Trojan.Win32.Monderb.gen not picked up by Avast.

Hi

I recently made a complete scan of my PC using different tools, like the MWAV Toolkit utility and the Kaspersky online scan.
Both tools found a virus, Trojan.Win32.Monderb.gen, in some of the Windows error report folders located at C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report…\Report.cab. I made a scan with Avast of that specific folder, allowing it to scan archives, but Avast did not pick it up. Besides, I found no information about this trojan on viruslist or anywhere else.

Does anyone have a clue what Trojan.Win32.Monderb.gen is? Is it a false call?

Thanks for the help.

Well, generally the .gen in the signature means generic, which is more prone to false detection.

Try a Google search for Win32.Monderb.gen, http://www.google.com/search?q=Win32.Monderb.gen, or drop the .gen bit and see what the family does.

I would normally suggest that you upload the file to VirusTotal - Multi engine on-line virus scanner and report the findings here. However, there is a 10MB upload limit and I think the .cab (cabinet/archive) file would exceed that.

You could try right-clicking on the file, selecting Properties, and seeing if there is a digital signature (probably not) or anything to identify it as an MS file.

Some other specialised anti-spyware tools you could try:

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware (on-demand only in the free version).

  2. MalwareBytes Anti-Malware freeware version, http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right-click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

I’m also working on a computer infected?!? with this trojan.win32.monderb.gen. It was brought to me for running slow, and Trend Micro picked this up as possible_vundo-7. It’s related to the file c:\windows\system32\opnnlkKe.dll on this computer. It has WXP Home Edition installed. Neither the Trend Micro nor the Kaspersky antivirus can get rid of it. So far I cannot manually delete it. I’m going to try some of the things the last poster suggested and some other things I know to do. Just hoping additional info might help someone else.

Shawn

Based only on the file name, it looks like the common random file name associated with Vundo, and with zero hits on the file name in Google it is suspect.

Though I don’t see where you are getting any association with Win32.Monderb.gen from?
Or are you saying something else said it was Win32.Monderb.gen? If so, what?

This file should be able to be uploaded to VirusTotal, as it shouldn’t exceed 10MB, and the two applications do pick up a lot of Vundo variants.

Kaspersky AV => Trojan.Win32.Monderb.gen on the same file as
Trend Micro AV => possible_vundo-7

Sorry, I’m new to these forums and just started working on this computer.

Shawn

Will update when I get a HJT report and get some basic research done.

I would run the other two programs before HJT, as a) they should clean up to a degree if it is Vundo or other possible malware, and b) it could bring your HJT log size down.

Mind you, both of these are either generic or possible (heuristic) detections, so they may not hit the mark as specifically as a distinct signature would. Though I don’t doubt that it is malware; what exactly it is, is the issue.

DavidR

Thank you very much for your reply.
The infected .cab file is only 331 kB, so I uploaded it to VirusTotal (I didn’t know about this service, thank you for the advice) and here is the log.
I will be checking further with SUPERantispyware and shall post the log file as well. By the way, I use Spybot Search&Destroy, isn’t it good enough?

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.10.22.0 | 2008.10.21 | -
AntiVir | 7.9.0.5 | 2008.10.21 | TR/Monderb.318208.2
Authentium | 5.1.0.4 | 2008.10.21 | W32/Trojan2.BTIQ
Avast | 4.8.1248.0 | 2008.10.21 | -
AVG | 8.0.0.161 | 2008.10.21 | -
BitDefender | 7.2 | 2008.10.21 | Trojan.Vundo.FAM
CAT-QuickHeal | 9.50 | 2008.10.21 | -
ClamAV | 0.93.1 | 2008.10.21 | -
DrWeb | 4.44.0.09170 | 2008.10.21 | Trojan.Virtumod.based.18
eSafe | 7.0.17.0 | 2008.10.19 | -
eTrust-Vet | 31.6.6162 | 2008.10.21 | -
Ewido | 4.0 | 2008.10.21 | -
F-Prot | 4.4.4.56 | 2008.10.21 | W32/Trojan2.BTIQ
F-Secure | 8.0.14332.0 | 2008.10.21 | Trojan.Win32.Monderb.gen
Fortinet | 3.113.0.0 | 2008.10.21 | -
GData | 19 | 2008.10.21 | Trojan.Vundo.FAM
Ikarus | T3.1.1.44.0 | 2008.10.21 | -
K7AntiVirus | 7.10.501 | 2008.10.21 | -
Kaspersky | 7.0.0.125 | 2008.10.21 | Trojan.Win32.Monderb.gen
McAfee | 5409 | 2008.10.21 | -
Microsoft | 1.4005 | 2008.10.21 | -
NOD32 | 3544 | 2008.10.21 | -
Norman | 5.80.02 | 2008.10.21 | -
Panda | 9.0.0.4 | 2008.10.21 | -
PCTools | 4.4.2.0 | 2008.10.21 | -
Prevx1 | V2 | 2008.10.21 | Malicious Software
Rising | 20.67.12.00 | 2008.10.21 | -
SecureWeb-Gateway | 6.7.6 | 2008.10.21 | -
Sophos | 4.34.0 | 2008.10.21 | Troj/Virtum-Gen
Sunbelt | 3.1.1742.1 | 2008.10.21 | -
Symantec | 10 | 2008.10.21 | -
TheHacker | 6.3.1.0.122 | 2008.10.21 | -
TrendMicro | 8.700.0.1004 | 2008.10.21 | -
VBA32 | 3.12.8.8 | 2008.10.21 | Trojan.Win32.Monderb.gen
ViRobot | 2008.10.21.1430 | 2008.10.21 | -
VirusBuster | 4.5.11.0 | 2008.10.21 | -

Additional information
File size: 339173 bytes
MD5…: b3605bf14aa2591f9a26c19a03baf145
SHA1…: a4347a3b80eb1ca89cd4566da1d35615084be978
SHA256: 7e0177261be67916eca0295ddb835c23e7dda4bb84e035ebd16724f7c3a5e1ec
SHA512: 412bbd197ffb29a390e55c4fe9e9c3cd6c88bad803cbfe183a24d318ece12097e6ef39e1a72ed04522ba503a0ebea909bb825896084a11a1e25ea079ed3b8556
PEiD…: -
TrID…: File type identification
Microsoft Cabinet Archive (99.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8B2AEE290039F760DBAE04A848BFE70012AF3D04
packers (Kaspersky): PE-Crypt.XorPE, PE-Crypt.XorPE, PE-Crypt.XorPE
packers (F-Prot): XORCrypt, Unicode
packers (Authentium): XORCrypt, XORCrypt, XORCrypt
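As an added illustration (not code from the thread or from any of the tools named in it), a small Python parser for the flattened VirusTotal table above: it splits the run-together "engine version date result" entries, separates the generic/heuristic verdicts (.gen, .based, -Gen, unnamed verdicts) from specific signatures, and pulls out the family name each engine uses. The embedded text is a constructed excerpt of the posted results; the marker and prefix lists are assumptions, not anything VirusTotal defines.

```python
import re
from collections import Counter

# Constructed excerpt of the flattened VirusTotal table posted above; entries are
# "engine version signature-date result", where "-" means no detection.
VT_FLAT = (
    "AhnLab-V3 2008.10.22.0 2008.10.21 - AntiVir 7.9.0.5 2008.10.21 TR/Monderb.318208.2 "
    "Avast 4.8.1248.0 2008.10.21 - BitDefender 7.2 2008.10.21 Trojan.Vundo.FAM "
    "DrWeb 4.44.0.09170 2008.10.21 Trojan.Virtumod.based.18 "
    "Kaspersky 7.0.0.125 2008.10.21 Trojan.Win32.Monderb.gen "
    "Prevx1 V2 2008.10.21 Malicious Software Rising 20.67.12.00 2008.10.21 - "
    "Sophos 4.34.0 2008.10.21 Troj/Virtum-Gen"
)

# One entry: engine, version, YYYY.MM.DD date, then a (possibly multi-word) result that
# runs until the next "engine version date" triple or the end of the text.
ENTRY = re.compile(r"(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+?)(?= \S+ \S+ \d{4}\.\d{2}\.\d{2} |$)")
# Assumed marker/prefix lists (not from the thread): parts of a detection name that signal
# a generic or heuristic verdict, and type/platform prefixes that are not the family name.
GENERIC_MARKERS = {"gen", "generic", "based", "heur", "fam"}
PREFIXES = {"trojan", "troj", "tr", "w32", "win32"}

def parse_vt(flat):
    """Return [(engine, result), ...] in the order the engines appear."""
    return [(m.group(1), m.group(4)) for m in ENTRY.finditer(flat)]

def name_parts(result):
    """Split a detection name such as Trojan.Win32.Monderb.gen into its parts."""
    return [p for p in re.split(r"[./:\-]", result) if p]

def is_generic(result):
    """Generic/heuristic verdict: a .gen/.based/-Gen style name, or an unnamed one like 'Malicious Software'."""
    return result != "-" and (" " in result or any(p.lower() in GENERIC_MARKERS for p in name_parts(result)))

def family(result):
    """The family name an engine uses (Monderb, Vundo, ...), or None if it names none."""
    if result == "-" or " " in result:
        return None
    for p in name_parts(result):
        if p.lower() not in PREFIXES | GENERIC_MARKERS and not p.isdigit():
            return p
    return None

def summarize(flat):
    """Return (detections, engines scanned, generic detections, Counter of family names)."""
    rows = parse_vt(flat)
    hits = [r for _, r in rows if r != "-"]
    generic = sum(1 for r in hits if is_generic(r))
    families = Counter(f for f in map(family, hits) if f)
    return len(hits), len(rows), generic, families
```

On the excerpt, summarize() reports 6 of 9 engines detecting the file, 5 of them generically, with the family named as Monderb, Vundo, Virtumod or Virtum depending on the vendor.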

Well, that is pretty conclusive (although most of the detections are generic). Before getting rid of this, send a sample to avast.

Send the sample to virus@avast.com zipped and password-protected, with the password in the email body; a link to this topic and the VirusTotal results page might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there), where it can do no harm, and send it from there (select the file, right-click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file(s) will remain in the original location, so any further action you take can remove that.

Dear DavidR

I’ve sent the file to the address you indicated on 22 October. No reply yet from Avast.
What else can I do to be sure it’s not a virus?

Thanks.

You generally won’t get a reply unless they need more information.

Periodically scan the file you put in the chest user files section (from within the chest) to see when it is detected.

However, I don’t really doubt that it is malware as VT results also suggest.

You still don’t say if you have run both the programs I suggested (preferably from safe mode) nor have you posted a HJT log as also suggested. So my advice would be to follow the suggestions one at a time and post the report/log before doing the next one.

OK, here is the SUPERAntispyware log:

SUPERAntiSpyware Scan Log http://www.superantispyware.com

Generated 10/30/2008 at 10:37 PM

Application Version : 4.21.1004

Core Rules Database Version : 3615
Trace Rules Database Version: 1601

Scan type : Complete Scan
Total Scan Time : 00:41:23

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 8220
Registry threats detected : 0
File items scanned : 42241
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Olufsen\AppData\Roaming\Microsoft\Windows\Cookies\olufsen@yadro[1].txt
C:\Users\Olufsen\AppData\Roaming\Microsoft\Windows\Cookies\olufsen@count.rbc[1].txt
C:\Users\Olufsen\AppData\Roaming\Microsoft\Windows\Cookies\olufsen@list[1].txt
C:\Users\Olufsen\AppData\Roaming\Microsoft\Windows\Cookies\olufsen@medialand.relax[2].txt

Here is the other tool’s log file. Nothing found here.

Malwarebytes log

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 6.0.6001 Service Pack 1

22:22:06 31. 10. 2008
mbam-log-10-31-2008 (22-22-06).txt

Scan type: Quick Scan
Objects scanned: 41228
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OK, I tried to post a HJT log file here, but there is a limit of 10000 characters per post on this forum.

The message exceeds the maximum allowed length (10000 characters).

… and finally, here is the HJT log as an attached file.

Thanks in advance for the help.

OK, the SAS log, other than cookies (which are a minor privacy issue rather than a security one), is good.

The MBAM log is good.

The HJT log shows no active firewall; by active it means no outbound protection. The Vista firewall has outbound protection disabled by default. It is rules-based and you have to create the rules, which isn’t easy. Vista Firewall Control: check out this topic for some user-friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

This is highly suspect (zero hits on a Google search for the file name), Fix:
O23 - Service: EJUWTE - Unknown owner - C:\Users\Olufsen\AppData\Local\Temp\EJUWTE.exe (file missing)

Check to see if the file is indeed missing: ensure that you have hidden files and folders enabled and disable hiding of system files in Windows Explorer (Tools, Folder Options, Hidden files and folders), see image.

If the file is there, tell us and add it to the avast chest, User Files section, see image 2.

Other than that I don’t see anything obvious.

I enabled hidden files and unhid the system files, then looked for the file EJUWTE.exe; it’s not there.

Thanks for the advice.

You’re welcome. The file may have been dealt with earlier but the registry entry remains; fix it in HijackThis (HJT), e.g. tick the box to the left of the entry in HJT and click the Fix Selected button at the bottom of the HJT window.

Re: Trojan-keylogger.Win32.fung

Is this somehow related to the Trojan referenced above? If so, please help with the following…

I keep seeing a malformed “Windows Security Alert” pop-up that indicates the presence of a “Trojan-keylogger.Win32.fung.” It inquires whether I wish to “nable Protectio”. As indicated, the button text is truncated on either side. The dialog’s English text is poorly written. I strongly suspect this to be a virus or something of the sort masquerading as an alert.

I’ve run a scan on the entire system. It identified two questionable files. However, when I tried to delete them, the Avast system indicated that a system error had taken place. The two files in question seem to have altered themselves in a way that made them essentially untouchable/unreadable to the Avast 4.8 system.

I am highly inexperienced at dealing with such issues and much of what I’ve read on the forum is too technical to be clear to me… at present. Please advise what I should do, in a step-by-step process.

Many thanks

gsmichaels

If a virus is recurrent (coming back again and again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  2. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run SUPERantispyware, MBAM or SpywareTerminator.
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

  4. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After disabling, you can enable it again. To use System Restore it’s necessary to disable avast! self-protection: avast! settings > Troubleshooting > Disable avast! self-defence module, then start a System Restore.

  7. Use the immunization of SpywareBlaster or, which is better, the spyware/adware cleaning and removal features of Windows Advanced Care.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.