Author Topic: [Resolved] Possible Bloodhound.Exploit.213

Offline adf1962

  • Bronze Member
  • Posts: 67
[Resolved] Possible Bloodhound.Exploit.213
« on: June 29, 2010, 09:22:01 PM »
My unit is a bit sluggish these days, especially my browser. Symantec popped up a few days ago stating there was an infected file in my C:\Windows\temp folder and that it was due to Bloodhound.Exploit.213. So... I'm going to need your help once again in verifying and cleaning any malware.

Here is my HJT log... thanks in advance for your guidance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:48 PM, on 6/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Rosina')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Rosina')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Rosina')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\Run: [A00F3AEF026.exe] C:\DOCUME~1\Rosina\LOCALS~1\Temp\_A00F3AEF026.exe (User 'Rosina')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Rosina')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-1007\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Rosina')
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} (IBM Lotus iNotes 8.5 Control) - https://webmail.us.publicisgroupe.net/dwa85W.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://webmail.us.publicisgroupe.net/dwa8W.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.us-resources.com/dwa7W.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1}: NameServer = 192.168.2.1
O20 - AppInit_DLLs:  
O23 - Service: AbelService - Unknown owner - C:\Program Files\AbelCam\AbelService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (roxliveshare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: sasrfc Service (sasrfcService) - Unknown owner - C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 14073 bytes
« Last Edit: June 30, 2010, 05:42:28 AM by 1972vet »
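An added example, not part of the original thread or of the HijackThis tool: a small Python triage script that applies the first checks a log helper makes to the O4 (autorun), O20 (AppInit_DLLs) and O23 (service) lines of a HijackThis v2 log. It flags an autorun target that lives in a Temp directory, a service whose vendor field reads "Unknown owner", and a non-empty AppInit_DLLs value. The sample lines are constructed in the HJT 2.0.2 layout seen in the log above; the SID and the Temp-folder executable name in them are illustrative, and the heuristic names (`autorun_in_temp` and so on) are this script's own. A flag is a reason to inspect the file (hash it, check its signer, submit it to a multi-engine scanner), not a verdict: the same "Unknown owner" rule hits OpenVPN's benign service, which is why every flag still needs a human look.

```python
"""Triage heuristics for a HijackThis (HJT) v2 log.

Parses O4 (autorun), O20 (AppInit_DLLs) and O23 (service) lines and flags
the patterns a malware-removal helper checks first:
  * an autorun entry whose target lives in a Temp directory,
  * a service whose vendor field is "Unknown owner",
  * a non-empty AppInit_DLLs value.
A flag means "look at this file", not "this file is malicious".
"""
import re
from typing import Dict, List

# Constructed sample in HJT 2.0.2 line format (a few lines, not the full log
# from the post); the SID and the Temp-folder executable name are illustrative.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1111-2222-3333-1007\..\Run: [A00F3AEF026.exe] C:\DOCUME~1\Rosina\LOCALS~1\Temp\_A00F3AEF026.exe (User 'Rosina')
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Planner\PLNRnote.exe
O20 - AppInit_DLLs:
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> (User '<user>')"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Global Startup: <shortcut>.lnk = <target>"
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*?)\s*$")
# Display names containing " - " would confuse this split; HJT output rarely has them.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# First program-looking token of a command line, with surrounding quotes dropped.
PROGRAM_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))"?(?=\s|$)', re.IGNORECASE)

TEMP_DIRS = {"temp", "tmp"}


def target_path(cmd: str) -> str:
    """Pull the program path out of an autorun command, dropping quotes and arguments."""
    m = PROGRAM_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def in_temp_dir(path: str) -> bool:
    """True if any directory component of the path is a Temp/Tmp folder.
    8.3 short names (LOCALS~1\\Temp) still expose the Temp component."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return any(p in TEMP_DIRS for p in parts[:-1])


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per flagged line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = O4_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            path = target_path(USER_SUFFIX_RE.sub("", m.group("cmd")))
            if in_temp_dir(path):
                findings.append({"kind": "autorun_in_temp", "name": m.group("name"),
                                 "path": path, "line": line})
            continue
        m = O20_RE.match(line)
        if m and m.group("value"):
            findings.append({"kind": "appinit_dlls_set", "name": "AppInit_DLLs",
                             "path": m.group("value"), "line": line})
            continue
        m = O23_RE.match(line)
        if m and m.group("vendor").strip().lower() == "unknown owner":
            findings.append({"kind": "service_unknown_owner", "name": m.group("display"),
                             "path": m.group("path"), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the Temp-folder rule is the one that matters most on a consumer XP box, since legitimate software almost never registers a Run entry that points into a user's Temp directory, while the "Unknown owner" rule mostly surfaces unsigned third-party services and needs the path checked by hand.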

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #1 on: June 30, 2010, 05:48:15 AM »
Greetings adf1962 and Welcome back to the forum,

As I see you have had an issue with this very same matter once before, I might point out that Symantec has had an issue with it as well. See if This Article applies to your situation.

On your next reply, please advise us of the following:
1) Is your Symantec product fully licensed and up to date?
2) Have you at any time within the last year, performed a system restore?
3) Has Windows Defender complained of this?

As well as answering those questions for us, please do the following:
Disable your on-board protective software, then scan with ESET Here. Check the "I Agree" box and click Next. When prompted, install the needed software to perform the scan. When it finishes with the install, click the Start button to initialize the scanner. When it's ready, you'll get a screen with two boxes unchecked by default along with the Scan button. Check both boxes, then click the Scan button. When it completes, use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log with your next reply, along with the answers to those three questions above, and a description of any remaining problems. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline adf1962

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #2 on: June 30, 2010, 08:49:43 PM »
Greetings 1972vet,

Thanks for taking my case.

The Symantec article does seem to apply here; there are DWHxxx.tmp files created.

To answer your questions:

1. My Symantec product is fully licensed through my work, and this particular version is a few years old (2006). I need to download the latest Symantec Endpoint Protection, which is available, but I will only do it when you tell me I can. Thanks for bringing it to my attention.

2. As far as I can tell, I don't think I did a System Restore in the last year. I'm a bit wary, as I think a previous alert might have indicated malware.

3. I don't think Defender complained of this.


I followed the instructions for ESET, but I don't think I'm doing something right. It started to scan and then it got stuck after 20 files. There was a file called C:\DesktopNew.html that it was stuck on for a long time. So I stopped the scanner and deleted that file, reran ESET, and it got stuck again on dell.sdk. It stayed there for a number of minutes, so I stopped it after 5 minutes because I was seeing no activity.

I disabled my Symantec protection to run ESET.  Since I couldn't get ESET to work, I have turned the Symantec Protection back on.

Am I doing this right?  Should I have let it continue to run?

Anyway, I'm including the log below just the same.

What can I try next?

Thanks,

 ADF

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25917c878d48144f9c34313232dc9105
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-01 02:16:01
# local_time=2010-06-30 10:16:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 39413813 39413813 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=21
# found=0
# cleaned=0
# scan_time=368
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25917c878d48144f9c34313232dc9105
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-01 02:18:18
# local_time=2010-06-30 10:18:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 39413950 39413950 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=21
# found=0
# cleaned=0
# scan_time=23
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25917c878d48144f9c34313232dc9105
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-01 02:26:09
# local_time=2010-06-30 10:26:09 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 39414421 39414421 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=20
# found=0
# cleaned=0
# scan_time=421

Offline 1972vet

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #3 on: July 01, 2010, 04:03:18 AM »
You should most definitely install the most recent and up-to-date security software...always. Any time you receive notice from your security vendor of an update, the first thing you should do is click to allow the download.

Once you complete that, run the ESET scan with Windows Defender and Symantec disabled. Wait for the scan to complete and post back the log. Thanks!

Offline adf1962

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #4 on: July 02, 2010, 12:16:09 AM »
Thanks again, Vet...

OK, I updated my Symantec product, disabled it, and disabled Windows Defender. I ran the ESET scan, but the same thing happened: it got stuck in the same spot.

It says Scan in Progress... it is stuck at 1% and has been there for 10 minutes. The file showing is C:\dell.sdr

I uninstalled the product, then installed it again. I checked off the boxes for Remove Found Threats and Scan archives.

Same thing happened.

Should I wait it out?  Am I doing this right?

ADF

Offline 1972vet

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #5 on: July 02, 2010, 02:45:22 AM »
Please download ComboFix from This Webpage and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the Recovery Console step; in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running; that may cause the scan to stall.


Offline adf1962

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #6 on: July 02, 2010, 09:35:38 PM »
Logfile results from ComboFix...


ComboFix 10-07-01.02 - Tony 07/02/2010  23:18:46.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.360 [GMT -4:00]
Running from: c:\software\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
C:\Thumbs.db
c:\windows\system32\al.txt
c:\windows\system32\dz1.txt
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
(((((((((((((((((((((((((   Files Created from 2010-06-03 to 2010-07-03  )))))))))))))))))))))))))))))))
.

2010-07-03 03:24 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
2010-07-03 03:24 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
2010-07-03 03:24 . 2008-04-14 00:12   39424   ----a-w-   c:\windows\system32\grpconv.exe
2010-07-03 03:24 . 2008-04-14 00:12   39424   ----a-w-   c:\windows\system32\dllcache\grpconv.exe
2010-07-02 05:39 . 2010-07-02 05:39   60808   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2010-07-02 05:39 . 2010-07-02 05:39   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-01 02:07 . 2010-07-01 02:07   --------   d-----w-   c:\program files\ESET
2010-06-24 22:14 . 2010-06-24 22:14   501936   ----a-w-   c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb15B.tmp.exe
2010-06-09 08:06 . 2010-06-09 08:06   976832   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06   70584   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06   331176   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06   331176   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AcrobatUpdater.exe
2010-06-04 06:43 . 2010-06-04 06:43   61440   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12247637-n\decora-sse.dll
2010-06-04 06:43 . 2010-06-04 06:43   503808   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\msvcp71.dll
2010-06-04 06:43 . 2010-06-04 06:43   499712   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\jmc.dll
2010-06-04 06:43 . 2010-06-04 06:43   348160   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\msvcr71.dll
2010-06-04 06:43 . 2010-06-04 06:43   12800   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12247637-n\decora-d3d.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 21:29 . 2008-06-05 05:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2010-07-02 05:41 . 2009-04-14 05:16   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-07-02 05:40 . 2009-04-14 05:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
2010-07-02 05:39 . 2009-04-14 05:16   --------   d-----w-   c:\program files\Symantec
2010-07-02 05:39 . 2010-07-02 05:39   806   ----a-w-   c:\windows\system32\drivers\SYMEVENT.INF
2010-07-02 05:39 . 2010-07-02 05:39   7456   ----a-w-   c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-02 05:34 . 2008-10-15 22:37   --------   d-----w-   c:\program files\Symantec AntiVirus
2010-07-02 04:21 . 2010-03-29 02:16   --------   d-----w-   c:\documents and settings\Rosina\Application Data\HPAppData
2010-06-27 10:53 . 2007-03-02 03:44   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-26 03:36 . 2008-11-09 05:05   256   ----a-w-   c:\windows\system32\pool.bin
2010-05-24 03:51 . 2010-05-24 03:50   503808   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\msvcp71.dll
2010-05-24 03:50 . 2010-05-24 03:50   499712   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\jmc.dll
2010-05-24 03:50 . 2010-05-24 03:50   348160   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\msvcr71.dll
2010-05-24 03:50 . 2010-05-24 03:50   12800   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3ba2aa6b-n\decora-d3d.dll
2010-05-24 03:50 . 2010-05-24 03:50   61440   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3ba2aa6b-n\decora-sse.dll
2010-05-21 18:14 . 2009-10-03 00:07   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-20 00:29 . 2010-04-14 05:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-05-19 04:51 . 2010-05-19 04:51   1956656   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-19 04:40 . 2010-05-19 04:40   --------   d-----w-   c:\program files\Common Files\Java
2010-05-19 04:40 . 2010-05-19 04:24   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-19 04:34 . 2010-05-19 04:33   1924976   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-05-19 04:31 . 2007-10-25 21:53   --------   d-----w-   c:\program files\Juice
2010-05-19 04:24 . 2006-02-12 23:13   --------   d-----w-   c:\program files\Java
2010-05-13 05:23 . 2006-02-12 23:17   --------   d-----w-   c:\program files\Google
2010-05-11 16:35 . 2009-09-13 01:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 17:20 . 2004-08-11 23:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-11 23:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-11 23:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-11 23:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-09-13 01:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-09-13 01:37   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-11 23:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-10 03:33 . 2010-04-10 03:33   10134   ----a-r-   c:\documents and settings\Tony\Application Data\Microsoft\Installer\{451BB54C-8B23-4455-8BDC-14FC7D43E056}\ARPPRODUCTICON.exe
2010-04-05 07:53 . 2010-04-05 07:53   503808   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\msvcp71.dll
2010-04-05 07:53 . 2010-04-05 07:53   499712   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\jmc.dll
2010-04-05 07:53 . 2010-04-05 07:53   61440   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-392bd560-n\decora-sse.dll
2010-04-05 07:53 . 2010-04-05 07:53   348160   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\msvcr71.dll
2010-04-05 07:53 . 2010-04-05 07:53   12800   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-392bd560-n\decora-d3d.dll
2010-04-04 05:52 . 2010-04-20 00:33   208760   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-04-04 05:34 . 2010-04-04 05:34   503808   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1900d5b0-n\msvcp71.dll
2010-04-04 05:34 . 2010-04-04 05:34   499712   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1900d5b0-n\jmc.dll
2010-04-04 05:34 . 2010-04-04 05:34   348160   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1900d5b0-n\msvcr71.dll
2010-04-04 05:34 . 2010-04-04 05:34   61440   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1375bb22-n\decora-sse.dll
2010-04-04 05:34 . 2010-04-04 05:34   12800   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1375bb22-n\decora-d3d.dll
2005-02-16 20:25 . 2006-02-19 00:38   46592   ----a-w-   c:\program files\R3vfy32.exe
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2008-01-22 00:40   163328   --sha-r-   c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2008-01-22 00:40   31232   --sha-r-   c:\windows\system32\msfDX.dll
2007-12-17 13:43 . 2008-01-22 00:40   27648   --sha-w-   c:\windows\system32\Smab0.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2009-03-09 104696]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-8-30 25896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"lphc3nvj0eca3"=c:\windows\system32\lphc3nvj0eca3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
"c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional\\ALCHUDDL.EXE"=
"c:\\Program Files\\Software AG\\Entire Connection\\v431\\PccServer.exe"=
"c:\\Program Files\\LogiSphere\\LogiSphere.exe"=
"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/13/2008 7:19 PM 28544]
R0 VirtualK;VirtaulK;c:\windows\system32\drivers\VirtualK.sys [8/15/2009 12:57 AM 3968]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [2/18/2006 5:32 PM 40832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/2/2010 1:43 AM 102448]
R3 GMFilter;GMFilter HID Filter Driver;c:\windows\system32\drivers\GMFilter.sys [8/15/2009 12:57 AM 21760]
R3 skbusenum;SKBus Enumerator;c:\windows\system32\drivers\SKBusEnum.sys [8/15/2009 12:57 AM 10880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 2:05 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 AbelService;AbelService;c:\program files\AbelCam\AbelService.exe [2/25/2007 12:53 AM 81920]
S3 ENDETECT;ENDETECT;c:\progra~1\Bell\ACCESS~1\app\ENDETECT.SYS [2/18/2006 5:32 PM 7752]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S3 NTSTPL1;NTSTPL1;c:\progra~1\Bell\ACCESS~1\app\NTSTPL1.SYS [2/18/2006 5:32 PM 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\Bell\ACCESS~1\app\NTSTPL2.SYS [5/24/2007 8:31 PM 16160]
S3 RAWESR;RAWESR;c:\progra~1\Bell\ACCESS~1\app\RAWESR.SYS [2/18/2006 5:32 PM 16256]
S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [2/18/2006 8:08 PM 41984]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [6/23/2004 9:54 PM 23552]
S3 TAPBIND;TAPBIND;c:\progra~1\Bell\ACCESS~1\app\TAPBIND1.SYS [2/18/2006 5:32 PM 44736]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NAVENG
*NewlyCreated* - NAVEX15
*NewlyCreated* - SPBBCDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService   REG_MULTI_SZ      HPSLPSVC
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-05 05:30]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:04]

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:04]

2010-01-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2010-07-03 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-10-15 19:31]

2009-05-03 c:\windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-10-15 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: {9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1} = 192.168.2.1
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://webmail.us.publicisgroupe.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\29uyp94q.default\
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -

Notify-navlogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-Bridge Building Game - c:\program files\Bridge Building Game\uninstall.exe
AddRemove-GIF Construction Set Professional - c:\windows\ALCHUNIN.EXE
AddRemove-Look@LAN_1.0 - c:\windows\iun6002.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 23:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-02  23:29:04
ComboFix-quarantined-files.txt  2010-07-03 03:29

Pre-Run: 43,484,893,184 bytes free
Post-Run: 44,775,157,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 49BBCAAB46BD7DD53299E697334A0F69

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #7 on: July 02, 2010, 10:26:49 PM »
Please uninstall these:
Azureus
BitTornado

You've had this file present at least since 2008:
c:\windows\system32\lphc3nvj0eca3.exe
...do you know what it is or what it is used for? I don't...and neither does Google. It seems that a search result concludes that you are the only one on the planet that has that file on board. Not good. I suspect it is a remnant of an old Vundo infection not properly removed. Let's see what the scan engines have to say.

Please visit This Web Site...and upload that file for a free scan. When the scan completes, please scroll to the bottom and click the Copy to clipboard button.  On your reply, just right-click in the reply window and select Paste.

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline adf1962

  • Bronze Member
  • Posts: 67
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #8 on: July 03, 2010, 12:11:59 PM »
I uninstalled Azureus and BitTornado.

Unable to locate c:\windows\system32\lphc3nvj0eca3.exe for virus scan.

adf

Offline 1972vet

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #9 on: July 03, 2010, 06:25:21 PM »
Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.



KILLALL::

Folder::
c:\Program Files\Azureus
c:\Program Files\BitTornado

Rootkit::
c:\windows\system32\lphc3nvj0eca3.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"lphc3nvj0eca3"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=-

Offline adf1962

Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #10 on: July 03, 2010, 11:31:54 PM »
Alrightee then . . here's the latest ComboFix log. Note that when I ran it, I was told that there was a newer version and asked if I wanted to update it . . . I said no (hope that's not a problem).

thanks,

ADF


ComboFix 10-07-01.02 - Tony 07/04/2010   0:59.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]
Running from: c:\software\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Azureus
c:\program files\Azureus\plugins\azplugins\azplugins_2.1.3.jar
c:\program files\Azureus\plugins\azrating\azrating_1.3.1.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
c:\program files\Azureus\plugins\azupdater\plugin.properties
c:\program files\Azureus\plugins\azupdater\Updater.jar
c:\program files\Azureus\Uninstall.exe

.
(((((((((((((((((((((((((   Files Created from 2010-06-04 to 2010-07-04  )))))))))))))))))))))))))))))))
.

2010-07-03 03:24 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
2010-07-03 03:24 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
2010-07-03 03:24 . 2008-04-14 00:12   39424   ----a-w-   c:\windows\system32\grpconv.exe
2010-07-03 03:24 . 2008-04-14 00:12   39424   ----a-w-   c:\windows\system32\dllcache\grpconv.exe
2010-07-02 05:39 . 2010-07-02 05:39   60808   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2010-07-02 05:39 . 2010-07-02 05:39   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-01 02:07 . 2010-07-01 02:07   --------   d-----w-   c:\program files\ESET

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 22:30 . 2008-06-05 05:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2010-07-03 21:03 . 2010-03-29 02:16   --------   d-----w-   c:\documents and settings\Rosina\Application Data\HPAppData
2010-07-02 05:41 . 2009-04-14 05:16   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-07-02 05:40 . 2009-04-14 05:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
2010-07-02 05:39 . 2009-04-14 05:16   --------   d-----w-   c:\program files\Symantec
2010-07-02 05:39 . 2010-07-02 05:39   806   ----a-w-   c:\windows\system32\drivers\SYMEVENT.INF
2010-07-02 05:39 . 2010-07-02 05:39   7456   ----a-w-   c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-02 05:34 . 2008-10-15 22:37   --------   d-----w-   c:\program files\Symantec AntiVirus
2010-06-27 10:53 . 2007-03-02 03:44   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-06-24 22:14 . 2010-06-24 22:14   501936   ----a-w-   c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb15B.tmp.exe
2010-06-09 08:06 . 2010-06-09 08:06   976832   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06   70584   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06   331176   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06   331176   ----a-w-   c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11565\AcrobatUpdater.exe
2010-06-04 06:43 . 2010-06-04 06:43   61440   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12247637-n\decora-sse.dll
2010-06-04 06:43 . 2010-06-04 06:43   503808   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\msvcp71.dll
2010-06-04 06:43 . 2010-06-04 06:43   499712   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\jmc.dll
2010-06-04 06:43 . 2010-06-04 06:43   348160   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1b1beb25-n\msvcr71.dll
2010-06-04 06:43 . 2010-06-04 06:43   12800   ----a-w-   c:\documents and settings\Tony\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12247637-n\decora-d3d.dll
2010-05-26 03:36 . 2008-11-09 05:05   256   ----a-w-   c:\windows\system32\pool.bin
2010-05-24 03:51 . 2010-05-24 03:50   503808   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\msvcp71.dll
2010-05-24 03:50 . 2010-05-24 03:50   499712   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\jmc.dll
2010-05-24 03:50 . 2010-05-24 03:50   348160   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5937bc31-n\msvcr71.dll
2010-05-24 03:50 . 2010-05-24 03:50   12800   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3ba2aa6b-n\decora-d3d.dll
2010-05-24 03:50 . 2010-05-24 03:50   61440   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3ba2aa6b-n\decora-sse.dll
2010-05-21 18:14 . 2009-10-03 00:07   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-20 00:29 . 2010-04-14 05:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-05-19 04:51 . 2010-05-19 04:51   1956656   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-19 04:40 . 2010-05-19 04:40   --------   d-----w-   c:\program files\Common Files\Java
2010-05-19 04:40 . 2010-05-19 04:24   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-19 04:34 . 2010-05-19 04:33   1924976   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-05-19 04:31 . 2007-10-25 21:53   --------   d-----w-   c:\program files\Juice
2010-05-19 04:24 . 2006-02-12 23:13   --------   d-----w-   c:\program files\Java
2010-05-13 05:23 . 2006-02-12 23:17   --------   d-----w-   c:\program files\Google
2010-05-11 16:35 . 2009-09-13 01:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 17:20 . 2004-08-11 23:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-11 23:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-11 23:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-11 23:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-09-13 01:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-09-13 01:37   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-11 23:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-10 03:33 . 2010-04-10 03:33   10134   ----a-r-   c:\documents and settings\Tony\Application Data\Microsoft\Installer\{451BB54C-8B23-4455-8BDC-14FC7D43E056}\ARPPRODUCTICON.exe
2010-04-05 07:53 . 2010-04-05 07:53   503808   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\msvcp71.dll
2010-04-05 07:53 . 2010-04-05 07:53   499712   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\jmc.dll
2010-04-05 07:53 . 2010-04-05 07:53   61440   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-392bd560-n\decora-sse.dll
2010-04-05 07:53 . 2010-04-05 07:53   348160   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1659d9f1-n\msvcr71.dll
2010-04-05 07:53 . 2010-04-05 07:53   12800   ----a-w-   c:\documents and settings\Rosina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-392bd560-n\decora-d3d.dll
2005-02-16 20:25 . 2006-02-19 00:38   46592   ----a-w-   c:\program files\R3vfy32.exe
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2008-01-22 00:40   163328   --sha-r-   c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2008-01-22 00:40   31232   --sha-r-   c:\windows\system32\msfDX.dll
2007-12-17 13:43 . 2008-01-22 00:40   27648   --sha-w-   c:\windows\system32\Smab0.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2009-03-09 104696]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-8-30 25896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
"c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional\\ALCHUDDL.EXE"=
"c:\\Program Files\\Software AG\\Entire Connection\\v431\\PccServer.exe"=
"c:\\Program Files\\LogiSphere\\LogiSphere.exe"=
"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/13/2008 7:19 PM 28544]
R0 VirtualK;VirtaulK;c:\windows\system32\drivers\VirtualK.sys [8/15/2009 12:57 AM 3968]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [2/18/2006 5:32 PM 40832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/2/2010 1:43 AM 102448]
R3 GMFilter;GMFilter HID Filter Driver;c:\windows\system32\drivers\GMFilter.sys [8/15/2009 12:57 AM 21760]
R3 skbusenum;SKBus Enumerator;c:\windows\system32\drivers\SKBusEnum.sys [8/15/2009 12:57 AM 10880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 2:05 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 AbelService;AbelService;c:\program files\AbelCam\AbelService.exe [2/25/2007 12:53 AM 81920]
S3 ENDETECT;ENDETECT;c:\progra~1\Bell\ACCESS~1\app\ENDETECT.SYS [2/18/2006 5:32 PM 7752]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S3 NTSTPL1;NTSTPL1;c:\progra~1\Bell\ACCESS~1\app\NTSTPL1.SYS [2/18/2006 5:32 PM 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\Bell\ACCESS~1\app\NTSTPL2.SYS [5/24/2007 8:31 PM 16160]
S3 RAWESR;RAWESR;c:\progra~1\Bell\ACCESS~1\app\RAWESR.SYS [2/18/2006 5:32 PM 16256]
S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [2/18/2006 8:08 PM 41984]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [6/23/2004 9:54 PM 23552]
S3 TAPBIND;TAPBIND;c:\progra~1\Bell\ACCESS~1\app\TAPBIND1.SYS [2/18/2006 5:32 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService   REG_MULTI_SZ      HPSLPSVC
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-05 05:30]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:04]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:04]

2010-01-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2010-07-03 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-10-15 19:31]

2009-05-03 c:\windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-10-15 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: {9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1} = 192.168.2.1
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://webmail.us.publicisgroupe.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\29uyp94q.default\
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-04 01:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\SQLLIB\BIN\db2jds.exe
c:\program files\IBM\SQLLIB\BIN\db2sec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-04  01:24:11 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-04 05:24
ComboFix2.txt  2010-07-03 03:29

Pre-Run: 44,813,967,360 bytes free
Post-Run: 44,803,256,320 bytes free

- - End Of File - - E89E8DE870E0829A12F994FC758C3274

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #11 on: July 04, 2010, 03:05:56 AM »
How's it running now? The log seems to indicate there should not be any more issues.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline adf1962

  • Bronze Member
  • Posts: 67
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #12 on: July 04, 2010, 10:13:17 PM »
It does sound and feel a lot better.  I don't hear the hard drive crunching away while waiting for it to launch a whole bunch of stuff.  Surfing appears less demanding.

I'm happy with the results thus far.

thanks Vet, nice work.

adf1962

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #13 on: July 05, 2010, 07:33:33 AM »
Excellent! You did good work, adf1962.

Next, please click Start-->Run...then copy and paste the text below into the Run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of malicious software intrusion and infections:

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe Mode.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Bearing in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Although my personal preference is Avira AntiVir, one should not rely just on one person's anecdotal account of the effectiveness or efficiency of any one in particular but should determine which best suits their own needs.

Immunize your browser by installing SpywareBlaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust (WOT) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall

Zone Alarm - Beware: This download includes the Ask Toolbar. The ZoneAlarm Spy Blocker toolbar is powered by "Ask.com". The "Ask" search engine will cause "targeted" ads to be presented to you based upon the content of the web pages you visit, any personally identifiable information you have provided to "Ask.com", or keywords appearing in your search queries. Many security experts consider this type of behavior offensive. Windows 2k/XP/Vista

Outpost Free

Comodo - Beware: This download includes the HopSurf toolbar. If YOU DON'T WANT THIS TOOLBAR, be sure to remove the check from the box when presented during the installation. By installing the HopSurf toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. Don't be too alarmed by this caveat...I highly recommend this firewall, but it may just be best suited for advanced users.

Keep your software updated...make it easier on yourself and install the free security tool "Secunia PSI".

It helps in the background to protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software that it finds AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on-board Disk Cleanup:
("Start-->Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [In Progress] Possible Bloodhound.Exploit.213
« Reply #14 on: July 05, 2010, 07:34:59 AM »
This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.