 Virtumonde, Trojan, Plmmn.exe |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Forum Guidelines
Read this topic before posting a log. DO NOT post a ComboFix log unless requested to. Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  |
 Jan 22 2008, 12:43 AM
Post
#1
|
|
|
New Member  Group: Members Posts: 3 Joined: 21-January 08 Member No.: 185,121  |
NOD32 claimed that it cleaned this virus. I noticed something was wrong when a few programs were missing the .exe files - that is, when you click on the .exe, windows just browses for the file and doesn't find it. This pmnlm.exe file was set to run at startup, i checked in msconfig startup and disabled it to run at startup. Now after the virus cleansing by NOD32, the pmnlm.exe file is still there (although it's dll files aren't), and NOD32 doesn't detect it as a virus anymore. A person on this forum has had the same problem as me over here: http://www.bleepingcomputer.com/forums/topic125409.html I have the same symptoms as him, even the general slowdown of the computer - programs take longer to load etc. I ran vundofix and here is the log file from it: VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 12:37:21 AM 1/22/2008 Listing files found while scanning.... C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\pmnlm.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\jkkhgde.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\mlnmp.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\pmnlm.dll C:\WINDOWS\system32\pmnlm.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\jkkhgde.dll C:\WINDOWS\system32\jkkhgde.dll Could not be deleted. Performing Repairs to the registry. Done! VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 12:55:18 AM 1/22/2008 Listing files found while scanning.... VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Scan started at 4:55:24 AM 1/22/2008 Listing files found while scanning.... Next, I checked msconfig again and now there is a file in c:\windows\system32\ssttr.exe which is set to run at system startup. In the msconfig window it's location is here: HKCU\SOFTWARE\Microsoft\WindowsNT\Currentversion\Windows:Load This looks suspicious and that pmnlm.exe file is still present. edit: I've just ran another scan from NOD32 and it says this: application Win32/Adware.Virtumonde.FP found in operating memory. System memory infection originated from file C:\WINDOWS\system32\ssttr.dll. C:\System Volume Information\_restore{0BD74437-0F09-4468-97A6-81924F51D7BA}\RP249\A0037744.dll - Win32/Adware.Virtumonde.FP application C:\VundoFix Backups\pmnlm.dll.bad - Win32/Adware.Virtumonde.FP application C:\WINDOWS\system32\ssttr.dll - Win32/Adware.Virtumonde.FP application NOD32 claims now it deleted all 3 of those. Here is the hijack this logfile: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:38:03 AM, on 1/22/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\alg.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.65.0.25:3128 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {82C75AF6-736F-4F76-A43D-2E3BDFCEFD3E} - C:\WINDOWS\SYSTEM32\PMNLM.DLL (file missing) O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\jkkhgde.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O2 - BHO: (no name) - {F00882F5-E0ED-42A1-9BD3-98BDE1660683} - C:\WINDOWS\system32\ssttr.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153448606640 O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 6056 bytes |
 |
 
|
|
Jan 26 2008, 06:49 AM
Post
#2
|
|
 Malware Assassin Group: HJT Team Posts: 13,610 Joined: 13-July 06 Member No.: 75,975 |
Welcome to the BleepingComputer HijackThis Logs and Analysis forum mr-scarface
My name is Richie and i'll be helping you to fix your problems. You’re running msconfig in Auto mode which means that you may have selectively unchecked some items in the past from starting up with Windows. This can be bad if they’re malware, so please re-enable those startup entries by doing the following: Click on Start>Run,type msconfig and then press Enter. When the ‘System Configuration Utility’ opens click on the ‘Startup’ tab,make sure all the boxes are checkmarked. Then press Apply/Ok to exit the utility. If it asks you to restart your pc,please don’t,it‘s not necessary at this point. Please visit this webpage for instructions for downloading and running ComboFix. This includes installing the Windows XP Recovery Console in case you have not installed it yet. http://www.bleepingcomputer.com/combofix/how-to-use-combofix Post the entire contents of C:\ComboFix.txt into your next reply. Also post a new Hijackthis log. -------------------- If I have helped you in any way, please consider a donation:
 Proud Member of ASAP (Alliance of Security Analysis Professionals). Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators). |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 9th January 2009 - 04:12 AM |
© 2003-2008 All Rights Reserved Bleeping Computer LLC.