Video Screencast Help

Infected with Bloodhound.Exploit.196

Created: 19 Jul 2009 • Updated: 21 May 2010 | 11 comments

Hi, I previously tried getting help on this topic, but I was told that it was likely harmless. Now my computer has constant reminders that I am low on disk space, and am actually at 0 MB of free space now. I'm not sure if this virus is copying itself over and over and taking up space on my hard drive, but that's what I'm guessing. I have an 87 GB hard drive and I know for sure I do not have that much information on it. I went ahead and cleaned up the folder where the files seem to be storing themselves to regain space.  The files are being found in the C:\Users\David\AppData\Local\Temp\ folder and then being quaratined.  Please advise if possible.

Thanks!

Comments 11 CommentsJump to latest comment

Grant_Hall's picture

Lets start off by getting a little info on your system. What OS are you running and more importantly what version of SEP are you running? Also it might be helpful if you could post the link to your previous post or your case number from when you experienced this issue previously. This is most likely a virus on your machine, and the first thing you should do is to start the machine up in safe mode (system restore off) and run a full scan. See if you can take care of the problem that way. For our full 5 step virus removal procedure please try the link below:

http://service1.symantec.com/SUPPORT/ent-security....

Cheers
Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Paul Mapacpac's picture

It looks like it has been installed accidentally or you have visited an infected website, can you post yor ie history?

david_wang@unc.edu's picture

Grant - I was using the forum on bleepingcomputer.com, here's the link to my postings: http://www.bleepingcomputer.com/forums/topic233626...

I have tried scanning running in safe mode, and that was not sufficient unfortunately. 
I am running Windows Vista and Symantec Antivirus version 10.2.0.322

I have tried following your instructions on this website, but that was not enough either.

Thanks.

Grant_Hall's picture

Ok that was just the first step. Since a full scan in safe mode system restore off did not take care of the virus, chances are that it is a new enough variation of this particular virus that Symantec does not have the means to take care of it yet. This is not an issue, and if you follow the steps below I am confident that we can get this worked out of your system. Overall this is going to involve you submitting your particular strain of the virus to symantec. Symantec will then add it to the next definition update. Then you will download the rapid release definitions for SAV and apply them. SAV should then detect and eradicate the virus (full scan in safe mode again). So here are the links to do what I just described.

1. Submit the virus to symantec:
http://service1.symantec.com/SUPPORT/ent-security....

2. Download and apply the latest rapid release:
http://service1.symantec.com/SUPPORT/ent-security....

Part 2 is technically a guide on what to do when you suspect your computer has a virus and SAV is not detecting it, so you might want to read it through. I was posting it though because of its section on applying rapid release definitions.

I also strongly suggest you take Paul's advice posted above and try to find out exactly how you obtained the virus in the first place. Might help to avoid further viruses in the future.

Cheers,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Paul Mapacpac's picture

Can you paste the exact alert from SAV or post Risk Log.

Nel Ramos's picture

Bloodhound.Exploit.196 is a heuristic detection for files attempting to exploit one of the following vulnerabilities:

Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.

Nel Ramos

david_wang@unc.edu's picture

I've submitted files in the past but have gotten no response from Symantec nor have any subsequent updates solved my problem.  I just submitted again but I'm guessing nothing will happen.

I'm not sure where I picked up this virus from, but it was several months ago and I've since deleted my browsing history mutliple times to free up space on my hard drive as I ran low. 

If files are being quarantined that means it's being detected correct?

Grant_Hall's picture

I am sorry you wern't able to get your problems solved in the past. If you could give me your case number I can make sure to follow up so you get an answer to your problem. You can post or PM me the info.

And yes if it is being quarantined it means it is being detected.

Cheers
Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

ben_cSEPticons_secured's picture

If you've already do the fullscan, I suggest to double check the size of your folders on "program files" from there you can verify where was that huge file came from and what it is...

Beppe's picture

Hi,

it seems there is a bit of confusion around this Bloodhound.Exploit.196. As Nel wrote, the Bloodhound.Exploit.196 is a heuristic detection, it means that SEP was able to detect a strange behavior of these files but they are not detected by the Antivirus engine! It means that Symantec does not know this virus and, of course, SEP cannot clean it because no body explained it how to do it. The suspicious files are quarantined in order to be in the safe-side.
Any file detected as Bloodhound.Exploit.196 has to be submitted to Symantec for the analysis and the writing of the proper definitions.
In case of troubles the Support should be called.

http://www.symantec.com/security_response/writeup....

Regards,

Regards,

Giuseppe