
Infected With Trojan.win32.monder.gen And .lfz


This topic is locked
3 replies to this topic

#1 jarady


Posted 06 September 2008 - 02:05 AM

I'm using ZoneAlarm and it always detects Trojan.win32.monder.gen and .lfx, but when I delete it after quarantine, it keeps coming back. I have done some of the instructions, downloading Malwarebytes and scanning and fixing it. I have the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:04 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS2\system32\tcpsvcs.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS2\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS2\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS2\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS2\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS2\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS2\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS2\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Internet Explorer 7] iexplorer7.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199911836860
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2610202F-6BF5-429C-8464-D056D3E4834D}: NameServer = 192.168.1.254
O20 - AppInit_DLLs: zvjwjl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe

--
End of file - 6156 bytes


Malwarebytes' Anti-Malware 1.26
Database version: 1119
Windows 5.1.2600 Service Pack 2

9/6/2008 2:53:09 PM
mbam-log-2008-09-06 (14-53-09).txt

Scan type: Quick Scan
Objects scanned: 43934
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\rqRLbyxw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS2\system32\zvjwjl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2a3f8c65-a12a-4d1f-94c4-53f5f9aa16c1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2a3f8c65-a12a-4d1f-94c4-53f5f9aa16c1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebe0959c-736b-4a6a-81e5-49870f29eb07} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ebe0959c-736b-4a6a-81e5-49870f29eb07} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf56769 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmbfc654f5 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows2\system32\rqrlbyxw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows2\system32\rqrlbyxw -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\rqRLbyxw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS2\system32\wxybLRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\wxybLRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\zvjwjl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS2\system32\fckjdkyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\uykdjkcf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\qdrpncri.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\ircnprdq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\olsojima.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\mcwbutje.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\nkmaxgqr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\syxqysvj.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\gtnhghqg.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\ocwkelwn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\qgqlvmuq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\sdatvxvy.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\tkcdecas.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\woqqnwun.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\jtkiihio.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\htsypjan.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\wwewxgct.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\fbniniue.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\vsbluycm.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\rrpxcksn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS2\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\nutpyycs.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS2\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\BMbfc654f5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\BMbfc654f5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\svchost.log (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
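As an added defender-side example (not from the thread or from any of the tools named in it), here is a small Python triage that flags the HijackThis entries in the log above that a helper would typically ask about: the O20 AppInit_DLLs entry, the O4 RunServices autorun, bare filenames with no path, and the O23 service with an unknown owner whose svchost.exe sits outside system32. The sample lines are copied from the posted log; the rules are assumptions about what merits review, not a verdict on any specific line.

```python
import re

# Constructed sample: six lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Internet Explorer 7] iexplorer7.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: zvjwjl.dll
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
"""

# Assumed system directories; this machine's install dir is WINDOWS2, per the log.
SYSTEM_DIRS = (r"\windows\system32", r"\windows2\system32")

def triage_line(line):
    """Return the reasons a HijackThis line deserves review (empty list if none)."""
    reasons = []
    m = re.match(r"(O\d+) - (.*)", line)
    if not m:
        return reasons
    section, body = m.group(1), m.group(2)
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # AppInit_DLLs are loaded into every user32-linked process; legitimate entries are rare
        reasons.append("AppInit_DLLs entry")
    if section == "O4":
        key, _, cmd = body.partition(": ")
        if "RunServices" in key:
            reasons.append("RunServices key (Win9x-era key, common persistence spot)")
        exe = re.sub(r"^\[[^\]]*\]\s*", "", cmd).strip('"').split('"')[0]
        if "\\" not in exe:
            reasons.append("bare filename without path")
    if section == "O23":
        if "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if "(file missing)" in body:
            reasons.append("service binary missing")
        path = body.rsplit(" - ", 1)[-1].lower()
        if path.split("\\")[-1].startswith("svchost.exe") and not any(d in path for d in SYSTEM_DIRS):
            reasons.append("svchost.exe outside system32")
    return reasons

def triage_log(text):
    """Return (line, reasons) for every flagged line, in log order."""
    out = []
    for line in text.splitlines():
        reasons = triage_line(line.strip())
        if reasons:
            out.append((line.strip(), reasons))
    return out
```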


#2 jarady


Posted 06 September 2008 - 02:33 AM

Also, there is this update.exe that keeps getting into my Task Manager. Once I end it, it keeps coming back. And if I leave it alone, it will operate for a few seconds, then it's gone, then the cycle just continues. Is it a virus or something?

#3 steamwiz


Posted 07 September 2008 - 04:56 PM

Hi

The process update.exe could be one of many Adware/Spyware/Virus programs. update.exe is also a process belonging to the Spyware Doctor Internet Security Product which protects your computer, or Windows update ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#4 steamwiz


Posted 28 September 2008 - 03:31 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
