Oct 19, 2004
39
0
0
UGH! I got the Bloodhound.Exploit.6 virus like 14 months ago and today as I am browsing I get Bloodhound.Exploit.20 ... Apparently they have updated it... I keep searching the net trying to find a program to remove it but nothing is working.

Anyways, last time I got this virus I came here and someone helped me... I'm hoping I can find the same help again. I have Norton Corporate Edition; it picked up the virus but it gave me this: Action taken: Quarantine failed : Delete failed : Access denied

So yay for it... Ad-Aware didn't find it, nor did a bunch of other programs... I'm going to run a HijackThis scan and post it in a few seconds... Any help would be greatly appreciated, thanks.

- mike


Oh yeah, not sure if it's important, but Norton picked up 4 "viruses" which are all located in my temp internet folder...

File: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\WXYR8P2Z\index[1].ani
Location: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\WXYR8P2Z

File: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\274ZTQJI\index[1].ani
Location: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\274ZTQJI

File: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\C1UFC16J\index[1].ani
Location: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\C1UFC16J

File: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\274ZTQJI\index[1].ani
Location: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\274ZTQJI
 
Oct 19, 2004
39
0
0
Logfile of HijackThis v1.98.2
Scan saved at 5:40:58 AM, on 08/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Sfam\Oytxii.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Documents and Settings\Mike\Desktop\Virus Portection\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vnboards.ign.com/Board.aspx?brd=22523
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vnboards.ign.com/Board.aspx?brd=22523
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Uivzc] C:\Program Files\Sfam\Oytxii.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 
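The triage mechBgon later does by eye on this HJT log can be scripted. The following is an added example, not code from this thread or from HijackThis itself: it parses the log format shown above (the constructed sample excerpt is copied from the posted log), cross-references O4 Run entries against the "Running processes" list, lists entries that point at files HijackThis could not find, and reports O16 DPF (downloaded ActiveX control) hosts that are not in an assumed trusted-domain list. The helper names and the trusted list are my own choices, not anything HijackThis provides.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of a HijackThis v1.98 log; the lines are copied from the
# log posted in this thread so the parser runs offline on realistic input.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Sfam\Oytxii.exe

R3 - Default URLSearchHook is missing
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Uivzc] C:\Program Files\Sfam\Oytxii.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c420.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# "O4 - <body>", "R3 - <body>", ... : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 Run-key form: HKLM\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O16 form: DPF: {CLSID} (optional description) - URL
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the lettered entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def exe_path(cmd):
    """Pull the program path out of a Run value, handling quoted and unquoted forms."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def running_autostarts(log):
    """Names of O4 Run entries whose program is currently in the process list."""
    running = {p.lower() for p in log["processes"]}
    hits = []
    for section, body in log["entries"]:
        if section != "O4":
            continue
        m = O4_RUN_RE.match(body)
        if m and exe_path(m.group("cmd")).lower() in running:
            hits.append(m.group("name"))
    return hits


def missing_file_entries(log):
    """Entries pointing at a file HijackThis could not find (leftover or broken hooks)."""
    return [f"{s} - {b}" for s, b in log["entries"]
            if "(file missing)" in b or "(no file)" in b]


def untrusted_dpf_hosts(log, trusted_suffixes):
    """Hosts of O16 DPF entries that are outside the caller's trusted domain list."""
    hosts = []
    for section, body in log["entries"]:
        if section != "O16":
            continue
        m = O16_RE.match(body)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname or ""
        if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print("Autostart entries that are running:", running_autostarts(log))
    print("Entries with missing files:", *missing_file_entries(log), sep="\n  ")
    print("DPF hosts not on the trusted list:",
          untrusted_dpf_hosts(log, ["trendmicro.com", "microsoft.com", "msn.com"]))
```

On the sample above this reports the [Uivzc] entry as both an autostart and a live process, which is the kind of unfamiliar, oddly named Program Files entry a HJT reviewer would look up first; the "(file missing)" lines are stale hooks to clean, and the non-vendor DPF host shows which downloaded ActiveX controls came from somewhere other than a known update or scanner site.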

deathwalker

Golden Member
May 22, 2003
1,211
0
0
Did you run your virus scan in safe mode? If not, you should. That will sometimes get by the problem of not being able to quarantine or delete a virus file. The 4 virus files in your internet temp folder are probably the same virus. A question: are you not running an active virus protection program when you are browsing the web?
 
Oct 19, 2004
39
0
0
Yes I AM running an active virus scan.. that's how I know it's there... My active scan picked up the virus but couldn't delete it.

Afterwards I ran a normal virus scan on the entire comp and it didn't even pick them up... Do you think rebooting in safe mode would make any difference? (I haven't rebooted since I picked up the virus)
 

meltdown75

Lifer
Nov 17, 2004
37,548
7
81
Is Windows fully up to date? Run Windows Update until all critical updates are completed.

Update your Ad-Aware definitions and reboot in safe mode and run it.

After that, update your virus defs and run your anti-virus again.

If you still find viruses, you might want to search for specific fixes for the virus or whatever crap has infected your system.

The last option, and the only 100% foolproof way of ridding your system of anything you don't want, is wiping the drive and reinstalling Windows.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I generally favor the Drop-The-Bomb-On-It approach: run DBAN and then reinstall Windows, keeping it away from any network connections of any kind until it's got Service Pack 2 installed and a firewall running.

But if you want to try something, try this: http://www.omnicast.net/~tmcfadden/scan.txt except the download URL has changed, use http://vil.nai.com/vil/virus-4d.aspx instead of the one in the text file.

Follow the instructions exactly, including using Safe Mode With Command Prompt.


Also realize that the detection of a threat doesn't mean it's successfully infecting you. If I go to a website that's trying a JS/NoClose exploit, then sure, the antivirus software will detect it, but it's a toothless threat because my system is patched against it. Still, based on your HJT log, you've got some housecleaning to do.
 

mircea

Member
Dec 24, 2004
123
0
0
Whenever I get a virus that I can't clean or delete I save the log to a txt file and reboot in Safe Mode and remove it manually, then rescan. In safe mode you can delete or modify any file, even ones inaccessible in a normal boot.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: mircea
Whenever I get a virus that I can't clean or delete I save the log to a txt file and reboot in Safe Mode and remove it manually, then rescan. In safe mode you can delete or modify any file, even ones inaccessible in a normal boot.
Not necessarily, not in this age of rootkits. Check this out, I went up against this one on a co-worker's wife's computer recently:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.i.html

To remove this threat it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article, How to install and use the Recovery Console in Windows XP.

  • Insert the Windows XP CD-ROM into the CD-ROM drive.
  • Restart the computer from the CD-ROM drive.
  • Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
  • Select the installation that you want to access from the Recovery Console.
  • Enter the administrator password and press Enter.
  • Delete the following files:
    • %System%\qo.dll
    • %System%\qo.sys
    • %System%\yvpp01.dll
    • %System%\yvpp01.sys
    • %System%\yvpp02.sys
    • %System%\redir.a3d
    • %System%\redir2.a3d
    • %System%\maskstt.a3d
    • %System%\tnstt.a3d
    • %System%\tn1sql.dat
    • %System%\lps.dat
    • %System%\klgcptini.dat

  • Type exit
  • Press Enter. The computer will now restart automatically.
The times, they are a-changin'...


 
Oct 19, 2004
39
0
0
K well, problem #1 is that the company I bought this laptop from didn't give me the OS, therefore I can't wipe + reinstall.

My Ad-Aware is fully up to date, I'm going to reboot in safe mode and run it again to see if it finds anything...


Okay, stupid question... How does one get into the options prompt on bootup in XP? So I can turn it to safe mode. I thought it was F8 or F6 but neither is working.. haha
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
F8 is the one, and timing can be tricky on fast-booting systems, so experiment a little. Also, if you have to do something special to make the F-keys work as F-keys, then keep that in mind.

And run the scan I posted, it's very good stuff. PM me the output from the C:\report.html file if you want.
 
Oct 19, 2004
39
0
0
Okay, after many attempts at smashing F8 on reboot I got it to work. I had the program installed, turned off System Restore and ran the program... It said it saved a log to my C:\ but I have a bunch of logs there; which one do I need to PM you?
 
Oct 19, 2004
39
0
0
Okay so I ran through the process again... turns out it's supposed to be an html file (which makes sense since that's what you asked for), however there is no html file on my C:

... I followed the instructions exactly, except that I extracted the zip to my desktop then cut + paste, but that wouldn't make a difference, would it? Also for clarification, the 2nd file it told me to download, it said to stick in the McAfee folder; did it mean INSIDE the unzipped part or just in the same folder with it?

When I ran it in the DOS prompt it says it will run the test and then close the window, asking me to hit any key to continue... I hit a key and some typing came up but then the box closed like half a second later so I didn't get to read it... It said it would close the box when it was done so I just figured it was done...

If you see any holes in any of this, let me know and I'll correct them... This was all I could think of that I might be doing wrong.
 
Oct 19, 2004
39
0
0
I ran a search of my C drive for "C:\report.html" and it came up with a few things... Am I looking for the Microsoft Baseline Security Analyzer\report.html ?


I only ask because when I went to open it my virus scan came up with a security warning, so I want to be sure it's the right thing before I pop the cork...
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
The problem is that you didn't follow the instructions. Use the folder name C:\McAfee, not your desktop. Put the contents from the Zip file into C:\McAfee. Download the scan.bat file to C:\McAfee, then reboot into Safe Mode With Command Prompt and try again.

The scanner would normally go for 20 minutes or more and disappears when it's done. If it finds Bad Stuff, it will give you a BEEP! on the system speaker as it exits. You'll find the report.html file in the C:\ directory afterwards.
 
Oct 19, 2004
39
0
0
No no, I did make that folder "C:\McAfee" and downloaded the scan.bat into that folder as well.

When I rebooted in safe mode I used "C:\McAfee\scan.bat" and that wouldn't have worked at all had I not made the directory... I followed all the instructions; I was just saying that when I originally unpacked the zip file it unpacked to the desktop and then I moved it to the C:\McAfee folder I had created.
 
Oct 19, 2004
39
0
0
Okay so I ran it again in safe mode through DOS; the window closed immediately again, but this time I decided to give it some time in case it was running... Left it alone for 2 hours then rebooted, but still no report.html file... So obviously something isn't working right... I'll try repeating all the steps from scratch when I get up in the morning.

Btw... Thanks to all for all the input/help, although I have accomplished nothing it means a lot, and hopefully I can get this sorted out tmr.
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,831
1,044
126
CCleaner 1.28

download this program and install it. Make sure you do this in safe mode with networking support.

When you open the program, just hit the 'Run Cleaner' button and what it will do is delete all temporary files on your system. The viruses you describe are in your temporary internet folder, so this program will eliminate those and any others hiding in cached or temp folders.

 
Oct 19, 2004
39
0
0
Okay, I found out what the problem was... ran it again, took 2 hours lol... Anyways I PM'd you the results; it said it deleted two trojans and some adware. Any other way to make sure it got them all and that I'm clean?