# Bloodhound virus.



## *aussie_blondie (Nov 29, 2002)

I've got the bloodhound virus. Can't find anything on it using google. Can't load browser. Messenger services are okay. Have tried 2 browsers....Netscape and I.E. 
Message in browsers is 'can't connect to the net'
This is after I've quarantined the virus.

If anyone can help, please do asap, thank-you


----------



## Byteman (Jan 24, 2002)

Hiya! If you could download this version of HJT and post your log, that will provide a way for us to help you... Bloodhound is a pretty broad term for many viruses. The log should show us what is going on...
If you are at another PC, you can download HJT to a disk and copy it to the affected PC and create the log that way, and copy the log to a disk to take to a good PC to post... we work that way in these situations. 
I know you have posted many times before, but not sure if you have done HJT logs, so here are the copy and paste directions first:
http://tomcoyote.org/hjt/

and the place to get the download for HJT's newest version, 1.98.2:

http://www.majorgeeks.com/download3155.html

Paste the log into a reply right here in this thread, and do not fix anything with it yet....just Scan, save the log, and paste it.

Reading material on what the term Bloodhound means and why we do not know exactly what variant you may have:

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.html


----------



## *aussie_blondie (Nov 29, 2002)

Thank-you. Will do.


----------



## *aussie_blondie (Nov 29, 2002)

Thank-you so much. I know it must be a pain to go through all of this.

Logfile of HijackThis v1.98.2
Scan saved at 10:46:14, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\ieplore32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\smsc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\isahza.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\videons32.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yldifoduqmqhzpvpy.com/XbdqAFI08xXD/dzWKYdp8I1MPmo4sdoax1E8K213UhU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.afcwruhezte.biz/XbdqAFI08xVrU4WPZhdtdUgmPZlA_f3WkQwE9yvxUo65YOI8qTmi34KHSHraMkwk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mxbstdcwfbotjge.com/XbdqAFI08xXD/dzWKYdp8HJlCgrNK8vRx1E8K213UhU.html"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {48AF6759-EE44-7CE8-8724-64557CD12F6D} - C:\WINDOWS\System32\mzmkakgi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {767DBAE3-A52F-A0C9-2FE5-A806F9CFA2D7} - C:\PROGRA~1\MAILST~1\Team Part.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Internet Explorer] ieplore32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jttgpqpa] C:\WINDOWS\System32\isahza.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [does the] C:\PROGRA~1\HIDELO~1\SETTINGSDEFAULTGRIM.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rcjcs.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\flcir.exe
O4 - HKLM\..\Run: [idol lite seek program] C:\Documents and Settings\All Users\Application Data\meal style idol lite\size bend.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Internet Explorer] ieplore32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Chris\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EEADAF8-4B13-4DC7-8A03-F7DD36DED5FF}: NameServer = 194.74.65.69 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EEADAF8-4B13-4DC7-8A03-F7DD36DED5FF}: NameServer = 194.74.65.69 194.72.9.38


----------



## Byteman (Jan 24, 2002)

Hiya! Wow, you did it this time. You have some of the LATEST worms out....

You should print all this info out!
You will have to get the downloads to disks to use them.

I don't know how much valuable data you may have on there... I would think you have rescued what you needed by now, as it has been a day or so since you first posted.
This is a nasty bugger, and I will say that there is no guarantee that we will stop it easily... and you do risk loss of the files that are on there.
The worst one is W32/Gaobot.AZT, a network-share-aware worm that also terminates security programs like antivirus apps...
""Copies and executes itself as %System%\videons32.exe.""--- at least it is visible...here is what it does:

http://sarc.com/avcenter/venc/data/w32.gaobot.azt.html

You must remove the PC from any networks and disconnect it from the Internet totally... remove the cable from the modem if you have broadband service.
Remove the network cable going to a router/hub/other PC, UNLESS you have one using Win95 or 98; they are usually not vulnerable to this, it says... XP/2000 are.
This worm can control the computer remotely and do pretty much anything the remote operator wishes.
If you go to www.paypal.com, the worm tries to steal PayPal login information by logging keystrokes.

Make sure you have Hidden Files and Folders Viewable
Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab. 
Under the "Hidden files and folders" heading, select Show hidden files and folders. 
UN-check the "Hide protected operating system files (recommended)" option. 
Then click Yes

Disable System Restore:

"" You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed""

Click Start > Programs > Accessories > Windows Explorer 
Right-click My Computer, and then click Properties. 
Click the System Restore tab. 
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box. If it will not let you for some reason, try it from Safe Mode. Use the F8 key at bootup, by tapping it several times, till the menu pops up for a choice, pick Safe Mode....then disable System Restore. That will flush the worms out of the Restore Points...all saved Restore Points are also deleted, but that is the price you pay I guess...you can create new ones after things are cleaned up.

DO::

Delete the contents only of ALL temporary folders such as (for example):
c:\temp
c:\windows\temp

(Delete contents only NOT the folders!)
In Internet Explorer go to Tools > Internet Options and delete all cookies, files and all offline content . You can start IE offline> just to run the cleanup from top of page>Tools>Internet Options...
Empty Recycle Bin...

NEXT: I want you to get some downloads, put them on floppy disks or whatever you can to bring to the infected PC (last I knew, you were not able to get on the Net with it, correct?).
Get this:

http://www.symantec.com/avcenter/FixQhost.exe
Download to desktop.
Double-click the FixQhost.exe file to start the removal tool. 
Click Start to begin the process, and then allow the tool to run. 
Restart the computer. 
Run the removal tool again to ensure that the system is clean. 
AND THIS:

http://members.aol.com/toadbee/hoster.zip
Boot to Safe Mode & Unzip the program, install it, and run it. Click on the "Restore Original Hosts" button, then click "OK".
Close Hoster.

Edit the Registry:

Click Start, and then click Run. (The Run dialog box appears.) 
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also, check the RunServices key...and

In the right pane, delete the value:

"Windows Video Drivers" = "videons32.exe"
Close the Registry Editor.

NEXT:

These removal tools may help clear up some stuff....
http://vil.nai.com/vil/stinger/
Run it and check the Preferences setting to make sure that "Repair all infected files" is marked and scan for bugs with Stinger.

HijackThis fixing::
Here is what I come up with to fix with HJT. Be careful checking them when you run HJT; put checks into the right ones... some repeat and you must get them all.
You may not see them all; don't worry about that. 
I AM NOT SURE about this entry:
- BHO: (no name) - {767DBAE3-A52F-A0C9-2FE5-A806F9CFA2D7} - C:\PROGRA~1\MAILST~1\Team Part.exe
so if you recognize it and have had it awhile as a program...let it stay for now. If you recognize any others, that you are sure are OK, skip them...

C:\WINDOWS\System32\ieplore32.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\isahza.exe
C:\WINDOWS\System32\videons32.exe
C:\WINDOWS\System32\wuamgrd.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yldifoduqmqhzpvpy.com/Xb...1E8K213UhU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.afcwruhezte.biz/XbdqAFI0...4KHSHraMkwk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: (no name) - {48AF6759-EE44-7CE8-8724-64557CD12F6D} - C:\WINDOWS\System32\mzmkakgi.dll
O2 - BHO: (no name) - {767DBAE3-A52F-A0C9-2FE5-A806F9CFA2D7} - C:\PROGRA~1\MAILST~1\Team Part.exe
O4 - HKLM\..\Run: [Internet Explorer] ieplore32.exe
O4 - HKLM\..\Run: [jttgpqpa] C:\WINDOWS\System32\isahza.exe
O4 - HKLM\..\Run: [does the] C:\PROGRA~1\HIDELO~1\SETTINGSDEFAULTGRIM.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rcjcs.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\flcir.exe
O4 - HKLM\..\Run: [idol lite seek program] C:\Documents and Settings\All Users\Application Data\meal style idol lite\size bend.exe>>>if you know this is OK leave it...
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\RunServices: [Internet Explorer] ieplore32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe

Do NOT reboot yet...find these files and delete them: if any resist deleting, look for a process running (CTRL+ALT+DEL keys) and try to shut that process down...

C:\Documents and Settings\All Users\Application Data\meal style idol lite\size bend.exe----if good, leave it.

C:\WINDOWS\System32\flcir.exe
C:\WINDOWS\System32\rcjcs.exe
C:\WINDOWS\System32\mzmkakgi.dll
C:\WINDOWS\System32\ieplore32.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\isahza.exe
C:\WINDOWS\System32\videons32.exe
C:\WINDOWS\System32\wuamgrd.exe
They may not be found, but look carefully.

>Send in a fresh HijackThis scanlog. I am holding my breath with this one!
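
The checks Byteman made by eye on the log above can be written down so the same log can be triaged consistently. The script below is an added example for this thread, not HijackThis code and not something any poster wrote. It parses the R0/R1, O2, O4 and O17 lines and reports: Run values that launch a bare filename with no path; names within two edits of a Windows binary (ieplore32 for iexplore, scvhost for svchost, smsc for smss); system-sounding value names ("Microsoft Update", "Windows Video Drivers") backing a binary that is not a Windows component; unlisted binaries in System32; BHOs living in the Windows directory or registered against an .exe; start/search pages outside a baseline; and DNS servers outside an expected set. KNOWN_WINDOWS_STEMS, SYSTEM_WORDS, the edit-distance threshold, BASELINE_HOSTS and the empty EXPECTED_DNS are my assumptions; the SAMPLE_LOG lines are copied from the log posted above.

```python
"""Triage of HijackThis (v1.98-era) log lines for the signals discussed in this thread.
Added example, not part of HijackThis and not code from any poster.  The stem list, the
keyword list, the edit-distance threshold and the baseline hosts are assumptions."""
import re
from urllib.parse import urlsplit

# Windows binaries the entries here imitate (ieplore32 -> iexplore, scvhost -> svchost, smsc -> smss).
KNOWN_WINDOWS_STEMS = sorted({"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer", "iexplore", "wuauclt", "msmsgs", "ctfmon"})
# Words a Run value uses to pose as a Windows/Microsoft component ("Microsoft Update", "Win32 USB2 Driver").
SYSTEM_WORDS = {"microsoft", "windows", "win", "update", "driver", "drivers", "service", "system", "internet", "explorer", "cryptographic"}
BASELINE_HOSTS = frozenset({"www.msn.co.uk", "www.packardbell.co.uk"})  # assumed legitimate for this PC
EXPECTED_DNS = frozenset()  # your ISP's resolvers; left empty so every O17 entry surfaces for checking
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - .* = (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yldifoduqmqhzpvpy.com/XbdqAFI08xXD/dzWKYdp8I1MPmo4sdoax1E8K213UhU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
O2 - BHO: (no name) - {48AF6759-EE44-7CE8-8724-64557CD12F6D} - C:\WINDOWS\System32\mzmkakgi.dll
O2 - BHO: (no name) - {767DBAE3-A52F-A0C9-2FE5-A806F9CFA2D7} - C:\PROGRA~1\MAILST~1\Team Part.exe
O4 - HKLM\..\Run: [Internet Explorer] ieplore32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rcjcs.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EEADAF8-4B13-4DC7-8A03-F7DD36DED5FF}: NameServer = 194.74.65.69 194.72.9.38
"""

def executable_of(cmd):
    """Program path from a Run-key command: quoted, else unquoted up to the first .exe/.dll."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def stem(path):  # lower-case file name minus extension and trailing digits: ieplore32.exe -> ieplore
    base = path.rsplit("\\", 1)[-1].lower()
    return base.rsplit(".", 1)[0].rstrip("0123456789")

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(s):
    """Known stem within two edits of s but not equal to it (a typo-squatted name), else None."""
    for known in KNOWN_WINDOWS_STEMS:
        d = levenshtein(s, known)
        if 0 < d <= 2 and 3 * d < len(known):
            return known
    return None

def check_o4(name, cmd):
    exe, reasons = executable_of(cmd), []
    s, low = stem(exe), exe.lower()
    if "\\" not in exe:
        reasons.append("bare filename with no fixed path, located by search at logon")
    known = lookalike_of(s)
    if known:
        reasons.append(f"name resembles Windows binary {known}.exe")
    posing = set(re.findall(r"[a-z]+", name.lower())) & SYSTEM_WORDS
    if posing and s not in KNOWN_WINDOWS_STEMS and not re.search(r"program files|progra~1", low):
        reasons.append("value name claims a Windows/Microsoft component but the binary is not one")
    if "\\system32\\" in low and s not in KNOWN_WINDOWS_STEMS:
        reasons.append("unlisted binary in System32, compare against a clean install")
    return reasons

def check_o2(name, path):
    low, reasons = path.lower(), []
    if "\\windows\\" in low or "\\winnt\\" in low:
        reasons.append("BHO loaded from the Windows directory" + (", and unnamed" if name == "(no name)" else ""))
    if not low.endswith((".dll", ".ocx")):  # BHOs are in-process COM servers, so an .exe target is odd
        reasons.append("BHO registered against a non-DLL file")
    return reasons

def check_r(url):
    host = urlsplit(url if "://" in url else "http://" + url).netloc.lower()
    return [] if host in BASELINE_HOSTS else [f"start/search page set to {host}, not in baseline"]

CHECKS = ((O4_RE, lambda m: check_o4(m["name"], m["cmd"])), (O2_RE, lambda m: check_o2(m["name"], m["path"])),
          (R_RE, lambda m: check_r(m["url"])),
          (O17_RE, lambda m: [f"DNS server {ip} not in expected set, confirm with the ISP" for ip in m["ips"].split() if ip not in EXPECTED_DNS]))

def triage(log_text):
    """Return [(line, [reasons])] for each log line that trips a check; clean lines are omitted."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        for rx, check in CHECKS:
            if (m := rx.match(line)) and (reasons := check(m)):
                findings.append((line, reasons))
    return findings
```

Treat the output as a review list, not a kill list. The rules deliberately say nothing about entries like "[idol lite seek program] size bend.exe" under Application Data, which trips none of them; that is the same judgement call Byteman left to the owner, and the caution he attached to "Team Part.exe" (flagged here only because a BHO pointing at an .exe is unusual) still applies.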


----------



## *aussie_blondie (Nov 29, 2002)

This looks very, very serious. Please would you stand by in case I need more help? How did I get all this stuff; do you have any idea?
Thanks for taking the trouble to do all that for me. Looks like I might have lost a whole lot of data if you hadn't.


----------



## Byteman (Jan 24, 2002)

Hi. Usually a virus that is not stopped by your antivirus program is a new variant or a totally new thing... so you are basically defenseless if the code it contains is executed: by clicking on an attachment in email, for one... or downloading something that appears in an instant message or IRC chat window, for two. Or downloading infected files through file sharing programs, for #3...
Using infected floppy disks, but that is not too common... #4. The method of infection becoming most common these days is through online chat programs.
""W32.Gaobot.AZT is repacked variant of W32.Gaobot.WO. It attempts to spread through network shares that have weak passwords. It also allows attackers to access an infected computer through a predetermined IRC channel."" (that's from the link I put in my first reply, from the Symantec (Norton) antivirus site.)
You probably should change the passwords on the computer(s) you have....and change your logins at IRC and create STRONGER passwords...until the infection is cleared up, any passwords you have may be readable...ouch!

Someone could have clicked on a profile link, or a website link that sent the PC to an infected website.

The malware we usually see classed as spyware or ad-based can simply install itself if the computer you reach an infected website with is NOT protected by patching the holes in, for example, Internet Explorer, Windows Media Player, instant messaging programs like AIM, and so on...
The critical updates from Microsoft take care of issues they build patches or updates for...but sometimes there is a long lag before patches are available, so you can be infected even if you are up to date....
It's a matter of protecting the pc but being able to actually do what you want...but safely.
The protective tools we use such as Spywareblaster, SpywareGuard, IE-SPYAD, and others can help, as well there is some features such as the Immunize one that SpyBot Search and Destroy has that can help.
There are programs you can pay for as well...
SOME well advertised anti-spyware apps are NOT what they seem, cost money and actually create more problems than you had before you got them! 
There are many of these rogue programs around.

http://www.spywarewarrior.com/rogue_anti-spyware.htm
The virus you have attacks networks... it is designed to spread via other pcs through shared drives, to steal passwords, product keys for games, and a lot of things...
You probably have some security issues>> such as not using a firewall, that need attention. There are several good freeware firewalls available.
You cannot install one just now so wait on that...
You will have to try fixing things so you can get that pc online, get immediately patched ((you can be reinfected in less than a few minutes)) 
You will have to disconnect other pcs from it, and let the bad one have Internet access somehow to get the Windows Updates.... and the bad part> there might not be a patch that prevents this virus yet...
(I forgot to look for that info) 
Once you get Norton antivirus up to date and working OK, it should be able to deal with this infection. Are your subscriptions working....could you get updates regularly up until the problem occurred?
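
Byteman's two points here, that an unpatched XP box with no firewall is reinfected within minutes and that Gaobot takes its orders over a predetermined IRC channel, can both be checked from the machine itself with `netstat -ano`. The script below is an added example, not code from any poster or vendor tool. It parses netstat output and reports RPC/SMB listeners bound on all interfaces (the services hit by the DCOM RPC and LSASS exploits that Stinger later named as Exploit-DcomRpc and Sasser, patched by MS03-026 and MS04-011), the FTP and shell listeners Sasser itself opens on TCP 5554 and 9996, and established connections to IRC ports. SAMPLE_NETSTAT is constructed to resemble such a box; its PIDs and addresses are invented.

```python
"""Audit of `netstat -ano` output for the exposure pattern described in this thread.
Added example, not code from any poster or vendor.  The port-to-threat mapping is the
documented one for the worms Stinger reported; SAMPLE_NETSTAT is constructed."""
import re

# Services the worms need reachable from the network, bound on every interface.
EXPOSED_SERVICE_PORTS = {
    135: "DCOM RPC endpoint mapper (Exploit-DcomRpc / Blaster family, MS03-026)",
    139: "NetBIOS session service (SMB share spreading)",
    445: "SMB / LSASS (Sasser, MS04-011; weak-password share spreading by Gaobot/Sdbot)",
}
# Listeners Sasser itself opens on an infected host.
WORM_LISTENER_PORTS = {5554: "Sasser FTP server (serves copies of the worm)",
                       9996: "Sasser remote shell"}
# Gaobot/Sdbot take commands from an IRC channel; these are the usual IRC server ports.
IRC_PORTS = set(range(6660, 6670)) | {7000}
WILDCARD = {"0.0.0.0", "[::]", "::", ""}

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")

# Constructed sample in XP `netstat -ano` layout (invented PIDs and documentation-range addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1560
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1028
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED     1312
  TCP    192.168.1.10:1055      198.51.100.20:80       ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""


def split_endpoint(ep):
    """'192.168.1.10:1043' -> ('192.168.1.10', 1043); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def audit_netstat(text):
    """Return [(pid, port, why)] for each TCP line matching a worm-relevant pattern."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue  # header, blank, or UDP
        pid, state = int(m["pid"]), m["state"] or ""
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        if state == "LISTENING":
            if lport in EXPOSED_SERVICE_PORTS and lhost in WILDCARD:
                findings.append((pid, lport, "exposed service, " + EXPOSED_SERVICE_PORTS[lport]
                                 + ": firewall it or unplug until patched"))
            if lport in WORM_LISTENER_PORTS:
                findings.append((pid, lport, "worm listener, " + WORM_LISTENER_PORTS[lport]
                                 + ": identify the image behind this PID"))
        elif state == "ESTABLISHED" and rport in IRC_PORTS:
            findings.append((pid, rport, f"outbound IRC session to {rhost}: "
                             "bot command channel unless an IRC client is deliberately running"))
    return findings


def audit_sample():
    return audit_netstat(SAMPLE_NETSTAT)


if __name__ == "__main__":
    for pid, port, why in audit_sample():
        print(f"PID {pid:>5}  port {port:>5}  {why}")
```

Map each reported PID to its image with `tasklist /svc` (XP Professional) or Task Manager with the PID column enabled before killing anything. PID 4 on port 445 is the System process, which is expected on XP; that is why the fix for the exposed-service findings is the firewall and the patch, not a process kill, while a user-mode PID behind 5554 or an IRC session is the thing to hunt down.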


----------



## *aussie_blondie (Nov 29, 2002)

Edited.....Posted wrong hijackthis log.


----------



## dvk01 (Dec 14, 2002)

The strangely named files that Byteman wasn't sure about are LOP, and until the files and their folders are removed the search will still be diverted.

Once you post a new HJT log we can check.


----------



## *aussie_blondie (Nov 29, 2002)

LOP?

Hi, thanks a lot for all your help. I did everything you suggested.
FixQHost didn't find any trojan Qhosts, but Stinger found the following:
Exploit - DcomRpc.gen trojan
w32/Sasser.worm!ftp
w32/kovgo.worm.q
w32/kovgo.worm.p
w32/kovgo.worm.v
w32/kovgo.worm.s
w32/kovgo.worm.g
w32/Sdbot.worm.gen
w32/Sdbot.worm.gen.j
I removed all the HijackThis lines I could find and removed smsc, isahza and videons32 from system32 (the others weren't there and weren't hidden). Here's the new HijackThis scan; hope things are looking better! Cheers again.

Logfile of HijackThis v1.98.2
Scan saved at 18:06:10, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yldifoduqmqhzpvpy.com/XbdqAFI08xXD/dzWKYdp8I1MPmo4sdoax1E8K213UhU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jyltigdihhcuzitzpd.com/X...PZlA_f3WkQwE9yvxUo761vW3aXMj/YKHSHraMkwk.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mxbstdcwfbotjge.com/XbdqAFI08xXD/dzWKYdp8HJlCgrNK8vRx1E8K213UhU.html"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Chris\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center


----------



## Byteman (Jan 24, 2002)

Hi, Looking lots better, still some work to do:

Fix all these with Hijackthis: Remember-have ALL other browser windows closed when you fix these.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yldifoduqmqhzpvpy.com/Xb...1E8K213UhU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jyltigdihhcuzitzpd.com/X...KHSHraMkwk.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

Check that you have these settings for Windows Explorer:

flrman1 said:

> Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
> Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
> 
> Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
> Click "Apply" then "OK"


See if these files are still in C:\Windows\System32; delete them if so:

wuamgrd.exe
smsc.exe (really don't think you will find any, but look).

Is there any way for you to download something to this PC?
Are you using it on the Internet now?
Adaware is about 2.85 MB, so it will NOT fit on a floppy; it will on a ZIP disk, or of course a CD.

If you want to take a chance, it might help if you could get some Windows Updates... if it says there are none, good.
BUT CHECK FOR THEM!!!
If you are able to connect:

Go and download AdAware SE personal edition here:

http://www.majorgeeks.com/download506.html

There are a few settings to check on after you install the program:

flrman1 said:

> Install the AdAware SE program and launch it.
> 
> First in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files.
> 
> ...


If you get and run AdAware SE... or not, please post a new HJT logfile.


----------



## dvk01 (Dec 14, 2002)

Nute4260

I have split your post off to http://forums.techguy.org/showthread.php?t=267129, so post your log in your own thread please.


----------



## Afinogenov (Jul 14, 2004)

You got Sasser. That's bad.


----------



## arol116 (Aug 29, 2004)

Hey, I've also had the same problems with the Bloodhound virus. I wasn't able to use a web browser, and Norton AntiVirus could not access the files the virus was in. The computer is only a month old, so I didn't have anything important on it, so I just used the recovery and applications CD that came with the computer to reinstall everything. It seemed to work OK, and now when the computer is scanned, no viruses are detected. Is it any way possible that the virus could still be on my computer, since I didn't use any official way of removing it?


----------



## Byteman (Jan 24, 2002)

Sounds like running that type of restore would flush all your saved Restore Points, which is probably where the infected files were being found and could not be "reached" by the antivirus program. Nothing can do anything with files in the System Restore area; you must disable System Restore to flush all saved Restore Points, and that takes any infections away so they cannot be reinstated by performing a System Restore. 
{{You do not need to disable System Restore now... if something IS found, and IS located in the _RESTORE area, then you do need to disable SR}}

If nothing is being found, it is safe to assume the virus is gone... but check with some online scans to make sure; antivirus programs sometimes must have settings enabled, such as "scan within compressed files", or they may not scan all files unless set to do so.
Set the AUTOCLEAN feature and make sure you are scanning the entire C: drive (all files).

http://housecall.antivirus.com/housecall/start_corp.asp

http://www.pandasoftware.com/activescan

You will also want to make sure you are up to date with Windows Updates, they patch the holes a lot of malware use to enter your computer.


----------



## dvk01 (Dec 14, 2002)

Just all be aware that "bloodhound" is Norton's way of detecting things heuristically, and all heuristics are prone to false alarms, so always double-check any Bloodhound alert with an online scan from one of the different antivirus companies.


----------



## arol116 (Aug 29, 2004)

Thanks a lot... you're a huge help.


----------



## Byteman (Jan 24, 2002)

Hi sona_c, I have split off your post into your own thread here in the Security forum, please reply to the same thread:

http://forums.techguy.org/showthread.php?p=2491815#post2491815


----------

