RE: Bloodhound.exploit.6 Trojan

From: pauly [MSFT] (pauly_at_online.microsoft.com)
Date: Mon, 23 Aug 2004 20:07:22 GMT

Hi Lon,

Thanks for your post. Regarding your questions:

Q1. From what I have said above, can someone tell me if I no longer have
this bloodhound.exploit.6 virus? And how can I tell if it is gone or not?
And if it is gone how did I get rid of it when I didn't delete anything?

A1: It is not clear to me that you have removed this virus. Even though a
new scan does not show the virus, you should run a new scan using an online
virus scanner such as Housecall from Trend Micro. I will give you a list
of links to various online virus scanners at the end of this thread.

Q2. What does it mean when it said in Regedit Default REG_SZ no value set
A2: Each and every key in the registry (thousands) has a single default
value that is 'not set'. This is normal - it would be a problem if you did
not see this. Most keys also have numerous other values called something
other than Default - and these have various values other than 'Not Set'.

Q3. How can I get my computer to go into safe mode? When I boot up it says
to go to the BIOS click F1 but doesn't list safe mode.
A3: Instead of pressing F1 at boot time, press F8.
   F1=BIOS
   F8=Boot Menu.

Q4. Do I need to run full scan again in safe mode (once found) and go to
Regedit again in safe mode?
A4: Your locally installed AV product is great, but as a sanity check I
recommend that you run a scan using a different AV Scanner. This is most
easily accomplished using an online scanner. Also, please do not use
Regedit. If your scanning program recommends that you edit the registry,
please call Microsoft Product Support for assistance before going into the
registry.

MORE INFORMATION:

Trend Micro House Call:
http://housecall.trendmicro.com/
 
Panda ActiveScan:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

McAfee FreeScan:
http://us.mcafee.com/root/mfs/default.asp

Kaspersky Labs On-line Virus Checker:
http://www.kaspersky.com/remoteviruschk.html

BitDefender Online Scan:
http://www.bitdefender.com/scan/licence.php

Downloadable McAfee AVERT Stinger:
http://vil.nai.com/vil/stinger/

Here are some additional steps you can take:

1. Check for Spyware that may be installed on your computer using one or
more of these tools:

Spybot-S&D
   http://www.safer-networking.org/

Ad-Aware
   http://www.netsecurity.about.com/library/blfreespyware.htm

HijackThis
   http://www.spychecker.com/program/hijackthis.html

Web Shredder
   http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

2. Install a Firewall:

 a. http://www.vicomsoft.com/knowledge/reference/firewalls1.html

 b. http://firewalls.surferbeware.com/firewalls-basics.htm

 c. http://www.techonline.com/community/related_content/14208

=========

This posting is provided "AS IS" with no warranties, and confers no rights.

MBSA Homepage:
http://www.microsoft.com/MBSA

Windows XP Security Homepage:
http://www.microsoft.com/windowsxp/security/default.asp

Windows 2000 Security Homepage:
http://www.microsoft.com/windows2000/security/default.asp

Top 10 Windows Newsgroups Security Questions:
http://www.microsoft.com/technet/newsgroups/default.asp?url=/technet/newsgroups/nodepages/sectop10.asp

=========
Paul Hayes, MCSE
Product Support Services
Microsoft Corporation
pauly@online.microsoft.com

--------------------
| From: "Lon" <anonymous@discussions.microsoft.com>
| Subject: Bloodhound.exploit.6 Trojan
| Date: Sat, 21 Aug 2004 21:24:00 -0700
|
| I am using Windows XP Pro sp1 with IE6.0 and NSW2003 with
| NAV and Yahoo Anti-spy and spyblocker. Today my NAV
| program informed me I had a virus on my computer called
| Bloodhound.exploit.6 that they could not fix. I found the
| site
| www.symantec.com/avcenter/venc/data/pf/trojan.trunlow.html
| for the removal procedures, printed them off and
| followed the steps given. This is what I did:
| 1. Disabled System restore
| 2. Updated my NAV definitions by running live update
| 3. Ran a full system virus scan to check for
| Trojan.Trunlow files and found none. (was told if any
| Trojan.Trunlow files were found to delete them, and if not, to delete
| the value in the registry)
| 4. Went offline and then backed up the entire registry
| and placed it on my desktop
| 5. went to start/run/type regedit and steps told me to
| search for key
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and on the right side panel to delete the
| value "Microsoft Eventlog"-"%Windir%\Winupdate.exe"
| ........I got to this step but when I went into
| start/run/type regedit I found the HKEY_LOCAL_MACHINE
| folder on left side and on the right side the only thing
| it said was Default REG_SZ value not set. I didn't do
| anything or find anything just
| 6. Exited registry, rebooted computer, and then enabled
| system restore.
| 7. Ran HijackThis and analyzed the log and there were no red
| items found and couldn't find anything with Trojan in it.
| I also wanted to run full scan again in safe mode and
| check regedit again, but I couldn't get my computer to go
| into safe mode. Mine says to hit F1 but when I did there
| was no selection for safe mode.
| Questions:
| a. From what I have said above, can someone tell me if I
| no longer have this bloodhound.exploit.6 virus? And how
| can I tell if it is gone or not? And if it is gone how
| did I get rid of it when I didn't delete anything?
| b. What does it mean when it said in regedit Default
| REG_SZ no value set
| c. How can I get my computer to go into safe mode? When I
| boot up it says to go to the BIOS click F1 but doesn't
| list safe mode.
| d. Do I need to run full scan again in safe mode (once
| found) and go to regedit again in safe mode?
| Didn't mean this to be so long, but have never tried to
| get rid of a virus before and just wanted someone to let
| me know if steps I took were correct and if there is
| something else I need to do. I just want to know if it is
| gone and what I can do to make sure it doesn't come
| back. Any advice or help with this would be greatly
| appreciated.
|
|

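The registry check that the quoted Symantec removal steps describe, as an added example that is not part of the original thread or of any vendor's tooling. The original poster opened Regedit at the HKEY_LOCAL_MACHINE root, saw only the unset (Default) value, and stopped; the autostart entries live as named values under the ...\CurrentVersion\Run subkey. This script lists those named values across the usual Run/RunOnce keys, expands %Windir%-style variables, checks whether each referenced file exists and is Authenticode-signed, and flags the indicator quoted above (value name "Microsoft Eventlog", binary Winupdate.exe). The indicator name and path are taken from the quoted write-up and treated as an assumption; the script is read-only and deletes nothing, in keeping with the reply's advice not to edit the registry by hand.

```powershell
# Added example, not from the original thread. Read-only: lists autostart
# entries and flags a known indicator; it never modifies the registry.
# Run from an elevated PowerShell prompt.

# Indicator quoted in the removal steps above. Assumption: a real infection
# may use a different value name or file name.
$SuspectValueName = 'Microsoft Eventlog'
$SuspectBinary    = 'winupdate.exe'

# Autostart keys to inspect. Wow6432Node exists only on 64-bit Windows;
# Test-Path skips any key that is absent on this machine.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Get-ItemProperty adds these properties about the key itself; they are not
# autostart entries and must be filtered out.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    param([string]$Command)
    # Run data is a command line: expand environment variables such as
    # %Windir%, then strip quoting and arguments to get the file path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first ".exe", else the first token.
    $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    # The (Default) value is "not set" on almost every key, including the
    # HKEY_LOCAL_MACHINE root; that is normal. The entries of interest are
    # the named values under this Run/RunOnce subkey.
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $exe = Get-ExecutablePath -Command ([string]$p.Value)
        $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and
                  (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        $suspect = ($p.Name -eq $SuspectValueName) -or
                   ([IO.Path]::GetFileName($exe) -ieq $SuspectBinary)
        [pscustomobject]@{
            Key       = $key
            ValueName = $p.Name
            Command   = $p.Value
            Resolved  = $exe
            Signature = $sig
            Suspect   = $suspect
        }
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize

if ($findings | Where-Object { $_.Suspect }) {
    Write-Warning "Indicator found. Export the key (reg export) and confirm with a second scanner before removing anything."
} else {
    Write-Host "No '$SuspectValueName' / $SuspectBinary autostart entry found."
}
```

An entry whose file is missing, unsigned, or lives outside %Windir%\System32 or Program Files deserves a closer look even when it does not match the quoted indicator; the Signature column gives that hint without changing anything. A clean listing here does not by itself prove the machine is clean, which is why the reply above still recommends a second, independent scanner.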