Bloodhound.packed.8>>help needed please!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tompiercingloos, Dec 19, 2006.

  1. tompiercingloos

    tompiercingloos Private E-2

    2 Days ago I was surfing the web and suddenly I got a report from Norton Antivirus 2005 that the Bloodhound.packed.8 virus was found, but it couldn't be repaired, so I started scanning with Norton, but meanwhile A LOT of pop-ups came up saying the e-mail I was trying to send was blocked, filling the ENTIRE screen, and also scanning messages came up, saying it was scanning my e-mails. But after Norton was finished scanning, it hadn't found anything :confused:
    And I was getting :mad: because of the pop-ups, which I couldn't disable. I just decided to disconnect my internet connection (LAN connection), and the messages and pop-ups stopped. And I scanned with Norton again, and I did a CCleaner scan (also the problem fixes) hoping the problem was in the Temporary Internet Files, but alas.
    Then when I pressed CTRL+ALT+DEL to check if any unwanted program was running I suddenly saw something like: "gapqaaaa.exe". I had never heard of it before, so I started searching for the file using Start, Search. Found nothing..
    Then I scanned my pc again using Norton. Nothing found again..
    I had to leave for school so I shut down my pc, without Internet Connection. At school I used Google to find some information about Bloodhound.Packed.8 and gapqaaaa.exe. gapqaaaa.exe wasn't found, but I found a lot of sites telling me that Bloodhound.Packed.8 wasn't a virus, but it was the name for an unknown virus found by Norton, or something like that.
    When I got back home I ran a scan in Safe Mode, nothing found again.
    Then returned to normal mode, hoping the virus was gone already, and pressed CTRL+ALT+DEL then I saw a file named: "sshbaaaa93845593.exe" again with the 4 a's, making me suspicious. I ran a search using start, search and this time I found this file, located its source and I moved it to my trashcan, but did NOT clean it up, because I knew there was a small chance it wasn't a bad .exe. Then ran a scan again, found nothing again.
    Then I turned Internet Connection on, at first no pop-ups appeared, so I quickly used Google to find more information about Bloodhound.Packed.8
    and by doing so I found this website. Then I followed every step of the tutorial and used other scans as well. I'll post the logs later.
    But while scanning for all these hours, the pop-ups and messages drove me crazy, then when I was scanning with CounterSpy it all suddenly stopped..
    I was hoping the virus was FINALLY gone, but while I'm writing here I already have 48 pop-ups saying the e-mail that I was trying to send was blocked and I don't know how many e-mail scans are running.
    Hopefully you guys can help me get rid of this evil thing!
    (I'll post the logs now)
     
  2. tompiercingloos

    tompiercingloos Private E-2

    I'll upload all the logs I got, but they will not be in alphabetic order, sorry for that.
     

    Attached Files:

  3. tompiercingloos

    tompiercingloos Private E-2

    I'll post the CounterSpy report after this.
     

    Attached Files:

  4. tompiercingloos

    tompiercingloos Private E-2

    The only thing CounterSpy found was 1 cookie, "TribalFusion.com"
    (View end of this post please)


    Cookie: TribalFusion.com
    Type: Cookie (General)
    Level: Low
    Author: Tribal Fusion

    Description: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.

    Advice: This threat should be removed or quarantined from your computer.

    About Cookie (General):

    P.S. Running BitDefender didn't solve anything, it didn't even find anything, so I didn't save a log of that. If needed, I'll run it again, to post that post again.
    P.S-2 I posted another thread by accident, it can be removed, because it's the very same thread as this one. Sorry for that!
     
    Last edited: Dec 19, 2006
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problems may have begun with the below picked by Panda. Did you install this?
    Code:
    Adware:Adware/NewWeb Not disinfected C:\Documents and Settings\Michael\Bureaublad\Flyff\Aug\FlyFF Augmentation - Setup.exe[²ÜÇ\MD5Dll.dll] 
    Adware:Adware/NewWeb Not disinfected C:\Documents and Settings\Michael\Bureaublad\Flyff\Aug\FlyFF Augmentation.rar[FlyFF Augmentation - Setup.exe][²ÜÇ\MD5Dll.dll]
    I suggest uninstalling if you installed this and also delete the above Flyff folder. Also then delete the C:\Program Files\FlyFF Augmentation(2) folder.

    I also see the below service is running related to the above and they are calling it Apache 2.2????? Did you really install this??? What for?
    O23 - Service: Apache2.2 - Unknown owner - C:\Documents and Settings\Michael\Bureaublad\Flyff\Apache\bin\httpd.exe" -k runservice (file missing)


    What is the below Silkroad program? If you did not install it, uninstall it.
    Code:
    Possible Virus.  Not disinfected  C:\Program Files\Silkroad\GameGuard\NPSCAN.DES
    Based on your GetRunKey log you did not do step 2 of the READ ME, or you did it incorrectly, or malware stopped you from doing it properly in an attempt to keep you from seeing hidden & system files and folders and also extensions for all files.

    Also you did not set MSconfig to Normal Startup.

    Uninstall CounterSpy now since we are finished with it and also you have Yahoo's Antispyware installed.

    Also Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9

    Reboot after uninstalling the old Sun Java versions.

    After reboot, install the current version of Sun Java from: Sun Java Runtime Environment


    In many instances Windows Search will not find files because it is not configured by default to look into ALL folders and will also not look for hidden or system files. (Another dumb Microsoft idea that malware creators use to their advantage to hide from you.) You should configure your Windows Search function as documented below for future use:

    Searching for Hidden Files on WinXP

    But note, even with the above configured, malware can still hide (another mistake by Microsoft).

    I will post fixes in my next message.
     
    Last edited: Dec 19, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Panda Process Protection Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Service (if you do not find it or get any errors, just continue):
      • Boonty Games
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste PavPrSrv into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below Service (if you do not find it or get any errors, just continue):
      • Boonty Games
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6motq.dll (file missing)
    O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - C:\WINDOWS\system\dlgctl32.dll
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system\dlgctl32.dll
    C:\WINDOWS\system32\gapqaaaa.exe
    C:\WINDOWS\system32\glduaaaa.exe
    C:\WINDOWS\system32\sshbaaaa93845593.exe
    C:\WINDOWS\System32\ipv6motq.dll
    C:\WINDOWS\system32\snkiuort.exe
    C:\WINDOWS\system32\vhhqrhxe.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\WINDOWS\system32\i

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Michael\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
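Added example, not code from the thread or from MajorGeeks: a read-only PowerShell check that covers two points made above, chaslang's note in post 5 that Windows Search skips hidden and system files, and the file and service list in post 6. It reports whether each path named in the thread exists and what attributes it carries, sweeps System32 (hidden and system files included) for other executables whose name carries the same run of four a's, and lists services whose binary no longer exists on disk, like the Apache2.2 entry HJT flagged as (file missing). It assumes PowerShell 3.0 or later and an elevated prompt; the regex that separates a service's binary from its arguments is my own assumption and handles only the usual quoted or .exe-terminated forms. It deletes nothing.

```powershell
# Added example, not code from the thread. Read-only: it reports and deletes nothing.
# Assumes PowerShell 3.0+ (Get-CimInstance, -File) and an elevated prompt so that
# hidden and system files are readable.

# File paths quoted in post 6 of the thread.
$suspectPaths = @(
    'C:\WINDOWS\system\dlgctl32.dll',
    'C:\WINDOWS\system32\gapqaaaa.exe',
    'C:\WINDOWS\system32\glduaaaa.exe',
    'C:\WINDOWS\system32\sshbaaaa93845593.exe',
    'C:\WINDOWS\System32\ipv6motq.dll',
    'C:\WINDOWS\system32\snkiuort.exe',
    'C:\WINDOWS\system32\vhhqrhxe.exe'
)

Write-Host '== Files named in the thread =='
foreach ($path in $suspectPaths) {
    if (Test-Path -LiteralPath $path) {
        # -Force returns the item even when it carries the Hidden or System attribute,
        # which is exactly what Explorer and Windows Search hide by default.
        $item = Get-Item -LiteralPath $path -Force
        '{0,-50} PRESENT {1,9:N0} bytes  {2}  modified {3}' -f $path, $item.Length, $item.Attributes, $item.LastWriteTime
    } else {
        '{0,-50} absent' -f $path
    }
}

Write-Host ''
Write-Host '== Executables in System32 with four consecutive a''s in the name (hidden/system included) =='
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Filter '*.exe' -File -Force |
    Where-Object { $_.Name -match 'aaaa' } |
    Select-Object Name, Length, Attributes, CreationTime, LastWriteTime |
    Format-Table -AutoSize

Write-Host ''
Write-Host '== Services whose executable is missing on disk (cf. the O23 "(file missing)" line) =='
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    # PathName carries quoting and arguments, e.g.  "C:\...\httpd.exe" -k runservice
    # Assumption: the binary is either the leading quoted token or everything up to
    # the first ".exe"; unquoted paths with spaces and no .exe suffix are not handled.
    $exe = $null
    if ($_.PathName -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } elseif ($_.PathName -match '^\s*(.+?\.exe)') {
        $exe = $Matches[1]
    }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Binary    = $exe
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after a cleanup such as the Killbox step above: the first section shows which of the listed files were actually on disk (and whether they were marked Hidden or System, which is why Start > Search missed gapqaaaa.exe), the second catches siblings that follow the same naming pattern, and the third lists leftover service entries whose binary is gone, which is what the "(file missing)" marker in the HJT O23 line means.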
  7. tompiercingloos

    tompiercingloos Private E-2

    Hi! All the steps went very well, except for the deletion of the Temp files, because I only had the files of today, so I'll see that as positive?
    Also I did not receive any prompt rename message whatsoever after deletion with Killbox.
    And about the msconfig, indeed, shame on me, I had forgotten! And the show all hidden files, it was not the Malware who stopped me from doing that, but I have a Dutch version of Windows XP, so I just couldn't find it; instead of unhiding all the files, I had accidentally hidden my Start>Programs files.. Which is resolved now:)
    And I did not see any sign of the pesky Malware yet, I'll attach my logs to this very post!
    (Thanks for your help!!)
    P.S. I now have 2 files (were hidden once I guess, since they are see-through) named Desktop and Thumbs on my desktop, what should I do with those, so that nothing can go wrong with them? Or will I hide the files later?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you may not have unchecked the option that said Hide extensions for known file types. Otherwise the files would say Desktop.ini and Thumbs.db; however don't worry about changing the setting now because we are almost done. These are normal Windows files. If you don't like seeing these files on your Desktop you can just change the options back to defaults when we finish. Just be aware that doing so also allows malware files to hide from your view again.

    You did not answer my previous 3 questions
    1. about the Flyff Augmentation but I see you deleted the folder. But what was it?
    2. about O23 - Service: Apache2.2 that also mentions Flyff and is still present
    3. about Silkroad
    It appears that Windows Messenger came back, use the below to remove it:
    Disable/Remove Windows Messenger
     
  9. tompiercingloos

    tompiercingloos Private E-2

    Sorry for the late response!
    Still no sign of the malware!! And I have used that tool to remove msmsger and it hasn't come back yet!

    As for those 3 above; Flyff augmentation, was a tool for Flyff, but the augmentation could only work with Apache http server. I deleted both, but Flyff itself is a game I play.
    And Silkroad, I downloaded that game to test it out, but seeing my pc didn't work good enough, I never had the chance to test it out. So I deleted that also, same goes for everything I don't use anymore.
     
  10. tompiercingloos

    tompiercingloos Private E-2

    While I was looking through a NewFiles Log (just to be curious, never intended to take any actions) I found this:
    Now I See the No matches found, but as it said: the folder is being used by Trojan.FakeAlert.CX aka SmitFraud
    what should I do with that?
    (btw I just thought, I should upload the logs of runkeys, newfiles and HJT, perhaps this will be much better then just quoting)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing! The No matches found means nothing was found. I'll have to reword the text being printed to make it more obvious. I thought that the no matches found string printed by the file locating tool would be more obvious than it is to some people.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
