I recently made a complete scan of my PC using different tools, like MWAV Toolkit utility and Kaspersky online scan.
Both the tools found a virus Trojan.Win32.Monderb.gen in some of the Windows error report folders located at C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report…\Report.cab. I made a scan with Avast of that specific folder allowing to scan archives, but Avast did not pick it up. Besides, I found no information on this trojan on viruslist nor anywhere else.
Does anyone have a clue what is Trojan.Win32.Monderb.gen? Is it a false call?
I would normally suggest that you upload the file to VirusTotal - Multi engine on-line virus scanner and report the findings here. However there is a 10MB upload limit and I think the .cab (cabinet/archive) file would exceed that.
You could try right-clicking on the file, selecting Properties, and seeing if there is a digital signature (probably not) or anything to identify it as an MS file.
Some other specialised anti-spyware tools you could try.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
I'm also working on a computer infected?!? with this trojan.win32.monderb.gen that was brought to me for running slow and Trend-micro picked this up as possible_vundo-7. It's related to the file c:\windows\system32\opnnlkKe.dll on this computer. Has WXP Home edition installed. Neither the Trend-micro nor Kaspersky antivirus can get rid of it. So far can not manually delete it. Gonna try some of the things the last poster suggested and some other things I know to do. Just hoping additional info might help someone else.
Based only on the file name it looks like the common random file name associated with vundo, and with zero hits on the file name in google it is suspect.
Though I don’t see where you are getting any association with Win32.Monderb.gen from?
Or are you saying something else said it was Win32.Monderb.gen, if so, what?
This file should be able to be uploaded to virustotal as it shouldn’t exceed 10MB and the two applications do pick up a lot of vundo variants.
I would run the other two programs, before the HJT as a) they should clean-up to a degree if it is vundo and other possible malware b) it could bring your HJT log size down in size.
Mind you both of these are either generic or possible (heuristic) detections so may not hit the mark specifically as a distinct signature would. Though I don’t doubt that it is malware what is the issue.
thank you very much for your reply.
The infected .cab file has only 331 kB so I uploaded it to Virustotal (didn’t know about this service, thank you for advice) and here is the log.
I will be checking further with Superantispyware and shall post log file as well. By the way, I use Spybot Search&Destroy, isn’t it good enough?
Well that is pretty conclusive (although most of the detections are generic), before getting rid of this send a sample to avast.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic and the virustotal results page might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
You generally won’t get a reply unless they need more information.
Periodically scan the file you put in the chest user files section (from within the chest) to see when it is detected.
However, I don’t really doubt that it is malware as VT results also suggest.
You still don’t say if you have run both the programs I suggested (preferably from safe mode) nor have you posted a HJT log as also suggested. So my advice would be to follow the suggestions one at a time and post the report/log before doing the next one.
OK, the SAS log, other than cookies (which are a minor privacy issue rather than security), is good.
The MBAM is good.
The HJT log shows no active firewall, by active it means no outbound protection. The Vista firewall has the outbound protection disabled by default. It is rules based and you have to create the rules, which isn’t easy. Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
This is highly suspect (zero hits on a google search for the file name), Fix:
O23 - Service: EJUWTE - Unknown owner - C:\Users\Olufsen\AppData\Local\Temp\EJUWTE.exe (file missing)
Check to see if the file is indeed missing - Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.
If the file is there tell us, add it to the avast chest, user files section, see image 2.
You’re welcome, the file may have been dealt with earlier but the registry entry remains, fix in hijackthis (HJT), e.g. tick the box to the left of the entry in HJT and click the Fix Selected button at the bottom of the HJT window.
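The O23 check discussed in the posts above, as an added example that is not part of the original thread: a small Python triage of HijackThis service lines that flags unknown owners, binaries under a temp directory, and entries whose file is missing while the registry entry remains. The regular expression assumes the line shape of the entry quoted above; `triage_o23` is a hypothetical helper and the sample log lines other than the EJUWTE entry are constructed.

```python
import re

# Assumed shape of a HijackThis O23 (service) line, based on the entry quoted in the thread:
#   O23 - Service: <name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# Service binaries should not normally live under a temp directory.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample log; only the EJUWTE line comes from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: EJUWTE - Unknown owner - C:\Users\Olufsen\AppData\Local\Temp\EJUWTE.exe (file missing)
"""


def triage_o23(log_text):
    """Return (service name, path, reasons) for each O23 entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not a service entry
        reasons = []
        if m["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if TEMP_RE.search(m["path"]):
            reasons.append("runs from a temp directory")
        if m["missing"]:
            reasons.append("binary missing, registry entry remains")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage_o23(SAMPLE_LOG):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"  - {reason}")
```
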
Is this somehow related to the Trojan referenced above? If so, please help with the following…
I keep seeing a malformed “Windows Security Alert” pop-up that indicates the presence of a “Trojan-keylogger.Win32.fung.” It inquires whether I wish to “nable Protectio”. As indicated, the button text is truncated on either side. The dialog’s English text is poorly written. I strongly suspect this to be a virus or something of the sort masquerading as an alert.
I’ve run a scan on the entire system. It identified two questionable files. However, when I tried to delete them, the Avast system indicated that a system error had taken place. The two files in question seem to have altered themselves in a way that made them essentially untouchable/unreadable to the Avast 4.8 system.
I am highly inexperienced at dealing with such issues and much of what I’ve read on the forum is too technical to be clear to me… at present. Please advise what I should do, in a step-by-step process.
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
If avast does not detect it, you can try DrWeb CureIT! instead.
Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After disabling you can enable it again. To use System Restoration it’s necessary to disable avast! self-protection: avast! settings > Troubleshooting > Disable avast! self-defence module then start a System Restore.