Nadril Posted June 1, 2005

I recently found while restarting my PC, a message would pop up from Norton that would say something along the lines of "bloodhound.w32.(forgot part)" every time, and I couldn't delete it. I did some research on it, and sites said that it's just what Norton says when it can't tell what the virus is and such, or other sites said it's a virus made to get around Norton.

Anyways, after some more searching, I located it to be named "msupdate" and there was something else I believe as well. My question is, how would I get rid of this? Norton can't find it, but then sometimes when I try and scan with something, such as HouseCall, it finds stuff, but can't delete it all. (I did manage to delete some stuff, probably just spyware however.)

Usually I wouldn't be very alarmed about this, but also, just kind of as of now (I think I've had this virus for a few days, just never much bothered with it) my PC is acting quite laggy. I really don't think it's matched to the virus (although you never know) but I'm getting stuff mostly like:

- Just general lagginess. For example, the load times and just the lag in Guild Wars is ridiculously huge. In Counter-Strike: Source I really couldn't even get onto a server. For Ventrilo (a voice chat program) it takes long to log in.

I've tried restarting my PC, which usually works, but I've restarted it quite a few times to no help.

Back to the virus problem, I also read somewhere that says it could be stuck in System Restore. It talked about disabling then enabling System Restore, to get rid of it. But how exactly easy is that to do, and is it going to terribly screw up my system if I have used System Restore in the past? (The site said no, but meh :P)

So any help is quite appreciated. I am probably going to do another scan in HouseCall and Norton tonight, just to see if I missed anything, and just hope I can get rid of this thing(s).

Thank you in advance :)

~Nadril
Rob_Gambino Posted June 1, 2005

Post a complete HijackThis log.
Nadril (Author) Posted June 1, 2005

I'll get to it. Let me get that program again :)
Nadril (Author) Posted June 1, 2005

Logfile of HijackThis v1.99.1
Scan saved at 12:43:46 AM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\WINDOWS\System32\drivers\CDAC11BA[Caution: ExecutableFile]
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
C:\WINDOWS\System32\CTSVCCDA[Caution: ExecutableFile]
c:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]
c:\Program Files\Norton Personal Firewall\NISUM[Caution: ExecutableFile]
C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]
C:\Program Files\Softex\OmniPass\Omniserv[Caution: ExecutableFile]
C:\WINDOWS\System32\MsPMSPSv[Caution: ExecutableFile]
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: ExecutableFile]
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2[Caution: ExecutableFile]
c:\Program Files\Norton Personal Firewall\ccPxySvc[Caution: ExecutableFile]
C:\Program Files\Softex\OmniPass\OPXPApp[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\WINDOWS\system32\wscntfy[Caution: ExecutableFile]
C:\windows\system\hpsysdrv[Caution: ExecutableFile]
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon[Caution: ExecutableFile]
C:\Program Files\HP\HP Software Update\HPWuSchd[Caution: ExecutableFile]
C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]
C:\HP\KBD\KBD[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]
C:\Program Files\Multimedia Card Reader\shwicon2k[Caution: ExecutableFile]
C:\Program Files\Creative\ShareDLL\CtNotify[Caution: ExecutableFile]
C:\Program Files\Java\j2re1.4.2_06\bin\jusched[Caution: ExecutableFile]
C:\Program Files\Creative\ShareDLL\MediaDet[Caution: ExecutableFile]
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa[Caution: ExecutableFile]
C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]
C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
c:\Program Files\Common Files\Symantec Shared\NMain[Caution: ExecutableFile]
c:\PROGRA~1\NORTON~1\navw32[Caution: ExecutableFile]
C:\Program Files\Mozilla Firefox\firefox[Caution: ExecutableFile]
C:\DOWNLOADS\HijackThis[Caution: ExecutableFile]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.deviantart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv[Caution: ExecutableFile]
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd[Caution: ExecutableFile]
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon[Caution: ExecutableFile]
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05[Caution: ExecutableFile]
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD[Caution: ExecutableFile]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: ExecutableFile]" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT[Caution: ExecutableFile]
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: ExecutableFile] /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k[Caution: ExecutableFile]
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR[Caution: ExecutableFile]
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2[Caution: ExecutableFile]
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray[Caution: ExecutableFile]" /r
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify[Caution: ExecutableFile]
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg[Caution: ExecutableFile]
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl[Caution: ExecutableFile] /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet[Caution: ExecutableFile]
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate[Caution: ExecutableFile]
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched[Caution: ExecutableFile]
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3[Caution: ExecutableFile]
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray[Caution: ExecutableFile]
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon[Caution: ExecutableFile] /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon[Caution: ExecutableFile]] C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify[Caution: ExecutableFile]
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]" /background
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_41.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3449446687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA[Caution: ExecutableFile]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile]
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc[Caution: ExecutableFile]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA[Caution: ExecutableFile]
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM[Caution: ExecutableFile]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv[Caution: ExecutableFile]
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile]
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: ExecutableFile]" "WUSB54Gv2[Caution: ExecutableFile] (file missing)

------------------

There we go :)
RealKCD Posted June 1, 2005

Check my PM
Nadril (Author) Posted June 1, 2005

> Check my PM

What PM? :?
Pyro Posted June 1, 2005

Did you try running the virus scans in safe mode?
Nadril (Author) Posted June 1, 2005

> Did you try running the virus scans in safe mode?

Hmm... Actually no, I don't think I did. I'm scanning my PC right now, and when I scanned the "My Documents" folder I did find and delete 7 things. I think I'm more or less alright though. But just curious, how does my HijackThis log look?

If I do however notice that the virus is still on my PC, I will reboot in safe mode and scan my PC :)
Mercifull Posted June 1, 2005

Bloodhound is what Symantec calls something that is acting virus-like or has virus-like attributes that isn't in its virus definitions. This could be a custom-made keylogger or a modified version of a virus already released.

You say it was called "bloodhound.w32.(forgot part)". The "forgot part" is probably the most important lol, as it gives us some indication of what is causing it.

Scan in safe mode with your antivirus. Scan with Ad-aware and Spybot S&D and clean up the following from your HJT log.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Windows.hta  <-- icky malware
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: ExecutableFile]" "WUSB54Gv2[Caution: ExecutableFile] (file missing)

Mercifull <3 Suzi
"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
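Added example (not part of any post in this thread): a small Python triage pass over HijackThis entries, flagging the patterns that recur in the list above: "(no file)", "(file missing)", unnamed BHOs and script files in a Startup folder. The rule set and function name are assumptions made for illustration; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Windows.hta
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: ExecutableFile]" "WUSB54Gv2[Caution: ExecutableFile] (file missing)
"""

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SCRIPT_EXT = (".hta", ".vbs", ".js", ".bat", ".cmd")


def triage(log_text):
    """Return (code, reasons, line) for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, body = m["code"], m["body"]
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("registry entry points at no file")
        if body.endswith("(file missing)"):
            reasons.append("target file missing on disk")
        if code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed browser helper object")
        if (code == "O4" and re.match(r"(Global )?Startup:", body)
                and body.lower().endswith(SCRIPT_EXT)):
            reasons.append("script file in a Startup folder")
        if reasons:
            findings.append((code, reasons, line))
    return findings


if __name__ == "__main__":
    for code, reasons, line in triage(SAMPLE_LOG):
        print(f"[{code}] {'; '.join(reasons)}\n    {line}")
```

A flag here means "look at this entry", not "delete it": a "(file missing)" service can belong to legitimate hardware software, and a bare Run entry such as AlcxMonitor is not caught by these rules at all.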
Nadril (Author) Posted June 1, 2005

> O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.e3e (CAUTION - executable file)" "WUSB54Gv2.e3e (CAUTION - executable file) (file missing)

Are you sure I should get rid of that one, since it is for my wireless? I'll get rid of the other ones though.

Also, I finished up my scan, and it found that virus. I quarantined it. Btw, it was called Bloodhound.W32.EP

I think I'm fine now, but I will get rid of those from my HJT log.