Bloodhound.Packed virus

[Bunny]

I recently ran Norton Antivirus for viruses. It finished and told me I had 3 files infected with the Bloodhound.Packed virus.

The files are:
fservice.exe
sservice.exe
winlogon.exe

I quarintined them but it couldn't repair them, so it says to delete them. I found fservice.exe and winlogon.exe in the system registry but i was unable to find sservice.exe.

How can I fix this?

When I turn my computer on (windows xp home) and it says windows is starting up, it stays on that screen for about 2 minutes instead of only a couple of seconds. That must be a side effect from the virus.

Please tell me how to fix it and whether or not I should delete those files.
Thanks

 

[EvileYe]

Hi Bunny,

It would probably be wise to do an online scan at this address http://www.pandasoftware.com/activescan/

Switch off your Nortons Anti Virus while running the Panda scan, then post back with the results and any further queries or problems you may be having.

 

[Bunny]

Well, I ran the online virus scan, and it found some trojans but nothing about the Blooudhound.Packed virus. I'm fairly sure I still have it so how should I get it rid of it - just delete the files? Or will it harm my computer if the above files are deleted?

Here's the report:


Incident Status Location

Virus:Trj/Downloader.L Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temp\Belt.exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\C94VWFON\opnste[1].exe

Virus:Trj/Downloader.FK Disinfected C:\Documents and
Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\DO0ZHLCH\stc[1].htm

Virus:Trj/Rameh.A No disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\EVUNMPUZ\mamc0m[1].cab[mamc0m.dll]

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\HH8NGSA0\opnste[1].exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\M9TY1MQO\opnste[1].exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\opnste[1].exe

Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\stc[1].htm

Virus:Trj/Rameh.A Disinfected C:\WINDOWS\system32\benceed.dll

The *** are used to blank out the name of a folder

Thanks

 

[SacsTC]

Symantec antivirus products exclusively use the virus name Bloodhound.Packed when a potentially unknown virus is found using Symantec Bloodhound technology. Bloodhound technology consists of heuristic algorithms used to detect unknown viruses. The actual file detected under Bloodhound.Packed is likely to be infected with a new, packed, 32-bit Windows virus.

Bloodhound.Packed is detected only in Portable Executable (PE) files. Bloodhound.Packed can detect any threat within a packed file.

It may have been the files you have listed above.
Clear the Temporary Internet Files folder

 

[FinestRanger]

Please go to the link below and downloadHiJackThis by Merijn Bellekom:

***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

http://www.majorgeeks.com/download3155.html


Alternate download links:

http://www.spychecker.com/program/hijackthis.html

HiJackThis download link


Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.

 

[Bunny]

Here you go, also, the only side effect I can see from this virus is when i start up the computer ans it loads Windows XP, it stays on the screen that says "windows is starting up" for about 2 minutes or so instead of a very short period of time.

Logfile of HijackThis v1.98.2
Scan saved at 7:05:17 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\3DNA\Resources\3dnasys.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3DNA\Resources\multicap3dna.exe
C:\Program Files\3DNA\3DNA_Desktop\3DNA_Desktop.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mozill~1\firefox.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\svhost.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3DNADesktop] "C:\Program Files\3DNA\Resources\3dnasys.exe" -open
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

 

[Bunny]

Bump

Well I posted the results, can someone help me out with this?

 

[Bunny]

<Bump>

Sorry to keep bumping it to the top, but I've been waiting a while, can I get some help about what I should do with this virus?

Thanks

 

[bobol]

its ok with bumping up the thread
someone'll decipher the hjt log sooner than later.. just wait a li'l bit.

To delete that file/s in question,
try these instructions at symantec;
http://service1.symantec.com/SUPPOR...85256edd00465053?OpenDocument&src=bar_sch_nam

 

[Bunny]

Thanks, I deleted the Temporary Internet Files and I have all of the files from the temp folder sitting in the recycling bin. Should I permanently delete these?

 

[bobol]

yes....normally you're good to go, - no other proggies SHOULD have use for these files. You can leave them in for a day-see if nothing quirky happening upon next restart, just to overly err on the side of caution, but its ok to go ahead and delete if all things are normal.

Also stick around to get a reading of your hjt log.

Also run the tools below;adaware, spybot and spyware blaster[free at links below].
I've noticed Norton's FIND something while adaware scans, on a few occasions.

 

[Bunny]

Also stick around to get a reading of your hjt log.

Alright, sure thing, I'll let you know what happens with deleting that stuff.

Thanks

 

[bobol]

oops sorry ---read last post again[#11]... i just edited the end of it. Please tell us what the spytools find too.

 

[Bunny]

I already have ad aware and spybot but none of that fixed my problem. Also, deleting the temp folder files didn't work either. It still hangs on the "windows is starting up screen" for about 3 minutes - the same length of time everytime.

While my problem about this virus may seem small, it is really annoying too.
I'm just wondering if it is safe to delete winlogon.exe, fservice.exe, and sservice.exe.

 

[bobol]

wait for a deciphering of your hjt log before deleting anything first........ in the meantime, Have you tried Spyware Blaster- its fairly formidable. as is cw shredder http://www.majorgeeks.com/download4086.html