Bloodhound.pdf.1

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
My computer is purchased from the school. With it comes a very basic edition of Symantec. I believe it's called Endpoint?

Anyways. It popped up earlier today telling me I was infected with Bloodhound.PDF.1, twice. So I deleted them with the Norton system. Thinking there might be more, I ran a full scan with Spybot, Ad-Aware, and BitDefender. None found anything related to it. I also deleted my temp files, since that is where the file path was.

Norton's site said it was very low risk, but I still can't get rid of it.

Norton just popped up again telling me I'm infected again.

I searched for Bloodhound, and only found one unrelated result in security.

How can I make sure this is gone for good?

Link to Norton

Scroll down to see new/possibly related threat?
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
How can I be relatively sure?

I have disabled system restore, updated and run everything listed above. They all come up clean with deep system scans. I have also manually deleted everything in the temp folder.
This was the method of removal suggested by Norton as well as a guy I live with who deals with computers a lot.

Does anyone know any other tricks of this bug?
 

GaryJohnson

Senior member
Jun 2, 2006
940
0
0
Search your entire PC for *.PDF files (include hidden files and folders). What do you find? Any strange files? Maybe delete all of them or all but the ones you know are OK?
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
Ok, so I thought I had killed it.

Apparently not. It has come back. I tried everything Symantec suggested, and then googled it to see if I could do more. Apparently bloodhound is a name that Norton gives to any unknown threat.

What I used to help me

I have, yet again, turned off system restore, deleted all temp files (both IE that I don't use and FF which I do).

Through my research, it appears that .pdf.1 is a specific variant. I have found ones numbered up to 9. I guess it's the least vicious of them, seeing as nothing really happens to my computer. According to Norton it's easy to remove. They lie.

I should point out here that a number of sites said that because bloodhound is found "heuristically" it can cause false positives. Heuristic (fyi, I didn't know) means determined by an algorithm that looks for virus-like patterns in things. This site about bloodhound.exploit.6 explains it, and the types of false positives it can produce.

It works by "using encrypted Java Script" to fool anti-virus software to believe it's only a pdf. It exploits Adobe products, but I couldn't find how.

As of this posting, I have yet to actually remove the little ah heck, but hopefully Norton can fry it. Interesting how the program I had zero faith in (shown by the fact I bought my own protection above the school's meager attempt) was the only one to pick up the issue.

I hope that if/when someone else has this problem, this can help.

On another note:
I really like Secunia. The only issue I have is that I'm running Adobe Acrobat 8 (now fully patched), and it seems to tell me it's not. I don't know if it wants me to upgrade to 9 or what. Any thoughts mechBgon? The same appears to happen with Adobe Flash player (for which it has 6 entries...)
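Two points in this thread lend themselves to a small defender-side tool: GaryJohnson's suggestion to search the whole PC for PDF files (hidden ones included) and look for strange ones, and the explanation above that these samples hide JavaScript inside the PDF so a scanner sees "only a pdf". The script below is an added example, not code from the thread or from any vendor mentioned in it. It walks a directory tree, reads every `.pdf`, inflates Flate-compressed streams, resolves PDF `#xx` name escapes (so `/J#61vaScript` reads as `/JavaScript`), and reports which active-content names appear. The sample PDFs it builds are constructed for the demo, and the indicator list is a triage aid: legitimate forms use JavaScript too, so a hit means "look closer", not "infected".

```python
import os
import re
import tempfile
import zlib
from typing import Dict, List

# PDF names that make the reader execute or launch something. Their presence
# is what a heuristic engine keys on and what a defender wants to triage;
# it is not proof of malice on its own.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

HEX_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed content of every stream that inflates cleanly."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or not intact; skip it
    return data + b"\n" + b"\n".join(extra)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so /J#61vaScript becomes /JavaScript."""
    return HEX_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_indicators(data: bytes) -> List[str]:
    """Return the suspicious names found in a PDF byte string, in a fixed order."""
    if not data.startswith(b"%PDF"):
        return []
    # Inflate first, then resolve escapes, so '#' bytes inside compressed
    # data are not mangled before decompression.
    text = normalize_names(inflate_streams(data))
    found = []
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead keeps /JS from matching a longer name.
        if re.search(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text):
            found.append(name)
    return found


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root (os.walk does not skip dot-files) and report PDFs with indicators."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".pdf"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file; a real tool would log this
            hits = pdf_indicators(data)
            if hits:
                report[path] = hits
    return report


# ---- constructed sample documents (not real files from the thread) ----

def build_sample(body_objects: bytes) -> bytes:
    """Wrap object text in a minimal, constructed PDF skeleton."""
    return b"%PDF-1.4\n" + body_objects + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


CLEAN_PDF = build_sample(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj")

# JavaScript action with the action name hex-escaped (legal PDF name syntax).
ESCAPED_PDF = build_sample(
    b"1 0 obj << /Type /Catalog /OpenAction "
    b"<< /S /J#61vaScript /JS (app.alert(1)) >> >> endobj"
)

# The same action hidden inside a Flate-compressed stream.
_inner = b"<< /S /JavaScript /JS (app.alert(1)) >>"
_packed = zlib.compress(_inner)
COMPRESSED_PDF = build_sample(
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_packed)
    + _packed + b"\nendstream\nendobj"
)


def demo_scan() -> Dict[str, List[str]]:
    """Write the samples into a temp directory, scan it, return basename -> hits."""
    root = tempfile.mkdtemp(prefix="pdfscan_")
    samples = {"ok.pdf": CLEAN_PDF, ".hidden.pdf": ESCAPED_PDF, "packed.pdf": COMPRESSED_PDF}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return {os.path.basename(p): hits for p, hits in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in sorted(demo_scan().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point `scan_tree` at a user's profile or temp folder to get the list GaryJohnson asked for; anything it flags is worth submitting to the vendor or opening only with JavaScript disabled, as recommended later in the thread.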
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Kreon
I really like Secunia. The only issue I have is that I'm running Adobe Acrobat 8 (now fully patched), and it seems to tell me its not. I don't know if it wants me to upgrade to 9 or what. Any thoughts mechBgon? The same appears to happen with Adobe Flash player (for which it has 6 entries...)

In the case of Flash Player, I'd run the Flash Player Uninstaller from here to get rid of all the old Flash Player files for both families of browsers (IE and Mozilla/other), then reinstall the latest one.

For Adobe Reader 8, there are working attacks for even the latest, fully-patched version of it. What I would do is

1) uninstall Adobe Reader 8

2) install the latest version of Adobe Reader 9 (download & run the 26MB installer from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/ )

3) in Adobe Reader 9, click Edit > Preferences, click "JavaScript" in the left panel, and uncheck the "Enable Acrobat JavaScript" checkbox. This is Adobe's recommended mitigation against the current exploits that work on the latest version of Adobe Reader.



In the bigger picture, you can take other steps to make your system harder to exploit, too. Full Data Execution Prevention, the SEHOP option on Vista, non-Admin accounts on Vista/XP/2000, and Software Restriction Policy are some options to look at, and I wrote up how-to info on this page if anyone's interested in those.

 

balloonshark

Diamond Member
Jun 5, 2008
7,027
3,514
136
Kreon,

In the future you can disable JavaScript as an option in Adobe Reader, which may help prevent some future infections. If possible use another reader other than Adobe, and whatever you use, keep it updated with the Secunia tool/site. Also, look through your browser's options and see if you can set them to prompt for a .pdf download rather than automatically running it.

You can get a .pdf infection just by surfing to the wrong place while running a vulnerable .pdf reader and/or not configuring it properly like I mentioned above.

So, are you still infected? I couldn't tell from your post.

Where are the locations for the Flash Player entries Secunia detected? I normally use the Flash Player Uninstaller to uninstall all previous versions and then install the new versions. If you're running IE and Firefox then you would need to install each separately.

Here is a good thread about Flash Player. http://www.wilderssecurity.com/showthread.php?t=239894
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
Originally posted by: balloonshark
So, are you still infected? I couldn't tell from your post.

I don't think so. No Norton "o shit" messages since I made the last post.

This time to get rid of it I
-Deleted temp files, all of them
-deleted/unchecked system restore
-Had Norton and Bitdefender do a thorough search
-Updated everything with Secunia (except for those I had issues with)
-Ran Spybot and AdAware

I will be doing what you guys (Balloonshark and mechBgon) suggested shortly, although maybe later as I need to get some work done for tomorrow first.

Thank you very much guys, especially for the how-to and direct links
In case you couldn't tell, I'm not particularly proficient with computers (especially security stuff).
 

balloonshark

Diamond Member
Jun 5, 2008
7,027
3,514
136
Good to hear that you got rid of it and I'm glad to see you're going to get updated.

Regards,
balloonshark

 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
I tried what you guys mentioned.

The Flash Player went down without any issues.

However, when I tried to mess with Adobe, issues came up. I have the whole Adobe suite, and am unable to find Reader. Does Acrobat function as a reader? Is that why I'm unable to find it?
Also, one of my suitemates mentioned that because I have the whole Adobe suite, given by the school, I can't go mucking around in it. Does anyone have an experience in this kind of thing?

I haven't downloaded the 9 since I still have 8.


mechBgon, when it comes to TweakUI, what will disabling autoplay do? Will it screw with boot settings or anything, like by deselecting the C drive?
 

BriGy86

Diamond Member
Sep 10, 2004
4,537
1
91
I like to use ccleaner to get rid of un-needed files
http://www.ccleaner.com/

If you have the whole adobe suite installed then I don't see a reason to install reader as acrobat can open PDF files. I would assume the school had the same idea.
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
Yes, it will open them. However, I only have 8, not 9. Which is a problem

I have had another attack, SWP.exploit. I don't think it was related though. I quickly removed it from the cache and it appears to be gone for good.

Also, is there a list of what processes are? I know it's a longshot, but I'd like to know what different processes are.
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
I lied, it is still there.
Bitdefender blocked it again, and am now trying to scan it out of my system.

The plot thickens:

full name:
Exploit.SWF.Gen
Path: dynamic2.anandtech.com/www/delivery/... (can't find the rest of it)

Is it trying to attack AT? I am very, very confused
 

balloonshark

Diamond Member
Jun 5, 2008
7,027
3,514
136
The path looks to be an advertisement on anandtech's site. I see I have it blocked with the adblockplus add-on in Firefox. I think you are ok IF your flash player is up to date.
See here: http://www.bitdefender.com/VIR...--Exploit.SWF.Gen.html

If bit defender blocked it, you should be fine. It's also very possible that it's a false positive.

Edit: I wonder if this is the rest of the path. /www/delivery/*$domain=~video.belga.be

I have no idea how to find the flash file to upload it for scanning.
 

Kreon

Golden Member
Oct 22, 2006
1,329
0
0
I have removed all of flash 9 and am installing flash 10 shortly.
I think that is the rest of the path. I deleted the quarantined file so I don't know for sure...

I don't believe the exploit succeeded (as bitdefender stopped it) but I have scanned in safe mode and still come up with nothing.

Thank you very much for helping me