How to Remove Monder Trojan Virus?

For the past two days I have been having a hard time with my computer because it got infected with a virus. Here is a screenshot of Kaspersky Anti-Virus detecting it.

[Screenshot: Kaspersky Anti-Virus detecting the Monder Trojan]

After spending a lot of time researching how to remove it, I finally found a solution, so I would like to share how to remove the Monder Trojan effectively and permanently.

Note: Read this guide from another computer, or print it out, because you should have no other programs open while you remove the Monder Trojan from your computer.

About Monder Trojan Virus

I got the Monder Trojan when I tried to install pirated software on my laptop. It is not easy to remove because it loads itself into winlogon.exe and explorer.exe, two essential processes that Windows needs to run. I tried deleting the files in Safe Mode, but Windows refused because the files were locked. The virus creates a lot of garbage DLL files in the C:\Windows\system32 folder. They are easy to spot because the names are unreadable and look like random typing, for example asdadauiobg.dll. If you manage to delete one, more are created in its place, so a special procedure is needed to remove these pests from your computer.

Initial ComboFix

First, download ComboFix [download link] [Alternative download link] and save it to your desktop. ComboFix tries to clean your system automatically and usually takes about 10 minutes.

After downloading ComboFix, go to Start->Run and type this in the box:

"%userprofile%\desktop\combofix.exe" /killall

then press Enter. ComboFix will now run. Here is what ComboFix does, so that you are not alarmed:

  1. It changes your time and date settings (it restores them later).
  2. It kills all other running processes.
  3. It runs a series of tests and permanently deletes the bad files it finds (trust the program here).
  4. It reboots your computer.
  5. It runs a secondary scan.
  6. It generates a log file listing what it found and what it deleted, more like a report.

Combofix and HijackThis

Now that you have ComboFix's log, download HijackThis [download link], run a scan and save its log. You should now have two logs: ComboFix's and HijackThis'.

!!!WARNING!!!

You can take these logs to forums that specialize in analyzing them; the helpers there really understand these logs. This is the safest option but not the quickest (very much recommended).

However, if you are adventurous like me, you can read the logs yourself and try to remove the Monder Trojan on your own. This is the riskier but faster option. From here on I describe what I did to remove it.

Disclaimer: Your file names will be different because the virus generates them randomly. Please do not blame me if this worsens your computer's condition; this is only for those willing to take the risk. If you can wait, seek help in the forums, where people have more experience than I do. If you continue past this line, you accept that I am not responsible for anything that happens to your computer.

Removing Monder Trojan manually

Continue reading if you want to take the risk. It's a bit technical, but I'll try to make it easy.

First, create a file named CFScript on your desktop (use Notepad) containing these three headings:

KILLALL::

File::

Registry::

Next, read the ComboFix log, which is saved in the root of C:\ (C:\ComboFix.txt).

Look for the section headed "Files Created from (date) to (date)" and check it for files with suspicious random names such as asd97agdasd.dll. Monder creates its files in the \system32\ folder, so make sure the suspicious DLLs are there. List every such file, with its full path, under File:: in your CFScript.

(example)

KILLALL::

File::
C:\windows\system32\suspicious.dll
C:\windows\system32\suspicious2.dll

Registry::

Next, find the section of the report headed "Reg Loading Points". These are the places in your Registry where the virus hooks itself in:

  • [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

You can tell it is the virus because the line after the [HKEY...] key is the file name and location of the virus file. Copy that part of the log under the Registry:: section of your CFScript.

(example)

KILLALL::

File::
C:\windows\system32\suspicious.dll
C:\windows\system32\suspicious2.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{blah blah blah}"= "C:\windows\system32\blahblah.dll"

After finding all the suspicious files and registry entries, run ComboFix again, but in a different way: drag the CFScript file and drop it onto ComboFix (both should be on your desktop).
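To take some of the tedium and guesswork out of reading the log, here is an added Python example (not from the original post, and not a ComboFix tool) that does the same triage as the steps above on a constructed sample log: it pulls every DLL created in system32 out of the "Files Created" section (minus names you recognise and allow-list), cross-references the "Reg Loading Points" section to find the ShellExecuteHooks and Run entries that load those DLLs, and writes out a CFScript with full paths. The sample log's layout is approximated from memory and the second ShellExecuteHooks GUID is made up. The Registry:: lines are written in .reg-style "name"=- (delete this value) form, which is how helper-written CFScripts were usually phrased, rather than copied verbatim from the log as the post does; treat that as an assumption to check against the ComboFix guide, and always review the generated script before dropping it onto ComboFix.

```python
import re

# Constructed sample of a ComboFix log. The layout is approximated from memory
# (section banners wrapped in parentheses, file lines that end in a full path,
# registry keys in brackets followed by "name"= "data" lines). It is NOT a real
# log, and the second ShellExecuteHooks GUID is made up for the example.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
(((((((((((((((((((((((((   Files Created from 2008-05-28 to 2008-06-28  )))))))))))))))))))))))))))))))
.
2008-06-27 10:11 . 2008-06-27 10:11   78,336   --a------   C:\WINDOWS\system32\asdadauiobg.dll
2008-06-27 10:11 . 2008-06-27 10:11   61,440   --a------   C:\WINDOWS\system32\qwpoeruty.dll
2008-06-25 12:00 . 2008-06-25 12:00   37,888   --a------   C:\WINDOWS\system32\wuapi.dll
2008-06-20 09:00 . 2008-06-20 09:00   <DIR>    d--------   C:\Program Files\Example App
.
((((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= "shell32.dll" [2008-04-14 8461312]
"{00000000-1111-2222-3333-444444444444}"= "C:\WINDOWS\system32\asdadauiobg.dll" [2008-06-27 78336]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"qwpoeruty"="rundll32.exe C:\WINDOWS\system32\qwpoeruty.dll,s" [2008-06-27 61440]
"""

BANNER_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
SYS32_DLL_RE = re.compile(r'([a-z]:\\[^\s"]*?\\system32\\[^\s\\"]+\.dll)', re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"([^"]*)"')
DLL_NAME_RE = re.compile(r'([^\\\s",]+\.dll)', re.I)

# shell32.dll is the only ShellExecuteHook a clean Windows XP install registers.
DEFAULT_HOOK_ALLOW = frozenset({"shell32.dll"})


def split_sections(log):
    """Group log lines under the banner heading that precedes them."""
    sections, current = {}, "preamble"
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def section_starting(sections, prefix):
    """Return the lines of the first section whose banner starts with prefix."""
    for name, lines in sections.items():
        if name.lower().startswith(prefix.lower()):
            return lines
    return []


def find_new_system32_dlls(log, allow=frozenset()):
    """Every DLL created in system32 during the window is a review candidate
    (Monder drops its random-named DLLs there); 'allow' removes the ones you
    recognise as legitimate. Returns full paths, in log order, without duplicates."""
    allowed = {a.lower() for a in allow}
    found = []
    for line in section_starting(split_sections(log), "Files Created"):
        for path in SYS32_DLL_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name not in allowed and path not in found:
                found.append(path)
    return found


def find_loading_points(log, suspect_paths, hook_allow=DEFAULT_HOOK_ALLOW):
    """Return (key, value_name) pairs whose data loads a suspect DLL, plus any
    ShellExecuteHooks value not on the allow list. Cross-referencing the file
    list against the loading points is what separates the hook from legitimate
    Run entries such as ctfmon.exe."""
    suspects = {p.rsplit("\\", 1)[-1].lower() for p in suspect_paths}
    allowed = {a.lower() for a in hook_allow}
    hits, key = [], None
    for line in section_starting(split_sections(log), "Reg Loading Points"):
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not (vm and key):
            continue
        name, data = vm.groups()
        dm = DLL_NAME_RE.search(data)
        dll = dm.group(1).lower() if dm else None
        is_hook = key.lower().endswith("shellexecutehooks")
        if dll in suspects or (is_hook and dll not in allowed):
            hits.append((key, name))
    return hits


def build_cfscript(files, reg_hits):
    """Emit the CFScript text: full paths under File::, and under Registry:: each
    key followed by "name"=- (.reg syntax for 'delete this value'). ASSUMPTION:
    ComboFix's Registry:: section follows .reg semantics; verify before use."""
    out = ["KILLALL::", "", "File::", *files, "", "Registry::"]
    by_key = {}
    for key, name in reg_hits:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    # wuapi.dll is passed as recognised (a Windows Update component) so only the
    # two random-named DLLs remain; review the output, then save it as CFScript.txt.
    suspects = find_new_system32_dlls(SAMPLE_LOG, allow={"wuapi.dll"})
    print(build_cfscript(suspects, find_loading_points(SAMPLE_LOG, suspects)))
```

Everything the script flags is a candidate, not a verdict: a legitimate update can also drop new DLLs into system32 during the window, which is why the allow list exists and why the generated file still has to be read before it is handed to ComboFix.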

After running combofix with cfscript

ComboFix will run again and you will have to wait again. Afterwards it shows its log once more, and you have to check it again. Are the suspicious files still there?

  • If yes, add them to a new CFScript and drop it onto ComboFix again.
  • If no, I suggest running ComboFix once more the normal way, "%userprofile%\desktop\combofix.exe" /killall from the Run box, just to be sure. This is optional.

When you no longer need to run a CFScript, it is time to clean up the changes ComboFix made (remember that it changed your time settings).

Post Combofix Clean-up

Go to Start->Run and enter combofix /u. This deletes all traces of ComboFix, resets your time and, hopefully, leaves your PC virus free.

This is what I did on my laptop and it got rid of the Monder Trojan. If you have questions or anything is unclear, leave a comment and I'll reply. Thanks for reading, and take care of your computers. :)

    Posted in How To on Jun 28th, 2008 by Allen Gurrea   

    13 Responses

    1. Anonymous
      June 29th, 2008 | 11:59 pm

      This worked great for me, only small traces of the virus were found on later inspection and I was then easily able to remove the remains. I have yet to find out if there are any repercussions for using ComboFix but hey, at least I’m rid of the virus now.

      Anyhow, thanks for writing a great tutorial.

      Now I’ll be off to change all my passwords…
      /Someone

    2. rodaflip (1 comments.)
      June 30th, 2008 | 3:46 am

I also have this trojan virus that controls the C drive. I tried to click on your ComboFix but it does not open. I don't know why.

    3. Allen (1021 comments.)
      June 30th, 2008 | 10:05 am

      @Anonymous – The only side effect that I found out is that it resets your time to military time. But it can be fixed easily in control panel. :)

    4. Allen (1021 comments.)
      June 30th, 2008 | 10:06 am

      @Rodaflip – You should execute combofix via run command at first.
Use this "%userprofile%\desktop\combofix.exe" /killall

    5. sarath
      July 4th, 2008 | 9:31 pm

I too got infected with this today. It took me half a day to remove it. I used Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php) to remove this Monder trojan. I think it is relatively easier and safer.

    6. Allen (1021 comments.)
      July 8th, 2008 | 9:13 am

      @Sarath – Hello Sarath, thanks for sharing your experience. I would still recommend that you do a scan of combofix just to be sure. :)

    7. January 16th, 2009 | 12:49 pm

      [...] trial crack so I don’t have to look for Kaspersky keys but I found failed. All I got was a monder trojan in exchange for searching. However, don’t give up because sooner or later, we could really [...]

    8. Bob
      January 25th, 2009 | 12:57 am

      One of my computers was infested with Monder. I have spent hours trying to remove it with various other ‘solutions’; none worked. Then I tried your method – it has worked and now I am virus & Trojan free. Thanks for publishing your solution.

    9. Pristine Angie (1 comments.)
      February 25th, 2009 | 6:09 pm

      This worked great. Thanks for sharing.

      By the way I tried going at it three times without any luck.

      When I used the following modifications below, it worked like a charm.

      1. Since Combofix scans again after the reboot, it will take just as much time as before the reboot. If it “appears” to be freezing, don’t touch anything. Put your ear up to your computer and look at the HD activity light blinking. It is still running. It is only done when you see the log file on your screen.

      2. The CFScript, because most of us create it on notepad, will have a .txt extension. That is fine.

3. I tried writing my CFScript to your instructions (i.e. KILLALL:, registry entries) and for me it didn't work. A little searching around the internet turned up these alternate rules:

      INCLUDE FULL PATH OF THE FILES TO KILL. Therefore, suspicious.dll would become
      ************
      File:
      c:\windows\system32\suspicious.dll
      c:\windows\system32\suspicious32.dll

      ************
      Omit KILLALL on the heading of the CFScript

And registry entries to be killed only need the portion within the square brackets listed. Unless there are multiple entries under a square-bracketed key, I found I didn't need the descriptive line. Cutting and pasting from the HijackThis log or ComboFix log is recommended.

Additional notes: Some sites recommend that you change the ComboFix.exe name to a numerical one (i.e. "123.exe") because some malware is smart enough to disable any program called combofix.exe. However, the ComboFix instructors seem vociferous about not changing the name.

      Cheers!

    10. Allen Gurrea (1021 comments.)
      March 2nd, 2009 | 11:09 am

      @Pristine Angie, hello Pristine Angie. Thanks for the modification. After I removed the monder trojan, I have yet to be infected again. I just reread my guide and yes, I agree with your modification. They can simply copy the text that they see in the log file and they would be fine. :)

    11. April 16th, 2009 | 9:36 am

[...] :: Never download anything that says it is a mafia war cheat, most likely, it is a virus or a trojan that will just infect your computer making you cry all day long ok? Protection is still the key [...]

    12. May 3rd, 2009 | 11:10 pm

[...] trojan is a program that claims to do something good for you but instead, it does something bad to your [...]

    13. January 4th, 2010 | 12:30 pm

      [...] I have experienced both of these programs and I really would suggest that you use MalwareBytes first before using ComboFix. MalwareBytes has an easy interface (click to scan, and click to fix) while Combofix requires some additional input via notepad (you have to create that file with the correct inputs) before it can help you. Basically, Malwarebytes is for the average user and Combofix is for the more advanced user. [Click here for a sample post that shows you how to use ComboFix] [...]
