Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Packed.Monder virus


  • Please log in to reply
9 replies to this topic

#1 Rigaruu

Rigaruu

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 01 October 2009 - 08:33 PM

Hello and good day! I've recently (for about the past week+) been having issues with my computer crashing randomly. But today when it occurred and I logged back into windows (XP Home SP3), an AVG box appeared with "Threat Detected" Packed.Monder, it was in my drivers folder, and I moved it to the vault. Hours later I received yet another "Threat Detected" Packed.Monder, said C:\System Volume Information\_restore{various letters and numbers}. I moved this one to the vault as well. AVG runs a full scan every morning around 4am, and nothing was picked up. I haven't done anything more than try to google this, and find some sort of solution. It lead me to this website, and another thread about Packed.Monder. (Considering so many logs were posted and no logs are the same I'm sure, I made my own thread!)

I have limited virus knowledge, I'm at a loss, and I don't want to fry my computer by making a mistake. So please if you can help, I'll download anything and everything, and post millions of logs!

Edit: As of this morning, AVG Scan picked up another Packed.Monder and tossed it in the vault!

Edited by Rigaruu, 02 October 2009 - 07:37 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:04 PM

Posted 02 October 2009 - 07:42 AM

As of this morning, AVG Scan picked up another Packed.Monder and tossed it in the vault!

Where did it find the threat? Was it in C:\System Volume Information\_restore again?

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan was in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after removing a malware infection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Rigaruu

Rigaruu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 02 October 2009 - 07:56 AM

I read through your post, but wanted to reply to your question!

It says "Path to File" in C:\Documents and Settings\(username)\Local Settings\Temp\vspquftkos.tmp

So, because it's in the AVG vault, I can just delete it whenever it picks it up? (I was told to let AVG handle it, but it wasn't much reassurance, don't trust it alone!)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:04 PM

Posted 02 October 2009 - 08:19 AM

If AVG keeps finding such files in temp folders, then chances are some other piece of malware (which it has not detected) is still on your system and recreating them.

Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Rigaruu

Rigaruu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 02 October 2009 - 08:47 AM

Thank you for the replies!

I ran Malwarebyte's and the scan shows no malicious items.

Malwarebytes' Anti-Malware 1.41
Database version: 2893
Windows 5.1.2600 Service Pack 3

10/2/2009 9:45:06 AM
mbam-log-2009-10-02 (09-45-06).txt

Scan type: Quick Scan
Objects scanned: 95076
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:04 PM

Posted 02 October 2009 - 08:50 AM

Lets do another anti-malware scan to see if we find anything else that MBAM may have missed.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete..
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Rigaruu

Rigaruu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 02 October 2009 - 10:06 AM

I could not reboot into Safe more, so this was done in normal as instructed!

From DrWeb.CSV

t.tmp;C:\AeriaGames\Hello Kitty® Online North America;BackDoor.BlackHole.3647;Deleted.;
A0039614.exe;C:\System Volume Information\_restore{CADB36D5-7613-4E3E-990D-69CF3AEB9E3E}\RP249;BackDoor.BlackHole.3647;Deleted.;

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:04 PM

Posted 02 October 2009 - 03:43 PM

Please perform an online scan with Kaspersky Online Virus Scanner.
(Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the Posted Image ...button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the Posted Image ...button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image ...button, if you made any changes.
  • Now under the Scan section on the left:Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Rigaruu

Rigaruu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 02 October 2009 - 06:18 PM

Apologies for the very slow reply. Someone in the house seems to be hogging bandwidth :thumbsup:
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 2, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 02, 2009 22:01:34
Records in database: 2892242
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 31323
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 00:52:46

No threats found. Scanned area is clean.
Selected area has been scanned.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:04 PM

Posted 02 October 2009 - 09:31 PM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users