersky doesn't see anything else, other than the archived files, and there seem to be no other issues with my PC. That did it.

Thank you neoark, for your time, patience and help in getting rid of the problems!

