Bloodhound.Packed virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
I recently ran Norton Antivirus for viruses. It finished and told me I had 3 files infected with the Bloodhound.Packed virus.

The files are:
fservice.exe
sservice.exe
winlogon.exe

I quarantined them but it couldn't repair them, so it says to delete them. I found fservice.exe and winlogon.exe in the system registry but I was unable to find sservice.exe.

How can I fix this?

When I turn my computer on (windows xp home) and it says windows is starting up, it stays on that screen for about 2 minutes instead of only a couple of seconds. That must be a side effect from the virus.

Please tell me how to fix it and whether or not I should delete those files.
Thanks
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
Well, I ran the online virus scan, and it found some trojans but nothing about the Bloodhound.Packed virus. I'm fairly sure I still have it, so how should I get rid of it - just delete the files? Or will it harm my computer if the above files are deleted?

Here's the report:


Incident Status Location

Virus:Trj/Downloader.L Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temp\Belt.exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\C94VWFON\opnste[1].exe

Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\DO0ZHLCH\stc[1].htm

Virus:Trj/Rameh.A No disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\EVUNMPUZ\mamc0m[1].cab[mamc0m.dll]

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\HH8NGSA0\opnste[1].exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\M9TY1MQO\opnste[1].exe

Virus:Trojan Horse Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\opnste[1].exe

Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\******* * *****\Local Settings\Temporary Internet Files\Content.IE5\NJPJBTKS\stc[1].htm

Virus:Trj/Rameh.A Disinfected C:\WINDOWS\system32\benceed.dll

The *** are used to blank out the name of a folder

Thanks
 
Joined
Dec 30, 2003
Messages
1,647
Symantec antivirus products exclusively use the virus name Bloodhound.Packed when a potentially unknown virus is found using Symantec Bloodhound technology. Bloodhound technology consists of heuristic algorithms used to detect unknown viruses. The actual file detected under Bloodhound.Packed is likely to be infected with a new, packed, 32-bit Windows virus.

Bloodhound.Packed is detected only in Portable Executable (PE) files. Bloodhound.Packed can detect any threat within a packed file.

It may have been the files you have listed above.
Clear the Temporary Internet Files folder.
 
Joined
Oct 13, 2003
Messages
2,367
Please go to the link below and download HiJackThis by Merijn Bellekom:

***NOTE*** Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

http://www.majorgeeks.com/download3155.html


Alternate download links:

http://www.spychecker.com/program/hijackthis.html

HiJackThis download link


Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
Here you go. Also, the only side effect I can see from this virus is when I start up the computer and it loads Windows XP, it stays on the screen that says "windows is starting up" for about 2 minutes or so instead of a very short period of time.

Logfile of HijackThis v1.98.2
Scan saved at 7:05:17 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\3DNA\Resources\3dnasys.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3DNA\Resources\multicap3dna.exe
C:\Program Files\3DNA\3DNA_Desktop\3DNA_Desktop.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mozill~1\firefox.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\svhost.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3DNADesktop] "C:\Program Files\3DNA\Resources\3dnasys.exe" -open
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
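An added example, not code from this thread or from HijackThis: a small Python reader for the O4 autostart lines in the log format above, with the kind of first-pass review heuristics a log analyzer applies before telling anyone what to fix (lookalike names for core Windows binaries, core names outside system32, programs starting from temporary folders). The sample lines, the `Logon` and `Belt` entries and the `CORE_NAMES` list are constructed assumptions; a flag only says "look here first", not "this is malicious".

```python
import re
# Core Windows binary names malware commonly imitates (cf. the winlogon.exe suspect above).
CORE_NAMES = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe", "smss.exe"}
# One HijackThis O4 registry line: "O4 - <where>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Constructed sample lines modelled on the log format posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\svhost.exe
O4 - HKLM\..\Run: [Logon] C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe
O4 - HKLM\..\RunOnce: [Belt] "C:\Documents and Settings\user\Local Settings\Temp\Belt.exe"
"""

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_path(cmd):
    """Executable path from an O4 command line: quoted, or bare up to the first .exe."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]

def parse_o4(log_text):
    """One dict per O4 entry: autostart location, value name, image path, file name."""
    entries = []
    for m in filter(None, map(O4_RE.match, log_text.splitlines())):
        path = image_path(m.group("cmd"))
        entries.append({"where": m.group("where"), "name": m.group("name"), "path": path,
                        "file": path.rsplit("\\", 1)[-1].lower()})
    return entries

def review_flags(entries):
    """(entry, reason) pairs a log reader should look at first; a flag is not a verdict."""
    flags = []
    for e in entries:
        f, low = e["file"], e["path"].lower()
        if f not in CORE_NAMES and any(edit_distance(f, c) == 1 for c in CORE_NAMES):
            flags.append((e, "name one character off a core Windows binary"))
        elif f in CORE_NAMES and "\\system32\\" not in low:
            flags.append((e, "core Windows name outside system32"))
        elif re.search(r"\\(temp|temporary internet files)\\", low):
            flags.append((e, "starts from a temporary folder"))
    return flags
```

Running `review_flags(parse_o4(SAMPLE_LOG))` on the constructed lines flags `GLSetIT32`, `Logon` and `Belt` and leaves the Symantec `ccApp` entry alone.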
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
Bump

Well I posted the results, can someone help me out with this?
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
<Bump>

Sorry to keep bumping it to the top, but I've been waiting a while, can I get some help about what I should do with this virus?

Thanks
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
Thanks, I deleted the Temporary Internet Files and I have all of the files from the temp folder sitting in the recycling bin. Should I permanently delete these?
 
Joined
Jan 28, 2004
Messages
2,187
Yes.... normally you're good to go - no other proggies SHOULD have use for these files. You can leave them in for a day - see if nothing quirky is happening upon next restart, just to overly err on the side of caution, but it's ok to go ahead and delete if all things are normal.

Also stick around to get a reading of your hjt log.

Also run the tools below: adaware, spybot and spyware blaster [free at links below].
I've noticed Norton's FIND something while adaware scans, on a few occasions.
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
bobol said:
Also stick around to get a reading of your hjt log.
Alright, sure thing, I'll let you know what happens with deleting that stuff.

Thanks
 
Joined
Jan 28, 2004
Messages
2,187
Oops, sorry --- read last post again [#11]... I just edited the end of it. Please tell us what the spytools find too. :)
 

Bunny

Thread Starter
Joined
Jul 26, 2004
Messages
101
I already have Ad-Aware and Spybot but none of that fixed my problem. Also, deleting the temp folder files didn't work either. It still hangs on the "windows is starting up" screen for about 3 minutes - the same length of time every time.

While my problem about this virus may seem small, it is really annoying too.
I'm just wondering if it is safe to delete winlogon.exe, fservice.exe, and sservice.exe.
 