Bloodhound Exploit 196

Dell / INSPIRON 530S
May 27, 2009 at 21:44:22
Specs: Microsoft Windows Vista Home Premium, 1.8 GHz / 2036 MB
I read the http://www.computing.net/answers/security/bloodhound-exploit-196-help/24051.html about removing this trojan. Right now, my anti-virus program has been putting them into quarantine, but it is taking more and more time each day to complete this process. I have d/l the malware software and run the scans on malware and HijackThis. I am not sure what to do next. Can someone please help me? Thanks

#1
May 27, 2009 at 22:05:00
Hi,
Can you please post your Hijackthis and AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#2
May 28, 2009 at 19:42:58
Sorry for the delayed response. I have not been home all day.
Thank you for your response.

Here is the link to the virusinfo file.
http://rapidshare.com/files/2383837...ml

Here are the results of hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:51 PM, on 5/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ScanSoft\PaperPort\PPWEBCAP.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Christina\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Christina\Documents\Downloads\HiJackThis (1).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://nawestra.watsonwyatt.com/dana-na/auth/url_default/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://nawestra.watsonwyatt.com/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11777 bytes
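A small triage script for a HijackThis log of the kind posted above, added here as an example and not part of the thread or of HijackThis itself: it splits the R/O entry lines by section and flags the three things a reviewer checks first (O4 autoruns launched from a user profile, O23 services with an unknown owner, and a populated O20 AppInit_DLLs value). The sample lines are copied from the log in post #2; the function names and the flag rules are the example's own assumptions.

```python
import re

# HijackThis entry lines look like "O4 - <body>" or "R1 - <body>"; process lists
# and headers are skipped (assumption: only R/O entries matter for triage).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr))"?', re.IGNORECASE)
# Writable-by-user locations; an autorun living here gets a second look (example rule).
USER_DIRS = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")

# Sample lines copied from the log in post #2 (a mix of flagged and benign entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

def parse_entries(text):
    """Return (section, body) pairs for every R/O entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(text):
    """Return (section, reason, detail) for entries worth a closer look:
    O4 autoruns launched from a user profile, O23 services with no publisher,
    and any non-empty O20 AppInit_DLLs value (a DLL loaded into every process)."""
    findings = []
    for sec, body in parse_entries(text):
        if sec == "O4":
            m = PATH_RE.search(body)
            if m and any(d in m.group(1).lower() for d in USER_DIRS):
                findings.append((sec, "autorun from user profile", m.group(1)))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with unknown owner", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append((sec, "AppInit_DLLs set", value))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A flagged entry is a prompt to check the file's publisher and hash, not a verdict: both the Google Update autorun and the Dell broker service in this log are legitimate software that happens to match the rules.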

#3
May 28, 2009 at 20:06:03
Your logs don't show anything; maybe Norton took care of it. Try running the ESET/BitDefender online scanner. Post the scan result after.


#4
May 28, 2009 at 21:54:46
I ran ESET, and no threats were found! For the first time tonight, I didn't get any warnings from Symantec. I really hope it's gone for good! Thanks.


#5
June 2, 2009 at 17:43:57
Oh no! I'm getting a pop-up message from Symantec to quarantine Bloodhound Exploit 196 again! There are too many to count! Can someone please help me?


#6
June 2, 2009 at 17:51:43
Please post the screen shot of detected with filename and path visible.


#7
June 2, 2009 at 18:01:52
Here is a link to the screen shot. http://lh5.ggpht.com/_SXfUL8JO3_M/S...


#8
June 2, 2009 at 18:05:33
Those are dated 5/18. Where are the recent ones? Also follow this: http://www.symantec.com/security_re...
