
blood hound virus



#1 jimfro (Member, 13 posts)

If anyone can help me with this it would be greatly appreciated. I cannot open Norton AntiVirus, any web pages such as symantec.com, or the McAfee home page. If I try to download a possible fix for this I get a message saying "your security settings prevent you from downloading this program". I tried to run regedit but it opens for 2 seconds and shuts down. I tried to use Task Manager to shut down processes but it tells me they can't be shut down. I can, however, run the pre-scan and I get the following results.... can someone please help me!!! I can't open Hotmail either. And when I run Ad-Aware, I get more than 100 objects 3 times a day.

NOTE: Close this window to continue installing the product.
=========================================================
===============PRE-INSTALL SCANNER RESULTS===============
=========================================================
Summary:
Scan finished at 9:44:40 AM on 11/24/2004.
Number of Files Scanned: 30555
Number of Infections Found: 4
Number of Files Repaired: 0
Number of Files Deleted: 3
Number of Files Left Infected: 1
=========================================================
Details:
C:\WINNT\system32\winbdw32.exe is infected with Bloodhound.W32.EP. (REMAINS)
C:\WINNT\system32\bkmsf32.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L7ZO1Z6M\protector[1].exe was infected with Bloodhound.W32.EP. (DELETED)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U4DBZF7N\protector[1].exe was infected with Bloodhound.W32.EP. (DELETED)
=========================================================
NOTE: Close this window to continue installing the product.
=========================================================
===============PRE-INSTALL SCANNER RESULTS===============
=========================================================
Summary:
Scan finished at 11:03:32 AM on 11/24/2004.
Number of Files Scanned: 31248
Number of Infections Found: 7
Number of Files Repaired: 0
Number of Files Deleted: 7
Number of Files Left Infected: 0
=========================================================
Details:
C:\WINNT\system32\winbdw32.exe was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000000.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000001.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000002.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000003.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000004.dat was infected with Bloodhound.W32.EP. (DELETED)
C:\Recycled\NPROTECT\00000010.exe was infected with Bloodhound.W32.EP. (DELETED)
=========================================================
NOTE: Close this window to continue installing the product.
=========================================================
===============PRE-INSTALL SCANNER RESULTS===============
=========================================================
Summary:
Scan finished at 5:09:18 PM on 11/24/2004.
Number of Files Scanned: 29886
Number of Infections Found: 0
Number of Files Repaired: 0
Number of Files Deleted: 0
Number of Files Left Infected: 0
=========================================================
Details:
=========================================================
NOTE: Close this window to continue installing the product.
=========================================================
===============PRE-INSTALL SCANNER RESULTS===============
=========================================================
Summary:
Scan finished at 4:13:32 PM on 11/26/2004.
Number of Files Scanned: 29956
Number of Infections Found: 0
Number of Files Repaired: 0
Number of Files Deleted: 0
Number of Files Left Infected: 0



#2 -=jonnyrotten=- (Retired Staff, 2,678 posts)

Please delete your temporary files. Double click My Computer (WinXP: navigate to Start ---> My Computer). You will see an icon representing your hard drive (most likely the C: drive). Right click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"... click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.
If you cannot do this, then boot into "safe mode" and try it.

Reboot.

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HijackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

-=jonnyrotten=- <_<

#3 jimfro (Topic Starter, 13 posts)

I tried to download HijackThis but I can't, because when I click on the download link I once again get the message "Security alert: your current security settings do not allow this file to be downloaded"....... any suggestions?

#4 -=jonnyrotten=- (Retired Staff, 2,678 posts)

If you are using Internet Explorer, click "Tools", "Internet Options", then click the "Security" tab. Click the "Custom Level" button at the bottom of the window. Scroll down to "Downloads" and make sure it is "Enabled". Then download HijackThis.

-=jonnyrotten=- <_<

#5 -=jonnyrotten=- (Retired Staff, 2,678 posts)

Sounds like you have a nasty little infection called Hacker Defender. Try this.

In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan....torv0[1].62.zip

If you are infected you can try the following: if your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.

If your system drive is formatted with the NTFS file system, download Bart's PE Builder from http://www.nu2.nu/pebuilder/ in order to create a pre-installed environment CD image. Burn that image and boot using the CD, then use the utilities inside the PE in order to delete this folder.

You can read more on HackDefender here: http://bagpuss.swan....comms/hxdef.htm

-=jonnyrotten=-

#6 -=jonnyrotten=- (Retired Staff, 2,678 posts)

Also, here are some removal instructions:

http://www.trendmicr...e=WORM_SDBOT.SK

Hopefully you can follow through with them or actually get to the page; if not, let me know and I'll post them here.

Try this:
Please run a free online virus scan here (tick the "Auto Clean" checkbox). Needs to be run with Internet Explorer.
http://housecall.antivirus.com/

And a free trojan scan here (you will have to download the 30-day trial of "The Cleaner" here):
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

-=jonnyrotten=-

#7 jimfro (Topic Starter, 13 posts)

Hi, I tried all of the suggestions you listed..... unfortunately I get the same results with these suggestions as I do with the other attempts I have made to fix this problem.
The link to the page for removal instructions cannot be displayed (I can view any pages that do not provide information about viruses or removal instructions).
As for the other options you suggested, I can install these programs, but when I attempt to run any of them they open for 2 seconds and shut down before I can start them.

If I reformat will this "virus" be deleted? Because I have so much work to do and I am growing frustrated......

#8 jimfro (Topic Starter, 13 posts)

I managed to run the HijackThis program in safe mode and these are the results.....

Logfile of HijackThis v1.98.2
Scan saved at 1:40:14 PM, on 11/27/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\The Cleaner\tca.exe
C:\WINNT\System32\ctfmon.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\ELITES~1\ELITES~1.DLL (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab

Now where do I go?......

#9 -=jonnyrotten=- (Retired Staff, 2,678 posts)

OK, good, now we're getting somewhere. In safe mode run HijackThis and put checks in the boxes only next to the following entries.

O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\ELITES~1\ELITES~1.DLL (file missing)
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe

Next find these files and delete them:

libsysmgr.exe
syslog32.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe

Please reboot and tell me if you can visit any of the websites, use HijackThis, edit the registry, etc... This should give us the start we need. If you can do anything like this, then run all the scans I have suggested and, most importantly, run the "Hacker Defender" program. If these don't work in normal mode try safe mode. Let me know exactly what you are able to do.
There's still hope! :D

-=jonnyrotten=- <_<

#10 jimfro (Topic Starter, 13 posts)

I tried to delete those files... but I could not delete them. It says they cannot be deleted because they are open, so I tried to end the processes through Task Manager but it wouldn't allow me to do so; I get the "access is denied" message. I did delete the file in Symantec, but the other two, the lib file and the sys file, could not be deleted. I could not open any of the pages or programs after I deleted them through hjt.exe..... after reboot I got this message which I have been getting for a while: "your computer will be shut down in 50 seconds.... 'c:\winnt\system32\lsass.exe' terminated unexpectedly......" Also, when I tried to open NAV I got the message that the shortcut for the file I was told to delete was missing and the computer was searching for it...... so I have, if it helps, included the HJT log below..... this was after I deleted the items you told me to delete....

Logfile of HijackThis v1.98.2
Scan saved at 3:51:10 PM, on 11/27/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab


#11 -=jonnyrotten=- (Retired Staff, 2,678 posts)

These files that need to be deleted are bad files. They are starting up with your PC and running; that is why you cannot delete them. They are also back in your HJT log too. A lot of times booting in safe mode keeps them from starting up, therefore you can delete them.

Are you able to run regedit in safe mode? There are registry entries we need to delete.

-=jonnyrotten=-
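The check the helper is doing by eye in posts #9 and #11 (did the flagged autostart entries actually go away after the cleanup attempt, or are they back?) can be automated. The following Python script is an added example, not code from this thread or from HijackThis: it parses the R/O entries out of two HijackThis logs, diffs them, and reports which files on a removal watchlist are still referenced afterwards. The two sample logs are a constructed subset of the logs posted in #8 and #10, and the watchlist is the three files named in #9; the function names are this example's own.

```python
"""Compare two HijackThis logs and report which flagged files survived a cleanup.

Added example (not part of the thread). Input logs are constructed from a subset
of the entries quoted in the thread; FLAGGED_FILES is the removal list from post #9.
"""
import re

# Constructed sample: first log (post #8), before the removal attempt.
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\ELITES~1\ELITES~1.DLL (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Constructed sample: second log (post #10), after the files were "fixed" in HJT.
AFTER_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# The files the helper asked to have removed in post #9.
FLAGGED_FILES = ["libsysmgr.exe", "syslog32.exe", "CfgWiz.exe"]

# HijackThis entry lines look like "O4 - HKLM\..\Run: [Name] command" or "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<detail>.+)$")


def parse_entries(log_text):
    """Return every R*/O* entry in a HijackThis log as a (kind, detail) tuple."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["detail"]))
    return entries


def diff_entries(before, after):
    """Set difference of the two entry lists, as sorted lists."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "unchanged": sorted(a & b)}


def flagged_survivors(after, flagged_files):
    """Entries in the post-cleanup log that still reference a watchlisted file."""
    wanted = [f.lower() for f in flagged_files]
    return [(kind, detail) for kind, detail in after
            if any(f in detail.lower() for f in wanted)]


def files_still_referenced(after, flagged_files):
    """Which watchlisted filenames still appear anywhere in the post-cleanup log."""
    return sorted({f for f in flagged_files
                   if any(f.lower() in detail.lower() for _, detail in after)})


def summarize(before_log, after_log, flagged_files):
    """Full comparison: what changed, and which flagged files did not go away."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    result = diff_entries(before, after)
    result["survivors"] = flagged_survivors(after, flagged_files)
    result["still_referenced"] = files_still_referenced(after, flagged_files)
    return result


if __name__ == "__main__":
    report = summarize(BEFORE_LOG, AFTER_LOG, FLAGGED_FILES)
    for key in ("removed", "added", "survivors"):
        print(f"{key}:")
        for kind, detail in report[key]:
            print(f"  {kind} - {detail}")
    print("still referenced:", ", ".join(report["still_referenced"]) or "none")
```

On the sample logs the report shows the O2 BHO and the NAV CfgWiz entry gone, nothing new added, and both libsysmgr.exe and syslog32.exe still referenced from three O4 entries, which is exactly the "they are back in your log" observation in #11. Watchlist matching is by substring on the entry text, so a file launched by bare name (as here) or by full path is caught either way.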

#12 admin (Founder Geek, Community Leader, 24,639 posts)

Click here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINNT\System32\libsysmgr.exe
C:\WINNT\System32\syslog32.exe

Click 'Exit' when done.

Note: If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.

#13 jimfro (Topic Starter, 13 posts)

I can run regedit in safe mode but I don't know what to delete.... As for TheKillbox.exe..... when I click on the link to go to the page to download it, I get directed to a Geeks to Go page that says I don't have permission to do this....

#14 admin (Founder Geek, Community Leader, 24,639 posts)

Quote: when I click on the link to go to the page to download it, I get directed to a Geeks to Go page that says I don't have permission to do this

Strange, sounds like a cookie error. I've attached it to this post; just download, unzip, and run. <_<

#15 jimfro (Topic Starter, 13 posts)

Thanks for the quick reply. Downloaded the file, ran it, but it says the file cannot be deleted for the first file, and it says the second file does not exist.