Pmnlm.exe Trojan

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal > Misplaced HJT Logs

Pmnlm.exe Trojan

Options

mr-scarface View Member Profile	Jan 21 2008, 11:11 PM Post #1
New Member Group: Members Posts: 3 Joined: 21-January 08 Member No.: 185,121	I had a virus removed from my virus scanner (NOD32), the file was c:\windows\system32\pmnlm.exe NOD32 claimed that it cleaned this virus. I noticed something was wrong when a few programs were missing the .exe files - that is, when you click on the .exe, windows just browses for the file and doesn't find it. This pmnlm.exe file was set to run at startup, i checked in msconfig startup and disabled it to run at startup. Now after the virus cleansing by NOD32, the pmnlm.exe file is still there (although it's dll files aren't), and NOD32 doesn't detect it as a virus anymore. A person on this forum has had the same problem as me over here: http://www.bleepingcomputer.com/forums/topic125409.html I have the same symptoms as him, even the general slowdown of the computer - programs take longer to load etc. I ran vundofix and here is the log file from it: VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 12:37:21 AM 1/22/2008 Listing files found while scanning.... C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\pmnlm.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\jkkhgde.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\mlnmp.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\pmnlm.dll C:\WINDOWS\system32\pmnlm.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\jkkhgde.dll Could not be deleted. Performing Repairs to the registry. Done! VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 12:55:18 AM 1/22/2008 Listing files found while scanning.... VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 4:55:24 AM 1/22/2008 Listing files found while scanning.... Lastly, I checked msconfig again and now there is a file in c:\windows\system32\ssttr.exe which is set to run at system startup. In the msconfig window it's location is here: HKCU\SOFTWARE\Microsoft\WindowsNT\Currentversion\Windows:Load This looks suspicious and that pmnlm.exe file is still present. edit: I've just ran another scan from NOD32 and it says this: application Win32/Adware.Virtumonde.FP found in operating memory. System memory infection originated from file C:\WINDOWS\system32\ssttr.dll. C:\System Volume Information\_restore{0BD74437-0F09-4468-97A6-81924F51D7BA}\RP249\A0037744.dll - Win32/Adware.Virtumonde.FP application C:\VundoFix Backups\pmnlm.dll.bad - Win32/Adware.Virtumonde.FP application C:\WINDOWS\system32\ssttr.dll - Win32/Adware.Virtumonde.FP application NOD32 claims now it deleted all 3 of those. I've also just done a hijack this scan and here is the log: Logfile of HijackThis v1.99.1 Scan saved at 5:52:17 AM, on 1/22/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.65.0.25:3128 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {46B0B8CD-8E10-4E22-8098-7B2D5728B8BE} - C:\WINDOWS\system32\ssttr.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {82C75AF6-736F-4F76-A43D-2E3BDFCEFD3E} - C:\WINDOWS\SYSTEM32\PMNLM.DLL (file missing) O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\jkkhgde.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153448606640 O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe ________________________________________________________________________________ ______________________________________ And here is the startup list report: StartupList report, 1/22/2008, 5:55:25 AM StartupList version: 1.52.2 Started from : C:\Program Files\Hijackthis\HijackThis.EXE Detected: Windows XP SP2 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Hijackthis\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SoundMan = SOUNDMAN.EXE (Default) = NWEReboot = MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Steam = SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=INI section not found SCRNSAVE.EXE=INI section not found drivers=INI section not found Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=Registry value not found drivers=Registry value not found Policies Shell key: HKCU\..\Policies: Shell=Registry key not found HKLM\..\Policies: Shell=Registry value not found -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670} (no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\WINDOWS\system32\ssttr.dll - {46B0B8CD-8E10-4E22-8098-7B2D5728B8BE} (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F} (no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045} (no name) - C:\WINDOWS\SYSTEM32\PMNLM.DLL (file missing) - {82C75AF6-736F-4F76-A43D-2E3BDFCEFD3E} (no name) - C:\WINDOWS\system32\jkkhgde.dll - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} (no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910} (no name) - C:\PROGRA~1\FlashFXP\IEFlash.dll - {E5A1691B-D188-4419-AD02-90002030B8EE} -------------------------------------------------- Enumerating Task Scheduler jobs: defrag.job -------------------------------------------------- Enumerating Download Program Files: [SpinTop DRM Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\stg_drm.ocx CODEBASE = file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx [WUWebControl Class] InProcServer32 = C:\WINDOWS\system32\wuweb.dll CODEBASE = http://update.microsoft.com/windowsupdate/...b?1153448606640 [ArmHelper Control] InProcServer32 = ./Images/armhelper.ocx CODEBASE = file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\system32\webcheck.dll SysTray: C:\WINDOWS\system32\stobject.dll -------------------------------------------------- End of report, 5,295 bytes Report generated in 0.000 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only This post has been edited by mr-scarface: Jan 21 2008, 11:56 PM

tg1911 View Member Profile	Jan 22 2008, 12:17 AM Post #2
SPAM Magnet Group: Site Admin Posts: 14,438 Joined: 6-May 04 From: SW Louisiana Member No.: 363	I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not. Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system. Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. If you can't perform a step, then skip it and continue with the next. The last step will include downloading and using the most current version of HijackThis if the first line of your log does not appear as follows: Logfile of Trend Micro HijackThis v2.0.2 Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log. Please DO NOT post any more logs to this topic, or post a log again in the wrong forum. This Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for. When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done. Thanks for your cooperation and good luck. The BC Staff -------------------- I love being married. It's so great to find that one special person you want to annoy, for the rest of your life.

mr-scarface View Member Profile	Jan 22 2008, 12:44 AM Post #3
New Member Group: Members Posts: 3 Joined: 21-January 08 Member No.: 185,121	http://www.bleepingcomputer.com/forums/topic127041.html

rigel View Member Profile	Jan 22 2008, 10:15 AM Post #4
BC 1st Responder Group: Moderator Posts: 5,879 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean. Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?". To avoid confusion, I am closing this topic. -------------------- "In a world where you can be anything, be yourself." ~ unknown

« Next Oldest · Misplaced HJT Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th January 2009 - 04:25 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides