
W32.Downadup.B and Bloodhound.Exploit.343 Daily Removal

  • This topic is locked
2 replies to this topic

#1 arabronx


  • Members
  • 2 posts
  • Local time:04:46 PM

Posted 25 November 2011 - 01:45 PM

This computer was used by another prior to my use of it. I don't know what programs he installed.

I still have the GMER scan running - 3 hours later... The following is the DDS report.

Thank you for your help!

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by HWHITENA at 8:45:44 on 2011-11-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1160 [GMT -5:00]
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Websense\WDC\WDC.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Websense\WDC\WsUIMgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\hwhitena\Local Settings\Temporary Internet Files\Content.IE5\GOTOR804\HijackThis[1].exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by ARAMARK
uDefault_Page_URL = hxxp://www.aramark.net/
mDefault_Page_URL = hxxp://www.aramark.net/
mStart Page = hxxp://www.aramark.net/
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: System=c:\program files\novell\zenworks\bin\preboot\ZISWIN.EXE
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WsUiMgr] c:\program files\websense\wdc\WsUIMgr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [ZenNotifyIcon] c:\program files\novell\zenworks\bin\ZenNotifyIcon.exe
mRun: [NalView] c:\program files\novell\zenworks\bin\nalview.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [DameWare MRC Agent] c:\windows\dwrcs\DWRCST.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\mapit.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starback.lnk - c:\program files\star pc backup\StarBack.exe
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236608663479
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236608708870
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://kronos.bronxleb.org/wfcstatic/plugins/jre-1_5_0_09-windows-i586-p.exe
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aramark.webex.com/client/T26LSP49EP5/nbr/ieatgpc.cab
TCP: DhcpNameServer =
TCP: Interfaces\{A8E704C2-5A1C-49C7-9BA4-3E287DCB8648} : DhcpNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: MRCNotify - c:\windows\dwrcs\DWRCWXL.dll
Notify: nzrNotifier - nzrNotifier.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ZENworks Adaptive Agent: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\bin\NalShell.dll
============= SERVICES / DRIVERS ===============
R0 WsFsF;WsFsF;c:\windows\system32\drivers\wsfsfxp.sys [2008-5-30 48768]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 wscam6300;wscam6300;c:\windows\system32\drivers\wscam6300.sys [2008-5-30 35072]
R1 wstdi;wstdi;c:\windows\system32\drivers\wstdixp.sys [2008-5-30 35584]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2009-3-23 155648]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-18 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-18 108456]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2008-9-14 87416]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2010-8-30 139264]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\landesk\ldclient\amtmon.exe [2010-8-30 1044480]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\program files\novell\zenworks\bin\ZenworksWindowsService.exe [2008-8-2 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\program files\novell\zenworks\bin\nzrWinVNC.exe [2008-7-23 2379776]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\softmon.exe [2010-8-30 385024]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-8-18 1839888]
R2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\websense\wdc\WDC.exe [2008-5-30 479232]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-9-29 9176]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-7-2 31896]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-11 106104]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2009-4-27 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2009-4-27 3712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111124.036\NAVENG.SYS [2011-11-25 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111124.036\NAVEX15.SYS [2011-11-25 1576312]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-12 136176]
S2 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [2009-9-29 172032]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-4-24 23888]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-12 136176]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2009-4-27 11904]
S3 SWI32;SWI32;c:\program files\landesk\ldclient\tvsuhd32.sys [2010-8-30 72256]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2010-10-1 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2010-10-1 24192]
=============== Created Last 30 ================
2011-11-24 19:00:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-11-24 18:59:06 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-11-24 18:59:06 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-11-16 19:30:42 -------- d-----w- c:\documents and settings\hwhitena\local settings\application data\ApplicationHistory
2011-11-15 18:36:11 -------- d-----w- c:\windows\system32\ESUG
2011-11-03 20:14:58 -------- d-sh--w- C:\found.002
2011-11-03 12:58:04 -------- d-----w- c:\documents and settings\hwhitena\local settings\application data\Mozilla
2011-11-03 12:57:35 -------- d-----w- c:\documents and settings\hwhitena\local settings\application data\Mozilla Firefox
==================== Find3M ====================
2011-01-19 19:30:01 331292744 ----a-w- c:\program files\OJJ4600_Full_13.exe
============= FINISH: 8:46:21.75 ===============



#2 nasdaq


  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:46 PM

Posted 30 November 2011 - 10:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your logs.

W32.Downadup.B and Bloodhound.Exploit.343 Daily Removal

Some Symantec articles on the identified malware.

Unless you have some difficulties with this computer, it may be just a false positive.

Let's try a few things.

HijackThis is running from your Internet Explorer temporary files.
C:\Documents and Settings\hwhitena\Local Settings\Temporary Internet Files\Content.IE5\GOTOR804\HijackThis[1].exe
Stop that process.
I would also remove the program via the Add/Remove Programs list.
The DDS tool is a much better tool to report registry entries.

Have you added these startup entries recently or have they been around for some time?
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\mapit.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starback.lnk - c:\program files\star pc backup\StarBack.exe

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet.

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Please post the logs and let me know if the problem persists.
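The two things the reply above picks out of the DDS log (a process running from the Internet Explorer cache and the StartupFolder entries) can be pulled out mechanically. The following is an added example, not part of the original posts and not code from DDS or BleepingComputer; the sample is a constructed excerpt built from lines in the log above, the transient-directory list is an assumption, and the "No File" BHO check goes beyond what the reply raised.

```python
import re

# Constructed excerpt in DDS layout, using lines quoted in the thread above.
SAMPLE_DDS = r"""============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Documents and Settings\hwhitena\Local Settings\Temporary Internet Files\Content.IE5\GOTOR804\HijackThis[1].exe
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\mapit.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starback.lnk - c:\program files\star pc backup\StarBack.exe
============= SERVICES / DRIVERS ===============
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-9-29 9176]
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# Directories a long-lived process should not normally run from (assumed list).
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def split_sections(log_text):
    """Return {section title: [lines]} keyed by the '==== Title ====' banners."""
    sections, current = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return sections


def triage(log_text):
    """Collect entries a reviewer would ask the user about; not a verdict."""
    s = split_sections(log_text)
    hjt = s.get("Pseudo HJT Report", [])
    return {
        "transient_path_processes": [p for p in s.get("Running Processes", [])
                                     if any(d in p.lower() for d in TRANSIENT_DIRS)],
        "startup_folder": [l.split(": ", 1)[1] for l in hjt if l.startswith("StartupFolder: ")],
        "missing_file_bho": [l for l in hjt if l.startswith("BHO: ") and l.endswith("- No File")],
    }


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_DDS).items():
        for entry in entries:
            print(f"{category}: {entry}")
```

A hit in any category is a prompt for a question to the user, as in the reply above, rather than evidence of infection.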

#3 nasdaq


  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:46 PM

Posted 05 December 2011 - 10:30 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
