Sign in to follow this  
Followers 0

Help needed to remove Trojan.Agent/Backdoor.Bot/Trojan.Zlob/Worm.AutoRun/Rogue.Trace/Trojan.Xanib

6 posts in this topic


I had Norton's installed but due to crashing all the time I removed it and installed Zone Alarm, after completing a full system scan with Zone Alarm it found the following: TROJAN WIN32.Monder,cqbi Zone Alarm did not know what to do with the Trojan it did nothing with it. I searched Zone Alarm website but still no help.

I searched the net and found out that Kaspersky could also find the Trojan and maybe remove it I installed Kaspersky and had the same result found the Trojan but did nothing with it. Then Kaspersky would not start or would freeze when scanning. I contacted Kaspersky and they informed me to download and install your program Malwarebytes after a scan it did not find the Trojan Win32.Monder.cqbi but did find the following infections:







I have followed all the instruction asked of me by the people at Kaspersky but Malwarebytes still finds the infections, looks like a have the same problem as the person in the following post:

Same infection as stualoo

I was hoping that you guys might be able to help me remove the infection from my computer. If indeed that is what they are. I am using windows vista service pack 2.

Here is a copy of the Malwarebytes scan.

Malwarebytes' Anti-Malware 1.39

Database version: 2543

Windows 6.0.6002 Service Pack 2

2/08/2009 11:27:05 AM

mbam-log-2009-08-02 (11-26-56).txt

Scan type: Quick Scan

Objects scanned: 84749

Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Public\Documents\My Music\foronandand.exe (Trojan.Agent) -> No action taken.

C:\Users\Public\Documents\My Music\New Song.lagu (Backdoor.Bot) -> No action taken.

C:\Users\Public\Documents\My Music\Video.vidz (Backdoor.Bot) -> No action taken.

C:\Users\Public\Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> No action taken.

C:\Users\Public\Documents\My Pictures\seram.pikz (Backdoor.Bot) -> No action taken.

C:\Users\Public\Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.

C:\Users\Public\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.

C:\Users\Public\Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

C:\Users\Public\Documents\My Music\My Music.exe (Worm.AutoRun) -> No action taken.

C:\Users\Public\Documents\My Pictures\My Pictures.exe (Worm.AutoRun) -> No action taken.

C:\Users\Public\Documents\My Music\inout.exe (Trojan.Agent) -> No action taken.

C:\Users\All Users\Documents\qyrupelin.sys (Rogue.Trace) -> No action taken.

C:\Users\All Users\Documents\gosub._sy (Rogue.Trace) -> No action taken.

C:\Users\Public\Documents\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> No action taken.

C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> No action taken.

C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> No action taken.

C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> No action taken.

Here is the HiJack Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:49:06 AM, on 2/08/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:




C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TRCMan\TRCMan.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\TrueSuite Access Manager\FpNotifier.exe

C:\Program Files\TrueSuite Access Manager\usbnotify.exe

C:\Program Files\TrueSuite Access Manager\PwdBank.exe

C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe

C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

D:\Program Files\iTunes\iTunesHelper.exe


C:\Program Files\Steam\steam.exe

C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe


C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe

C:\Program Files\TOSHIBA\HDMICtrlMan\HCMSoundChanger.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe


C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\CheckPoint\ZAForceField\forcefield.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe

C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe

C:\Program Files\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)

O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TRCMan] C:\Program Files\TOSHIBA\TRCMan\TRCMan.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

O4 - HKLM\..\Run: [FingerPrintNotifer] "C:\Program Files\TrueSuite Access Manager\FpNotifier.exe"

O4 - HKLM\..\Run: [usbMonitor] "C:\Program Files\TrueSuite Access Manager\usbnotify.exe"

O4 - HKLM\..\Run: [PwdBank] "C:\Program Files\TrueSuite Access Manager\PwdBank.exe"

O4 - HKLM\..\Run: [HDMICtrlMan] C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe

O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [autodetect] C:\Windows\system32\SupportAppXL\AutoDect.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: PrintKey-Pro.lnk = ?

O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Ultra\teleport.htm

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100

O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O13 - Gopher Prefix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3D1EA2-E528-4834-8961-17479B8F820F}: NameServer =

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Authentec memory manager service (Authentec memory manager) - AuthenTec Inc. - C:\Windows\system32\TAMSvr.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

Any Help Would be good.

Share this post

Link to post
Share on other sites

Well it has been 3 days now I was hoping anyone from Malwarebytes could help me out with this issue ?

Share this post

Link to post
Share on other sites

Hi purpletick

The administrators are looking into this.

In the meantime dont worry about those paticular items please.

Share this post

Link to post
Share on other sites

Try this purpletick

Close mbam if open

Open the windows control panel find and open Indexing options >click advanced then use the rebuild button.

Leave that window open until it says complete, takes quite awhile, when it's complete close it and run

mbam quick scan (Malwarebytes' Anti-Malware) save and post it's log again please.

Share this post

Link to post
Share on other sites

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.