
Bloodhound.Packed virus

Discussion in 'Virus & Other Malware Removal' started by Bunny, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    I recently ran Norton Antivirus for viruses. It finished and told me I had 3 files infected with the Bloodhound.Packed virus.

    The files are:
    fservice.exe
    sservice.exe
    winlogon.exe

    I quarantined them but it couldn't repair them, so it says to delete them. I found fservice.exe and winlogon.exe in the system registry but I was unable to find sservice.exe.

    How can I fix this?

    When I turn my computer on (Windows XP Home) and it says Windows is starting up, it stays on that screen for about 2 minutes instead of only a couple of seconds. That must be a side effect from the virus.

    Please tell me how to fix it and whether or not I should delete those files.
    Thanks
     
  2. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Hi Bunny,

    It would probably be wise to do an online scan at this address http://www.pandasoftware.com/activescan/

    Switch off your Norton AntiVirus while running the Panda scan, then post back with the results and any further queries or problems you may be having.
     
  3. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    Well, I ran the online virus scan, and it found some trojans but nothing about the Bloodhound.Packed virus. I'm fairly sure I still have it, so how should I get rid of it - just delete the files? Or will it harm my computer if the above files are deleted?

    Here's the report:


    Incident Status Location

    Virus:Trj/Downloader.L Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temp\Belt.exe

    Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\C94VWFON\opnste[1].exe

    Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\DO0ZHLCH\stc[1].htm

    Virus:Trj/Rameh.A No disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\EVUNMPUZ\mamc0m[1].cab[mamc0m.dll]

    Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\HH8NGSA0\opnste[1].exe

    Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\M9TY1MQO\opnste[1].exe

    Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\opnste[1].exe

    Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\stc[1].htm

    Virus:Trj/Rameh.A Disinfected C:\WINDOWS\system32\benceed.dll

    The *** are used to blank out the name of a folder

    Thanks
     
  4. SacsTC

    SacsTC

    Joined:
    Dec 30, 2003
    Messages:
    1,647
    Symantec antivirus products exclusively use the virus name Bloodhound.Packed when a potentially unknown virus is found using Symantec Bloodhound technology. Bloodhound technology consists of heuristic algorithms used to detect unknown viruses. The actual file detected under Bloodhound.Packed is likely to be infected with a new, packed, 32-bit Windows virus.

    Bloodhound.Packed is detected only in Portable Executable (PE) files. Bloodhound.Packed can detect any threat within a packed file.

    It may have been the files you have listed above.
    Clear the Temporary Internet Files folder
     
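    An added illustration, not part of the thread: SacsTC's point is that Bloodhound.Packed is a heuristic verdict on a packed PE file, not a signature match for one named virus, so the detected file has to be judged on its own merits. The script below is example code written for this page (it is not Symantec's Bloodhound logic) and shows one classic packing indicator a defender can compute offline: per-section byte entropy read from the PE section table. It builds its own minimal synthetic PE image, so the section names, payloads and the 7.0-bit cutoff are all assumptions.

```python
import math
import struct
from collections import Counter

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PACKED_ENTROPY_THRESHOLD = 7.0  # assumed cutoff in bits/byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(image: bytes):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table.

    Returns a list of (name, size_of_raw_data, pointer_to_raw_data); raises
    ValueError for anything that is not laid out like a PE image.
    """
    if len(image) < 0x40 or image[:2] != MZ_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, raw_size, raw_ptr))
    return sections


def packed_score(image: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD):
    """Entropy of each section's raw data; returns (max_entropy, names above threshold)."""
    max_entropy, flagged = 0.0, []
    for name, raw_size, raw_ptr in parse_pe_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        max_entropy = max(max_entropy, ent)
        if ent >= threshold:
            flagged.append(name)
    return max_entropy, flagged


def build_test_pe(sections):
    """Construct a minimal synthetic PE image (constructed test data, not a real binary).

    There is no optional header, so a loader would reject it; the header layout is
    enough for parse_pe_sections(). `sections` is a list of (name, payload bytes).
    """
    e_lfanew = 64
    dos = MZ_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_len = e_lfanew + 4 + 20 + 40 * len(sections)
    table, data = b"", b""
    for name, payload in sections:
        raw_ptr = headers_len + len(data)
        table += name.ljust(8, "\0").encode("ascii")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2x reloc/line
        # pointers, 2x counts, Characteristics (code | execute | read)
        table += struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        data += payload
    return dos + PE_SIGNATURE + coff + table + data


# Constructed sample payloads: repetitive text (low entropy) and a byte stream in
# which every value occurs equally often (entropy exactly 8.0, like compressed data).
LOW_ENTROPY_TEXT = b"Hello, Bloodhound! " * 50
HIGH_ENTROPY_BLOB = bytes((i * 131 + 7) % 256 for i in range(4096))

if __name__ == "__main__":
    image = build_test_pe([(".text", LOW_ENTROPY_TEXT), ("UPX1", HIGH_ENTROPY_BLOB)])
    for name, size, ptr in parse_pe_sections(image):
        print(f"{name:8s} {size:6d} bytes  entropy={shannon_entropy(image[ptr:ptr + size]):.2f}")
    print("sections above threshold:", packed_score(image)[1])
```

    High entropy only says that a section looks compressed or encrypted; installers, self-extracting archives and binaries with embedded compressed resources trip the same check, which is exactly why a heuristic name like Bloodhound.Packed is a prompt to investigate rather than a verdict.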
  5. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Please go to the link below and download HiJackThis by Merijn Bellekom:

    ***NOTE*** Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

    http://www.majorgeeks.com/download3155.html


    Alternate download links:

    http://www.spychecker.com/program/hijackthis.html

    HiJackThis download link


    Under "Official Downloads" HiJackThis. It's the 2nd one down.

    Download and unzip to a permanent folder of your own creation.

    Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

    Save it to your permanent HiJackThis folder (or floppy disk if necessary).

    The log will open in Notepad. Click "Edit" then "Select All".

    Copy and paste the log back to this thread.
     
  6. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    Here you go. Also, the only side effect I can see from this virus is that when I start up the computer and it loads Windows XP, it stays on the screen that says "Windows is starting up" for about 2 minutes or so instead of a very short period of time.

    Logfile of HijackThis v1.98.2
    Scan saved at 7:05:17 AM, on 9/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\3DNA\Resources\3dnasys.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\3DNA\Resources\multicap3dna.exe
    C:\Program Files\3DNA\3DNA_Desktop\3DNA_Desktop.exe
    C:\WINDOWS\System32\wuauclt.exe
    c:\progra~1\mozill~1\firefox.exe
    C:\Hijack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\svhost.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [3DNADesktop] "C:\Program Files\3DNA\Resources\3dnasys.exe" -open
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
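    An added example, not posted by anyone in the thread: FinestRanger's warning is that most of a HijackThis log is legitimate, so the useful skill is picking out the few lines that deserve a human look. The script below is example code written for this page (not part of HijackThis or any log-analysis service) and runs three common triage heuristics over a handful of lines copied from the log above: an entry whose file is gone ("(no file)"), an ActiveX download (O16) served from a raw IP address, and an executable whose name is one character away from a well-known Windows binary. The allow-list of system binary names and the edit-distance rule are assumptions; every hit is a prompt to review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Sample input: six lines taken verbatim from the HijackThis v1.98.2 log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\svhost.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Assumed allow-list of genuine Windows binary names (lower-case, no path).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "winlogon.exe", "services.exe", "lsass.exe", "smss.exe",
    "csrss.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}

LINE_RE = re.compile(r"^(O\d+|R\d)\s*-\s*(.*)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_target(kind: str, rest: str) -> str:
    """Pull the file path or URL out of one log entry.

    O4 lines look like 'HKLM\\..\\Run: [Name] "C:\\path\\file.exe" -args'; other
    kinds (O2, O3, O16, ...) carry the path or URL as the last ' - ' field.
    """
    if kind == "O4":
        m = re.search(r"\]\s*(\"[^\"]+\"|\S+)", rest)
        return m.group(1).strip('"') if m else rest.strip()
    return rest.rsplit(" - ", 1)[-1].strip()


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text: str):
    """Return a list of (kind, target, reason) for entries that merit manual review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        target = extract_target(kind, rest)
        if target == "(no file)":
            findings.append((kind, target, "orphaned entry: the registered file no longer exists"))
            continue
        if kind == "O16":
            host = urlparse(target).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append((kind, target, "ActiveX control downloaded from a raw IP address"))
            continue
        name = basename(target)
        if name in KNOWN_SYSTEM_BINARIES:
            continue
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if levenshtein(name, known) == 1:
                findings.append((kind, target, f"name differs from {known} by one character"))
                break
    return findings


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f"{kind:4s} {reason}\n     {target}")
```

    The script deliberately stays silent on everything it cannot reason about, so the Norton BHO and the ccApp.exe Run entry pass through untouched, and the Panda ActiveScan control is accepted because its host is a domain name. Extending the allow-list or the rules is straightforward, but the output should feed a reviewer, not an automatic "fix".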
  7. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    Bump

    Well I posted the results, can someone help me out with this?
     
  8. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    <Bump>

    Sorry to keep bumping it to the top, but I've been waiting a while, can I get some help about what I should do with this virus?

    Thanks
     
  9. bobol

    bobol

    Joined:
    Jan 28, 2004
    Messages:
    2,187
  10. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    Thanks, I deleted the Temporary Internet Files and I have all of the files from the temp folder sitting in the recycling bin. Should I permanently delete these?
     
  11. bobol

    bobol

    Joined:
    Jan 28, 2004
    Messages:
    2,187
    Yes. Normally you're good to go; no other proggies SHOULD have use for these files. You can leave them in for a day and see if nothing quirky happens upon the next restart, just to overly err on the side of caution, but it's OK to go ahead and delete them if all things are normal.

    Also stick around to get a reading of your hjt log.

    Also run the tools below: Ad-Aware, Spybot and SpywareBlaster [free at links below].
    I've noticed Norton FIND something while Ad-Aware scans, on a few occasions.
     
  12. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    Alright, sure thing, I'll let you know what happens with deleting that stuff.

    Thanks
     
  13. bobol

    bobol

    Joined:
    Jan 28, 2004
    Messages:
    2,187
    Oops, sorry. Read my last post again [#11]; I just edited the end of it. Please tell us what the spy tools find too. :)
     
  14. Bunny

    Bunny Thread Starter

    Joined:
    Jul 26, 2004
    Messages:
    101
    I already have Ad-Aware and Spybot but none of that fixed my problem. Also, deleting the temp folder files didn't work either. It still hangs on the "Windows is starting up" screen for about 3 minutes - the same length of time every time.

    While my problem about this virus may seem small, it is really annoying too.
    I'm just wondering if it is safe to delete winlogon.exe, fservice.exe, and sservice.exe.
     
  15. bobol

    bobol

    Joined:
    Jan 28, 2004
    Messages:
    2,187
    Wait for a deciphering of your HJT log before deleting anything. In the meantime, have you tried SpywareBlaster? It's fairly formidable, as is CWShredder: http://www.majorgeeks.com/download4086.html
     
Short URL to this thread: https://techguy.org/271142