Bloodhound.Packed.10 Please Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sardonyx, Feb 14, 2007.

  1. Sardonyx

    Sardonyx Private E-2

    I have followed all instructions in READ & RUN ME FIRST.

    Last weekend my inexperienced son opened an attachment in e-mail. It contained Bloodhound.Packed.10 and is now located at C:\WINDOWS\Web\printers\rulact.dll. Norton Antivirus found it but can do nothing to remove it or quarantine it. In the process of running all of the below, several trojans were removed but I'm not sure what else beyond cookies.

    I followed procedures for Safe Mode.
    I ran CCleaner.
    I ran Spybot Search & Destroy.
    I ran CounterSpy.
    I ran Bitdefender.
    I ran Panda ActiveScan.
    I have a runkeys file.
    I have a newfiles file.
    I have a HijackThis file.

    The computer is slow and Norton pops up every 2-5 seconds to tell me about Bloodhound.Packed.10. In Safe Mode, my desktop failed to show most of the time.

    Attached to this post are my CounterSpy log, the Bitdefender log, and the Panda ActiveScan log. I will "reply" in a moment with the other three logs.

    Thank you!
     


  2. Sardonyx

    Sardonyx Private E-2

    Here are the other three files from my scanning for Bloodhound.Packed.10

    Attached are my HijackThis log, my runkeys, and my newfiles.

    Thank you in advance for helping!
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall thru add/remove programs:
    VSAdd-in for Internet Explorer
    VSToolbar for Internet Explorer

    Now:

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2FFE2757-7610-41DC-B21C-605FDAFE6916} - C:\WINDOWS\Web\printers\rulact.dll
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\iarxaaxv.dll (file missing)
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O20 - Winlogon Notify: rulact - C:\WINDOWS\Web\printers\rulact.dll

    After clicking Fix, exit HJT.

    Now attach the below logs and tell me how the above steps went.

    1. Combofix log
    2. VundoFix log
    3. new GetRunKey log
    4. new ShowNew log
    5. new HJT
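The HijackThis lines TimW asks for above (O2 Browser Helper Objects, an O3 toolbar, an O4 Run entry and an O20 Winlogon Notify DLL) follow a fixed text format, and the things a helper looks for in them are mechanical: an entry whose file is already gone, an object registered with no name, a DLL loading from an odd directory, a Run command given as a bare file name. As an added example (not code from this thread or from HijackThis), the Python below parses such lines and applies those checks. The section codes and the "(file missing)" / "(no name)" markers are HijackThis's own conventions; the trusted-directory list and the wording of the reasons are assumptions made for this example; the sample lines are the five from the post above plus one constructed benign entry with a placeholder CLSID.

```python
"""Parse HijackThis-style log lines and flag entries worth a closer look.

Added example for this thread; not HijackThis code. Section codes and the
"(file missing)" / "(no name)" markers are HijackThis conventions; the
trusted-directory heuristic is an assumption made for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTION_NAMES = {
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "autostart entry (Run key or Startup folder)",
    "O20": "Winlogon Notify DLL",
}

# Directories from which a BHO or Notify DLL is at least not surprising.
# Heuristic for this example only; a DLL here can still be malicious.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    kind: str
    path: str
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for lines outside the sections above."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in SECTION_NAMES:
        return None
    section, body = m.group(1), m.group(2)
    reasons: List[str] = []
    if section == "O4":
        # "O4 - HKLM\..\Run: [Name] command" -> the command is everything after "] "
        path = body.split("] ", 1)[-1].strip()
        if "\\" not in path:
            reasons.append("bare file name in Run key: located via PATH search, origin unclear")
    else:
        # "O2 - BHO: name - {CLSID} - path (file missing)" -> the path is the last " - " field
        path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        if "(file missing)" in body:
            reasons.append("orphaned: registry entry points at a file that is gone")
        if "(no name)" in body:
            reasons.append("registered without a friendly name")
        if section == "O20":
            reasons.append("Winlogon Notify DLLs load into winlogon.exe at logon; rarely legitimate")
        if not path.lower().startswith(TRUSTED_DIRS):
            reasons.append("loaded from an unusual directory")
    clsid = CLSID_RE.search(body)
    return Finding(section, SECTION_NAMES[section], path, clsid.group(0) if clsid else None, reasons)


def triage_log(lines: List[str]) -> List[Finding]:
    """Run triage over a whole log, keeping only recognised entries."""
    return [f for f in (triage(l) for l in lines) if f is not None]


# Sample input: the five lines from the post above, one constructed benign BHO
# with a placeholder CLSID, and one line that is not an O-section entry.
SAMPLE_LOG = [
    "Running processes:",
    r"O2 - BHO: (no name) - {2FFE2757-7610-41DC-B21C-605FDAFE6916} - C:\WINDOWS\Web\printers\rulact.dll",
    r"O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)",
    r"O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)",
    r"O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE",
    r"O20 - Winlogon Notify: rulact - C:\WINDOWS\Web\printers\rulact.dll",
    r"O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        status = "CHECK" if f.reasons else "ok   "
        print(f"{status} {f.section:<4}{f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run as-is it prints the five entries from the post flagged with their reasons and the constructed Adobe-style entry as "ok". The two rulact.dll entries are the instructive ones: the BHO and the Winlogon Notify entry point at the same DLL outside system32, which is why the thread treats them together.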
     
  4. Sardonyx

    Sardonyx Private E-2

    I'm a stickler for following directions.

    I am unable to uninstall VSAdd-in for Internet Explorer thru add/remove programs. When I click the change/remove button (after selecting VSAdd-in for Internet Explorer) I am ignored and the program remains in the list.

    VSToolbar for Internet Explorer does not show in the Add/Remove list.

    I wish to follow your directions. What am I doing wrong?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download a tool we will need - Pocket KillBox


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\VSAdd-in for Internet Explorer.

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now finish the above.
     
  6. Sardonyx

    Sardonyx Private E-2

    Thank you.

    I have run killbox.exe. I received the PendingFileRenameOperations prompt and, as directed, continued with my reboot and the rest of your instructions.

    I ran combofix.exe. I have attached the log.

    I ran VundoFix.exe. I have attached the log. ...I received a CopyFile Error:75.Path/File access error during this process.

    Upon reboot, Norton no longer pops up with the Bloodhound warning (which it started calling Trojan:Vundo this evening).

    I ran Hijack This. Only 4 of the 6 items you highlighted were in the list. I checked them and removed them. My new HijackThis log is attached.

    I will reply again in a moment with the new GetRunKey log and the new ShowNew log.
     


  7. Sardonyx

    Sardonyx Private E-2

    Here are my new GetRunKey and ShowNew files.

    VSAdd-in still shows in my add/remove programs list.

    The computer seems to be running much better and I don't have pop ups from Norton anymore. Is there anything else suspicious looking or that I should look into fixing? I get the feeling I'm not done with this yet.

    Your help is *greatly* appreciated!
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click start / explore and find the folder:
    C:\Program Files\VSAdd-in\ .....delete it.


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\VSAdd-in\
    C:\WINDOWS\system32\rkofbker.dll
    C:\WINDOWS\system32\vmexpaur.exe
    C:\WINDOWS\system32\xswhtpcr.dll
    C:\WINDOWS\system32\wnirqsls.dll
    C:\WINDOWS\system32\ukbjixoa.dll
    C:\WINDOWS\system32\rmlqalqu.dll
    C:\WINDOWS\system32\pwehroad.dll
    C:\WINDOWS\system32\pmdfnvhm.dll
    C:\WINDOWS\system32\nrfcmjpe.dll
    C:\WINDOWS\system32\mrplbmxa.dll
    C:\WINDOWS\system32\lpwkagad.dll
    C:\WINDOWS\system32\lgudookm.dll
    C:\WINDOWS\system32\lacxafim.dll
    C:\WINDOWS\system32\kwcefjwy.dll
    C:\WINDOWS\system32\ddpabuce.dll
    C:\WINDOWS\system32\bgemgjnr.dll
    C:\WINDOWS\system32\acknxkmr.dll
    C:\WINDOWS\system32\dnsbochs.ini
    C:\WINDOWS\system32\ouuayppm.ini

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {41BEB18C-78EA-45EC-8954-3316912B9FD4} - C:\WINDOWS\Web\printers\rulact.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\iarxaaxv.dll (file missing)
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    After clicking Fix, exit HJT.
    Now uninstall (thru add/remove programs):
    Java 2 Runtime Environment, SE v1.4.2_03

    Reboot and install:
    Java Runtime 6
    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
  9. Sardonyx

    Sardonyx Private E-2

    I was unable to delete C:\Program Files\VSAdd-in because it did not appear in the explorer list. It still shows in the Control Panel Add/Remove but not in Explorer.

    I ran Pocket Killbox again and did not get the PendingFileRenameOperations prompt this time.

    I saved the highlighted text to my desktop and successfully merged it with my registry.

    I ran HijackThis and was only able to delete the first of the items on your list. The other four were not there.

    I successfully uninstalled Java 2 Runtime Environment and rebooted.

    I successfully installed Java Runtime 6.

    I have attached my HijackThis log, my new getrunkey log, and my new shownew log.

    The computer is running very slow. Operations that normally take 5 seconds at the most are currently taking 15 to 25 seconds. Example: When I click "File" to get the pull-down menu it takes from 15 to 25 seconds for that pull-down menu to actually pull down. Rebooting takes anywhere from 9 to 18 minutes.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Boot into safe mode.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\acknxkmr.dll
    C:\WINDOWS\system32\bgemgjnr.dll
    C:\WINDOWS\system32\ddpabuce.dll
    C:\WINDOWS\system32\kwcefjwy.dll
    C:\WINDOWS\system32\lacxafim.dll
    C:\WINDOWS\system32\lgudookm.dll
    C:\WINDOWS\system32\lpwkagad.dll
    C:\WINDOWS\system32\mrplbmxa.dll
    C:\WINDOWS\system32\nrfcmjpe.dll
    C:\WINDOWS\system32\pmdfnvhm.dll
    C:\WINDOWS\system32\pwehroad.dll
    C:\WINDOWS\system32\rkofbker.dll
    C:\WINDOWS\system32\rmlqalqu.dll
    C:\WINDOWS\system32\ukbjixoa.dll
    C:\WINDOWS\system32\wnirqsls.dll
    C:\WINDOWS\system32\xswhtpcr.dll
    C:\WINDOWS\system32\vmexpaur.exe

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    If you get any error messages, let me know.

    Then run HJT and try to delete this item:

    O2 - BHO: (no name) - {41BEB18C-78EA-45EC-8954-3316912B9FD4} - C:\WINDOWS\Web\printers\rulact.dll (file missing)

    Click fix and exit HJT.

    Reboot into normal mode and attach a new:
    ShowNew log.

    How are things running now?
     
  11. Sardonyx

    Sardonyx Private E-2

    I booted in Safe Mode.

    I ran Pocket Killbox. Not all files showed, as warned. I got the PendingFileRenameOperations prompt at the end this time.

    I rebooted with no further error messages. The reboot was significantly quicker.

    Still in Safe Mode, I ran HJT. I was unable to delete the listed item as it wasn't in the HJT list. I am attaching my HJT log just in case you need it.

    I rebooted again into Normal mode. Both of my sons watched the reboot this time and they both say that the computer seems to be running at normal speed now.

    I have attached a new ShowNew log.

    Even though I was unable to complete your steps, the computer is running much better now, not nearly as slow as it was earlier today.

    What is the next step?

    Your help is very greatly appreciated!
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your HJT log is clean. However the .dll's are still showing in the ShowNew log.

    Let's run Killbox again and this time go to file, paste from clipboard (all the below items that you have copied to the clipboard) and choose the box for unregister .dll's before deleting. Then click on processes and see if C:\WINDOWS\system32\vmexpaur.exe is showing. If it is, put a check mark next to it and click End Task. Click on delete on reboot and exit.
    Reboot and attach a new ShowNew log.
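Killbox's "Delete on Reboot" and the PendingFileRenameOperations prompt that keeps appearing in this thread are two faces of the same Windows mechanism: a queue of file moves and deletions kept in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and carried out by the Session Manager early in the next boot, before the files can be locked. As an added example (not code from this thread or from Pocket Killbox), the Python below decodes that queue and compares it with the list of files you meant to delete, so that anything else sitting in the queue stands out before you reboot. The value layout (source/destination pairs, an empty destination meaning delete, a leading "!" allowing the destination to be overwritten, the "\??\" prefix on paths) is how Windows stores MoveFileEx delay-until-reboot requests; the sample queue is constructed from paths in the thread plus one made-up rename; read_live_queue() is an added helper that only does anything on Windows.

```python
"""Decode a PendingFileRenameOperations queue and compare it with what you intended.

Added example for this thread; not Pocket Killbox code. The pair layout, the
empty-destination-means-delete rule and the "!" overwrite prefix are how Windows
records MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) requests. The sample queue
is constructed: three paths from the thread plus one made-up rename.
"""
from typing import List, Optional, Set, Tuple

Op = Tuple[str, Optional[str]]  # (source, destination); destination None means delete

NT_PREFIX = "\\??\\"


def strip_nt_prefix(p: str) -> str:
    """Drop the object-manager prefix Windows puts in front of these paths."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def decode_pending_ops(values: List[str]) -> List[Op]:
    """Turn the REG_MULTI_SZ string list into (source, destination) operations."""
    vals = list(values)
    if len(vals) % 2 == 1 and vals[-1] == "":
        vals.pop()  # stray terminator that some registry readers include
    if len(vals) % 2:
        raise ValueError("queue must hold source/destination pairs")
    ops: List[Op] = []
    for src, dst in zip(vals[0::2], vals[1::2]):
        if dst == "":
            ops.append((strip_nt_prefix(src), None))          # delete at boot
        else:
            # a leading "!" means "replace the destination if it exists"
            ops.append((strip_nt_prefix(src), strip_nt_prefix(dst.lstrip("!"))))
    return ops


def unexpected_ops(ops: List[Op], intended_deletes: Set[str]) -> List[Op]:
    """Queued operations you did not ask for: any rename, or a delete of another path."""
    wanted = {p.lower() for p in intended_deletes}
    return [op for op in ops if op[1] is not None or op[0].lower() not in wanted]


def read_live_queue() -> List[str]:
    """Read the real queue on Windows; returns [] elsewhere or if the value is absent."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except OSError:
        return []


# Constructed sample: what the queue looks like after pasting three of the
# thread's paths into Killbox, plus one rename nobody asked for.
SAMPLE_QUEUE = [
    r"\??\C:\WINDOWS\system32\acknxkmr.dll", "",
    r"\??\C:\WINDOWS\system32\bgemgjnr.dll", "",
    r"\??\C:\WINDOWS\system32\vmexpaur.exe", "",
    r"\??\C:\WINDOWS\Temp\upd0001.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
    "",
]
INTENDED = {
    r"C:\WINDOWS\system32\acknxkmr.dll",
    r"C:\WINDOWS\system32\bgemgjnr.dll",
    r"C:\WINDOWS\system32\vmexpaur.exe",
}

if __name__ == "__main__":
    queue = read_live_queue() or SAMPLE_QUEUE
    ops = decode_pending_ops(queue)
    for src, dst in ops:
        print("DELETE" if dst is None else "RENAME", src, "" if dst is None else "-> " + dst)
    for src, dst in unexpected_ops(ops, INTENDED):
        print("NOT REQUESTED:", src, "" if dst is None else "-> " + dst)
```

The check is worth doing whenever the prompt appears: Killbox asks because the queue was already non-empty, and the queue only tells you what will happen at the next boot, not who put it there. An entry that is not one you pasted in deserves a look before rebooting.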


     
  13. Sardonyx

    Sardonyx Private E-2

    Wow, these .dlls are stubborn!

    I ran Killbox again. I copy-and-pasted the list of .dll and checked the "unregister.dll's before deleting" selection. I checked the processes for vmexpaur.exe and did not find it. I clicked "delete on reboot" and exited.

    And realized something was wrong. I hadn't clicked the red and white delete button. I rebooted anyway.

    After reboot I ran ShowNew and looked at the log. All of the .dlls you asked me to delete were still there.

    I ran Killbox again following all the instructions but adding in the red and white delete button this time. I got the PendingFileRenameOperations prompt, clicked "yes", and exited.

    I rebooted.

    I got a new ShowNew log. It still shows the list of .dlls but you're the surgeon and I'm the curious rubber-necker at the scene of the accident. I don't know what I'm looking at.

    I've attached the latest ShowNew log and await your reply.
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to put our minds at ease...

    Housecall

    Post the log.
     
  15. Sardonyx

    Sardonyx Private E-2

    I don't see any directions for getting a log from Housecall, but the program reports "HouseCall did not find any potential threats on your computer."

    Are there any other logs I should post? Do we simply not worry about those .dlls that wouldn't delete?

    Both of my sons say the computer is running normally now. ...I think it's actually running faster/better than it did before this trojan.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I think we have killed the bug, but the carcass still remains.
    Right click start / explore and scroll down and see if those folders are there and manually try to delete them.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  17. Sardonyx

    Sardonyx Private E-2

    This time I was able to delete all the "carcass" files manually. ...Except the vmexpaur.exe, which wasn't there.

    The computer is running better than it has in a long time. I think we cleaned up more than I expected.

    I followed the steps you listed for removing the programs and files we used. I turned off System Restore, rebooted, and turned System Restore back on.

    Now I'm off to look at the required reading. Hopefully the reading will help me teach my sons what to be on the look-out for in the future. I'm certain that they've learned not to open e-mail attachments without a scan first. I'm sure they're tired of me telling them how long many of those scans took!

    Thank you so kindly for your help! After my required reading, I need to find the Geek Shrine and worship for a while. ;-) You guys are the best! Thank you!
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.....watch those attachments!!
     
