
Need help removing Trojan.Win32.Monder.rhy

Discussion in 'Virus & Other Malware Removal' started by ojo80, Oct 6, 2008.

Thread Status:
Not open for further replies.
  1. ojo80

    ojo80 Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    4
    Need help removing Trojan.Win32.Monder.rhy
    I must have downloaded a bad file somewhere, but Zone Alarm keeps detecting Trojan.win32.Monder.rhy
    Zone Alarm just isn't cutting it. Any ideas?
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  3. ojo80

    ojo80 Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    4
    Thank you for your prompt response

    Here are the details

    Malwarebytes' Anti-Malware 1.28
    Database version: 1240
    Windows 6.0.6001 Service Pack 1

    10/7/2008 2:01:31 PM
    mbam-log-2008-10-07 (14-01-31).txt

    Scan type: Quick Scan
    Objects scanned: 46181
    Time elapsed: 4 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 5
    Registry Keys Infected: 12
    Registry Values Infected: 5
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 19

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\dlouggrs.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\fccbASmM.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\ajenvwbh.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Windows\System32\vrzhsf.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Windows\System32\xxyvsSJD.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{998b74e0-8c42-4e15-9d8b-f412d53ac685} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{998b74e0-8c42-4e15-9d8b-f412d53ac685} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5a82cc9-9fe6-4f7e-a955-705721d78615} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f5a82cc9-9fe6-4f7e-a955-705721d78615} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cbe6300-759b-447a-b406-31b86293e390} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6cbe6300-759b-447a-b406-31b86293e390} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4053463e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm436075a2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6cbe6300-759b-447a-b406-31b86293e390} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Transaction Tasker (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccbasmm -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccbasmm -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\vrzhsf.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\fccbASmM.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\MmSAbccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\MmSAbccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\dlouggrs.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\srgguold.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\xxyvsSJD.dll (Trojan.BHO.H) -> Delete on reboot.
    C:\Windows\System32\ajenvwbh.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Windows\System32\gukfrd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\homlvu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\jqombpwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\lvbowxlo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\system32\rjmwdlha.dll.vzr (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\rtoswj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\siggvpfh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\xybldiak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\rqRHwTMc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\xxyxYpnL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\ssqPfeEv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
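The two MBAM logs in this thread share one line format: a summary block of `<Section> Infected: <count>` lines, then per-section blocks headed `<Section> Infected:` whose entries read `<item> (<detection>) -> <action>.`. The script below is an added example written for this thread (it is not Malwarebytes code) that parses that format and pulls out the two things a helper looks for first: which items were only scheduled for "Delete on reboot" (in-use modules that a rescan after reboot must confirm gone, which is why the next reply asks for exactly that), and which registry entries are autostart or logon-time persistence points. The sample log is a constructed, abridged excerpt modelled on the first log above, and the list of persistence markers is an assumption drawn from the keys that log shows.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage its findings.

Added example for this thread; not Malwarebytes code.  Assumes the format
seen in the posted logs: '<Section> Infected: <count>' summary lines, then
'<Section> Infected:' headers followed by '<item> (<detection>) -> <action>.'
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an abridged excerpt modelled on the first log in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1240
Scan type: Quick Scan

Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\Windows\System32\dlouggrs.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{998b74e0-8c42-4e15-9d8b-f412d53ac685} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4053463e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Transaction Tasker (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccbasmm -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\vrzhsf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\MmSAbccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# A trailing count marks a summary line; a bare header opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9.]+)\) -> (?P<rest>.+?)\.?$")

# Assumed list of registry locations that run a component at logon/boot or in
# every process; taken from the kinds of keys the thread's log shows.
PERSISTENCE_MARKERS = (
    "\\CurrentVersion\\Run\\",
    "\\Browser Helper Objects\\",
    "\\ShellExecuteHooks\\",
    "\\LSA\\Notification Packages",
    "\\LSA\\Authentication Packages",
)


@dataclass
class Detection:
    section: str
    item: str
    detection: str
    action: str
    detail: str = ""  # e.g. the 'Data: ...' part of a registry data item

    @property
    def family(self) -> str:
        # 'Trojan.Vundo.H' -> 'Trojan.Vundo'; 'Backdoor.Bot' stays as is
        return ".".join(self.detection.split(".")[:2])

    @property
    def needs_reboot(self) -> bool:
        return "reboot" in self.action.lower()

    @property
    def is_persistence(self) -> bool:
        return any(m.lower() in self.item.lower() for m in PERSISTENCE_MARKERS)


def parse_mbam_log(text: str) -> list[Detection]:
    section = None
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank line or '(No malicious items detected)'
        m = SECTION_RE.match(line)
        if m:
            section = None if m.group("count") is not None else m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # a registry data item carries 'Data: ... -> <action>'; keep the last part as the action
            parts = m.group("rest").split(" -> ")
            found.append(Detection(section, m.group("item"), m.group("detection"),
                                   parts[-1], " -> ".join(parts[:-1])))
    return found


def summarize(detections: list[Detection]) -> dict:
    return {
        "total": len(detections),
        "by_section": dict(Counter(d.section for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        "reboot_pending": [d.item for d in detections if d.needs_reboot],
        "persistence": [d.item for d in detections if d.is_persistence],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["reboot_pending"]:
        print("In-use components were only scheduled for deletion: reboot and rescan to confirm they are gone.")
```

Run it on a saved `mbam-log-*.txt` by replacing `SAMPLE_LOG` with the file contents. A non-empty `reboot_pending` list on the first scan and an empty one on the post-reboot scan is the confirmation the helper is after; a persistence entry that reappears across scans means something still on the machine is re-creating it.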
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Reboot.
    Run MBAM again & post its new log.
     
  5. ojo80

    ojo80 Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    4
    Here are the details.

    I first ran a deep scan with Zone Alarm and there was nothing, but these are the other results:

    Malwarebytes' Anti-Malware 1.28
    Database version: 1240
    Windows 6.0.6001 Service Pack 1

    10/7/2008 7:02:15 PM
    mbam-log-2008-10-07 (19-02-15).txt

    Scan type: Full Scan (C:\|J:\|)
    Objects scanned: 194257
    Time elapsed: 2 hour(s), 8 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Onasis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GAWOYOY5\nd82m0[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Users\Onasis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GAWOYOY5\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Looks OK now, so if all problems have stopped:

    Please download ATF Cleaner by Atribune

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser as well as Internet Explorer or instead of it then also do this step

    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser as well as Internet Explorer or instead of it then also do this step

    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.


    Notes for Windows Vista users:

    On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
    Prefetch has been disabled on Windows Vista. As the author is not sure of the effects that emptying Prefetch on Windows Vista will have, for the time being that function won't be enabled.

    then

    Turn off system restore by following instructions here
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.


    I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature.
    Open Malwarebytes Anti-Malware, select the Protection tab, press Test to see if your system will benefit from it & if it says yes, then you can press the Purchase button.
     
  7. ojo80

    ojo80 Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    4
    Well, thank you very much for all your help, I really appreciate it.

    I will do these final steps right away.
     
Short URL to this thread: https://techguy.org/756691