
Solved Persistent Bloodhound.PDF.28 infections

Discussion in 'Malware and Virus Removal Archive' started by unsmiley, 2011/06/19.

  1. 2011/06/20
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: RR
    ->Temp folder emptied: 144896 bytes
    ->Temporary Internet Files folder emptied: 16791273 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 6185643 bytes
    ->Flash cache emptied: 656 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 66472 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 22.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Guest

    User: Public

    User: RR
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.24.1 log created on 06202011_205555

    Files\Folders moved on Reboot...
    C:\Users\RR\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\RR\AppData\Local\Temp\~DF07C4F7AD4692663C.TMP not found!
    File\Folder C:\Users\RR\AppData\Local\Temp\~DF1C764073176B2D2B.TMP not found!
    File\Folder C:\Users\RR\AppData\Local\Temp\~DF4B34F3755EF42D79.TMP not found!
    File\Folder C:\Users\RR\AppData\Local\Temp\~DFD92BE73D70E3659C.TMP not found!
    File\Folder C:\Users\RR\AppData\Local\Temp\~DFEE15C87C203BE971.TMP not found!
    File\Folder C:\Users\RR\AppData\Local\Temp\~DFFE7C3B9C945E810A.TMP not found!
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5ZT523B\ads[5].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5ZT523B\like[1].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5ZT523B\L[1].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF03DHWZ\99393-active-persistent-bloodhound-pdf-28-infections-2[1].html moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF03DHWZ\drts[1].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF03DHWZ\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\ads[3].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\audmeasure[1].gif moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\audmeasure[2].gif moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\download_foxit[2].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8EXFLK0\sh44[1].html moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9CN342S\;ord=1229916983[1].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9CN342S\iframescript[1].htm moved successfully.
    C:\Users\RR\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File\Folder C:\windows\temp\hsperfdata_RR-PC$\2236 not found!

    Registry entries deleted on Reboot...
     
  2. 2011/06/20
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    Was able to delete Adobe Reader. But even after opting out of most of the other garbage choices, installation of Foxit Reader requires their toolbar. I don't see any way out of it - and I don't want it. So I think I will just go with updated Adobe Reader.

    Should I remove Java Ra files? Security Check? These icons are still on my desktop.

    I'm getting a message in Firefox: "1 new add on installed. Java console 6.0.26
    Java console 6.0.22 - and next to the second one there are choices to disable and to (I think) uninstall. Should I do either?
     


  4. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    There is a trick to install FoxIt without that toolbar (I hate those people)...

    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

    [​IMG]

    make sure you have both boxes UN-checked AND (important!) click on the Decline button

    Yes.

    You need it. Leave it alone.

    Anything else?
     
  5. 2011/06/20
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    The Foxit reader installation wizard box appears to have changed since your version. There is no choice on the bottom to decline; you can uncheck those two boxes, but it says beneath them if you click NEXT you are agreeing to install that toolbar.
     
  6. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm at a loss then :)
    Another option would be to simply uninstall Ask Toolbar after FoxIt installation.
     
  8. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  9. 2011/06/20
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    FYI: The only one of the choices listed in your useful link that works is the Softpedia one; then one must choose the Softpedia mirror. Downloading from the Foxit site doesn't impose the toolbar, but forces you to change your default search provider to Ask.com (yes, I know it is easy to change it back, but...). BTW, the installation wizard asks if you want to install the PDF viewer (of course) and windows shells (or something like that). I checked only the PDF viewer. Is that correct?
     
  10. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It depends. The second option will add an option to the right-click menu.

    Anything else?
     
  11. 2011/06/20
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    Nope. I think that's it. Everything looks good, and the computer is also faster. I really appreciate your help. Thank you very much.
     
  12. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Way to go!! [​IMG]
    Good luck and stay safe :)
     
  13. 2011/06/22
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    I thought everything was OK, but upon going online today, Norton is again picking up numerous Bloodhound.PDF.28 infected files, analyzing them, then quarantining them.
     
  14. 2011/06/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'd need more info, including "infected" file names and locations.
     
  15. 2011/06/22
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    How can I copy the list of files from Symantec Endpoint Protection and paste them here? Highlighting them and copying and pasting doesn't work. A typical file name is:

    DWHT18.temp Bloodhound.PDF.28

    They are all "DWHT.....tmp" files.

    Location of all of these files:
    C:\Users\RR\AppData\Local\Temp\
     
    Last edited: 2011/06/22
  16. 2011/06/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try to type a couple of them manually.
    What's the location of those files?
     
  17. 2011/06/22
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    Original location of all of these files (before being quarantined by Symantec):
    C:\Users\RR\AppData\Local\Temp\

    Names of these files all start with DWH, followed by some numbers and/or letters, then .tmp;

    example name of one of the dozens of these files is: DWHA99.tmp
     
  18. 2011/06/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  19. 2011/06/22
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    Is this something to worry about?

    From reading some of the posts you suggested, it appears that Symantec scans the files in quarantine each time, which multiplies the number of "infected" files. So I deleted the quarantined files, even though I know that won't solve the problem.

    Anything else you can suggest?
     
  20. 2011/06/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not sure what to tell you short of switching to some other product.
    It looks like some Norton glitch.
    Your computer is definitely clean.
     
  21. 2011/06/22
    unsmiley

    unsmiley Inactive Thread Starter

    Joined:
    2011/06/19
    Messages:
    23
    Likes Received:
    0
    What about this:

    http://www.symantec.com/connect/downloads/squash-symtmps-mikes-tool-set

    According to the author, "This utility is really for MR4, RU5 or RU6 or machines that have been UPGRADED to RU6 MP1...if you have a fresh install of RU6 MP1 or later...then the problem should have already been resolved and this utility will do you no good. In fact, directories may have changed in later versions of SEP and you may actually break something. "

    I have a fresh installation of Symantec Endpoint Protection 11.0.6005.562. Would that be one of the versions not suitable for this tool?
     
