My Computer is infected with TR/Monderb

**Reinhart** · 14.06.2008, 01:40

please help me to clear my PC from TR/Monderb

**AndreyKa** · 14.06.2008, 07:24

Close all programs.
Run AVZ.
Run custom script in AVZ (thru File menu):

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DelBHO('{C075D7A0-956E-4AF8-B5EC-8FFA98C53940}');
 DelBHO('{CF55DD2E-1E2C-44F7-8514-A94864AC2990}');
 DelBHO('{AAC1ECA0-D938-41A2-91E5-94AE19214BEF}');
 QuarantineFile('C:\WINDOWS\rtsplgob.dll','');
 QuarantineFile('C:\WINDOWS\xkefqtgs.dll','');
 QuarantineFile('C:\WINDOWS\system32\vwnajrjh.dll','');
 QuarantineFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe','');
 QuarantineFile('C:\WINDOWS\rnopbfgt.dll','');
 QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
 QuarantineFile('C:\WINDOWS\system32\qoMdcbaY.dll','');
 QuarantineFile('C:\WINDOWS\system32\iifFuRkI.dll','');
 BC_DeleteFile('C:\WINDOWS\system32\iifFuRkI.dll');
 BC_DeleteFile('C:\WINDOWS\system32\qoMdcbaY.dll');
 BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
 BC_DeleteFile('C:\WINDOWS\rnopbfgt.dll');
 BC_DeleteFile('C:\WINDOWS\system32\vwnajrjh.dll');
 BC_DeleteFile('C:\WINDOWS\xkefqtgs.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After re-boot upload a quarantine file following the link
http://virusinfo.info/upload_virus_eng.php?tid=24575
and make/attach 3 new logfiles.

**Reinhart** · 14.06.2008, 10:51

I have run AVZ, as you told me

Добавлено через 5 минут

I have ru AVZ, as you told me, but i cannot attach the 3 logfiles

**Rene-gad** · 14.06.2008, 10:53

Сообщение от Reinhart

I have run AVZ, as you told me
I have ru AVZ, as you told me, but i cannot attach the 3 logfiles

Why?
BTW: Are you German?

**Reinhart** · 14.06.2008, 10:58

now after running the script

**Rene-gad** · 14.06.2008, 11:22

Am besten -trenne PC vom Netz.
Schalte Systemwiederherstellung aus
Schalte Antivir und Adware ab.
Fixe mit HJT

Код:

O2 - BHO: (no name) - {CF55DD2E-1E2C-44F7-8514-A94864AC2990} - C:\WINDOWS\system32\qoMdcbaY.dll (file missing)
O2 - BHO: (no name) - {DF3B8CC4-1C73-4F8A-AEE4-792F3F4D2A34} - C:\WINDOWS\system32\iifFuRkI.dll (file missing)
O4 - HKLM\..\Run: [advap32] C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [4804e768] rundll32.exe "C:\WINDOWS\system32\vwnajrjh.dll",b
O20 - Winlogon Notify: qoMdcbaY - qoMdcbaY.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: rnopbfgt - {BD812E94-DA5A-4C12-B966-B9B6B5BB304D} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {D9A3E7F5-B1F6-4B5F-900B-CABC431A45C6} - C:\WINDOWS\xkefqtgs.dll (file missing)

Fьhre Script aus:

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DelBHO('{CF55DD2E-1E2C-44F7-8514-A94864AC2990}');
 DelBHO('{DF3B8CC4-1C73-4F8A-AEE4-792F3F4D2A34}');
 DeleteService('ThemesERSvc');
 DeleteService('MSDTChkmsvc');
 DeleteService('Winbn22');
 DeleteService('Winbv11');
 DeleteService('Winch61');
 DeleteService('Winiv23');
 DeleteService('Winjq31');
 DeleteService('Winkn42');
 DeleteService('Winoc74');
 DeleteService('Winqm63');
 DeleteService('Winxf42');
 DeleteService('Winyy57');
 DeleteService('Winho20');
 QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
 QuarantineFile('srv.exe','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winho20.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winyy57.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winxf42.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winqm63.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winoc74.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winkn42.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winjq31.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winjo43.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winiv23.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Wineh04.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winch61.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Wincc80.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winbv11.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Winbn22.sys',''); 
 QuarantineFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe/r','');
 QuarantineFile('C:\WINDOWS\rnopbfgt.dll','');
 QuarantineFile('C:\WINDOWS\system32\vwnajrjh.dll','');
 QuarantineFile('C:\WINDOWS\xkefqtgs.dll','');
 QuarantineFile('WinCtrl32.dll','');
 QuarantineFile('qoMdcbaY.dll','');
 QuarantineFile('C:\WINDOWS\system32\iifFuRkI.dll','');
 QuarantineFile('C:\WINDOWS\system32\qoMdcbaY.dll','');
 QuarantineFile('C:\WINDOWS\system32\Drivers\Winho20.sys','');
 DeleteFile('C:\WINDOWS\system32\Drivers\Winho20.sys');
 DeleteFile('C:\WINDOWS\system32\qoMdcbaY.dll');
 DeleteFile('C:\WINDOWS\system32\iifFuRkI.dll');
 DeleteFile('qoMdcbaY.dll');
 DeleteFile('WinCtrl32.dll');
 DeleteFile('C:\WINDOWS\xkefqtgs.dll');
 DeleteFile('C:\WINDOWS\system32\vwnajrjh.dll');
 DeleteFile('C:\WINDOWS\rnopbfgt.dll');
 DeleteFile('C:\DOKUME~1\user\LOKALE~1\Temp\rbnpsrv.exe/r');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winbn22.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winbv11.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Wincc80.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winch61.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Wineh04.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winiv23.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winjo43.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winjq31.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winkn42.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winoc74.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winqm63.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winxf42.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winyy57.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
 DeleteFile('srv.exe');
 DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Nach dem Reboot - uploade die Qurantдne und wiederhole die Log-Files.

**Reinhart** · 14.06.2008, 12:07

Done

**Rene-gad** · 14.06.2008, 12:20

Schon viel besser

Lade IceSword herunter, File / suchen nach C:\WINDOWS\system32\WinCtrl32.dll, wдhle forcedelete.
Dann noch ein Script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DelWinlogonNotifyByFileName('WinCtrl32.dll ');
 DeleteService('Winho20');
 DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
 DeleteFile('C:\WINDOWS\system32\Drivers\Winho20.sys');
 DeleteFile('WinCtrl32.dll');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
 BC_DeleteFile('C:\WINDOWS\system32\Drivers\Winho20.sys');
 BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
 BC_DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
 BC_DeleteFile('WinCtrl32.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Nach dem Reboot - neue Logfiles nur virusinfo_syscheck und Hijackthis.

**Reinhart** · 14.06.2008, 15:34

done 3.

**Rene-gad** · 14.06.2008, 15:52

Gehe vom Netz weg,
schalte Avira, Ad Aware, Systemwiederherstellung ab
Bitte mit IceSword diese 2 Dateien

Код:

C:\WINDOWS\System32\Drivers\Winho20.sys
C:\WINDOWS\system32\WinCtrl32.dll

finden und mit force delete entfernen.
Fixe mit Hijackthis

Код:

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

Script ausfьhren

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DeleteService('Winho20');
 DeleteService('FontCache3.0.0.0Spooler');
 DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
 BC_DeleteFile('Winho20.sys');
 BC_DeleteFile('C:\WINDOWS\System32\Drivers\Winho20.sys');
 BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
 BC_DeleteFile('srv.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2 logs wiederholen

Bitte verschwinde nicht wieder fьr 3 Stunden, bleibe am Ball solange noch Malware aktiv ist.

**Reinhart** · 14.06.2008, 16:44

excuse me, now I did it immediately
cold not find winho20.sys in system32/drivers

**Rene-gad** · 14.06.2008, 17:52

Fixe mit Hijackthis

Код:

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

Script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('hkmsvcRasMan');
 StopService('FontCache3.0.0.0Spooler');
 SetServiceStart('hkmsvcRasMan', 4);
 SetServiceStart('FontCache3.0.0.0Spooler', 4);
 DeleteService('FontCache3.0.0.0Spooler');
 DeleteService('hkmsvcRasMan');
 DeleteService('Wintm60');
 DelWinlogonNotifyByFileName('WinCtrl32.dll ');
 BC_QrFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
 BC_DeleteFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Irgendwo sitzt der Feind. Mach mal den Script und die neuen Logs, ich frage bei den Kollegen nach.

**Reinhart** · 14.06.2008, 18:24

habe es erneut versucht,
glaube ohne Erfolg

**kps** · 14.06.2008, 18:46

In IceSword gehen Sie ins Menü File. Dort suchen Sie C:\WINDOWS\system32\Drivers\Wintm60.sys, wenn gefunden - rechter Mausklick - force delete - yes

Danach AVZ - File - Custom scripts
Führen Sie das aus

Код:

begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('srv.exe','');
 QuarantineFile('C:\WINDOWS\system32\Drivers\Wintm60.sys','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\tcpip.sys','');
 QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
 DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
 DeleteFile('C:\WINDOWS\system32\Drivers\Wintm60.sys');
DelWinlogonNotifyByKeyName('WinCtrl32');
BC_ImportALL;
ExecuteSysClean;
BC_DeleteSvc('Wintm60');
BC_Activate;
RebootWindows(true);
end.

Nach dem Reboot uploaden Sie die Quarantäne und machen Sie neue Log-Dateien.

**Reinhart** · 14.06.2008, 19:07

hier die neuen Laeufe

**kps** · 14.06.2008, 19:15

Das Rootkit ist gelцscht worden. Aber wir brauchen die Quarantдne, um weitermachen zu kцnnen. Sehen Sie hier die Regeln - Anlage 3. (uploaden Sie hier http://virusinfo.info/upload_virus_eng.php?tid=24575 )

**Reinhart** · 14.06.2008, 21:28

I do not understand anything about that, what you all -dear helpers - have done and I am very impressed, thank you so much
Reinhart

**Rene-gad** · 14.06.2008, 21:32

Сообщение от Reinhart

I do not understand anything about that, what you all -dear helpers - have done and I am very impressed, thank you so much

Gern geschehen

Hast Du die Quarantдne geuploaded (s. Posting von kps #16)?
Mal eine Nebenfrage: Benutzest Du T-Online Software noch fьr was anderes, auЯer die Verbindung herzustellen? Wenn Nein - kannst Du sie getrost entfernen.

**Reinhart** · 14.06.2008, 21:53

habe die Quarantдne geuplaoded, hat funktioniert, PC ist richtig fix,
danke fьr den Tip mit T-online

**kps** · 14.06.2008, 22:10

AVZ - File - Custom scripts
Führen Sie folgendes aus:

Код:

begin
DelWinlogonNotifyByKeyName('WinCtrl32');
BC_DeleteSvc('FontCache3.0.0.0Spooler');
BC_DeleteSvc('hkmsvcRasMan');
BC_DeleteSvc('ScheduleBITS');
BC_Activate;
RebootWindows(true);
end.

Nach dem Reboot machen Sie neue Log-Dateien, einschliesslich virusinfo_syscure.zip.

My Computer is infected with TR/Monderb

Опции темы

My Computer is infected with TR/Monderb

Repy to TR/Monderb

TR/Monderb

TR/monerb

TR/Monderb

TR/Monderb

TR/Monderb

TR/Monderb

TR/monderb

Похожие темы

restore sistem does not works,I have some adds trying me to buy them a antivirus to fix my computer, the screan of my computer says is infected with a virus, i can not open the browser. (заявка №45872)

Computer infected!

fix an infected computer

Your computer is infected!

TR/Monderb infected

Ваши права в разделе