Infected with Bloodhound.Exploit.196

Hi, I am running Windows Vista and have been infected with Bloodhound.Exploit.196 as well I believe. My Symantec constantly brings up that it has found and quarantined files. I have followed the steps of running ATF cleaner and also completed a scan with SUPERAntiSpyware.

Here is the log from SUPER as asked for in a previous post.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/10/2009 at 06:49 AM

Application Version : 4.25.1014

Core Rules Database Version : 3790
Trace Rules Database Version: 1746

Scan type : Complete Scan
Total Scan Time : 00:25:15

Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 8675
Registry threats detected : 0
File items scanned : 26454
File threats detected : 63

Adware.Tracking Cookie
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@ad.yieldmanager[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@content.yieldmanager[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@content.yieldmanager.edgesuite[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@atdmt[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@doubleclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ad.yieldmanager[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ar.atwola[4].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@at.atwola[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ar.atwola[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@at.atwola[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ar.atwola[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ad.yieldmanager[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@tacoda[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@trafficmp[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@trafficmp[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@tacoda[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@edge.ru4[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@dynamic.media.adrevolver[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adopt.specificclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@revsci[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@revsci[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@statse.webtrendslive[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@statcounter[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ads.pointroll[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adrevolver[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@atdmt[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@edge.ru4[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@realmedia[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@atdmt[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@realmedia[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@fastclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@imrworldwide[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@fastclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@atwola[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@atwola[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@apmebf[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@www.googleadservices[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@specificclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@mediaplex[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@specificclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@www.internationalsexguide[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@msnbc.112.2o7[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@advertising[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@247realmedia[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adopt.euroclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@casalemedia[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adopt.euroclick[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@zedo[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@msnportal.112.2o7[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@serving-sys[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@insightexpressai[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@bs.serving-sys[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adlegend[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@bluestreak[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@questionmarket[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@interclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@media6degrees[3].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@media.adrevolver[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@doubleclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@media6degrees[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@doubleclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@advertising[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@questionmarket[2].txt


Thanks for the help in advance!

Let's also try a Mbam log
-------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Thanks for the quick response. Here is the log report from MBAM.

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 6.0.6001 Service Pack 1

3/10/2009 8:03:37 PM
mbam-log-2009-03-10 (20-03-37).txt

Scan type: Quick Scan
Objects scanned: 66724
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

NAV has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound Technology. An example of such a detection is shown here. According to Symantec, files that are detected as Bloodhound or Bloodhound.Exploit.196 may or may not be malicious. Symantec asks that you Submit Virus Samples detected as Bloodhould.Exploit to the Symantec Security Response Team.

Symantec's technology uses an expert system to analyze the cataloged behaviors and assess the likelihood of viral infection. Bloodhound is not the name of a virus, but a message displayed by NAV when it thinks it may have found a new virus which is categorized as Exploit, Packed variants in their defintion files.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" if virus detection technology (AutoProtect Settings) are set to High for Bloodhound and the heuristic analysis flags a file as suspicious or infected that contains no malware. You may want to Reset Bloodhound to default settings and try scanning again.

NAV is doing its job when alerting to a Bloodhound exploit but from personal experience and testing, I have found some of these alerts to be a false positive. You need to investigate further if you continue to get them and follow Symantec's instructions for submitting samples.

The NAV version I'm using doesn't give me any options to change the Bloodhound protection levels. I'm using version 10.2, and can't find anything online about how to change it back to default levels. I am continuously getting detections while I am on my computer...a new file gets detected about once every 20 minutes. They are always .tmp files. Am I pretty much just stuck having these detections constantly, or is there something else that can be done?

Thanks.

I don't use NAV and I can't find any instructions when doing a search on the net. There should be an NAV User Guide on the installation CD in .pdf format or you can contact and ask Symantec Tech/Customer Support. You still need to send them a sample.

You should also get a second opinion on the detected files. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

Each time I try to upload one of the files, it says that I don't have permission to open the file. I was able to send it to Symantec directly from the quarantine, though I'm not sure if they'll be able to give me file analysis that you are requesting. Even if it is just harmless, is the only way to stop the messages from coming up to change the Bloodhound protection levels? I never went in there and changed it myself, so I'm not sure why they wouldn't be at the default setting already.