Tech Support Forum - View Single Post - Removal of Trojan.Win32.Monder.Gen STEP 2 fails

**Angelfire777** · 06-14-2008, 11:27 AM

Hi,

Make sure you don't forget to disable Zonealarm the next time I ask you to run combofix. As you have seen, it could've interfered with it.

Do you have utorrent installd in your machine?

Some programs I recommend you uninstall from your system:

PokerStars
Programs like this normally has some sort of malware bundled in them. They sometimes serve as vectors for malware to enter your system. Please uninstall it if you do not play it.

Registry Mechanic 7.0
Uniblue RegistryBooster 2
Registry cleaners usually do more good than harm. We do not recommend such products in your system.
More info could be found here: http://aumha.net/viewtopic.php?t=28099

*If you decide to uninstall them, click start > control panel > add/remove programs > uninstall them.
________

Open notepad.
Copy and paste the text inside the code box below to notepad

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/258439-removal-trojan-win32-monder-gen-step-2-fails.html
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_CLASSES_ROOT\CLSID\{A90A5822-F108-45AD-8482-9BC8B12DD539}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A90A5822-F108-45AD-8482-9BC8B12DD539}]
Collect::
C:\WINDOWS\system32\geBtTjgg.dll
Filelook::
C:\WINDOWS\HideWin.exe

Save and Name it as "CFScript"
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
Additonally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out.

_______

We will need to install the latest version of Java before you can perform the kaspersky scan.

Download Java Runtime Environment 6u6, and install it to your computer.
_______

Please do an online scan with Kaspersky WebScanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

On your next reply, please include a

Fresh HijackThis log.
kaspersky scan log
combofix log

06-14-2008, 11:27 AM	#14 (permalink)
Angelfire777 Moderator/Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Oct 2006 Posts: 4,580 OS: Vista	Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails Hi, Make sure you don't forget to disable Zonealarm the next time I ask you to run combofix. As you have seen, it could've interfered with it. Do you have utorrent installd in your machine? Some programs I recommend you uninstall from your system: PokerStars Programs like this normally has some sort of malware bundled in them. They sometimes serve as vectors for malware to enter your system. Please uninstall it if you do not play it. Registry Mechanic 7.0 Uniblue RegistryBooster 2 Registry cleaners usually do more good than harm. We do not recommend such products in your system. More info could be found here: http://aumha.net/viewtopic.php?t=28099 If you decide to uninstall them, click start > control panel > add/remove programs > uninstall them. ________ Open notepad. Copy and paste the text inside the code box below to notepad* Code: http://www.techsupportforum.com/security-center/hijackthis-log-help/258439-removal-trojan-win32-monder-gen-step-2-fails.html Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{8EA86503-476F-476A-A55A-7225082DF3EB}"=- [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] [-HKEY_CLASSES_ROOT\CLSID\{A90A5822-F108-45AD-8482-9BC8B12DD539}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A90A5822-F108-45AD-8482-9BC8B12DD539}] Collect:: C:\WINDOWS\system32\geBtTjgg.dll Filelook:: C:\WINDOWS\HideWin.exe Save and Name it as "CFScript" Drag and drop CFScript.txt to your copy of combofix. You can take a look at the image below if you're unsure on how to do it. Combofix wil restart your machine then it will produce a log afterwards. Please post the contents of that log along with a fresh HijackThis log. Additonally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out. _______ We will need to install the latest version of Java before you can perform the kaspersky scan. Download Java Runtime Environment 6u6, and install it to your computer. _______ Please do an online scan with Kaspersky WebScanner You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. On your next reply, please include a Fresh HijackThis log. kaspersky scan log combofix log __________________ UNITE and ASAP since 2006 If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it. Last edited by Angelfire777; 06-14-2008 at 11:29 AM.