
Bloodhound.Exploit.33 removal


4 replies to this topic

#1 Christechie

Posted 30 September 2016 - 09:31 AM

My Dell OptiPlex 7010 with Win 7 has Symantec Endpoint Protection installed (work computer).  My default browser is Firefox and I spend most of my day on the Newsday (local newspaper) web site.  This week I've received a few SEP risk warnings with regards to Bloodhound.Exploit.33 when accessing certain hyperlinks on the Newsday web site.  I have written to Newsday to report this.

 

I received one of these risk warnings yesterday 9/29/16 and here is the location and file name of this intruder:

C:\Users\cgietsch\AppData\Local\Mozilla\Firefox\Profiles\9kwdwxg6.default\cache2\entries\489A6AC571F7F3DD601E6E3A4DAE9048DBA33205

 

Now Firefox has become unstable.  For the most part Firefox behaves but then out of nowhere, browsing slows down to a crawl.  Earlier I minimized the Firefox window and when I tried to restore it, a blank white window displayed, even though I was currently on the Newsday site.

 

I ran a full SEP scan yesterday after this risk appeared and of course SEP quarantined the risk.  I'm not convinced that it's completely gone.  Any suggestions? 




#2 The_Codesee

Posted 30 September 2016 - 09:34 AM

Hello! My name is The Codesee, nice to meet you   :)
 
Please follow the steps below:
 
Step 1: Please download MiniToolBox to your desktop

  • Double click MiniToolBox
  • Select the items below and press go
  • Post the log in your next reply
    • List Installed Programs
    • List Restore Points
    • List last 10 Event Viewer log
    • Flush DNS

Step 2: Please download Security Check to your desktop

  • Double click SecurityCheck and follow the on-screen instructions.
  • A log should open called checkup.txt.
  • Post the log in your next reply

Step 3: Please download TFC (Temp File Cleaner) to your desktop

  • Close all open applications
  • Double click TFC
  • Click the start button and the program will run
  • When done, press OK to restart your computer

Logs I expect in your next reply:

  • MiniToolBox Log
  • Security Check Log


#3 Christechie (Topic Starter)

Posted 12 October 2016 - 02:14 PM

MTB.txt:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by cgietsch (administrator) on 11-10-2016 at 08:50:31
Running from "C:\Users\cgietsch\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Model: OptiPlex 7010 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/11/2016 08:29:52 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Bloodhound.Exploit.33 in File: C:\Users\cgietsch\AppData\Local\Mozilla\Firefox\Profiles\9kwdwxg6.default\cache2\entries\489A6AC571F7F3DD601E6E3A4DAE9048DBA33205 by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (10/07/2016 03:28:41 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/06/2016 03:35:26 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/04/2016 03:34:44 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10038
System Message: An operation was attempted on something that is not a socket.

 (srv 32 bit)

Error: (10/04/2016 03:34:14 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/03/2016 03:30:05 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10038
System Message: An operation was attempted on something that is not a socket.

 (srv 32 bit)

Error: (10/03/2016 03:29:34 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (09/30/2016 02:43:10 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (09/30/2016 02:28:44 PM) (Source: Application Error) (User: )
Description: Faulting application name: firefox.exe, version: 49.0.1.6109, time stamp: 0x57e43f21
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x34a5f8c4
Faulting process id: 0x674
Faulting application start time: 0x01d21b46a82d13cc
Faulting application path: C:\Program Files\Mozilla Firefox\firefox.exe
Faulting module path: unknown
Report Id: b79825e6-873b-11e6-bc85-90b11c99cdcc

Error: (09/30/2016 01:34:45 PM) (Source: dwmrcs) (User: )
Description: Error:
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)


System errors:
=============
Error: (10/03/2016 10:19:41 AM) (Source: TermDD) (User: )
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 127.0.0.1.

Error: (09/30/2016 01:01:34 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (09/30/2016 01:01:34 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (09/30/2016 01:01:08 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/30/2016 01:01:08 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (09/30/2016 01:01:06 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (09/30/2016 01:01:01 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (09/30/2016 01:00:41 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (09/30/2016 01:00:41 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (09/30/2016 01:00:41 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.



Microsoft Office Sessions:
=========================
Error: (10/11/2016 08:29:52 AM) (Source: Symantec AntiVirus)(User: )
Description: Security Risk Found!Bloodhound.Exploit.33 in File: C:\Users\cgietsch\AppData\Local\Mozilla\Firefox\Profiles\9kwdwxg6.default\cache2\entries\489A6AC571F7F3DD601E6E3A4DAE9048DBA33205 by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (10/07/2016 03:28:41 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/06/2016 03:35:26 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/04/2016 03:34:44 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10038
System Message: An operation was attempted on something that is not a socket.

 (srv 32 bit)

Error: (10/04/2016 03:34:14 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (10/03/2016 03:30:05 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10038
System Message: An operation was attempted on something that is not a socket.

 (srv 32 bit)

Error: (10/03/2016 03:29:34 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (09/30/2016 02:43:10 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)

Error: (09/30/2016 02:28:44 PM) (Source: Application Error)(User: )
Description: Faulting application name: firefox.exe, version: 49.0.1.6109, time stamp: 0x57e43f21
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x34a5f8c4
Faulting process id: 0x674
Faulting application start time: 0x01d21b46a82d13cc
Faulting application path: C:\Program Files\Mozilla Firefox\firefox.exe
Faulting module path: unknown
Report Id: b79825e6-873b-11e6-bc85-90b11c99cdcc

Error: (09/30/2016 01:34:45 PM) (Source: dwmrcs)(User: )
Description: DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available (Local).

System Error: 0
System Message: The operation completed successfully.

 (srv 32 bit)


CodeIntegrity Errors:
===================================
  Date: 2013-12-04 11:55:41.477
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-22 09:36:20.667
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-19 15:11:51.012
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (HKLM\...\{284F4C1C-380D-4F10-88C8-1F9E386EFE98}) (Version: 17.1.1 - Hewlett-Packard) Hidden
Adobe Flash Player 21 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM\...\Adobe Shockwave Player) (Version: 12.2.3.183 - Adobe Systems, Inc.)
Altiris Application Metering Agent (HKLM\...\{40CFB46A-D130-432E-B77D-100E639CBA02}) (Version: 7.6.1655.0 - Symantec Corporation) Hidden
Altiris Inventory Agent (HKLM\...\{5A7FDA93-3437-4FB5-8BC2-D754BF31F66B}) (Version: 7.6.1655.0 - Symantec Corporation) Hidden
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AXIS Media Control Embedded (HKLM\...\AXIS Media Control Embedded) (Version:  - )
Bonjour (HKLM\...\{0CB9668D-F979-4F31-B8B8-67FE90F929F8}) (Version: 2.0.2.0 - Apple Inc.)
CameraHelperMsi (HKLM\...\{15634701-BACE-4449-8B25-1567DA8C9FD3}) (Version: 13.51.815.0 - Logitech) Hidden
Configuration Manager Client (HKLM\...\{70A48909-E2FD-4FE8-84B1-F5431AD143AF}) (Version: 5.00.8412.1000 - Microsoft Corporation) Hidden
CPIS v11.0.0 (HKLM\...\Case Processing_is1) (Version:  - Voyager Systems, Inc.)
DameWare Mini Remote Control (HKLM\...\{7695d7da-1988-4219-83b4-0729faf5e4a7}) (Version: 12.0.509.0 - SolarWinds)
Dell One Identity Secure Password Extension x86 (HKLM\...\{438D644C-B4A6-4F29-A00D-087AA29380E5}) (Version: 5.6.2.6903 - Dell Inc.)
Deployment Solution Agent (HKLM\...\{E5AB7EB9-5899-4E45-8DA6-AF57FFB85E52}) (Version: 7.6.1655.0 - Symantec) Hidden
Diskeeper 12 Professional (HKLM\...\{6855F1F0-0567-4EB1-A9C2-2CDF185D3B61}) (Version: 16.0.1017.32 - Condusiv Technologies)
DYMO Label v.8 (HKLM\...\DYMO Label v.8) (Version: 8.5.1.1814 - Sanford, L.P.)
DYMO Label v.8 SDK (HKLM\...\DYMO Label v.8 SDK) (Version: 8.3.1.487 - Sanford, L.P.)
erLT (HKLM\...\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}) (Version: 1.20.138.34 - Logitech, Inc.) Hidden
f.lux (HKCU\...\Flux) (Version:  - )
FBVLC (HKLM\...\{FDFD2D0E-1CC4-446A-8E36-65298CE711D5}) (Version: 0.1.5 - RSATom)
ffdshow [rev 2527] [2008-12-19] (HKLM\...\ffdshow_is1) (Version: 1.0 - )
FireBreathed VLC (HKLM\...\{A562F7F6-8578-45B9-8A5A-E3EF5A4BF473}) (Version: 0.0.4 - RSATom)
Foxit PhantomPDF Business (HKLM\...\{71809EF3-0674-4FBF-8DBB-CE9ABA80B640}) (Version: 7.2.2.929 - Foxit Software Inc.)
Google Drive (HKLM\...\{459CE109-4E46-4340-92BC-054642BC3BC2}) (Version: 1.31.2873.2758 - Google, Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.31.5 - Google Inc.) Hidden
HP Color LaserJet CP4520 Series PCL6,HP Color LaserJet CP4020 Series PCL6 [HP Color LaserJet CP4020 Series PCL6] (HKLM\...\HP Color LaserJet CP4520 Series PCL6,HP Color LaserJet CP4020 Series PCL6) (Version: 06/18/2009 61.091.12.102 - HP)
HP Color LaserJet CP4520-CP4020 Series Screen Fonts (HKLM\...\{D180CEC5-1492-4E90-9B46-F251C3831427}) (Version: 2.0.0.0 - Hewlett Packard, Co.)
HP Color LaserJet CP4520-CP4020 Series User Guide (HKLM\...\{8B79E313-F6DF-4DD7-A6F8-2C1BE47155DB}) (Version: 1.0.0.0 - Hewlett Packard, Co.)
HP Support Solutions Framework (HKLM\...\{FC3C2B77-6800-48C6-A15D-9D1031130C16}) (Version: 11.51.0049 - Hewlett-Packard Company)
Input Director v1.3 BETA (HKLM\...\Input Director) (Version: 1.3 - Imperative Software Pty Ltd)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 17.3 - Intel)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2867 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
J2SE Runtime Environment 5.0 Update 14 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0150140}) (Version: 1.5.0.140 - Sun Microsystems, Inc.)
Lexmark MX710 Series Uninstaller (HKLM\...\Lexmark MX710 Series) (Version:  - Lexmark International, Inc.)
LG Verizon United Drivers (HKLM\...\{4EBAC12E-B672-4682-BE44-8780E121CB61}) (Version: 2.4.0 - LG Electronics)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.96 - Symantec Corporation)
Logitech Webcam Software (HKLM\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
LWS Facebook (HKLM\...\{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}) (Version: 13.50.854.0 - Logitech) Hidden
LWS Gallery (HKLM\...\{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}) (Version: 13.51.827.0 - Logitech) Hidden
LWS Help_main (HKLM\...\{1651216E-E7AD-4250-92A1-FB8ED61391C9}) (Version: 13.51.828.0 - Logitech) Hidden
LWS Launcher (HKLM\...\{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}) (Version: 13.51.828.0 - Logitech) Hidden
LWS Motion Detection (HKLM\...\{71E66D3F-A009-44AB-8784-75E2819BA4BA}) (Version: 13.51.815.0 - Logitech) Hidden
LWS Pictures And Video (HKLM\...\{08610298-29AE-445B-B37D-EFBE05802967}) (Version: 13.51.815.0 - Logitech) Hidden
LWS Twitter (HKLM\...\{174A3B31-4C43-43DD-866F-73C9DB887B48}) (Version: 13.30.1346.0 - Logitech) Hidden
LWS Webcam Software (HKLM\...\{8937D274-C281-42E4-8CDB-A0B2DF979189}) (Version: 13.51.815.0 - Logitech) Hidden
LWS WLM Plugin (HKLM\...\{9DAEA76B-E50F-4272-A595-0124E826553D}) (Version: 1.30.1201.0 - Logitech) Hidden
LWS YouTube Plugin (HKLM\...\{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}) (Version: 13.31.1038.0 - Logitech) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Lync Web App Plug-in (HKLM\...\{EEA5F853-D315-42B0-8349-32FF06FBDF93}) (Version: 15.8.8658.0 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4859.1002 - Microsoft Corporation)
Microsoft Office XP Professional (HKLM\...\{90110409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.2627.01 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft Tool Web Package:NetDiag.exe (HKLM\...\{D8A07C06-2BD7-4486-9786-7365B2E9B589}) (Version: 1.0.0.1 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.40820 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (HKLM\...\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}) (Version: 3.0.5305.0 - Microsoft Corp.)
Mozilla Firefox 49.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 49.0.1 (x86 en-US)) (Version: 49.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 49.0.1 - Mozilla)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4859.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-007E-0000-0000-0000000FF1CE}) (Version: 15.0.4859.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4859.1002 - Microsoft Corporation) Hidden
Patch Management Agent (HKLM\...\{66AF1A50-D4B1-46E1-ACCE-D023FDBF6579}) (Version: 7.6.1645.0 - Symantec) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5910 - Realtek Semiconductor Corp.)
Software Management Solution Plugin (HKLM\...\{21F0859D-BCB3-40C9-B83B-0BF049B7E82E}) (Version: 7.6.1423.0 - Altiris Inc.) Hidden
swMSM (HKLM\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{358ADFAB-4EA2-481E-8828-5AF10FB0FC8E}) (Version: 12.1.7004.6500 - Symantec Corporation)
Symantec Ghost Console and Standard Tools (HKLM\...\{BE8585BF-DC7A-4AE0-0A2E-000007493152}) (Version: 115.01.2266 - Symantec Corporation)
Symantec pcAnywhere (HKLM\...\{12518183-866A-11D3-97DF-0000F8D8F2E9}) (Version: 12.5.1 - Symantec Corporation)
Symantec Workspace Virtualization Agent (HKLM\...\{3FA49196-3E39-466C-AD7B-F64D141E0DBB}) (Version: 6.4.1346 - Symantec)
Symantec_pcAnywhere_plugin_installer (HKLM\...\{FF94AABD-1E3B-44B9-809E-84EDE72F80AC}) (Version: 12.5.177.0 - Symantec) Hidden
TERM v11.0.0 (HKLM\...\TERM 11g_is1) (Version:  - Voyager Systems, Inc.)
VNC Viewer 5.2.3 (HKLM\...\{F8E906E7-1077-4476-8CA2-57912B72B0A8}) (Version: 5.2.3 - RealVNC Ltd)
Windows NT Messaging (HKLM\...\WMS) (Version:  - )
WinZip 18.5 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240E2}) (Version: 18.5.11111 - WinZip Computing, S.L. )
WordPerfect Office IFilter 32-bit (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X6 - Common Files (HKLM\...\{315FE707-7A15-4B1B-8C5A-955428AAA01D}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Common Files English (HKLM\...\{E1AF3785-AA77-471E-ABC5-4C2B459B877A}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - IPM (HKLM\...\{230100D9-27B4-49A3-A30F-D44B51EF56AA}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files (HKLM\...\{440F51A9-8CA3-41D7-AFD5-F47820895949}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files English (HKLM\...\{C4D92146-95DE-415A-99CC-51FBFF7C10CF}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Oxford (HKLM\...\{8959569B-D9BA-43A9-972A-D509EE7D4BA9}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files (HKLM\...\{EAA5C699-6DB5-4508-BD64-B79EB9409C9D}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files English (HKLM\...\{86ACFB25-0FA5-4A01-96B5-EE8F229D456E}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files (HKLM\...\{069793F3-E123-47B9-88DB-5DE76FF32ADB}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files English (HKLM\...\{10FFE1D7-6A72-4483-9856-1A2FBBC5A425}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Setup Files (HKLM\...\{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - System Files (HKLM\...\{8270ABE3-53A5-4046-BF84-EB5FBB0F5B10}) (Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files (HKLM\...\{CCADD122-70A5-47A6-8722-1BD5267B85F5}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files English (HKLM\...\{CD29C36F-2C6D-4ED3-BC21-B20C8038E9A5}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WT (HKLM\...\{0F7A0D0F-6576-489E-B20B-B7C8F95BBCC3}) (Version: 16.1 -  Corel Corporation) Hidden
WordPerfect Office X6 (HKLM\...\_{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.0.0.428 - Corel Corporation)
WordPerfect Office X6 (HKLM\...\{F6582F6F-6CD1-4B62-8BC6-EACF98AF410F}) (Version: 16.0 - Corel Corporation) Hidden
X-Mouse Button Control 2.14 (HKLM\...\X-Mouse Button Control) (Version: 2.14 - Highresolution Enterprises)
========================= Restore Points ==================================

30-09-2016 16:40:28 Installed Microsoft Fix it 50194
07-10-2016 20:05:06 Scheduled Checkpoint

**** End of log ****
 

 

Checkup.txt:

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x86   
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Symantec Endpoint Protection   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player     21.0.0.242  
 Mozilla Firefox (49.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#4 boooliyooo

Posted 20 October 2016 - 11:42 PM

Hello...

 

Based on Symantec's analysis: https://www.symantec.com/security_response/writeup.jsp?docid=2005-041215-1512-99&tabid=2

 

It seems to affect MSN Messenger. Could you take a look at the version and see if you can patch or remove it?



#5 boopme (Global Moderator)

Posted 22 October 2016 - 09:37 AM

According to Symantec, files that are detected as Bloodhound.Exploit.213 are a heuristic detection for files attempting to exploit the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability which may or may not be malicious. If Norton AV (NAV) is detecting "Bloodhound.Exploit.33", we need to look at WHAT is being flagged as it.

Please run these next

AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by boopme, 22 October 2016 - 09:39 AM.

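Editor's added example, not part of any post above and not Symantec's or Mozilla's code. boopme's point is the right one: a Bloodhound detection is a heuristic, so what matters is what the flagged file actually is, and here it is a Firefox cache2 entry (Christechie's path ends in cache2\entries). A cache2 entry file stores the response body followed by metadata whose key records the URL it was fetched from, so parsing it tells you which page or script on the site tripped the heuristic, what content type the server sent, and a body hash you can compare against later detections. The Python below does that. It assumes the cache2 on-disk layout as recalled from mozilla-central's netwerk/cache2/CacheFileMetadata.cpp (body, then metadata hashes, a header, a tag-prefixed key like ":https://...", NUL-separated elements, and a trailing 4-byte big-endian offset of the metadata); the sample URL, body and headers are constructed for the example, and the stored hashes are not verified.

```python
"""Recover what a Firefox cache2 entry held: source URL, response headers, body hash.
Layout assumed here (recalled from mozilla-central's netwerk/cache2/CacheFileMetadata.cpp,
not from the thread), integers big-endian: [content][u32 meta hash][u16 per 256 KiB chunk]
[header: version, fetchCount, lastFetched, lastModified, frecency, expiration, keySize,
flags (v>=2)][key][NUL][elem-key NUL elem-value NUL ...][u32 offset of metadata].
Key is "[tag,]*:URL", e.g. ":https://host/p" or "a,:https://host/p"."""
import hashlib
import struct
from typing import Optional

CHUNK_SIZE = 256 * 1024
HEADER_FMT = ">7I"                        # header words before the optional flags word
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28

def url_from_key(key: str) -> str:
    """Drop the tag prefix ("a,", "O^...,") from a cache2 key and return the URL."""
    if key.startswith(":"):
        return key[1:]
    _tags, sep, url = key.partition(",:")
    if not sep:
        raise ValueError("unrecognised cache2 key: %r" % key)
    return url

def header_value(response_head: str, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in a flattened response head."""
    for line in response_head.split("\r\n")[1:]:      # [0] is the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None

def parse_cache2_entry(data: bytes) -> dict:
    """Parse one entry file; raise ValueError if the bytes do not fit the layout."""
    end = len(data) - 4                               # start of the trailing offset word
    if end < 0:
        raise ValueError("too short to be a cache2 entry")
    meta_off = struct.unpack(">I", data[end:])[0]
    if meta_off > end:
        raise ValueError("metadata offset points past end of file")
    content = data[:meta_off]
    pos = meta_off + 4 + 2 * ((meta_off + CHUNK_SIZE - 1) // CHUNK_SIZE)  # skip hashes
    if pos + HEADER_LEN > end:
        raise ValueError("truncated metadata header")
    version, fetch_count, _lf, _lm, _fr, _ex, key_size = struct.unpack(
        HEADER_FMT, data[pos:pos + HEADER_LEN])
    pos += HEADER_LEN
    if not 1 <= version <= 3:
        raise ValueError("unexpected cache2 version %d" % version)
    flags = None
    if version >= 2:                                  # the flags word appeared in version 2
        if pos + 4 > end:
            raise ValueError("truncated flags")
        flags = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
    if pos + key_size + 1 > end or data[pos + key_size] != 0:
        raise ValueError("key truncated or not NUL-terminated")
    key = data[pos:pos + key_size].decode("utf-8", "replace")
    raw = data[pos + key_size + 1:end]
    if raw and not raw.endswith(b"\x00"):
        raise ValueError("elements are not NUL-terminated")
    parts = [p.decode("latin-1") for p in raw.split(b"\x00")[:-1]]
    elements = dict(zip(parts[0::2], parts[1::2]))
    head = elements.get("response-head", "")
    return {
        "url": url_from_key(key), "version": version, "flags": flags,
        "fetch_count": fetch_count, "request_method": elements.get("request-method"),
        "status_line": head.split("\r\n", 1)[0] if head else None,
        "content_type": header_value(head, "Content-Type") if head else None,
        "content_length": len(content),
        "content_sha256": hashlib.sha256(content).hexdigest(),  # body only, not metadata
        "elements": elements,
    }

def build_cache2_entry(url: str, content: bytes, elements: dict,
                       version: int = 2, key_tags: str = "") -> bytes:
    """Serialise an entry in the layout above, only to make the constructed sample
    (Firefox writes real ones). Hash fields are zeroed; the parser ignores them."""
    key = (key_tags + ":" + url).encode("utf-8")
    meta = b"\x00" * 4 + b"\x00\x00" * ((len(content) + CHUNK_SIZE - 1) // CHUNK_SIZE)
    meta += struct.pack(HEADER_FMT, version, 1, 0, 0, 0, 0, len(key))
    meta += struct.pack(">I", 0) if version >= 2 else b""
    meta += key + b"\x00"
    for k, v in elements.items():
        meta += k.encode("latin-1") + b"\x00" + v.encode("latin-1") + b"\x00"
    return content + meta + struct.pack(">I", len(content))

# Constructed sample: a ~330 KB script (spans two 256 KiB chunks); not real site content.
SAMPLE_URL = "https://www.example.test/static/widget.js"
SAMPLE_CONTENT = b"/* constructed sample body */\n" + b"var i = 0;\n" * 30000
SAMPLE_ELEMENTS = {"request-method": "GET",
                   "response-head": "HTTP/1.1 200 OK\r\nContent-Type: application/javascript"
                                    "\r\nContent-Length: %d\r\n" % len(SAMPLE_CONTENT)}

def demo() -> dict:
    """Round-trip the constructed sample; for a real file use parse_cache2_entry(open(p, 'rb').read())."""
    return parse_cache2_entry(build_cache2_entry(SAMPLE_URL, SAMPLE_CONTENT, SAMPLE_ELEMENTS))
```

Run parse_cache2_entry() over the bytes of the entry file; the 40-hex-digit file names under cache2\entries are (as far as I recall) SHA-1 hashes of the key, which is why the file name alone tells you nothing about the URL. Once SEP has quarantined the file it is no longer at that path, so restore it from quarantine into a scratch directory before parsing, or walk the other entries in the same profile to see which Newsday-served resources are cached. The hash covers the body only, so it stays stable across re-fetches that change only the metadata, which makes it useful for matching the same script across several detections.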



