WiredWX Christian Hobby Weather Tools
YET ANOTHER PACKED.MONDER VIRUS

I've been reading through the forum about this particular virus and noticed a lot of people got theirs repaired, but it was different for everyone. So I am hoping someone can help me, as I am about to throw my PC out of the window, strap it to the quad bike and drag it off-road.

I have AVG Internet Security 9.0 (just updated from 8.0). As soon as it installed I got warnings about force removing; I kept hitting yes, but I must have clicked 150 times. It asked for a restart once but then started all over again. The virus vault had loads of the same virus in it, called Packed.Monder; the virus file was a gasfk[string of letters].sys.

Before I updated I was getting a bad image error (globalroot\systemroot\system32\gasfk[string of letters].dll is either not designed to run on Windows or it contains an error) from the second the computer fired up. Any program wanting to open sent this "bad image" pop-up, and the file was closely named gaskf[string of letters] (last four different).DLL. I still get it now.

I also get issues when downloading stuff, and sometimes I don't get the internet at all on my PC. The laptop works fine.

I have no restore points (it's a relatively new PC), so that's out of the question, and AVG is trying to get rid of it but making no difference. So if anyone could help me I would be very grateful. Just post up what you want me to do, or if you need any other info I will try to get it.

Windows Vista Ultimate 32-bit
AVG Internet Security 9.0
Did have Norton 360 but it was crap so it was removed (or partly, as some of it just doesn't want to go)
Windows Firewall

Thanks in advance

Re: YET ANOTHER PACKED.MONDER VIRUS

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: YET ANOTHER PACKED.MONDER VIRUS

Will do that now, thanks.

Re: YET ANOTHER PACKED.MONDER VIRUS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:16, on 24/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lexmark 1500 Series\lxdgmon.exe
C:\Program Files\Lexmark 1500 Series\lxdgamon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PEAK Multimedia\DVB-T Digital PCI Utilities\AFRCtl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\DEFAULT.ABC_RANGE-1\AppData\Local\TVersity\Media Server\web\admin\TVersity.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\Windows\System32\dvmurl.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [lxdgmon.exe] "C:\Program Files\Lexmark 1500 Series\lxdgmon.exe"
O4 - HKLM\..\Run: [lxdgamon] "C:\Program Files\Lexmark 1500 Series\lxdgamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Remote Control.lnk = C:\Program Files\PEAK Multimedia\DVB-T Digital PCI Utilities\AFRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdgCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdgserv.exe
O23 - Service: lxdg_device - - C:\Windows\system32\lxdgcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\DEFAULT.ABC_RANGE-1\AppData\Local\TVersity\Media Server\MediaServer.exe

--
End of file - 9213 bytes

Re: YET ANOTHER PACKED.MONDER VIRUS

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

[screenshots: renaming the ComboFix download]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

Re: YET ANOTHER PACKED.MONDER VIRUS

Launched it as stated above, then the boxes came up with "bad image". I kept going through the boxes clicking OK, then an error came up and it wanted to close. More boxes appeared, I clicked OK, an error came up, and then more boxes; I kept hitting OK and then the computer went black and started to shut down.

Re: YET ANOTHER PACKED.MONDER VIRUS

Will it boot OK? We can go the long way around.

Re: YET ANOTHER PACKED.MONDER VIRUS

Computer restarted, no different, but svchost has gone from the desktop.

Re: YET ANOTHER PACKED.MONDER VIRUS

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.

Re: YET ANOTHER PACKED.MONDER VIRUS

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-24 22:54:51
Windows 6.0.6001 Service Pack 1
Running: svchost1.exe; Driver: C:\Users\DEFAUL~1.ABC\AppData\Local\Temp\kxldypoc.sys


---- System - GMER 1.0.15 ----

Code 8815C520 ZwEnumerateKey
Code 87FC22F0 ZwFlushInstructionCache
Code 87F423FE ZwSaveKey
Code 880B9A1E ZwSaveKeyEx
Code 87FEE40D IofCallDriver
Code 87DDDFD6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 83247FE2 5 Bytes JMP 87DDDFDB
.text ntkrnlpa.exe!IofCallDriver 832C9F6F 5 Bytes JMP 87FEE412
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 833C030B 5 Bytes JMP 87FC22F4
PAGE ntkrnlpa.exe!ZwEnumerateKey 83415BAC 5 Bytes JMP 8815C524
PAGE ntkrnlpa.exe!ZwSaveKey 83463573 5 Bytes JMP 87F42402
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8346367A 5 Bytes JMP 880B9A22

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\GameSpy\Comrade\Comrade.exe[3268] KERNEL32.dll!LoadLibraryExW 76EB30C3 7 Bytes JMP 10005230 C:\Program Files\GameSpy\Comrade\rscoree.dll (rscoree/Remotesoft, Inc.)
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[3268] USER32.dll!ShowWindow 7563D80A 5 Bytes JMP 0AE62880 C:\Program Files\GameSpy\Comrade\wpffix.dll
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[3268] WS2_32.dll!sendto 757667C5 5 Bytes JMP 064733C0 C:\Program Files\GameSpy\Comrade\DetectLib.dll
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[3268] WS2_32.dll!WSASendTo 7577A474 5 Bytes JMP 06473400 C:\Program Files\GameSpy\Comrade\DetectLib.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library C:\Users\Public\svchost1.exe (*** hȋdden *** ) @ C:\Users\Public\svchost1.exe [3948] 0x00400000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gasfkymxtcrqpu.sys (*** hȋdden *** ) [SYSTEM] gasfkymdpuspsx <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a318 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a318
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main\injector@svchost.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkymdpuspsx\modules@gasfkywsp8p.dll \systemroot\system32\gasfkypwqvbqie.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main\injector@svchost.exe
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx\modules@gasfkywsp8p.dll \systemroot\system32\gasfkypwqvbqie.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main\injector@svchost.exe
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkywsp8p.dll \systemroot\system32\gasfkypwqvbqie.dll
Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\00158315a318 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main@aid 10149
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\injector@svchost.exe
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp8p.dll \systemroot\system32\gasfkypwqvbqie.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x8A 0xE4 0x13 0x74 ...

---- Files - GMER 1.0.15 ----

File C:\Users\DEFAULT.ABC_RANGE-1\AppData\Local\Temp\gasfky000 0 bytes
File C:\Windows\System32\drivers\gasfkymxtcrqpu.sys 68096 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gasfkycgksorqr.dll 41984 bytes executable
File C:\Windows\System32\gasfkyiexedupr.dat 75022 bytes
File C:\Windows\System32\gasfkymycvetyb.dll 19456 bytes executable
File C:\Windows\System32\gasfkynfumcfjw.dat 43 bytes
File C:\Windows\System32\gasfkyngtlexhw.dll 21504 bytes
File C:\Windows\System32\gasfkypwqvbqie.dll 21504 bytes executable
File C:\Windows\Temp\gasfkyomtdxnertr.tmp 43 bytes
File C:\Windows\Temp\gasfkypwqetvtdbf.tmp 43 bytes

---- EOF - GMER 1.0.15 ----

Re: YET ANOTHER PACKED.MONDER VIRUS
Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
gasfkymdpuspsx

Drivers to delete:
gasfkymdpuspsx

Files to delete:
C:\Windows\System32\drivers\gasfkymxtcrqpu.sys
C:\Windows\System32\gasfkycgksorqr.dll
C:\Windows\System32\gasfkyiexedupr.dat
C:\Windows\System32\gasfkymycvetyb.dll
C:\Windows\System32\gasfkynfumcfjw.dat
C:\Windows\System32\gasfkyngtlexhw.dll
C:\Windows\System32\gasfkypwqvbqie.dll

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet004\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx
HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

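The GMER registry listing earlier in the thread and the Avenger script above are two views of the same thing: the "Files to delete" list is exactly the set of paths stored under the service's `modules` values plus its `imagepath`, and the "Registry keys to delete" list is the service key in every ControlSet. The following Python is an added example for this thread, not code from GMER, The Avenger or the forum. It parses GMER `Reg` lines, rebuilds the service's per-ControlSet layout (including the `main\injector` values and the "(not active ControlSet)" flag GMER prints), and emits a cleanup script in the same format the helper used. The sample input is a subset of the listing quoted above; mapping the kernel-style `\systemroot` prefix to `C:\Windows` is an assumption.

```python
"""Rebuild a rootkit service's per-ControlSet layout from GMER 'Reg' lines.

Added example for this thread, not code from GMER, The Avenger or the forum:
it derives the file and registry-key lists an Avenger-style cleanup script
needs from the listing quoted above, and records which ControlSets GMER
flagged "(not active ControlSet)".
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 1.0.15 registry lines quoted above.
GMER_REG_LINES = r"""
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx@imagepath \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\main\injector@svchost.exe
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkymxtcrqpu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkycmd.dll \systemroot\system32\gasfkycgksorqr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkylog.dat \systemroot\system32\gasfkyiexedupr.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp.dll \systemroot\system32\gasfkymycvetyb.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfky.dat \systemroot\system32\gasfkynfumcfjw.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp8.dll \systemroot\system32\gasfkyngtlexhw.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx\modules@gasfkywsp8p.dll \systemroot\system32\gasfkypwqvbqie.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x8A 0xE4 0x13 0x74 ...
"""

INACTIVE = " (not active ControlSet)"
SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d+)\\Services\\([^\\]+)(.*)$", re.I)


def parse_reg_line(line):
    """Split 'Reg <key>[@<value>[ <data>]][ (not active ControlSet)]'; None for other lines.
    Assumes '@' never occurs inside a key path (true for GMER's Services output)."""
    line = line.strip()
    if not line.startswith("Reg "):
        return None
    rest = line[4:]
    inactive = rest.endswith(INACTIVE)
    if inactive:
        rest = rest[: -len(INACTIVE)]
    key, at, tail = rest.partition("@")
    value = data = None
    if at:
        value, _, data = tail.partition(" ")
        data = data or None
    return {"key": key, "value": value, "data": data, "inactive": inactive}


def service_layout(lines):
    """Group Services entries as layout[ControlSet][service] -> values/modules/injector."""
    def blank():
        return {"inactive": False, "values": {}, "modules": {}, "injector": {}}
    layout = defaultdict(lambda: defaultdict(blank))
    for raw in lines:
        rec = parse_reg_line(raw)
        m = SERVICE_RE.match(rec["key"]) if rec else None
        if not m:
            continue  # not a Services key (e.g. the Media Center Heartbeat line)
        cs, svc, subkey = m.group(1), m.group(2), m.group(3).lower()
        entry = layout[cs][svc]
        entry["inactive"] = entry["inactive"] or rec["inactive"]
        if rec["value"] is None:
            continue  # bare key line, nothing more to record
        if subkey == "":
            entry["values"][rec["value"].lower()] = rec["data"]  # group, imagepath, ...
        elif subkey == r"\modules":
            entry["modules"][rec["value"]] = rec["data"]  # module name -> on-disk path
        elif subkey == r"\main\injector":
            entry["injector"][rec["value"]] = rec["data"]  # process name (or *) -> module
    return layout


def expand_path(path, system_root=r"C:\Windows"):
    r"""Map the kernel-style \systemroot prefix to a Win32 path (C:\Windows is assumed)."""
    prefix = "\\systemroot\\"
    if path.lower().startswith(prefix):
        return system_root + "\\" + path[len(prefix):]
    return path


def injector_targets(layout, service):
    r"""{ControlSet: {process: module}} taken from the service's main\injector key."""
    return {cs: dict(svcs[service]["injector"])
            for cs, svcs in layout.items() if service in svcs and svcs[service]["injector"]}


def cleanup_script(layout, service, system_root=r"C:\Windows"):
    """Emit a script in the Avenger format quoted above, covering every ControlSet
    the service appears in (keys in inactive ControlSets may be gone by cleanup time)."""
    files, keys = set(), []
    for cs in sorted(layout):
        entry = layout[cs].get(service)
        if entry is None:
            continue
        keys.append(f"HKLM\\SYSTEM\\{cs}\\Services\\{service}")
        image = entry["values"].get("imagepath")
        if image:
            files.add(expand_path(image, system_root))
        files.update(expand_path(p, system_root) for p in entry["modules"].values() if p)
    return "\n".join(["Drivers to disable:", service, "", "Drivers to delete:", service, "",
                      "Files to delete:", *sorted(files), "",
                      "Registry keys to delete:", *keys]) + "\n"


if __name__ == "__main__":
    layout = service_layout(GMER_REG_LINES.splitlines())
    print(injector_targets(layout, "gasfkymdpuspsx"))
    print(cleanup_script(layout, "gasfkymdpuspsx"))
```

Running it prints the seven file paths and the ControlSet keys that appear in the helper's script (only the letter case of `system32` differs). The "(not active ControlSet)" flag is worth keeping: the Avenger log later in the thread reports the service key as not found in ControlSet001 to ControlSet007, so keys GMER saw in inactive sets are not guaranteed to still exist when the cleanup runs.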
Re: YET ANOTHER PACKED.MONDER VIRUS
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Sat Oct 24 23:47:05 2009

23:47:05: Error: Could not create Services key.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Sat Oct 24 23:47:17 2009

23:47:17: Error: Could not create Services key.
Aborting execution! (error 0: the operation completed successfully.)


Any ideas?

Re: YET ANOTHER PACKED.MONDER VIRUS
All gone wrong, computer won't boot Windows in safe or normal mode.

Re: YET ANOTHER PACKED.MONDER VIRUS
No options work, all say:

file: windows\system32\ntkrnlpa.exe

status: 0xc000000f

info: windows failed to load because kernel is missing, or corrupt.

Now I am bugged.

Re: YET ANOTHER PACKED.MONDER VIRUS
Do you have your XP disc? This rootkit isn't nice on the system.


Re: YET ANOTHER PACKED.MONDER VIRUS
Nope, it's a custom-built PC and I am running Vista Ultimate 32-bit, as I said in the first post. When I ordered the PC all I got was the tower (obviously) and 2 disks; both were software CDs, nothing to do with Windows, just 2 programs.

Is there nothing I can do without the CD? It's too expensive buying a new operating system.

I have come across a fair few viruses but NEVER one this bad, it's a bloody b**ch of a virus.

Re: YET ANOTHER PACKED.MONDER VIRUS
Anyone???

Re: YET ANOTHER PACKED.MONDER VIRUS
I have found an online boot CD which I have downloaded; the startup repair is checking the system now.

If anyone runs into the problem I have getting rid of the packed.monder, here are the boot CDs needed (if you don't have one), both Windows Vista 32-bit and 64-bit: http://digiex.net/applications/956-windows-vista-32-bit-x86-recovery-disc.html

I am unsure if the virus has gone; if not, do I retry the Avenger program or will that just do the same again?

Thanks

Re: YET ANOTHER PACKED.MONDER VIRUS
OK, PC up and running, virus still alive after rerunning Avenger. Here's the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "gasfkymdpuspsx" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "gasfkymdpuspsx" deleted successfully.

Error: could not delete file "C:\Windows\System32\drivers\gasfkymxtcrqpu.sys"
Deletion of file "C:\Windows\System32\drivers\gasfkymxtcrqpu.sys" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkycgksorqr.dll"
Deletion of file "C:\Windows\System32\gasfkycgksorqr.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkyiexedupr.dat"
Deletion of file "C:\Windows\System32\gasfkyiexedupr.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkymycvetyb.dll"
Deletion of file "C:\Windows\System32\gasfkymycvetyb.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkynfumcfjw.dat"
Deletion of file "C:\Windows\System32\gasfkynfumcfjw.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkyngtlexhw.dll"
Deletion of file "C:\Windows\System32\gasfkyngtlexhw.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\gasfkypwqvbqie.dll"
Deletion of file "C:\Windows\System32\gasfkypwqvbqie.dll" failed!
Status: 0xc0000156


Error: registry key "HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet003\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet004\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet004\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet005\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet006\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\gasfkymdpuspsx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet008\Services\gasfkymdpuspsx" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: YET ANOTHER PACKED.MONDER VIRUS
New report with HijackThis:

Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Lexmark 1500 Series\lxdgmon.exe
C:\Program Files\Lexmark 1500 Series\lxdgamon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PEAK Multimedia\DVB-T Digital PCI Utilities\AFRCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\Windows\System32\dvmurl.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [lxdgmon.exe] "C:\Program Files\Lexmark 1500 Series\lxdgmon.exe"
O4 - HKLM\..\Run: [lxdgamon] "C:\Program Files\Lexmark 1500 Series\lxdgamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF23826.exe" /c "C:\ComboFix\C.bat"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: Remote Control.lnk = C:\Program Files\PEAK Multimedia\DVB-T Digital PCI Utilities\AFRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdgCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdgserv.exe
O23 - Service: lxdg_device - - C:\Windows\system32\lxdgcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\DEFAULT.ABC_RANGE-1\AppData\Local\TVersity\Media Server\MediaServer.exe

--
End of file - 8782 bytes



The bad image box no longer appears but AVG is still firing the warnings at me.

Re: YET ANOTHER PACKED.MONDER VIRUS
Sigh, why do I always get the stubborn rootkits.

Go to Start > in the search box, type in "Run". Once the Run box opens, copy and paste in the following:

notepad "C:\Windows\System32\drivers\gasfkymxtcrqpu.sys"

Hit enter.
Notepad will open with lots of unreadable characters; just highlight everything (Ctrl+A) and remove everything so it's left blank, then go to the File menu > Save.

Now re-run my avenger script.


Re: YET ANOTHER PACKED.MONDER VIRUS
Tried it, worked, then came back. BUT once I did that I ran AVG, which picked up the real name of the trojan, alura.. something like that, and an agent trojan, the araura (or something similar) being a very severe virus, so I updated AVG and Windows Defender and launched them both. 5 scans later they surfaced and Defender wiped them out. As far as I know it's gone. AVG is not throwing up warnings and Windows Defender is coming back clean. I have run HijackThis, came back clear, and I haven't had the problems I have been having. But time will tell. Thanks for your help, and if you don't already, feel free to take the link I posted for the Vista boot disk and put it as a sticky, as I won't be the only one without one. You can pay full price for an operating system but it don't mean you get the boot disk.

The link supplied will NOT allow you to install Vista, only run the boot repair. One file was removed to stop that, for obvious reasons.

Thanks for your help, could not have found it without you.

Thank You!

Re: YET ANOTHER PACKED.MONDER VIRUS
Quick question: what do you think of Windows 7, should I upgrade from Vista Ultimate?? I am totally unsure, so if you could shed some light on it that would be good.

Thanks again

Re: YET ANOTHER PACKED.MONDER VIRUS
Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.
