Trojan.win32.monderc.gen


5 replies to this topic

#1 moonshaye


Posted 16 July 2008 - 10:32 PM

Started getting sneaky popups (under my window, exact size and placement). My AV found nothing, but Spybot found Virtumonde. After reading here, I ran Kaspersky... finding instead Monderc, so I'm kinda confused. Anyways, whichever it is, I can't get rid of it.

Here's the Kaspersky and DSS results.


#2 Thunder


Posted 17 July 2008 - 05:00 AM

Hello Moonshaye and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 moonshaye


Posted 17 July 2008 - 03:54 PM

Thank you, Thunder. :thumbsup:

I did everything you requested and here are the results. Hopefully this got rid of that pesky virus.




ComboFix 08-07-15.4 - Administrator 2008-07-17 14:09:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1544 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000047_.tmp.dll
C:\WINDOWS\system32\aeasus.dll
C:\WINDOWS\system32\ahpbhblf.dll
C:\WINDOWS\system32\bfyynnna.ini
C:\WINDOWS\system32\dphxyjsx.dll
C:\WINDOWS\system32\eegnqp.dll
C:\WINDOWS\system32\FgghQqss.ini
C:\WINDOWS\system32\FgghQqss.ini2
C:\WINDOWS\system32\fvhbqh.dll
C:\WINDOWS\system32\GQsAIkkj.ini
C:\WINDOWS\system32\GQsAIkkj.ini2
C:\WINDOWS\system32\iqlityfm.dll
C:\WINDOWS\system32\mbnjycem.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nhfqluag.ini
C:\WINDOWS\system32\oodcjt.dll
C:\WINDOWS\system32\osgquxcf.dll
C:\WINDOWS\system32\poiingfo.dll
C:\WINDOWS\system32\qnjbpdga.ini
C:\WINDOWS\system32\rrjaurgg.dll
C:\WINDOWS\system32\svcjwfrl.ini
C:\WINDOWS\system32\tpunaaea.dll
C:\WINDOWS\system32\tquekn.dll
C:\WINDOWS\system32\tysmbx.dll
C:\WINDOWS\system32\upnaupds.ini
C:\WINDOWS\system32\vawlhtmh.ini
C:\WINDOWS\system32\vqyjjh.dll
C:\WINDOWS\system32\WFeOUvut.ini
C:\WINDOWS\system32\WFeOUvut.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 13:28 . 2008-07-17 13:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-17 13:27 . 2008-07-17 13:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 13:27 . 2008-07-17 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 13:27 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 13:27 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 03:25 . 2008-07-16 03:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WildTangent
2008-07-14 13:18 . 2008-07-14 13:18 <DIR> d-------- C:\Deckard
2008-07-14 12:10 . 2008-07-14 12:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 01:16 . 2008-07-13 01:38 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-07-12 22:04 . 2008-07-13 03:49 95 --a------ C:\WINDOWS\wininit.ini
2008-07-12 20:18 . 2008-07-12 20:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2008-07-12 14:21 . 2008-07-12 14:21 <DIR> d--hs---- C:\found.001
2008-07-11 12:13 . 2008-07-15 09:30 <DIR> d-------- C:\Program Files\PonyGenerator
2008-07-10 17:31 . 2008-07-12 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 19:21 . 2008-07-09 19:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Playrix Entertainment
2008-07-09 19:18 . 2008-07-12 23:47 <DIR> d-------- C:\Program Files\Fishdom
2008-07-06 15:53 . 2008-07-06 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-07-02 13:59 . 1999-04-09 02:14 416,304 --a------ C:\WINDOWS\system32\MPG4C32.DLL
2008-06-30 14:47 . 2008-06-30 14:47 876 --a------ C:\WINDOWS\$_hpcst$.hpc
2008-06-30 09:46 . 2008-06-30 09:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-29 19:06 . 2008-06-29 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-06-29 19:02 . 2008-06-29 19:03 <DIR> d-------- C:\Program Files\Luxor 3
2008-06-29 19:02 . 2008-06-29 19:03 <DIR> d-------- C:\Program Files\Luxor 2
2008-06-29 19:01 . 2008-06-29 19:13 <DIR> d-------- C:\Program Files\Luxor Amun Rising
2008-06-29 19:01 . 2008-06-29 19:03 <DIR> d-------- C:\Program Files\Luxor
2008-06-29 18:43 . 2008-06-29 19:00 <DIR> d-------- C:\Program Files\Musikapa
2008-06-29 18:38 . 2008-07-17 01:33 <DIR> d-------- C:\Program Files\Mythic Pearls
2008-06-29 18:31 . 2008-06-29 18:31 <DIR> d-------- C:\Program Files\StoneLoops Of Jurassica
2008-06-29 18:31 . 2008-06-29 18:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\StoneLoopsRE
2008-06-29 18:06 . 2008-06-29 18:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Wildfire
2008-06-29 18:06 . 2008-06-29 18:06 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-06-29 17:56 . 2008-06-29 17:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\URSE Games
2008-06-29 17:51 . 2008-06-29 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Genimo
2008-06-29 17:47 . 2008-06-29 17:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Genimo
2008-06-29 17:46 . 2008-06-29 17:47 <DIR> d-------- C:\Program Files\Butterfly Escape
2008-06-29 14:11 . 2008-06-30 07:07 <DIR> d-------- C:\Program Files\Inca Ball
2008-06-29 13:18 . 2008-06-29 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HiddenSecretsNightmare
2008-06-28 19:24 . 2008-06-28 19:25 <DIR> d-------- C:\Program Files\Adventure Inlay Safari Edition
2008-06-28 19:24 . 2006-12-28 13:37 389,120 --a------ C:\WINDOWS\Adventure Inlay.scr
2008-06-28 19:23 . 2008-06-28 19:25 <DIR> d-------- C:\Program Files\Adventure Inlay
2008-06-28 19:22 . 2008-06-28 19:25 <DIR> d-------- C:\Program Files\Buildalot 2 Town Of The Year
2008-06-28 19:21 . 2008-06-28 19:25 <DIR> d-------- C:\Program Files\Buildalot
2008-06-28 19:15 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Super Collapse II
2008-06-28 19:15 . 2008-06-28 19:18 <DIR> d-------- C:\Program Files\Super Collapse
2008-06-28 19:11 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Deep Sea Tycoon 2
2008-06-28 19:11 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Deep Sea Tycoon
2008-06-28 19:11 . 2008-06-28 19:11 34 --a------ C:\WINDOWS\dst2pth.dst
2008-06-28 19:09 . 2008-06-29 14:38 <DIR> d-------- C:\Program Files\Feeding Frenzy 2
2008-06-28 19:09 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Fairy Godmother Tycoon
2008-06-28 19:08 . 2008-07-01 10:40 <DIR> d-------- C:\Program Files\Fish Tycoon
2008-06-28 19:08 . 2008-07-07 18:47 <DIR> d-------- C:\Program Files\Fish Tales
2008-06-28 19:08 . 2008-06-28 19:10 <DIR> d-------- C:\Program Files\Feeding Frenzy
2008-06-28 19:08 . 2006-12-28 13:12 811,008 --a------ C:\WINDOWS\FeedingFrenzy.scr
2008-06-28 19:08 . 2006-12-28 13:12 40,960 --a------ C:\WINDOWS\system32\Fish Tycoon.scr
2008-06-28 19:04 . 2008-07-01 14:51 <DIR> d-------- C:\Program Files\Hidden Expedition Titanic
2008-06-28 19:03 . 2008-07-10 21:44 <DIR> d-------- C:\Program Files\Hidden Expedition Everest
2008-06-28 18:59 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Magic Ball 2 New Worlds
2008-06-28 18:59 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Magic Ball 2
2008-06-28 18:58 . 2008-06-28 19:00 <DIR> d-------- C:\Program Files\Magic Inlay
2008-06-28 18:58 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Magic Ball 3
2008-06-28 18:56 . 2008-06-30 15:07 <DIR> d-------- C:\Program Files\Tile Quest
2008-06-28 18:56 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\Super Spongebob Collapse
2008-06-28 18:56 . 2008-06-28 18:57 <DIR> d-------- C:\Program Files\Super Collapse 3
2008-06-28 18:55 . 2008-07-08 16:00 <DIR> d-------- C:\Program Files\Plant Tycoon
2008-06-28 18:50 . 2008-06-28 18:51 <DIR> d-------- C:\Program Files\Wildlife Tycoon Venture Africa
2008-06-28 15:40 . 2008-06-28 15:42 <DIR> d-------- C:\Program Files\Arctic Quest
2008-06-28 10:32 . 2008-06-28 10:32 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-06-28 05:33 . 2008-06-28 05:33 <DIR> d-------- C:\Program Files\PopCap Games
2008-06-28 05:33 . 2008-07-17 01:37 19 --a------ C:\WINDOWS\popcinfo.dat
2008-06-28 05:14 . 2008-07-16 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-06-28 05:13 . 2008-07-16 03:23 <DIR> d-------- C:\Program Files\WildGames
2008-06-26 15:10 . 2008-06-26 15:10 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-26 08:50 . 2008-06-26 10:58 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-06-26 08:50 . 2008-06-26 10:58 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-06-26 08:50 . 2008-06-26 10:58 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-06-26 08:34 . 2008-06-26 08:34 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-26 08:34 . 2008-06-26 08:50 35,595 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-26 08:34 . 2008-06-26 08:34 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-26 08:24 . 2008-06-26 08:52 <DIR> d-------- C:\Program Files\Diablo II
2008-06-25 05:57 . 2008-07-15 00:59 <DIR> d-------- C:\Program Files\9Dragons
2008-06-25 05:51 . 2008-06-25 05:51 <DIR> d-------- C:\AeriaGames
2008-06-25 04:14 . 2008-06-25 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-25 04:06 . 2008-06-25 09:38 <DIR> d-------- C:\Program Files\Tilted Mill
2008-06-23 18:27 . 2008-06-23 18:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LEGO Company
2008-06-20 12:41 . 2008-06-20 12:41 245,248 --a------ C:\WINDOWS\system32\SETB6.tmp
2008-06-20 12:41 . 2008-06-20 12:41 245,248 --a--c--- C:\WINDOWS\system32\dllcache\SETBA.tmp
2008-06-20 12:41 . 2008-06-20 12:41 148,992 --a------ C:\WINDOWS\system32\SETB7.tmp
2008-06-20 12:41 . 2008-06-20 12:41 148,992 --a--c--- C:\WINDOWS\system32\dllcache\SETBB.tmp
2008-06-20 05:45 . 2008-06-20 05:45 360,320 --a--c--- C:\WINDOWS\system32\dllcache\SETB9.tmp
2008-06-20 05:44 . 2008-06-20 05:44 138,368 --a--c--- C:\WINDOWS\system32\dllcache\SETBC.tmp
2008-06-20 04:52 . 2008-06-20 04:52 225,920 --a--c--- C:\WINDOWS\system32\dllcache\SETB8.tmp
2008-06-17 20:09 . 2008-07-11 12:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-17 20:08 . 2008-06-17 20:08 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-17 20:06 . 2008-06-17 20:06 <DIR> d-------- C:\ProgramData
2008-06-17 20:06 . 2008-07-15 01:01 486 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 19:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-17 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 23:19 --------- d-----w C:\Program Files\Java
2008-07-16 08:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire
2008-07-16 00:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-15 06:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 00:59 --------- d-----w C:\Program Files\Norton SystemWorks
2008-07-10 19:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-07-10 19:46 --------- d-----w C:\Program Files\Xfire
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 06:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileZilla
2008-06-16 07:21 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-13 19:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 19:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 19:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 19:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 19:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 19:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 19:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 19:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 19:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 19:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 19:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 19:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 14:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 13:36 --------- d--h--w C:\Program Files\Zero G Registry
2008-06-08 13:35 --------- d-----w C:\Program Files\Ubisoft
2008-06-05 20:17 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-05 20:17 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-05 20:17 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-05 20:17 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-05 20:17 --------- d-----w C:\Program Files\Symantec
2008-05-31 11:26 --------- d-----w C:\Program Files\Apophysis 2.0
2008-05-31 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-30 16:22 --------- d-----w C:\Program Files\WON
2008-05-22 23:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-17 07:04 --------- d-----w C:\Program Files\GALA-NET
2008-05-17 07:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 03:46 8,769,536 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2008-05-03 03:46 6,108,160 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2008-05-03 03:46 159,812 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2008-05-03 03:46 1,241,088 ----a-w C:\WINDOWS\system32\nvcuda.dll
2008-04-30 22:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-24 01:57 32 --sha-w C:\WINDOWS\{2FFB1E93-1F59-4CE1-8215-8565FAEDBB77}.dat
2008-03-24 01:57 32 --sha-w C:\WINDOWS\system32\{6C2BCBE3-1630-4765-8A79-271E3EFCE74D}.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2005-12-20 17:34 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 08:05 8429568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-13 22:08 385024]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-26 15:10:40 3031376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-31 14:15 51048 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigitalStorm]
--a------ 2005-08-27 15:43 233472 C:\WINDOWS\system32\Splash.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 04:00 28672 C:\Program Files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-20 08:05 8429568 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-13 22:08 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
--a------ 2007-08-02 21:08 95504 C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 12:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 04:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-06-08 21:07 28672 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 04:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2006-03-17 18:11 81408 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Codemasters\\RF Online\\RF.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"C:\\Rohan\\rohanclient.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 16:55]
R3 Alpham1;Ideazon Merc USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 08:56]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 20:34]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-11 22:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{4661E34D-35DE-42B3-830C-31EDA8811AFA} - C:\WINDOWS\system32\ssqQhggF.dll
BHO-{BA0E4A4E-CD2D-4445-AEEB-9F9B8C721F66} - C:\WINDOWS\system32\tuvUOeFW.dll
BHO-{EFA2B78F-61FE-4F49-979B-AEC299D84DEC} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S8VVNIGS\3077ahntdksr[1].dll
HKLM-Run-NvMediaCenter - C:\WINDOWS\system32\NvMcTray.dll
MSConfigStartUp-NvMediaCenter - NvMCTray.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 14:27:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-17 14:28:57
ComboFix-quarantined-files.txt 2008-07-17 19:28:54

Pre-Run: 122,217,521,152 bytes free
Post-Run: 122,344,374,272 bytes free

343 --- E O F --- 2008-07-13 07:00:33
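Added example (my own code, not from the thread and not part of ComboFix): a small Python triage script that reads lines in the formats ComboFix prints above and flags the Virtumonde/Monderc traits visible in this log: random-looking system32 DLL names, the .ini/.ini2 files whose names are a BHO DLL name spelled backwards (FgghQqss.ini against ssqQhggF.dll), a BHO loaded from the browser cache, and Security Center monitoring switched off. The sample log is a constructed excerpt of lines from the log above; the severity labels and the name heuristic are my own assumptions.

```python
"""Triage a ComboFix-style log for the Virtumonde/Monderc traits seen in this thread.

Added example, not part of the thread or of ComboFix. It only reads the bare
path lines of "Other Deletions", the [registry] section headers and values,
and the "ORPHANS REMOVED" BHO lines, in the formats shown in the log above.
"""
import re
from typing import Dict, List, Set, Tuple

# Bare system32 file path as printed under "Other Deletions"
SYS32_FILE = re.compile(r"^C:\\WINDOWS\\system32\\([A-Za-z0-9_]+)\.(dll|ini|ini2)$", re.I)
# Orphaned BHO line: BHO-{CLSID} - <path to dll>
BHO_LINE = re.compile(r"^BHO-\{[0-9A-Fa-f-]{36}\} - (.+\\([A-Za-z0-9_\[\]]+)\.dll)$", re.I)
REG_SECTION = re.compile(r"^\[(.+)\]$")
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:00000001$', re.I)
SECURITY_CENTER = re.compile(r"\\security center\\Monitoring", re.I)
TEMP_IE = re.compile(r"\\Temporary Internet Files\\", re.I)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Low-confidence heuristic (an assumption of this example) for Vundo-style
    names such as 'ahpbhblf' or 'ssqQhggF': 6-8 letters only, and either mixed
    case inside the word or at most two vowels. Names like 'poiingfo' slip
    through, so a hit is a lead for manual review, not a verdict."""
    if not (6 <= len(stem) <= 8) or not stem.isalpha():
        return False
    inner = stem[1:]
    mixed = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    vowels = sum(c.lower() in VOWELS for c in stem)
    return mixed or vowels <= 2


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a ComboFix-style log."""
    dll_stems: Set[str] = set()
    ini_stems: Dict[str, List[str]] = {}   # stem -> extensions seen (ini, ini2)
    findings: List[Tuple[str, str]] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SYS32_FILE.match(line)
        if m:
            stem, ext = m.group(1), m.group(2).lower()
            if ext == "dll":
                dll_stems.add(stem)
                if looks_random(stem):
                    findings.append(("low", f"random-looking system32 DLL: {stem}.dll"))
            else:
                ini_stems.setdefault(stem, []).append(ext)
            continue
        m = BHO_LINE.match(line)
        if m:
            path, stem = m.group(1), m.group(2)
            dll_stems.add(stem)
            if TEMP_IE.search(path):
                findings.append(("high", f"BHO loaded from browser cache: {path}"))
            elif looks_random(stem):
                findings.append(("medium", f"BHO with random-looking DLL name: {stem}.dll"))
            continue
        m = REG_SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if DISABLE_MON.match(line) and SECURITY_CENTER.search(section):
            # Third-party suites (Norton in this log) set this legitimately;
            # without such a suite it is a sign the Security Center was silenced.
            findings.append(("review", f"Security Center monitoring disabled under {section}"))
    # Trait visible in this log: the .ini/.ini2 stem is the DLL stem spelled
    # backwards (FgghQqss.ini <-> ssqQhggF.dll, WFeOUvut.ini <-> tuvUOeFW.dll).
    by_lower = {s.lower(): s for s in dll_stems}
    for stem, exts in sorted(ini_stems.items()):
        partner = by_lower.get(stem[::-1].lower())
        if partner:
            findings.append(("high", f"{stem}.{'/'.join(exts)} is the reversed name of {partner}.dll"))
    return findings


# Constructed excerpt using lines from the log above (abridged, not a full log).
SAMPLE_LOG = r"""
((( Other Deletions )))
C:\WINDOWS\system32\ahpbhblf.dll
C:\WINDOWS\system32\FgghQqss.ini
C:\WINDOWS\system32\FgghQqss.ini2
C:\WINDOWS\system32\WFeOUvut.ini
C:\WINDOWS\system32\poiingfo.dll
C:\WINDOWS\system32\MPG4C32.DLL
((( Reg Loading Points )))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
- - - - ORPHANS REMOVED - - - -
BHO-{4661E34D-35DE-42B3-830C-31EDA8811AFA} - C:\WINDOWS\system32\ssqQhggF.dll
BHO-{BA0E4A4E-CD2D-4445-AEEB-9F9B8C721F66} - C:\WINDOWS\system32\tuvUOeFW.dll
BHO-{EFA2B78F-61FE-4F49-979B-AEC299D84DEC} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S8VVNIGS\3077ahntdksr[1].dll
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run it against a full ComboFix.txt by passing the file contents to `triage()`; the reversed-name check is the strongest signal here, the name heuristic the weakest.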

#4 Thunder


Posted 18 July 2008 - 03:37 AM

Hello Moonshaye,

Could you upload some files please?
Can you zip all .dll.vir files in the folder C:\Qoobox using WinZip (or a similar program) to Qoobox.zip and upload the zipped file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How?
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/158153/trojanwin32mondercgen/
2. In the second window (Browse to the file you want to submit:) browse to the Qoobox.zip file
3. Click the Send file button :thumbsup:

Then, you can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder

#5 moonshaye


Posted 18 July 2008 - 10:43 AM

Uploaded that file. Ran Kaspersky one last time to double-check... and all seems clear. Thanks so much!! :thumbsup:

#6 Thunder


Posted 18 July 2008 - 05:11 PM

Glad we could help, Moonshaye :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I Got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
