Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads (resolved spyware and popup issues)
#1, 05-05-2008, 04:27 PM
Nicky Lindberg, Registered User (Join Date: May 2008, Posts: 7, OS: XP)

How to remove "trojan.Win32.monder.gen" virus

Hi There,

I have been hit by at least one virus / malware attack, and despite running various anti-virus programmes I am still having severe problems removing a virus that ZoneAlarm calls "Trojan.Win32.monder.gen" (ZoneAlarm Security Suite cannot remove this bug).

My XP machine is running badly and it seems to be getting worse all the time (I have struggled with the problem for 2 weeks now).

Can someone help me to remove it manually, because I am not capable of operating computers at this highly specialised level without assistance. Girls like me usually trust software programmes to solve the problems, but when this fails I am in serious trouble.

I sincerely hope that there's someone who can assist me,

Thanks in advance,
/Nicky
#2, 05-09-2008, 12:08 PM
amateur, Moderator, Analyst, Security Team (Join Date: Jun 2006, Location: Rhode Island, USA, Posts: 2,504, OS: XP Home SP3, XP Media Center Edition SP3)

Re: How to remove "trojan.Win32.monder.gen" virus

Hello and welcome to TSF.

Sorry for the delayed response. If you have not received help elsewhere and still need help please follow the instructions in IMPORTANT - Read This Before Posting A Log and post the two text files, main.txt and extra.txt produced by the Deckard's System Scanner, as it has been a while since you posted.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

#3, 05-14-2008, 11:05 AM
Nicky Lindberg, Registered User (Join Date: May 2008, Posts: 7, OS: XP)

Re: How to remove "trojan.Win32.monder.gen" virus

Hi Amateur,

Sorry for my late reply, but I have been away from home for a few days and have struggled to get Deckard's System Scanner to work on my PC (it seems as if I cannot download any exe files... maybe part of the bug??).

Anyway, I managed to get it to work by downloading it on my work PC and then transferring the file via USB stick to my home PC.

Attached are the log files from the system scan.

FYI I run ZoneAlarm Security Suite on my PC and it still can't do anything with the "Trojan.Win32.monder.gen" bug.

I really hope that you can help - thanks a lot in advance


_____________________________________________________

Deckard's System Scanner v20071014.68
Run by Nicky Lindberg on 2008-05-14 19:45:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-05-14 17:45:26 UTC - RP708 - Deckard's System Scanner Restore Point
28: 2008-05-14 17:27:50 UTC - RP707 - Software Distribution Service 3.0
27: 2008-05-14 06:21:19 UTC - RP706 - System Checkpoint
26: 2008-05-09 12:00:16 UTC - RP705 - System Checkpoint
25: 2008-05-01 11:44:54 UTC - RP704 - Removed SPYWAREfighter.


-- First Restore Point --
1: 2008-04-14 05:43:43 UTC - RP680 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive D: has 2.74 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 19:48:45
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
O1 - Hosts: 69.50.191.139 auto.search.msn.com
O1 - Hosts: 69.50.191.139 auto.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EBB3675-4242-43A8-8A61-9CF6C34EFFAF} - D:\WINDOWS\system32\pmnoLBqp.dll
O2 - BHO: DVA Storm - {53952518-97B4-4885-B7D6-3A274DB20792} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [WpsRePsw] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [540f97b6] rundll32.exe "D:\WINDOWS\system32\qlpnnpud.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Packard Bell Software Suite] D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe /run
O4 - HKCU\..\Run: [MRC] "D:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKLM\..\Policies\Explorer\Run: [BOW0zI4P3f] D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sd...-prod-1.20.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - D:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: mlJdAsPH - D:\WINDOWS\system32\mlJdAsPH.dll (file missing)
O21 - SSODL: ogxtsepr - {1431BC7F-5906-4889-8FA9-2FD43D85E54D} - (no file)
O21 - SSODL: dsktbwfe - {470BD87A-70B6-45BD-9EE5-9D6FB9E10051} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Packard Bell Software Suite Service 1 (Service1) - Packard Bell Services - D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm

--
End of file - 14302 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - d:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 WpsPeppy - d:\windows\system32\drivers\wpspeppy.sys <Not Verified; Canon Inc.; Microsoft(R) Windows Printing System>

S3 grmnusb - d:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Adobe Version Cue CS2 - "d:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>
R2 Apple Mobile Device - "d:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 19:41:34 430 --a------ D:\WINDOWS\Tasks\Symantec NetDetect.job
2008-05-05 23:30:31 284 --a------ D:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-16 03:00:00 514 --a------ D:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-09 06:10:14 8 --a------ D:\WINDOWS\system32\540f8538
2008-05-01 13:34:33 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\MailFrontier
2008-05-01 12:57:52 0 d-------- D:\Program Files\PC Tune-Up
2008-04-15 19:32:44 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\AdwareAlert
2008-04-15 09:21:01 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\PC-Cleaner
2008-04-15 09:18:37 0 d-------- D:\Program Files\PC-Cleaner
2008-04-15 07:30:29 0 d-------- D:\Documents and Settings\Rebecca Holst\Application Data\MailFrontier
2008-04-15 00:01:33 4623392 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 23:38:19 0 d-------- D:\Program Files\ZoneAlarmSB
2008-04-14 23:31:46 0 d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-14 23:30:52 11264 --a------ D:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-04-14 23:28:24 0 d-------- D:\WINDOWS\system32\ZoneLabs
2008-04-14 22:18:08 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\Help
2008-04-14 20:36:09 0 d-------- D:\WINDOWS\system32\appmgmt
2008-04-14 17:03:05 0 d-------- D:\Program Files\SPYWAREfighter
2008-04-14 16:49:19 0 d-------- D:\WINDOWS\privacy_danger
2008-04-14 16:48:54 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\TmpRecentIcons
2008-04-14 07:55:20 0 d-------- D:\Program Files\XoftSpySE
2008-04-14 07:43:33 319808 --ahs---- D:\WINDOWS\system32\pqBLonmp.ini2
2008-04-14 07:43:30 272896 --a------ D:\WINDOWS\system32\pmnoLBqp.dll
2008-04-14 07:36:21 0 d-------- D:\Documents and Settings\Nicky Lindberg\Desktopvirii
2008-04-14 07:36:20 0 d-------- D:\WINDOWS\system32smp
2008-04-14 07:36:19 4096 --a------ D:\Documents and Settings\Nicky Lindberg\DesktopFWebdEditor.exe
2008-04-14 07:36:19 4096 --a------ D:\Documents and Settings\Nicky Lindberg\Desktopfwebd.exe
2008-04-14 07:36:19 4096 --a------ D:\Documents and Settings\Nicky Lindberg\Desktopfilemanagerclient.exe
2008-04-14 07:36:18 0 d-------- D:\WINDOWS\mslagent
2008-04-14 07:36:10 0 d-------- D:\Documents and Settings\All Users\Application Data\rynuxezs


-- Find3M Report ---------------------------------------------------------------

2008-05-14 19:41:32 0 d-------- D:\Program Files\Plaxo
2008-05-14 07:40:05 4212 --ah----- D:\WINDOWS\system32\zllictbl.dat
2008-05-01 13:45:36 0 d-------- D:\Program Files\Common Files
2008-04-14 20:35:40 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-04-14 16:49:31 0 d-------- D:\Program Files\Mariasearch
2008-03-15 17:33:24 0 d-------- D:\Program Files\Packard Bell
2008-03-15 17:25:01 0 d-------- D:\Program Files\Packard Bell External HDD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EBB3675-4242-43A8-8A61-9CF6C34EFFAF}]
14-04-2008 07:43 272896 --a------ D:\WINDOWS\system32\pmnoLBqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53952518-97B4-4885-B7D6-3A274DB20792}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14-04-2008 23:38 262144 --a------ D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WpsRePsw"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" [21-01-2000 00:00]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03-06-2005 19:59]
"Adobe Version Cue CS2"="D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04-04-2005 18:58]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [12-01-2006 20:52]
"igfxtray"="D:\WINDOWS\system32\igfxtray.exe" [20-09-2005 09:35]
"igfxhkcmd"="D:\WINDOWS\system32\hkcmd.exe" [20-09-2005 09:32]
"igfxpers"="D:\WINDOWS\system32\igfxpers.exe" [20-09-2005 09:36]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22-02-2008 05:25]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11-05-2005 23:12]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [01-02-2008 00:13]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [04-02-2008 15:18]
"540f97b6"="D:\WINDOWS\system32\qlpnnpud.dll" []
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02-04-2008 21:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [04-08-2004 09:56]
"PlaxoUpdate"="D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [11-12-2007 18:21]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [19-01-2007 12:55]
"Packard Bell Software Suite"="D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe" [09-01-2008 17:14]
"MRC"="D:\Program Files\PC Tune-Up\PCTuneUp.exe" [12-10-2007 09:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [28-08-2005 13:47:50]
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16-03-2005 19:16:50]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11-05-2005 23:23:26]
HP Image Zone Hurtig start.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12-05-2005 00:49:24]
NkbMonitor.exe.lnk - D:\Program Files\Nikon\PictureProject\NkbMonitor.exe [02-01-2005 13:53:13]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [05-07-2004 18:19:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"BOW0zI4P3f"=D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///D:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJdAsPH]
mlJdAsPH.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\pmnoLBqp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d266c014-f2a3-11dc-8e7e-000d5697cbdd}]
AutoRun\command- F:\ClickMe.exe




-- Hosts -----------------------------------------------------------------------

69.50.191.139 auto.search.msn.com
69.50.191.139 auto.search.msn.com


-- End of Deckard's System Scanner: finished at 2008-05-14 19:49:45 ------------

__________________________________________________________
Attached Files
File Type: txt extra.txt (16.5 KB, 1 views)
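The log above contains the classic markers of this kind of infection: IE search settings rewritten to a raw IP, a hosts-file redirect for auto.search.msn.com, an unnamed BHO and a rundll32 Run entry loading randomly named DLLs from system32, a Policies\Explorer\Run autostart, DisableTaskMgr=1, a Winlogon Notify package whose file is missing, and an Active Desktop component pointing at a local "privacy_danger" page. The following Python script is an added example, not part of this thread and not a tool that Deckard's System Scanner or HijackThis ships: it parses HijackThis-format lines and flags those entry types so a helper can triage a log quickly. The sample lines are copied from the log above with a few benign entries mixed in; the rule set and the names Finding, classify, scan and SAMPLE_LOG are the example's own.

```python
"""Triage a HijackThis-style log for browser-hijack and persistence indicators."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines taken from the log in this thread plus a
# few benign entries (Google start page, Java BHO, iTunesHelper) as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 69.50.191.139 auto.search.msn.com
O2 - BHO: (no name) - {2EBB3675-4242-43A8-8A61-9CF6C34EFFAF} - D:\WINDOWS\system32\pmnoLBqp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [540f97b6] rundll32.exe "D:\WINDOWS\system32\qlpnnpud.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Policies\Explorer\Run: [BOW0zI4P3f] D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - Winlogon Notify: mlJdAsPH - D:\WINDOWS\system32\mlJdAsPH.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "R1" or "O4"
    reason: str   # why a helper would want to review this entry
    line: str     # the original log line


# Every HJT entry starts with a section tag, " - ", then the entry body.
LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A URL whose host is a bare IPv4 address rather than a domain name.
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None for a benign/unknown one.

    The rules are this example's own triage heuristics, not HijackThis logic.
    """
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        ip = RAW_IP_URL.search(body)
        if ip:
            return Finding(sec, f"IE search/start setting points at raw IP {ip.group(1)}", line)
    elif sec == "O1":
        # HJT lists hosts entries other than the default localhost line:
        # "Hosts: <ip> <hostname>". Anything not loopback is a redirect.
        parts = body.split()
        if len(parts) >= 3 and parts[0] == "Hosts:" and not parts[1].startswith("127."):
            return Finding(sec, f"hosts file redirects {parts[2]} to {parts[1]}", line)
    elif sec == "O2":
        # A BHO with no name whose DLL lives in system32 is a common hijacker pattern.
        if body.startswith("BHO: (no name)") and "system32" in body.lower() and "(no file)" not in body:
            return Finding(sec, "unnamed BHO loaded from system32", line)
    elif sec == "O4":
        if "Policies\\Explorer\\Run" in body:
            return Finding(sec, "autostart via Policies\\Explorer\\Run (rarely used legitimately)", line)
        if re.search(r"\brundll32\.exe\b", body, re.I) and "system32" in body.lower():
            return Finding(sec, "Run entry loads a DLL from system32 through rundll32.exe", line)
    elif sec == "O7":
        if re.search(r"DisableTaskMgr\s*=\s*1", body):
            return Finding(sec, "Task Manager disabled by policy", line)
    elif sec == "O20":
        # Winlogon Notify packages run inside winlogon.exe; review every third-party one.
        if body.startswith("Winlogon Notify:"):
            return Finding(sec, "third-party Winlogon Notify package", line)
    elif sec == "O24":
        if "file:///" in body.lower():
            return Finding(sec, "Active Desktop component served from a local HTML file", line)
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as-is to see the eight flagged entries from the sample; point `scan()` at the contents of a real main.txt to triage a fresh log. The rules deliberately only surface entries for review and never touch the system: the actual cleanup in this thread is done with ComboFix under a helper's supervision, with the Recovery Console installed first.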
#4, 05-14-2008, 11:21 AM
amateur, Moderator, Analyst, Security Team (Join Date: Jun 2006, Location: Rhode Island, USA, Posts: 2,504, OS: XP Home SP3, XP Media Center Edition SP3)

Re: How to remove "trojan.Win32.monder.gen" virus

Hi,

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
#5, 05-14-2008, 01:15 PM
Nicky Lindberg, Registered User (Join Date: May 2008, Posts: 7, OS: XP)

Re: How to remove "trojan.Win32.monder.gen" virus

Hi,

Okay, I have now installed the items you mentioned and received a log file.

The file is attached in this reply.

brgds
/Nicky
Attached Files
File Type: txt log.txt (13.4 KB, 4 views)
#6, 05-14-2008, 01:52 PM
Nicky Lindberg, Registered User (Join Date: May 2008, Posts: 7, OS: XP)

Re: How to remove "trojan.Win32.monder.gen" virus

Oops, forgot to send the new HJT log file.

Here it is:

__________________________________

Deckard's System Scanner v20071014.68
Run by Nicky Lindberg on 2008-05-14 22:44:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 22:45:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\Nicky Lindberg\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [WpsRePsw] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [540f97b6] rundll32.exe "D:\WINDOWS\system32\qlpnnpud.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Packard Bell Software Suite] D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe /run
O4 - HKCU\..\Run: [MRC] "D:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKLM\..\Policies\Explorer\Run: [BOW0zI4P3f] D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sd...-prod-1.20.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - D:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: mlJdAsPH - D:\WINDOWS\system32\mlJdAsPH.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Packard Bell Software Suite Service 1 (Service1) - Packard Bell Services - D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm

--
End of file - 13348 bytes

-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 21:45:26 68096 --a------ D:\WINDOWS\zip.exe
2008-05-14 21:45:26 49152 --a------ D:\WINDOWS\VFind.exe
2008-05-14 21:45:26 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 21:45:26 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 21:45:26 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 21:45:26 98816 --a------ D:\WINDOWS\sed.exe
2008-05-14 21:45:26 80412 --a------ D:\WINDOWS\grep.exe
2008-05-14 21:45:26 73728 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-09 06:10:14 8 --a------ D:\WINDOWS\system32\540f8538
2008-05-01 13:34:33 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\MailFrontier
2008-05-01 12:57:52 0 d-------- D:\Program Files\PC Tune-Up
2008-04-15 19:32:44 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\AdwareAlert
2008-04-15 09:21:01 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\PC-Cleaner
2008-04-15 07:30:29 0 d-------- D:\Documents and Settings\Rebecca Holst\Application Data\MailFrontier
2008-04-15 00:01:33 4723744 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 23:38:19 0 d-------- D:\Program Files\ZoneAlarmSB
2008-04-14 23:31:46 0 d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-14 23:30:52 11264 --a------ D:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-04-14 23:28:24 0 d-------- D:\WINDOWS\system32\ZoneLabs
2008-04-14 22:18:08 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\Help
2008-04-14 20:36:09 0 d-------- D:\WINDOWS\system32\appmgmt
2008-04-14 17:03:05 0 d-------- D:\Program Files\SPYWAREfighter
2008-04-14 16:48:54 0 d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\TmpRecentIcons
2008-04-14 07:55:20 0 d-------- D:\Program Files\XoftSpySE
2008-04-14 07:36:10 0 d-------- D:\Documents and Settings\All Users\Application Data\rynuxezs


-- Find3M Report ---------------------------------------------------------------

2008-05-14 22:43:06 0 d-------- D:\Program Files\Plaxo
2008-05-14 07:40:05 4212 --ah----- D:\WINDOWS\system32\zllictbl.dat
2008-05-01 13:45:36 0 d-------- D:\Program Files\Common Files
2008-04-14 20:35:40 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-04-14 16:49:31 0 d-------- D:\Program Files\Mariasearch
2008-03-15 17:33:24 0 d-------- D:\Program Files\Packard Bell
2008-03-15 17:25:01 0 d-------- D:\Program Files\Packard Bell External HDD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14-04-2008 23:38 262144 --a------ D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WpsRePsw"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" [21-01-2000 00:00]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03-06-2005 19:59]
"Adobe Version Cue CS2"="D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04-04-2005 18:58]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [12-01-2006 20:52]
"igfxtray"="D:\WINDOWS\system32\igfxtray.exe" [20-09-2005 09:35]
"igfxhkcmd"="D:\WINDOWS\system32\hkcmd.exe" [20-09-2005 09:32]
"igfxpers"="D:\WINDOWS\system32\igfxpers.exe" [20-09-2005 09:36]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22-02-2008 05:25]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11-05-2005 23:12]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [01-02-2008 00:13]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [04-02-2008 15:18]
"540f97b6"="D:\WINDOWS\system32\qlpnnpud.dll" []
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02-04-2008 21:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [04-08-2004 09:56]
"PlaxoUpdate"="D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [11-12-2007 18:21]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [19-01-2007 12:55]
"Packard Bell Software Suite"="D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe" [09-01-2008 17:14]
"MRC"="D:\Program Files\PC Tune-Up\PCTuneUp.exe" [12-10-2007 09:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [28-08-2005 13:47:50]
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16-03-2005 19:16:50]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11-05-2005 23:23:26]
HP Image Zone Hurtig start.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12-05-2005 00:49:24]
NkbMonitor.exe.lnk - D:\Program Files\Nikon\PictureProject\NkbMonitor.exe [02-01-2005 13:53:13]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [05-07-2004 18:19:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"BOW0zI4P3f"=D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///D:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJdAsPH]
mlJdAsPH.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d266c014-f2a3-11dc-8e7e-000d5697cbdd}]
AutoRun\command- F:\ClickMe.exe




-- End of Deckard's System Scanner: finished at 2008-05-14 22:46:01 ------------
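The log above carries the usual search-hijacker footprint in a handful of lines: the R1 search entries redirected to a bare IP (69.50.191.139), an O3 toolbar with a random name and no file, an O4 value named 540f97b6 that uses rundll32.exe to load qlpnnpud.dll, an O4 under Policies\Explorer\Run launching vkjgryri.exe from All Users\Application Data, an O20 Winlogon Notify DLL that is already missing, and an O24 Active Desktop component serving D:\WINDOWS\privacy_danger\index.htm (the fake "Privacy Protection" warning). The script below is an added example, not code from this thread and not a HijackThis feature: it parses HijackThis-style lines and applies those heuristics so a reader can triage a pasted log offline. The sample lines are copied from the entry types in the posted log; the rules (hex value names, eight-letter DLL names, Policies\Explorer\Run, local file:/// desktop components) are the author's assumptions about what usually indicates a hijack, not a definitive verdict.

```python
"""Flag common hijack indicators in HijackThis-style log lines.

Added example: heuristic triage, not part of HijackThis or of the thread.
The rules are assumptions about typical hijacker footprints; a hit means
"look at this", not "malicious".
"""
import re
from typing import Dict, List

# Constructed sample: benign and suspicious entry types taken from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [540f97b6] rundll32.exe "D:\WINDOWS\system32\qlpnnpud.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [BOW0zI4P3f] D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe
O20 - Winlogon Notify: mlJdAsPH - D:\WINDOWS\system32\mlJdAsPH.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BARE_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[/:]|$)")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
# rundll32.exe loading a DLL whose base name is exactly eight letters (heuristic for a generated name).
RUNDLL_RANDOM_RE = re.compile(r"rundll32\.exe\s+\"?[^\"]*\\[a-z]{8}\.dll", re.I)
APPDATA_EXE_RE = re.compile(r"\\Application Data\\.*\.exe", re.I)


def classify(line: str) -> List[str]:
    """Return the reasons one log line looks suspicious (empty list = nothing found)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []

    # Any section: a registered component whose file is gone is stale or half-removed.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registered component has no file on disk")

    # R0/R1: IE search or start page pointing at a bare IP is a classic search hijack.
    if kind in ("R0", "R1"):
        ip = BARE_IP_URL_RE.search(body)
        if ip:
            reasons.append(f"IE search/start page redirected to bare IP {ip.group(1)}")

    # O4: autostart entries; several independent heuristics.
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            hive, name, cmd = o4.group("hive"), o4.group("name"), o4.group("cmd")
            if "Policies\\Explorer\\Run" in hive:
                reasons.append("autostart via Policies\\Explorer\\Run, which msconfig does not list")
            if HEX_NAME_RE.match(name):
                reasons.append(f"value name {name!r} is a hex string rather than a product name")
            if RUNDLL_RANDOM_RE.search(cmd):
                reasons.append("rundll32.exe loading a DLL with an eight-letter name")
            if APPDATA_EXE_RE.search(cmd):
                reasons.append("executable launched from an Application Data folder")

    # O20: DLLs under Winlogon\Notify are loaded by winlogon.exe at every logon.
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL: loaded by winlogon.exe before the desktop appears")

    # O24: an Active Desktop component served from a local HTML file is how fake warnings get planted.
    if kind == "O24" and "file:///" in body:
        reasons.append("Active Desktop component pointing at a local HTML file")

    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line of a log and collect the flagged ones."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings.append({"line": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run against the sample it flags six of the nine lines and leaves the Google start page, the Java BHO and the iTunes helper alone. The same entries show up twice in the thread, in the HijackThis section and again in the "Registry Dump" and "Reg Loading Points" sections, so a flagged O4 line should be cross-checked against the corresponding registry key before anything is removed.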
Old 05-14-2008, 02:08 PM   #7
Moderator, Analyst, Security Team
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 2,504
OS: XP Home SP3, XP Media Center Edition SP3


Re: How to remove "trojan.Win32.monder.gen" virus

Hi,

Quote:
Originally Posted by Nicky Lindberg
The file is attached in this reply.
Next time please, copy/paste them here. I'll do it for convenience now.

ComboFix 08-05-12.1 - Nicky Lindberg 2008-05-14 21:50:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.155 [GMT 2:00]
Running from: D:\Documents and Settings\Nicky Lindberg\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Nicky Lindberg\Desktopblackbird.jpg
D:\Documents and Settings\Nicky Lindberg\DesktopEditorFKWP1.5.exe
D:\Documents and Settings\Nicky Lindberg\DesktopEditorFKWP2.0.exe
D:\Documents and Settings\Nicky Lindberg\Desktopfilemanagerclient.exe
D:\Documents and Settings\Nicky Lindberg\Desktopfkwp1.5.exe
D:\Documents and Settings\Nicky Lindberg\Desktopfkwp2.0.exe
D:\Documents and Settings\Nicky Lindberg\Desktopfwebd.exe
D:\Documents and Settings\Nicky Lindberg\DesktopFWebdEditor.exe
D:\Documents and Settings\Nicky Lindberg\DesktopTrojan.Win32.BlackBird.exe
D:\Documents and Settings\Nicky Lindberg\Desktopvirii
D:\Program Files\PC-Cleaner
D:\WINDOWS\cookies.ini
D:\WINDOWS\mslagent
D:\WINDOWS\mslagent\2_mslagent.dll
D:\WINDOWS\mslagent\mslagent.exe
D:\WINDOWS\mslagent\uninstall.exe
D:\WINDOWS\privacy_danger
D:\WINDOWS\privacy_danger\images\capt.gif
D:\WINDOWS\privacy_danger\images\danger.jpg
D:\WINDOWS\privacy_danger\images\down.gif
D:\WINDOWS\privacy_danger\images\spacer.gif
D:\WINDOWS\privacy_danger\index.htm
D:\WINDOWS\system32\dupnnplq.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\pmnoLBqp.dll
D:\WINDOWS\system32\pqBLonmp.ini
D:\WINDOWS\system32\pqBLonmp.ini2
D:\WINDOWS\system32smp
D:\WINDOWS\system32smp\msrc.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 19:45 . 2008-05-14 19:45 <DIR> d-------- D:\Deckard
2008-05-09 06:10 . 2008-05-09 06:10 8 --a------ D:\WINDOWS\system32\540f8538
2008-05-01 13:34 . 2008-05-01 13:34 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\MailFrontier
2008-05-01 12:57 . 2008-05-09 06:05 <DIR> d-------- D:\Program Files\PC Tune-Up
2008-04-27 14:22 . 2008-04-27 14:22 268 --ah----- D:\sqmdata08.sqm
2008-04-27 14:22 . 2008-04-27 14:22 244 --ah----- D:\sqmnoopt08.sqm
2008-04-17 13:55 . 2008-04-17 13:55 268 --ah----- D:\sqmdata07.sqm
2008-04-17 13:55 . 2008-04-17 13:55 244 --ah----- D:\sqmnoopt07.sqm
2008-04-17 13:40 . 2008-04-17 13:40 268 --ah----- D:\sqmdata06.sqm
2008-04-17 13:40 . 2008-04-17 13:40 244 --ah----- D:\sqmnoopt06.sqm
2008-04-15 21:04 . 2008-04-15 21:04 244 --ah----- D:\sqmnoopt05.sqm
2008-04-15 21:04 . 2008-04-15 21:04 232 --ah----- D:\sqmdata05.sqm
2008-04-15 19:32 . 2008-04-15 19:33 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\AdwareAlert
2008-04-15 19:06 . 2008-05-14 16:10 1,433 --a------ D:\rollback.ini
2008-04-15 09:21 . 2008-04-15 09:22 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\PC-Cleaner
2008-04-15 07:33 . 2008-04-15 07:33 268 --ah----- D:\sqmdata04.sqm
2008-04-15 07:33 . 2008-04-15 07:33 244 --ah----- D:\sqmnoopt04.sqm
2008-04-15 07:30 . 2008-04-15 20:43 <DIR> d-------- D:\Documents and Settings\Rebecca Holst\Application Data\MailFrontier
2008-04-15 00:01 . 2008-05-14 22:02 4,711,200 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-04-15 00:01 . 2008-05-14 21:56 65,168 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2008-04-14 23:38 . 2008-04-14 23:38 <DIR> d-------- D:\Program Files\ZoneAlarmSB
2008-04-14 23:31 . 2008-04-15 08:43 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-14 23:30 . 2008-04-02 21:07 75,248 --a------ D:\WINDOWS\zllsputility.exe
2008-04-14 23:30 . 2004-04-27 04:40 11,264 --a------ D:\WINDOWS\system32\SpOrder.dll
2008-04-14 23:28 . 2008-05-14 19:40 <DIR> d-------- D:\WINDOWS\system32\ZoneLabs
2008-04-14 23:28 . 2008-04-14 23:28 <DIR> d-------- D:\Program Files\Zone Labs
2008-04-14 23:28 . 2008-04-02 21:07 1,086,952 --a------ D:\WINDOWS\system32\zpeng24.dll
2008-04-14 23:28 . 2008-05-14 21:57 355,091 --a------ D:\WINDOWS\system32\vsconfig.xml
2008-04-14 17:03 . 2008-05-01 13:45 <DIR> d-------- D:\Program Files\SPYWAREfighter
2008-04-14 16:48 . 2008-04-14 16:48 <DIR> d-------- D:\Documents and Settings\Nicky Lindberg\Application Data\TmpRecentIcons
2008-04-14 07:55 . 2008-04-14 20:34 <DIR> d-------- D:\Program Files\XoftSpySE
2008-04-14 07:36 . 2008-05-01 21:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\rynuxezs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 20:00 --------- d-----w D:\Program Files\Plaxo
2008-05-14 07:01 67,584 ----a-w D:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-09 14:42 767,488 ----a-w D:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-09 04:09 684,544 ----a-w D:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-09 04:09 2,010,624 ----a-w D:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-05 23:38 2,152,448 ----a-w D:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-05 21:02 549,888 ----a-w D:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-05 21:02 2,003,456 ----a-w D:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-05 20:35 1,479,425 ----a-w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-03 19:34 2,824,192 ----a-w D:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-01 22:04 1,872,896 ----a-w D:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-01 22:04 1,231,872 ----a-w D:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-01 20:26 1,916,416 ----a-w D:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-01 20:26 1,677,824 ----a-w D:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-14 18:35 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-04-14 14:49 --------- d-----w D:\Program Files\Mariasearch
2008-03-31 16:22 --------- d-----w D:\Documents and Settings\All Users\Application Data\e-Safekey
2008-03-15 15:33 --------- d-----w D:\Program Files\Packard Bell
2008-03-15 15:25 --------- d-----w D:\Program Files\Packard Bell External HDD
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-14 23:38 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"PlaxoUpdate"="D:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"Packard Bell Software Suite"="D:\Program Files\Packard Bell\Packard Bell Software Suite\Launcher.exe" [2008-01-09 17:14 1914168]
"MRC"="D:\Program Files\PC Tune-Up\PCTuneUp.exe" [2007-10-12 09:57 2435072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WpsRePsw"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" [2000-01-21 00:00 32256]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-03 19:59 180269]
"Adobe Version Cue CS2"="D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"igfxtray"="D:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="D:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="D:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"540f97b6"="D:\WINDOWS\system32\qlpnnpud.dll" [ ]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]
"ALUAlert"="D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-23 15:46 54424]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-08-28 13:47:50 25214]
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Hurtig start.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
NkbMonitor.exe.lnk - D:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-01-02 13:53:13 118784]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2004-07-05 18:19:53 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"BOW0zI4P3f"= D:\Documents and Settings\All Users\Application Data\rynuxezs\vkjgryri.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///D:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJdAsPH]
mlJdAsPH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

R2 WpsPeppy;WpsPeppy;D:\WINDOWS\system32\DRIVERS\WpsPeppy.SYS [2000-01-21 00:00]
S3 OxUSBTIMOUT;OxUSBTIMOUT;D:\WINDOWS\system32\DRIVERS\OxUSBTIMOUT.sys [2007-06-07 08:48]
S3 USBAAPL;Apple Mobile USB Driver;D:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 15:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d266c014-f2a3-11dc-8e7e-000d5697cbdd}]
\Shell\AutoRun\command - F:\ClickMe.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 01:00:00 D:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- D:\Program Files\AdwareAlert\AdwareAlert.ex
- D:\Program Files\AdwareAlert
"2008-05-05 21:30:31 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-14 20:04:19 D:\WINDOWS\Tasks\Symantec NetDetect.job"
- D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 22:00:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Packard Bell\Packard Bell Software Suite\PowerSave\HDPBSSS.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-14 22:08:22 - machine was rebooted [Nicky Lindberg]
ComboFix-quarantined-files.txt 2008-05-14 20:08:14

Pre-Run: 2,788,093,952 bytes free
Post-Run: 9,328,3