05-14-2008, 02:08 PM   #7
amateur
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,291
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: How to remove "trojan.Win32.monder.gen" virus

Hi,

Quote:
Originally Posted by Nicky Lindberg
The file is attached in this reply.
Next time, please copy/paste them here. I'll do it for convenience now.

ComboFix 08-05-12.1 - Nicky Lindberg 2008-05-14 21:50:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.155 [GMT 2:00]
Running from: D:\Documents and Settings\Nicky Lindberg\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Nicky Lindberg\Desktop\blackbird.jpg
D:\Documents and Settings\Nicky Lindberg\Desktop\EditorFKWP1.5.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\EditorFKWP2.0.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\filemanagerclient.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\fkwp1.5.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\fkwp2.0.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\fwebd.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\FWebdEditor.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\Trojan.Win32.BlackBird.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\virii
D:\Program Files\PC-Cleaner
D:\WINDOWS\cookies.ini
D:\WINDOWS\mslagent
D:\WINDOWS\mslagent\2_mslagent.dll
D:\WINDOWS\mslagent\mslagent.exe
D:\WINDOWS\mslagent\uninstall.exe
D:\WINDOWS\privacy_danger
D:\WINDOWS\privacy_danger\images\capt.gif
D:\WINDOWS\privacy_danger\images\danger.jpg
D:\WINDOWS\privacy_danger\images\down.gif
D:\WINDOWS\privacy_danger\images\spacer.gif
D:\WINDOWS\privacy_danger\index.htm
D:\WINDOWS\system32\dupnnplq.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\pmnoLBqp.dll
D:\WINDOWS\system32\pqBLonmp.ini
D:\WINDOWS\system32\pqBLonmp.ini2
D:\WINDOWS\system32\smp
D:\WINDOWS\system32\smp\msrc.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 19:45 . 2008-05-14 19:45 <DIR> d-------- D:\Deckard
2008-05-09 06:10 . 2008-05-09 06:10 8 --a------ D:\WINDOWS\system32\540f8538
2008-05-01 13:34 . 2008-05-01 13:34 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\MailFrontier
2008-05-01 12:57 . 2008-05-09 06:05 <DIR> d-------- D:\Program Files\PC Tune-Up
2008-04-27 14:22 . 2008-04-27 14:22 268 --ah----- D:\sqmdata08.sqm
2008-04-27 14:22 . 2008-04-27 14:22 244 --ah----- D:\sqmnoopt08.sqm
2008-04-17 13:55 . 2008-04-17 13:55 268 --ah----- D:\sqmdata07.sqm
2008-04-17 13:55 . 2008-04-17 13:55 244 --ah----- D:\sqmnoopt07.sqm
2008-04-17 13:40 . 2008-04-17 13:40 268 --ah----- D:\sqmdata06.sqm
2008-04-17 13:40 . 2008-04-17 13:40 244 --ah----- D:\sqmnoopt06.sqm
2008-04-15 21:04 . 2008-04-15 21:04 244 --ah----- D:\sqmnoopt05.sqm
2008-04-15 21:04 . 2008-04-15 21:04 232 --ah----- D:\sqmdata05.sqm
2008-04-15 19:32 . 2008-04-15 19:33 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\AdwareAlert
2008-04-15 19:06 . 2008-05-14 16:10 1,433 --a------ D:\rollback.ini
2008-04-15 09:21 . 2008-04-15 09:22 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\PC-Cleaner
2008-04-15 07:33 . 2008-04-15 07:33 268 --ah----- D:\sqmdata04.sqm
2008-04-15 07:33 . 2008-04-15 07:33 244 --ah----- D:\sqmnoopt04.sqm
2008-04-15 07:30 . 2008-04-15 20:43 <DIR> d-------- D:\Documents and Settings\Rebecca Holst\Application Data\MailFrontier
2008-04-15 00:01 . 2008-05-14 22:02 4,711,200 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-04-15 00:01 . 2008-05-14 21:56 65,168 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2008-04-14 23:38 . 2008-04-14 23:38 <DIR> d-------- D:\Program Files\ZoneAlarmSB
2008-04-14 23:31 . 2008-04-15 08:43 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-14 23:30 . 2008-04-02 21:07 75,248 --a------ D:\WINDOWS\zllsputility.exe
2008-04-14 23:30 . 2004-04-27 04:40 11,264 --a------ D:\WINDOWS\system32\SpOrder.dll
2008-04-14 23:28 . 2008-05-14 19:40 <DIR> d-------- D:\WINDOWS\system32\ZoneLabs
2008-04-14 23:28 . 2008-04-14 23:28 <DIR> d-------- D:\Program Files\Zone Labs
2008-04-14 23:28 . 2008-04-02 21:07 1,086,952 --a------ D:\WINDOWS\system32\zpeng24.dll
2008-04-14 23:28 . 2008-05-14 21:57 355,091 --a------ D:\WINDOWS\system32\vsconfig.xml
2008-04-14 17:03 . 2008-05-01 13:45 <DIR> d-------- D:\Program Files\SPYWAREfighter
2008-04-14 16:48 . 2008-04-14 16:48 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\TmpRecentIcons
2008-04-14 07:55 . 2008-04-14 20:34 <DIR> d-------- D:\Program Files\XoftSpySE
2008-04-14 07:36 . 2008-05-01 21:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\rynuxezs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 20:00 --------- d-----w D:\Program Files\Plaxo
2008-05-14 07:01 67,584 ----a-w D:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-09 14:42 767,488 ----a-w D:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-09 04:09 684,544 ----a-w D:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-09 04:09 2,010,624 ----a-w D:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-05 23:38 2,152,448 ----a-w D:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-05 21:02 549,888 ----a-w D:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-05 21:02 2,003,456 ----a-w D:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-05 20:35 1,479,425 ----a-w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-03 19:34 2,824,192 ----a-w D:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-01 22:04 1,872,896 ----a-w D:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-01 22:04 1,231,872 ----a-w D:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-01 20:26 1,916,416 ----a-w D:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-01 20:26 1,677,824 ----a-w D:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-14 18:35 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-04-14 14:49 --------- d-----w D:\Program Files\Mariasearch
2008-03-31 16:22 --------- d-----w D:\Documents and Settings\All Users\Application Data\e-Safekey
2008-03-15 15:33 --------- d-----w D:\Program Files\Packard Bell
2008-03-15 15:25 --------- d-----w D:\Program Files\Packard Bell External HDD
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-14 23:38 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"PlaxoUpdate"="D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"Packard Bell Software Suite"="D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe" [2008-01-09 17:14 1914168]
"MRC"="D:\Program Files\PC Tune-Up\PCTuneUp.exe" [2007-10-12 09:57 2435072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WpsRePsw"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" [2000-01-21 00:00 32256]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-03 19:59 180269]
"Adobe Version Cue CS2"="D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"igfxtray"="D:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="D:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="D:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"540f97b6"="D:\WINDOWS\system32\qlpnnpud.dll" [ ]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]
"ALUAlert"="D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-23 15:46 54424]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-08-28 13:47:50 25214]
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Hurtig start.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
NkbMonitor.exe.lnk - D:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-01-02 13:53:13 118784]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2004-07-05 18:19:53 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"BOW0zI4P3f"= D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///D:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJdAsPH]
mlJdAsPH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

R2 WpsPeppy;WpsPeppy;D:\WINDOWS\system32\DRIVERS\WpsPeppy.SYS [2000-01-21 00:00]
S3 OxUSBTIMOUT;OxUSBTIMOUT;D:\WINDOWS\system32\DRIVERS\OxUSBTIMOUT.sys [2007-06-07 08:48]
S3 USBAAPL;Apple Mobile USB Driver;D:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 15:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d266c014-f2a3-11dc-8e7e-000d5697cbdd}]
\Shell\AutoRun\command - F:\ClickMe.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 01:00:00 D:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- D:\Program Files\AdwareAlert\AdwareAlert.ex
- D:\Program Files\AdwareAlert
"2008-05-05 21:30:31 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-14 20:04:19 D:\WINDOWS\Tasks\Symantec NetDetect.job"
- D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 22:00:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-14 22:08:22 - machine was rebooted [Nicky Lindberg]
ComboFix-quarantined-files.txt 2008-05-14 20:08:14

Pre-Run: 2,788,093,952 bytes free
Post-Run: 9,328,320,512 bytes free

212 --- E O F --- 2008-05-14 17:29:13
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP