Dear group,
Got 'bit' real hard with :downloader32\Bloodhound.Packed\Trojan Agent J...depending on the anti-virus program I'm running..which really hurt my system..took days to get it sorted...I'm back on-line now but every time I restart the problem is back and installing itself into my HKLM..\Run & RunServices folder in the registry.
I traced it back to a file in Documents and Settings that was running a taskmger.exe and a winsrv.exe app/file and deleted it..seemed to work.

Then I tried reinstalling XP just to start again clean..BUT..I now get an error message that says Windows is protecting itself..asks me if I want to load a SCSI or RAID something or other and tells me to check for bad hardware or viruses..also that F parameter is missing..

I hit restart and then it lets me choose between setup and XP home [my old XP]...
In all honesty I can live with my old XP so..can anyone tell me how to undo the second setup or remove it from the startup/boot protocol so it doesn't constantly pop-up when I start the computer? That's first.

And second..IMPORTANT...can anyone tell me what virus I may have gotten so I can kill it once and for all?
Every AV/NAV/Sygate/TrojanZapper and Trend-Micro fix I've tried tells me I'm clean and yet the problem keeps coming back.
Oh yes..I also had to get rid of CThelper.exe which seems to have its own taskmgr.....that came with my Dell [Audigy] sound card from Creative tech..
Thank you so much for the advice.
Sincerely
-Zohar :cry:

I've been following this for a while, and it occurs to me you could very well have a yet 'unfound' bug. Meaning that perhaps it is a bug the AV companies haven't found yet. Especially if none of them are finding it on your system.

I don't know what Antivirus you are running, but you really should go to their support site and get help. For good reason: You may actually help them figure out a new virus, in turn helping ALL of us be protected.

Consider doing the same at one (or more) of the Spyware/Adware software sites, like:

http://www.lavasoftusa.com/

Just a thought. You've definitely been bitten hard, and it's really surprising that with all the great experts here you've not found the bugger and killed it. All the more reason to think perhaps you've got something in there few have seen, you know?

Good luck, Zohar, I feel your pain.

(p.s. I like your name, as Zohar, among other things, is a critical part of one of my favorite PS2 games, Xenosaga).

Dear Xenosaga,

I think you may be right...let me list the symptoms as they occurred and maybe it will narrow down what I can submit to the AV companies...
I am running two AV's..the main one is AVG6.0 [home]..the other is the new NAV which came with my Dell..[yes.first thing we did was update the pattern file from the Norton website via the NAV control window]
[Computer came on-line initially on 11-08..like I said, it's brand new]
And once or twice a month I usually run a scan with Trend-micro's on-line virus scan.

So anyway my step-daughter fires it up on the 20th and opens an e-mail from her boyfriend that had a Dreamweaver upgrade on it..which she also opened.
It loaded into her documents and settings folder.

About two days later she noticed her web-browser slowing down..but everything else worked very very fast and, since she isn't much of a surfer, just a [Trillian] chatter, she didn't pay attention to the browser slow-down thinking it might be a problem with our ADSL provider [we live in the country..no T1 cable]..this went on for about a week [!!!No she didn't inform me..]
Last Saturday night the browser was so slow that she shut down the computer in 'restart'..when it powered up all seemed fine. She opened her browser, got her home page and then the browser froze. Then a pop-up window appeared from AVG saying that Trojan Agent J. had been discovered in one of the files and that she should run a full scan. She closed the browser and ran AVG6.0 [deep scan]..BUT..the scan showed no virus [!?]
We ran Norton and it found Bloodhound.Packed but couldn't repair it..I looked for the file [pif] it gave in Documents and Settings\Standard and couldn't find it..like it was gone! I turned on the show hidden files and folders option, still couldn't find it.
We opened the browser again and got the message that she was not connected to the internet..to check her connection, the URL and try again.
So the first thing we did was check the modem..an Ethernet ADSL multi-PC modem..doing both internal and external checks of the modem..running a modem test from both the hard drive and the provider's CD..modem worked fine..said we were connected and that we were buzzing along at 100mps..the cable connecters were flashing green..so the problem wasn't the modem. I plugged my old clone into it and was on-line in a flash..no problem.
So the problem is local to the PC.

Now then, I went on-line and downloaded AV scanners and Trojan Zappers
from lavasoft AdAware, Sygate, the one-time fix for Agent J. located on trend-micro-europe.com..I downloaded Registry Mechanic and Reg Cleaner..Hijack This..anything I could find.
We ran the computer in safe mode and ran the AV's and the fixes..found a few bugs including something that was identified as malware by TrojanZapper and that was msbb. and with it a bunch of files and cookies to @180solutions.
Deleted them...and still no browser capability...once or twice after a scan we could get on-line..and immediately tried to run an on-line scan but the browser slowed to 2.0 kps and quit within a minute.
That's when we got onto this Forum looking for help...I went to places suggested and was running back and forth between computers to download and burn programs from the Net onto CD and into the Dell...ran them all and hit Restart again....no virus alerts..again, everything seemed fine for about one minute....

So I looked in the taskmgr [Ctrl\Alt\Del] and saw the processes running..was very curious to see three suspicious looking files: CTHelper.exe
from System..a taskmger.exe routed from Documents & Settings...and another taskmger.exe routed to HKey_LocalMachine\Software\Microsoft\Windows\CurrentVersion\RunServices
loading in and with a different file size; the TASKMGR.EXE running from System uses 4,712kb and the RunServices taskmger.exe uses 5,414kb
NOTE: the difference in spelling..taskmger.exe and not taskmgr.exe.

When I opened the RunServices folder I found two entries: default [REG_SZ] and winsvr.exe..I deleted the winsvr.exe file and opened the browser..Voila! We were back on-line...and the browser was super-quick again.
Okay..so the problem is taskmger.exe and wnsvr.exe coming from anyplace but the SYSTEM file in the real TASKMGR.EXE.

I went into every folder on C drive and hunted down taskmger.exe and wnsvr.exe..found them in Documents &Settings..deleted the bunch..Ran reCleaner and deleted the pif file...
Then went looking for CTHelper and traced it to what I believe is a contributing factor; DELL! Standard with this [built to spec] PC was an Audigy Sound Card and it appears, according to my quick scan of the web, that CTHelper.exe is an add-on to Audigy allowing 3rd parties to update and tweak your original system config so that your Sound Card will work better [they say].
The CyberCops call it malware\spyware and recommend its immediate deletion.
So we deleted that, too....

We hit Restart..and again, same problem ..no internet..I opened the CTR\Alt\Del and there were those nasty files AGAIN!..taskmger.exe was back in RunServices and also in the Documents&Settings folder [!@! !]

We downloaded Registry Mechanic, ran it and it said there were 119 corrupted files in the registry..we ran TrojanZapper [who we found to be the most effective in showing us where bad files were..finding spyware adAware didn't]
and they both said we were clean.
At that point we decided to try to do a brand new Windows XP install from the CD that came with DELL. It got about half-way through..said it had to restart the computer..and when it did an error message came up saying that for its own protection Windows couldn't continue setup because there was a problem..either new hardware was improperly configured or there was a virus in the system and we should run an AV.
Also we got a message asking us if we wanted to format a SCSI or RAID [and at that point the screen went blank and the computer refused to do anything].
So we removed the CD from the E:\ drive and tried to reboot..
When we did a black screen comes up and the display says that there is Windows XP Home and Windows XP Setup..[the Setup is highlighted] and that we have 5 seconds to choose one of these options or the computer will automatically startup in the highlighted mode.
[can anyone help us get rid of that problem..please?]

Bottom line..the only way to get on-line after a restart while this bug is alive is to open the Ctrl\Alt\Del dialogue and kill the taskmger.exe out of RunServices and any other folder but SYSTEM...

For the record Bloodhound.Packed/Downloader32.\Agent J. are the names of viruses our scanners picked up but couldn't fix..one of them was in the C:\I386 folder ..a long bracketed set of numbers starting with a 4 and ending in .pif It was the only .pif file in the folder.
But cleaning it out did not stop the problem from occurring again at restart.

I wish I had kept a more accurate log ..I guess I was hoping for a quick fix..a magic-bullet...a solution..but this has got me [and my daughter] all kinds of concerned, not to mention frustrated...and the frustration will be growing, I'm sure in my wonderful wife who has been starved for attention this week as we wrestle with this silicon idol of ours, trying to restore her to health...

If anyone has seen symptoms like this..has a suggestion I haven't considered yet..a program not mentioned yet...a virus with similar properties [Not opera.tv, not My Doom, or anything in the top ten that we can find]..an on-line expert who would know what to look for...voodoo chants we can utter...by all means send them...we're at our wits' end with this.
-Sincerely
-Zohar
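
The pattern Zohar describes above, a near-miss of taskmgr.exe launched from Documents and Settings and re-added under HKLM\...\RunServices, is the kind of thing a small triage script can surface from a process list and an export of the autorun keys. This is an added example, not code from the thread or any product it names; the list of Windows binary names, the directory lists and the sample process and registry entries are all constructed.

```python
"""Autorun and process triage for the masquerading pattern in this thread.
Added example, not code from the thread or any product named in it: flags a
name one edit away from a Windows binary (taskmger.exe vs taskmgr.exe), a
real binary name running outside the Windows directory, and Run/RunServices
commands that point into a user profile. All sample data is constructed."""

KNOWN_BINARIES = {"taskmgr.exe", "wuauclt.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
PROFILE_DIRS = (r"c:\documents and settings", r"c:\users")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one dropped, added or swapped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str):
    """Return the real binary a near-miss name imitates, or None."""
    name = name.lower()
    if name in KNOWN_BINARIES:
        return None
    hits = sorted(k for k in KNOWN_BINARIES if edit_distance(name, k) == 1)
    return hits[0] if hits else None

def normalize_path(path: str) -> str:
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")

def in_dirs(path: str, dirs) -> bool:
    return any(normalize_path(path).startswith(d + "\\") for d in dirs)

def triage_process(name: str, path: str) -> list:
    """Findings for one running image; an empty list means nothing odd."""
    findings, real = [], lookalike_of(name)
    if real:
        findings.append(f"{name} looks like {real} but is not it")
    if name.lower() in KNOWN_BINARIES and not in_dirs(path, SYSTEM_DIRS):
        findings.append(f"{name} carries a system binary name but runs from {path}")
    if in_dirs(path, PROFILE_DIRS):
        findings.append(f"{name} runs from a user profile directory")
    return findings

def triage_autoruns(entries: dict) -> list:
    """entries maps a registry key to its {value name: command} pairs."""
    findings = []
    for key, values in entries.items():
        for value, command in values.items():
            if value.lower() == "(default)":
                continue  # every key has a default value; it is not an autorun
            exe = normalize_path(command).split("\\")[-1].split(" ")[0]
            findings += [f"{key}\\{value}: {f}" for f in triage_process(exe, command)]
    return findings

# Constructed sample mirroring the thread: the real Task Manager, the misspelt
# copy under the user profile, a wauclt.exe, and the RunServices winsvr.exe value.
SAMPLE_PROCESSES = [
    ("TASKMGR.EXE", r"C:\WINDOWS\System32\taskmgr.exe"),
    ("taskmger.exe", r"C:\Documents and Settings\Standard\taskmger.exe"),
    ("wauclt.exe", r"C:\WINDOWS\System32\wauclt.exe"),
]
SAMPLE_AUTORUNS = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
    "(Default)": "", "winsvr.exe": r"C:\Documents and Settings\Standard\winsvr.exe"}}

if __name__ == "__main__":
    for name, path in SAMPLE_PROCESSES:
        print(name, triage_process(name, path) or "ok")
    print(triage_autoruns(SAMPLE_AUTORUNS))
```

On a live machine the two inputs would come from the Task Manager process list (name and image path) and an export of the Run and RunServices keys; the script only reads, it never deletes anything.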

Okay, hold up a second, have you tried to remove the existing partition on the hard drive, and reformat it yet? It's sounding to me like you've been trying to re-install onto the same infected hard disk, if I understand correctly.

If you remove the existing partition(s), that will remove all data off the drive, and, well, that virus is data...

I'll provide a link for you here to complete instructions on how to do this: (courtesy of our resident Hero and Grampa, Catweazle!)

http://www.daniweb.com/techtalkforums/thread6632.html

Here's hoping you finally bite that bugger back! Good luck to you, Zohar.

(And a hearty thank you to Catweazle for saving me 2 tons of typing here heheh).

Dear Duncan,

Well..um..No we didn't exactly partition anything..I've re-installed on my clone before and everything went as easy as pie..all I had to do was insert the CD and let the wizard do it...seemed to work on this one too until it started up in restart as part of the install process..then..like I said we got the error message ..also we were asked to press F6 and choose SCSI or RAID...yada yada....we finally got a human on the line at Dell and [would you believe it] they recommended this site and one other; http://www.theeldergeek.com/ and told me to go to startup and shutdown issues..that it was a problem between the CD and the computer and probably not the virus ...something about not recognizing the Dell was ACPI supported....
So..will try again to finish the install and write over the bugger...

Do check my post in the "Security" part of this Forum..'new variant for Agobot?'...because that's what I think it is..an Agobot/Spybot variant that hijacks my computer, uses it as a server while blocking all my attempts to get on-line..crippling my browser and freezing me out of anti-virus websites, loading taskmger.exe and wnsvr.exe files all over my computer, infecting my Windows Prefetch files, CLSID files, C:\i386 files, and Registry... and loading wauclt.exe into the startup processes....

Sheesh...almost makes me want to condone human torture for virus writers... i tell ya..
;-(

Sorry, but I stand by my recommendation to WIPE the drive completely by deleting the partition, then repartitioning it. The type of re-installation you're doing won't remove files that are there, including any virii. If you are continually getting reinfected, and none of the other standard fixes are fixing it, then your best bet is to absolutely remove anything that is infecting you. Repartitioning will do that. Then you'd just have to be sure to firewall yourself hard before you hit the net and quickly snag all the latest Windows Updates, my friend.

Just my 2 cents on it. Again, I feel your pain. Believe me.

Dear Duncan,

I have every reason to agree with you....honest...I would very much like to write over and wipe out the bug..clean the machine and load programs in from virus free Cd's....
Right now I'm looking for a program to help with partitioning..which as you may have guessed I have zero experience with...and could use a few tips on that.

Thing is, I absolutely do not trust my anti-virus anymore...or any of them after this bout with the superbug.......they either can't find it or can't get rid of it if they do find it..and what's worse they don't even know what they find...[found out Bloodhound.Packed is a generic code for unrecognized Trojan/viral agent identified by heuristic scanning ...duh]

So, anyway...I appreciate the empathy..and your honesty.
Will let you know what happens..first I have to get this semi-installed XP off of the boot protocol, or get the CD [published 14 months ago] to recognize the [overly] fast Dell, built 6 weeks ago....I leave you with one of my favorite Bush-isms.."Don't misunderestimate me".
Not really sure if he said it but it does sound like him, don't it. ;-)

-Zohar

lol!

More than sounds like him, if he didn't say that, he probably thought it.

Did you peruse that article of Catweazle's I linked a few messages up? It has very specific and precise instructions for how to install XP, including how to completely wipe the hard drive by repartitioning. Catweazle's got a way with words, and his articles should leave you with no questions. Have a looksee, I think you'll find it's very straightforward, and simple.

Take care, let's hope you can put this puppy to rest. ;)

Hi,

So does this mean that we can't do anything about it? I found that my Aunt's PC has the same virus - Bloodhound.Packed and Powerscan.exe. I advised her to install spysweeper. So far she has managed to kill the spyware and adware. I am still checking if she still has the 2 files listed above. Any help/tips would be appreciated. Thanks.

Dear Clementine,

The problem was all in the registry..and with a faulty registry no new XP installation would work due to the same error messages on start-up...the messages were saying that a driver couldn't be found and/or that I should run an anti-virus before attempting to install....I was afraid I would have to wipe or replace the registry and lose everything..but then I tried Panda's on-line trojan scanner and it deleted what the Bitdefender and TrojanZapper couldn't and isolated the bug within the restore drive [this bug replicates itself and inserts a new entry into the registry every time you try to delete it]
Once it was in the restore files I left it there and downloaded two freeware [!] programs Registry Protector and Registry Freeze both of which analyze your registry and notify you of any program which is attempting to change an entry...blocking it in the meantime..thus stopping trojans in their tracks.
It comes on at start-up and flashes when a virus or program wants to make a change. Took me about two weeks of me denying permission to these changes at start-up and then..one day 'Voila!' the bug died or became inert..and the next time I ran the on-line Panda scan it deleted every virus and gave my PC a clean bill of health...I ran two more scans [trend-micro..bitdefender]..and they gave me the thumbs up, too.

After which I immediately set a new 'restore point' ..downloaded XP SP2 again from microsoft's website..and got a clean install.
Then I went to the mozilla site and downloaded the new Firefox browser [firefox 1.0] and for the last few weeks I have been absolutely bug-free.
;-)
So again..4 simple steps which worked for me:
#1..use Panda on-line trojan virus scanner... [by far the best against these bugs]..
#2..Download and install Registry Protector or registry freeze [both excellent prog's]..then
#3 ..update XP service pack with SP2 if you haven't already
#4...when you are satisfied that your system is as clean as you can make it set a new system restore point...and DO try Firefox which will eliminate a lot of ActiveX vulnerabilities while still giving you maximum browser capability.

Hope this helps..
-Sincerely
-Zohar

Thanks Zohar,

I am getting "exhausted" from the tedious task of analysing and removing this nuisance!!!

Great information! Could not have done this without you guys. What I did was to install spysweeper and managed to clear all the silly trojans and traces! Lastly, I went to check the windows registry as suggested by someone else in the forum. The PC is working very well now!

Instead of using FireFox, I am using Maxthon (formerly myie2). Works great as well and has its own ad-hunter and pop blocker!

Microsoft Internet Explorer sucks! No offence.
