please help me to clear my PC from TR/Monderb
Close all programs.
Run AVZ.
Run a custom script in AVZ (through the File menu):
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{C075D7A0-956E-4AF8-B5EC-8FFA98C53940}');
DelBHO('{CF55DD2E-1E2C-44F7-8514-A94864AC2990}');
DelBHO('{AAC1ECA0-D938-41A2-91E5-94AE19214BEF}');
QuarantineFile('C:\WINDOWS\rtsplgob.dll','');
QuarantineFile('C:\WINDOWS\xkefqtgs.dll','');
QuarantineFile('C:\WINDOWS\system32\vwnajrjh.dll','');
QuarantineFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe','');
QuarantineFile('C:\WINDOWS\rnopbfgt.dll','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
QuarantineFile('C:\WINDOWS\system32\qoMdcbaY.dll','');
QuarantineFile('C:\WINDOWS\system32\iifFuRkI.dll','');
BC_DeleteFile('C:\WINDOWS\system32\iifFuRkI.dll');
BC_DeleteFile('C:\WINDOWS\system32\qoMdcbaY.dll');
BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_DeleteFile('C:\WINDOWS\rnopbfgt.dll');
BC_DeleteFile('C:\WINDOWS\system32\vwnajrjh.dll');
BC_DeleteFile('C:\WINDOWS\xkefqtgs.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
After the reboot, upload the quarantine file via this link
[url]http://virusinfo.info/upload_virus_eng.php?tid=24575[/url]
and make/attach 3 new log files.
I have run AVZ, as you told me, but I cannot attach the 3 log files.
[QUOTE=Reinhart;240665]I have run AVZ, as you told me, but I cannot attach the 3 log files.[/QUOTE]Why?
BTW: Are you German? ;)
Now, after running the script:
Best of all, disconnect the PC from the network.
Turn off System Restore.
Turn off Antivir and Ad-Aware.
Fix with HJT:
[CODE]O2 - BHO: (no name) - {CF55DD2E-1E2C-44F7-8514-A94864AC2990} - C:\WINDOWS\system32\qoMdcbaY.dll (file missing)
O2 - BHO: (no name) - {DF3B8CC4-1C73-4F8A-AEE4-792F3F4D2A34} - C:\WINDOWS\system32\iifFuRkI.dll (file missing)
O4 - HKLM\..\Run: [advap32] C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [4804e768] rundll32.exe "C:\WINDOWS\system32\vwnajrjh.dll",b
O20 - Winlogon Notify: qoMdcbaY - qoMdcbaY.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: rnopbfgt - {BD812E94-DA5A-4C12-B966-B9B6B5BB304D} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {D9A3E7F5-B1F6-4B5F-900B-CABC431A45C6} - C:\WINDOWS\xkefqtgs.dll (file missing)
[/CODE]
Run this script:
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{CF55DD2E-1E2C-44F7-8514-A94864AC2990}');
DelBHO('{DF3B8CC4-1C73-4F8A-AEE4-792F3F4D2A34}');
DeleteService('ThemesERSvc');
DeleteService('MSDTChkmsvc');
DeleteService('Winbn22');
DeleteService('Winbv11');
DeleteService('Winch61');
DeleteService('Winiv23');
DeleteService('Winjq31');
DeleteService('Winkn42');
DeleteService('Winoc74');
DeleteService('Winqm63');
DeleteService('Winxf42');
DeleteService('Winyy57');
DeleteService('Winho20');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
QuarantineFile('srv.exe','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winho20.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winyy57.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winxf42.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winqm63.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winoc74.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winkn42.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winjq31.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winjo43.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winiv23.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wineh04.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winch61.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wincc80.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winbv11.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winbn22.sys','');
QuarantineFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe','');
QuarantineFile('C:\WINDOWS\rnopbfgt.dll','');
QuarantineFile('C:\WINDOWS\system32\vwnajrjh.dll','');
QuarantineFile('C:\WINDOWS\xkefqtgs.dll','');
QuarantineFile('WinCtrl32.dll','');
QuarantineFile('qoMdcbaY.dll','');
QuarantineFile('C:\WINDOWS\system32\iifFuRkI.dll','');
QuarantineFile('C:\WINDOWS\system32\qoMdcbaY.dll','');
DeleteFile('C:\WINDOWS\system32\qoMdcbaY.dll');
DeleteFile('C:\WINDOWS\system32\iifFuRkI.dll');
DeleteFile('qoMdcbaY.dll');
DeleteFile('WinCtrl32.dll');
DeleteFile('C:\WINDOWS\xkefqtgs.dll');
DeleteFile('C:\WINDOWS\system32\vwnajrjh.dll');
DeleteFile('C:\WINDOWS\rnopbfgt.dll');
DeleteFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe');
DeleteFile('C:\WINDOWS\System32\Drivers\Winbn22.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winbv11.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wincc80.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winch61.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wineh04.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winiv23.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winjo43.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winjq31.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winkn42.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winoc74.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winqm63.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winxf42.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winyy57.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
DeleteFile('srv.exe');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
After the reboot, upload the quarantine and repeat the log files.
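The HijackThis lines above were translated into the AVZ script by hand. The following Python helper, added here as an example and not part of the thread or of AVZ, does that mapping mechanically for the O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and O21 (SSODL) line formats shown on this page. It assumes the HijackThis line layout exactly as quoted in the thread (the sample input is a constructed copy of those lines) and emits only the AVZ calls the thread itself uses (DelBHO, DelWinlogonNotifyByKeyName, QuarantineFile, BC_DeleteFile, BC_ImportAll, ExecuteSysClean, BC_Activate, RebootWindows). Two details a hand transcription gets wrong are handled: a trailing command-line argument such as `/r` is not part of the file path, and a bare file name with no drive letter (as in `qoMdcbaY.dll (file missing)`) is not turned into a delete call.

```python
import re

# Constructed sample input: the HijackThis lines quoted in the thread
# (O2 = BHO, O4 = Run key, O20 = Winlogon Notify, O21 = SSODL).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {CF55DD2E-1E2C-44F7-8514-A94864AC2990} - C:\WINDOWS\system32\qoMdcbaY.dll (file missing)
O2 - BHO: (no name) - {DF3B8CC4-1C73-4F8A-AEE4-792F3F4D2A34} - C:\WINDOWS\system32\iifFuRkI.dll (file missing)
O4 - HKLM\..\Run: [advap32] C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [4804e768] rundll32.exe "C:\WINDOWS\system32\vwnajrjh.dll",b
O20 - Winlogon Notify: qoMdcbaY - qoMdcbaY.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: rnopbfgt - {BD812E94-DA5A-4C12-B966-B9B6B5BB304D} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {D9A3E7F5-B1F6-4B5F-900B-CABC431A45C6} - C:\WINDOWS\xkefqtgs.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# A full path: drive letter, then non-space/non-quote characters, ending at a PE
# extension followed by a word boundary. The non-greedy match stops at ".exe", so a
# trailing argument such as "/r" or ",b" is not taken as part of the file name.
PATH_RE = re.compile(r"[A-Z]:\\[^\s\"]+?\.(?:dll|exe|sys)\b", re.I)
# Where the registry value / key name sits in each section's line layout.
KEY_RES = {
    "O4": re.compile(r"\[([^\]]+)\]"),
    "O20": re.compile(r"^Winlogon Notify: (\S+) - "),
    "O21": re.compile(r"^SSODL: (\S+) - "),
}


def parse_hjt(text):
    """Parse HijackThis 'Oxx - ...' lines into dicts: section, key, clsid, path, file_missing."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, anything that is not an Oxx entry
        section, body = m.groups()
        key_re = KEY_RES.get(section)
        key_m = key_re.search(body) if key_re else None
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({
            "section": section,
            "key": key_m.group(1) if key_m else None,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0) if path else None,  # None for bare names like qoMdcbaY.dll
            "file_missing": "(file missing)" in body,
        })
    return entries


def build_avz_script(entries):
    """Emit the AVZ custom-script calls the thread uses, in the same order:
    registry fixes, then quarantine, then delete-on-boot, then cleanup and reboot."""
    registry, paths = [], []
    for e in entries:
        if e["section"] == "O2" and e["clsid"]:
            registry.append(f"DelBHO('{e['clsid']}');")
        elif e["section"] == "O20" and e["key"]:
            registry.append(f"DelWinlogonNotifyByKeyName('{e['key']}');")
        # O4 Run values and O21 SSODL values are left to ExecuteSysClean, which the
        # thread relies on to drop autorun references whose target file is gone.
        if e["path"] and e["path"] not in paths:
            paths.append(e["path"])  # full paths only; a bare name is not deleted blindly
    lines = ["begin", "SearchRootkit(true, true);", "SetAVZGuardStatus(True);"]
    lines += registry
    lines += [f"QuarantineFile('{p}','');" for p in paths]  # keep a sample for upload
    lines += [f"BC_DeleteFile('{p}');" for p in paths]      # then delete at next boot
    lines += ["BC_ImportAll;", "ExecuteSysClean;", "BC_Activate;", "RebootWindows(true);", "end."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_avz_script(parse_hjt(SAMPLE_HJT)))
```

Paste the real HijackThis log into `SAMPLE_HJT` (or read it from a file) and review the generated script before running it in AVZ; the generator deliberately does nothing for lines it does not recognise, so anything outside O2/O4/O20/O21 still has to be handled by hand as the helpers do in this thread.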
Done
Much better already :)
Download IceSword, File / search for C:\WINDOWS\system32\WinCtrl32.dll, choose force delete.
Then one more script:
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelWinlogonNotifyByFileName('WinCtrl32.dll');
DeleteService('Winho20');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\Winho20.sys');
DeleteFile('WinCtrl32.dll');
BC_DeleteFile('C:\WINDOWS\system32\Drivers\Winho20.sys');
BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_DeleteFile('WinCtrl32.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
After the reboot, new log files, only [B]virusinfo_syscheck[/B] and [B]Hijackthis[/B].
done 3.
Disconnect from the network,
turn off Avira, Ad-Aware and System Restore.
Please find these 2 files with IceSword
[CODE]C:\WINDOWS\System32\Drivers\Winho20.sys
C:\WINDOWS\system32\WinCtrl32.dll[/CODE]
and remove them with force delete.
Fix with Hijackthis
[CODE]O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll[/CODE]
Run the script
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('Winho20');
DeleteService('FontCache3.0.0.0Spooler');
DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
BC_DeleteFile('Winho20.sys');
BC_DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_DeleteFile('srv.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
Repeat the 2 logs ;)
Please don't disappear again for 3 hours; stay on it as long as malware is still active.
Excuse me, now I did it immediately.
Could not find winho20.sys in system32/drivers.
Fix with Hijackthis
[CODE]O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll[/CODE]
Script
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('hkmsvcRasMan');
StopService('FontCache3.0.0.0Spooler');
SetServiceStart('hkmsvcRasMan', 4);
SetServiceStart('FontCache3.0.0.0Spooler', 4);
DeleteService('FontCache3.0.0.0Spooler');
DeleteService('hkmsvcRasMan');
DeleteService('Wintm60');
DelWinlogonNotifyByFileName('WinCtrl32.dll');
BC_QrFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
BC_DeleteFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
The enemy is sitting somewhere. Run the script and make the new logs; I will ask my colleagues.
I tried it again,
I think without success.
In [url=http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip]IceSword[/url] go to the File menu. There, search for C:\WINDOWS\system32\Drivers\Wintm60.sys; if found, right-click - force delete - yes.
Then AVZ - File - Custom scripts.
Run this:
[code]begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('srv.exe','');
QuarantineFile('C:\WINDOWS\system32\Drivers\Wintm60.sys','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\tcpip.sys','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
DelWinlogonNotifyByKeyName('WinCtrl32');
BC_ImportALL;
ExecuteSysClean;
BC_DeleteSvc('Wintm60');
BC_Activate;
RebootWindows(true);
end.[/code]
After the reboot, upload the quarantine and make new log files.
Here are the new runs.
The rootkit has been deleted. But we need the quarantine to be able to continue. See [url=http://virusinfo.info/showthread.php?t=9184]the rules[/url] here - Appendix 3. (upload here: [url]http://virusinfo.info/upload_virus_eng.php?tid=24575[/url] )
I do not understand anything about that, what you all -dear helpers - have done and I am very impressed, thank you so much
Reinhart
[QUOTE=Reinhart;240850]I do not understand anything about that, what you all -dear helpers - have done and I am very impressed, thank you so much
[/QUOTE]You're welcome :) Have you uploaded the quarantine (see kps's posting #16)?
A side question: do you still use the T-Online software for anything other than establishing the connection? If not, you can safely remove it.
I have uploaded the quarantine, it worked, the PC is really fast now,
thanks for the tip about T-Online.
AVZ - File - Custom scripts
Run the following:
[code]begin
DelWinlogonNotifyByKeyName('WinCtrl32');
BC_DeleteSvc('FontCache3.0.0.0Spooler');
BC_DeleteSvc('hkmsvcRasMan');
BC_DeleteSvc('ScheduleBITS');
BC_Activate;
RebootWindows(true);
end.[/code]
After the reboot, make new log files, including virusinfo_syscure.zip.