Bloodhound.exploit.196 - Need help


13 replies to this topic

#1 will2k

will2k

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 14 July 2009 - 04:43 PM

Greetings,

After trying everything possible (to me at least), I am asking for guidance from one of the more experienced members.

It's about the Bloodhound exploit 196; it started like 2-3 weeks ago and every time I start or restart the system, I get a pop up message from Symantec antivirus 10.2 that it successfully quarantined the infected file. Afterwards, everything is normal: no more pop ups even after running the pc for 6-7 hours, cpu load is normal (1-3% at idling), no slowdowns, connection to internet is ok.

What i did:

turned off system restore, made sure SAV has the latest defs, rebooted in safe mode, ran full scan...nothing.
checked the registry for any suspicious entry in the run / run once keys...nothing

ran adaware 2008 scan...nothing

emptied the quarantine of SAV (manually deleting the files)

restart --> same pop up, file is quarantined again


ran malwarebytes quick scan-->zero infections

ran ATF cleaner to remove the temp files from the system
ran XoftspySE and SuperAntiSpyware in full scan --> no infections
ran Mcafee stinger --> no infections

yet this pop up from Symantec still appears on each startup.

ran HijackThis and OTL and generated logs: I couldn't catch the suspicious parts and I could be very wrong in my interpretation (maybe false positive??) and that's why I need help.

my system: Vista home premium SP2 32bit
Symantec antivirus 10.2.0.322
Firefox 3.5

thanking you in advance for your time, help and assistance.


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:03 AM

Posted 15 July 2009 - 10:45 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bullet and press Submit.



What is the name of the file that Symantec keeps trying to quarantine, and where is its location?

Next

Let's submit the file to Virus Total so that it will scan it with multiple scanners to see if it is a False Positive.

To submit a file to Virus Total:

-Go to Virus Total
-Click the Browse button and then browse to the file's location. Once there, click the file and then press open.
-Then click Send File
-Please wait for the scanner to finish processing the file.
-Once done, please copy and paste the results on this page into your next post.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 15 July 2009 - 11:08 PM

Bloodhound.Exploit.196 is a heuristic detection for files attempting to exploit one of the following vulnerabilities:

Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)


Files that are detected as Bloodhound.Exploit.196 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.196. For instructions on how to do this using Scan and Deliver, read Submit Virus Samples. You should also submit a sample to your vendor.

Do you have the latest version of Adobe Reader, so it cannot be exploited? Adobe Reader 9.1
http://get.adobe.com/reader/

If you install this, UNcheck the box on that page that says:
Also install:
Free Google Toolbar (optional)

#4 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 18 July 2009 - 03:34 PM

thank you for your replies and sorry for the delay, i was away for a couple of days.

I already tried something and it worked (before I had the chance to check this topic and read your replies)

As boopme mentioned, since Bloodhound.Exploit.196 is related to Adobe Acrobat, I uninstalled my copy of Acrobat Pro 7.0 (a little outdated and vulnerable for Vista maybe?) and then ran Registry Booster to clean the registry from any leftover keys.

Guess what: I restarted and no more Bloodhound.Exploit.196 pop up at startup.

However, the story does not end here.

another pop up took place:

Trojan.webkit!html

and now symantec is reporting that the file is cleaned by deletion (not quarantined) at each startup.

I turned off system restore, ran SAV in full scan in safe mode; it found like 4 instances of this webkit trojan in 4 files (all in the Content.IE5 folder) and deleted them. I restarted and the pop up emerged again.

now what???

thanks again for your help and time

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:03 AM

Posted 18 July 2009 - 03:52 PM

Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

#6 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 19 July 2009 - 10:12 AM

Malwarebytes 1.39 is already installed and updated on my system.
I already ran a full scan yesterday and found nothing; here's the log file:

Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 6.0.6002 Service Pack 2

7/18/2009 4:25:17 PM
mbam-log-2009-07-18 (16-25-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 391039
Time elapsed: 3 hour(s), 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This full scan was done in safe mode while running the full scan with Symantec AV.

(P.S: do I still need to go through the procedure you mentioned in your post about downloading and renaming the install file of MBAM before installation??)

thanks

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 19 July 2009 - 12:30 PM

It's still a waste of time to run MBam yet.

Did you submit the files to Jotti/Virustotal and get a reply?

Find and delete the following files and folders:

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\pro-activellc[1].htm

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\index[1].htm

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\pro-activellc[1].htm

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Now scan with your SAV

#8 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 19 July 2009 - 01:55 PM

boopme, I think the locations you mentioned belong to Win XP. I use Vista, as mentioned in my 1st post.

The correct location(s), I think, are:
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\"username"\AppData\Local\Microsoft\Windows\Temporary Internet Files

I already used ATF cleaner several times to clean temp files as well as deleted them manually (in the above location).

I am starting a SAV scan now; will keep you posted
thanks

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 19 July 2009 - 02:49 PM

Ok yes, let's see if the new scan produces a good result.

#10 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 19 July 2009 - 05:23 PM

SAV full scan completed
408919 files scanned in 140 min --> zero infections

I restarted and ... same pop up
2 instances of Trojan.Webkit!html in 2 files:
C:\Users\"username"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WTE2WSG0\f2[1].html
C:\Users\"username"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WTE2WSG0\i1[1].html

both were cleaned by deletion by SAV

This is becoming confusing.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 19 July 2009 - 07:17 PM

Ok.
You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

There is something making this reproduce and we will need to remove it.
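For the symptom described above (cached HTML files that reappear after every reboot), here is an added read-only triage script; it is example code, not something posted in the thread. It assumes the Vista cache path given earlier in the thread (plus the `Low` tree that IE Protected Mode uses) and only lists the cache files written since the last boot together with the IE start-page, Run/RunOnce and Startup-folder entries that could be fetching them, so a helper can see what re-creates the files before anything is deleted.

```powershell
# Read-only triage helper (added example, not from the thread).
# Lists IE cache files written since the last boot and the auto-start
# locations that could be re-fetching them. Nothing is deleted or changed.

$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

# Vista cache paths from the thread; the 'Low' tree is used by IE Protected Mode.
$tif        = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'
$cacheRoots = @((Join-Path $tif 'Content.IE5'), (Join-Path $tif 'Low\Content.IE5'))

Write-Host "Cache files written since last boot ($lastBoot):"
foreach ($root in $cacheRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $lastBoot } |
        Sort-Object LastWriteTime |
        ForEach-Object { '{0:s}  {1,8} bytes  {2}' -f $_.LastWriteTime, $_.Length, $_.FullName }
}

# Values that make IE (or anything else using the WinINet cache) load a page at logon.
$startKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $startKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "`n[$key]"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds.
        if ($p.Name -notlike 'PS*') { '  {0} = {1}' -f $p.Name, $p.Value }
    }
}

# The per-user Startup folder is another place a shortcut to a web page can sit.
$startup = [Environment]::GetFolderPath('Startup')
Write-Host "`n[$startup]"
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue | ForEach-Object { '  ' + $_.Name }
```

Run it from an elevated PowerShell prompt shortly after a reboot; a cache entry whose timestamp matches the logon time points at whatever auto-start item fetched it.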

#12 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 20 July 2009 - 05:19 AM

Alright.
I'm at work right now but I will start a new topic in the HijackThis forum with an HJT log as soon as I get home tonight.
I'll include a link to this topic for further details

"Boopme" and "Computer Pro", thanks for your help and time

#13 will2k

will2k
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 20 July 2009 - 01:04 PM

Here's the link to my newly created thread in the HJT forum:

HJT thread

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 20 July 2009 - 01:09 PM

Ok, that looks good. They will straighten this out.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



