aplus

Gen-Mondike Trojan


I have gotten the Gen-Mondike trojan twice. (Perhaps it is not the correct name for the trojan.) It seems to cause pop-ups in IE even while using Firefox. I can find no information about it, even on Superantispyware's site. However, Superantispyware is the only anti-malware program that can detect it. It seems to remove it, but after removing it once, the problem came back, so I used Superantispyware to remove it again. Since then I have not seen any symptoms of it. I am very cautious when opening e-mail, as I don't open messages that have an attachment. Likewise, I do not download screensavers, games or other such programs. All antivirus programs on my computer are from download.cnet.com. It would seem as though the trojan was not removed the first time. Does anyone have additional information?


Can you post your SUPERAntiSpyware scan log here for review?


Here is the log from the scan showing the Mondlike trojan. (Sorry about the typo in the original post.) How hard is it to remove this virus? Do I need to delete it from the registry?

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/23/2009 at 10:52 AM

Application Version : 4.29.1004

Core Rules Database Version : 4183

Trace Rules Database Version: 2099

Scan type : Complete Scan

Total Scan Time : 00:54:53

Memory items scanned : 510

Memory threats detected : 2

Registry items scanned : 5234

Registry threats detected : 49

File items scanned : 28397

File threats detected : 7

Trojan.Agent/Gen-Mondlike-STS

C:\WINDOWS\SYSTEM32\APNULLIF.DLL

C:\WINDOWS\SYSTEM32\APNULLIF.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{936AD335-D19F-4B9E-8CF6-196DA612B16A}

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\Implemented Categories

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\InprocServer32

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\InprocServer32#ThreadingModel

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\ProgID

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\Programmable

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\TypeLib

HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\VERSION

HKCR\ApnullifMms.Apnullif

HKCR\ApnullifMms.Apnullif\Clsid

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\0

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\0\win32

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\FLAGS

HKCR\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\HELPDIR

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7AFE5F9-E2E5-4DA4-AE29-6EF39B5DF5B6}\RP270\A0034162.DLL

HKCR\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}

HKCR\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}\ProxyStubClsid

HKCR\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}\ProxyStubClsid32

HKCR\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}\TypeLib

HKCR\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}\TypeLib#Version

HKCR\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}

HKCR\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}\ProxyStubClsid

HKCR\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}\ProxyStubClsid32

HKCR\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}\TypeLib

HKCR\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}\TypeLib#Version

HKCR\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}

HKCR\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}\ProxyStubClsid

HKCR\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}\ProxyStubClsid32

HKCR\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}\TypeLib

HKCR\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}\TypeLib#Version

HKCR\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}

HKCR\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}\ProxyStubClsid

HKCR\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}\ProxyStubClsid32

HKCR\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}\TypeLib

HKCR\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}\TypeLib#Version

HKCR\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}

HKCR\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}\ProxyStubClsid

HKCR\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}\ProxyStubClsid32

HKCR\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}\TypeLib

HKCR\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}\TypeLib#Version

HKCR\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}

HKCR\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}\ProxyStubClsid

HKCR\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}\ProxyStubClsid32

HKCR\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}\TypeLib

HKCR\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}\TypeLib#Version

Trojan.Agent/Gen-ModuleR[N]

C:\WINDOWS\SYSTEM32\HAYESETMD.DLL

C:\WINDOWS\SYSTEM32\HAYESETMD.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7AFE5F9-E2E5-4DA4-AE29-6EF39B5DF5B6}\RP270\A0034163.DLL

Adware.Tracking Cookie


Do you have any more information or experience with Gen-Mondlike? I am having the same problem with it re-appearing every few weeks. My log file is exactly like yours except the file name is IUZASMID.DLL. The size and Registry keys are the same.

I run Vipre Anti-Virus and they claim this is a false positive, but the symptoms of this infection are very real and SUPERAntiSpyware does remove it for weeks at a time.


Hi Aplus.

You're using an outdated version of SAS.

Right click on the SAS icon to the left of the time and choose "Check For Updates".

Following that, disable System Restore, restart the computer, then enable System Restore.

Run a complete scan with SAS and post the results.


It would seem that you have a variant of the virus that was on my computer. The file you named is not the same as the ones that I had. The names of the files I found were APNULLIF, HAYESETMD, and MSCATDPM. (It would seem as if the three files I found were related to the same virus.) Viruses can mutate just as they do in people, so perhaps it is the same virus that is on your computer, but it just mutated. After struggling with the infection for a while on my system, I did an extensive search to find out what I could about the virus. I used the names of the files and other clues to see if any other antivirus programs had detected it also. The only other program I found that acknowledged the virus was Prevx. Their website had some information about it. Prevx says that MSCATDPM is an alias of INTERPLE.EXE. Prevx calls INTEROLE.EXE cloaked malware.

I then downloaded Prevx from the DOWNLOAD.CNET.COM website and ran a scan. The free version only allows detection; it won't remove anything. Prevx found one of the files I named that Superantispyware did not find. If I remember correctly, it was the MSCATDPM file. (Again, maybe there was more than one virus, but it seems as if these files were part of the same one.) Prevx also found a few things in the registry that Superantispyware did not find. As I said, the free version of Prevx does not remove anything, it only detects.

I then did a manual search for the files just as you would for any file. Only the three files detected were found. There were no other instances of them. I then renamed them by changing the extension on the file. Programs are associated to files by their extension, and changing the extension should make them not function, or at least that is my understanding of how it works. I ran another scan to see what would happen. They could not be detected after changing the extension. Actually, these files are still on my computer tucked away in a folder I reserved for them.

After checking to see if all was working fine after making those changes, I did a search throughout the Registry for any place where these files were referenced. There were numerous instances throughout the Registry that neither Superantispyware nor Prevx detected. I carefully deleted them, and I have had no problems since then. By the way, editing the Registry can be a dangerous thing to do, as it can make your computer stop working if you are not careful. Listed below by file name are the Registry keys that I found and deleted, containing the references to the virus. Understand that some of the keys in the listings were from performing searches to find the virus, both on the internet and on the computer itself. However, most of them are related to the virus spreading itself on the computer. Note that I did not find Registry keys for the MSCATDPM file.

If you do not know, a computer virus can hide itself from detection by changing its characteristics. Not only that, if scanned by an antivirus program, some viruses can re-infect a system because they can tell they have been scanned and take action to ensure they cannot be removed. It seems that this virus has both of these characteristics.

I hope this is of some help to you. If you're certain that the files found are from the virus, I would delete them. I only renamed them to see what the effects would be. They serve no useful purpose.

HAYESETMD REGISTRY LISTING:

HKEY_CLASSES_ROOT\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}

HKEY_CLASSES_ROOT\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\ProgID

HKEY_CLASSES_ROOT\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\VersionIndependentProgID

HKEY_CLASSES_ROOT\HayesetMd.HayesetMd

HKEY_CLASSES_ROOT\HayesetMd.HayesetMd\CurVer

HKEY_CLASSES_ROOT\HayesetMd.HayesetMd.1

HKEY_CLASSES_ROOT\Interface\{26A8E34B-63AB-49BF-BED9-500F70EA6273}

HKEY_CLASSES_ROOT\TypeLib\{92A5C8F8-88DA-4B90-9EF8-A36A7DD13013}\1.0

HKEY_CLASSES_ROOT\TypeLib\{92A5C8F8-88DA-4B90-9EF8-A36A7DD13013}\1.0\0\win32

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HayesetMd.HayesetMd

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HayesetMd.HayesetMd\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HayesetMd.HayesetMd.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26A8E34B-63AB-49BF-BED9-500F70EA6273}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{92A5C8F8-88DA-4B90-9EF8-A36A7DD13013}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{92A5C8F8-88DA-4B90-9EF8-A36A7DD13013}\1.0\0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_USERS\S-1-5-21-220523388-839522115-2065394627-1003\Software\Microsoft\Search Assistant\ACMru\5603

APNULLIF REGISTRY LISTING:

HKEY_CLASSES_ROOT\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0

HKEY_CLASSES_ROOT\ApnullifMms.Apnullif

HKEY_CLASSES_ROOT\ApnullifMms.cApnullif

HKEY_CLASSES_ROOT\ApnullifMms.cApnullifEvents

HKEY_CLASSES_ROOT\ApnullifMms.cApnullifs

HKEY_CLASSES_ROOT\ApnullifMms.IApnullif

HKEY_CLASSES_ROOT\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}

HKEY_CLASSES_ROOT\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}\ProgID

HKEY_CLASSES_ROOT\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}

HKEY_CLASSES_ROOT\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\ProgID

HKEY_CLASSES_ROOT\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}

HKEY_CLASSES_ROOT\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}\ProgID

HKEY_CLASSES_ROOT\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}

HKEY_CLASSES_ROOT\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}\ProgID

HKEY_CLASSES_ROOT\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}

HKEY_CLASSES_ROOT\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}\ProgID

HKEY_CLASSES_ROOT\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}

HKEY_CLASSES_ROOT\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}

HKEY_CLASSES_ROOT\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}

HKEY_CLASSES_ROOT\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}

HKEY_CLASSES_ROOT\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}

HKEY_CLASSES_ROOT\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}

HKEY_CLASSES_ROOT\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\0\win32

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ApnullifMms.Apnullif

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ApnullifMms.cApnullif

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ApnullifMms.cApnullifEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ApnullifMms.cApnullifs

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ApnullifMms.IApnullif

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13175A7E-20DE-421D-9092-7BA47EE2F5A8}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4CA8F0B-1154-48FA-95B0-52034B5C4454}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD252E47-534B-45A0-8C07-BD2A8022148C}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F92835BA-8ADB-408A-9954-8FB8F6B19E69}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A852BEA-6EA1-4AE3-B4DE-89197B740C73}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5792FB9D-1540-40F0-B14D-EE3DE3F5652D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6CA53518-E28D-4127-9266-4C03C6F796B4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF8D1C93-D680-4D28-A6D1-3B7E9739F832}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EF61486C-B69C-419F-8660-C11938CD2230}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA95A069-5F13-40F0-92EF-165FFFA4C1B2}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1A0CF9E-D6A7-48B3-A235-DC972139B992}\1.0\0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_USERS\S-1-5-21-220523388-839522115-2065394627-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing

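A small triage script, added here as an example (it is not part of this thread, not SUPERAntiSpyware's code and not the posters' method): it parses the scan log format posted earlier and the plain registry listings in the post above, folds registry hive aliases so that one key seen through HKEY_CLASSES_ROOT and through HKEY_LOCAL_MACHINE\SOFTWARE\Classes (or through HKEY_CURRENT_USER and HKEY_USERS\<SID>) is counted once, and sorts each entry into what it tells a responder: a load point Explorer reads at start-up (SharedTaskScheduler, Shell Extensions\Approved), plain COM class registration, a restore-point copy under System Volume Information, or a user-activity artifact such as the Search Assistant MRU and TabbedBrowsing keys. It then links the GUID named in the SharedTaskScheduler value to the detected CLSID, which is the chain that makes the DLL run. The reading of `KEY#NAME` in the log as "value NAME under KEY" and the category labels are my assumptions; the sample inputs are trimmed excerpts of the log and listing posted in this thread.

```python
r"""Triage a SUPERAntiSpyware-style scan log and a plain registry-key listing.
Added example for this thread, not SUPERAntiSpyware's or the posters' code.
My assumptions: a log line KEY#NAME names the value NAME under KEY, and the
category labels are mine.  Hive folding is documented Windows behaviour: HKCR
merges HKLM\SOFTWARE\Classes and HKCU\Software\Classes; HKCU is HKEY_USERS\<SID>."""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
ENTRY_RE = re.compile(r"^(?:[A-Z]:\\|HK(?:LM|CR|CU|U)\\|HKEY_)", re.I)
THREAT_RE = re.compile(r"^[A-Z][A-Za-z]+\.[A-Z][^:]*$")  # e.g. Trojan.Agent/Gen-...

HIVE_ALIASES = [  # more specific prefixes first; the first match wins
    (re.compile(r"^HKEY_CLASSES_ROOT\\", re.I), "HKCR\\"),
    (re.compile(r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Classes\\", re.I), "HKCR\\"),
    (re.compile(r"^(?:HKEY_CURRENT_USER|HKCU)\\Software\\Classes\\", re.I), "HKCR\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), "HKLM\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), "HKCU\\"),
    (re.compile(r"^(?:HKEY_USERS|HKU)\\S-1-5-21-[\d-]+\\", re.I), "HKCU\\"),
]

def canonical(key):
    """Fold hive aliases so one key seen through two views compares equal."""
    for pat, repl in HIVE_ALIASES:
        if (m := pat.match(key)):
            return repl + key[m.end():]
    return key

def classify(entry):
    """What a detected file or registry key tells the responder."""
    e = canonical(entry).upper()
    if not e.startswith("HK"):  # restore-point copies explain a return after System Restore
        return "restore-copy" if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in e else "file"
    if "\\EXPLORER\\SHAREDTASKSCHEDULER" in e or "\\SHELL EXTENSIONS\\APPROVED" in e:
        return "load-point"     # read by Explorer at start-up: this is the persistence
    if "\\SEARCH ASSISTANT\\ACMRU" in e or "\\INTERNET EXPLORER\\TABBEDBROWSING" in e:
        return "user-artifact"  # MRU / tab history left by the user's own searching
    if e.startswith("HKCR\\"):
        return "com-class"      # CLSID / ProgID / Interface / TypeLib registration
    return "other"

def parse_sas_log(text):
    """{threat name: [raw detection lines]} in log order; header lines are skipped."""
    groups, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY_RE.match(line) and current is not None:
            groups[current].append(line)
        elif THREAT_RE.match(line):
            current = line
            groups.setdefault(current, [])
    return groups

def triage(log_text):
    """Per threat: entries by class, and which detected CLSIDs a load point references."""
    out = {}
    for threat, entries in parse_sas_log(log_text).items():
        buckets = defaultdict(set)
        for raw in entries:
            key, _, value = raw.partition("#")  # KEY#NAME = value NAME under KEY (assumed)
            buckets[classify(key)].add(canonical(key) + ("#" + value if value else ""))
        clsids = {g.upper() for k in buckets.get("com-class", ())
                  for g in GUID_RE.findall(k) if "\\CLSID\\" + g.upper() in k.upper()}
        referenced = {g.upper() for k in buckets.get("load-point", ()) for g in GUID_RE.findall(k)}
        out[threat] = {"buckets": {c: sorted(v) for c, v in buckets.items()},
                       "persistence": sorted(clsids & referenced)}
    return out

def classify_listing(text):
    """Bucket a one-key-per-line registry listing, collapsing hive aliases."""
    buckets = defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY_RE.match(line):
            buckets[classify(line)].add(canonical(line))
    return {c: sorted(v) for c, v in buckets.items()}

# Excerpt of the scan log posted in this thread (trimmed, not invented).
SAS_LOG_EXCERPT = r"""
Trojan.Agent/Gen-Mondlike-STS
C:\WINDOWS\SYSTEM32\APNULLIF.DLL
C:\WINDOWS\SYSTEM32\APNULLIF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{936AD335-D19F-4B9E-8CF6-196DA612B16A}
HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}
HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{936AD335-D19F-4B9E-8CF6-196DA612B16A}\InprocServer32#ThreadingModel
HKCR\ApnullifMms.Apnullif
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7AFE5F9-E2E5-4DA4-AE29-6EF39B5DF5B6}\RP270\A0034162.DLL
Trojan.Agent/Gen-ModuleR[N]
C:\WINDOWS\SYSTEM32\HAYESETMD.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7AFE5F9-E2E5-4DA4-AE29-6EF39B5DF5B6}\RP270\A0034163.DLL
"""

# Excerpt of the HAYESETMD registry listing from the last post (same keys via two hive views).
REGISTRY_LISTING_EXCERPT = r"""
HKEY_CLASSES_ROOT\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F22652F-9F21-45C8-B9CF-3CB676C4092D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_USERS\S-1-5-21-220523388-839522115-2065394627-1003\Software\Microsoft\Search Assistant\ACMru\5603
"""
```

Run `triage(SAS_LOG_EXCERPT)` and the Gen-Mondlike group reports one persistence CLSID, {936AD335-D19F-4B9E-8CF6-196DA612B16A}, because the SharedTaskScheduler value names the same GUID as the detected CLSID key; the Gen-ModuleR group has no load point in the log at all, only the DLL and its restore-point copy. `classify_listing(REGISTRY_LISTING_EXCERPT)` collapses the five lines to three distinct keys, which is why a manual registry search turns up each COM key twice (HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\SOFTWARE\Classes are the same data), and it files the ACMru key as a user artifact, matching the poster's remark that some listed keys came from their own searching rather than from the malware.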
