
Virtumonde - Help


  • This topic is locked
2 replies to this topic

#1 na999

  • Members
  • 7 posts
  • Gender:Male
  • Location:Canada

Posted 24 November 2007 - 09:36 PM

My Kerio firewall keeps trapping an outgoing alert - Windows Explorer from your computer wants to connect to 65.243.103.91, Port 80. I ran a Whois to find out that it is a Belgian end point on the Ripe Server system. I ran VundoFix which found one Virtumonde file then said it was cleared but the alert kept coming back. I ran VundoFix a few more times but it kept coming up clean. I ran VirtumundoBeGone a few times but it kept coming up as clean. I ran Adaware which did not see an infection. I ran Norton, Spy Hunter and Search & destroy and none of them saw an infection. What is happening is that a file called pmkkj.dll is called up in the Windows 2000 start up sequence. This file, as well as looking like the call out file, creates two files called jkkmp.ini and jkkmp.ini2. It recreates these two files about every 3 to 5 seconds. The .ini files in turn recreate a registry entry at HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects every time it is erased or changed. It also creates a registry entry at HKLM\SYSTEM\CurrentControlSet\Lsa\Authentication Packages every time it is deleted as well. I am not able to get at the latter through the registry but can delete it using Autoruns software. The Browser Helper Registry entry defines the serial number as pmkkj.dll and the Authentication Packages entry shows up as C:\WINNT\system32\pmkkj.dll. This is also the only place that pmkkj.dll occurs. Since pmkkj.dll is called up at start up, it can not be erased or altered since it is in use. If I erase the ini and ini2 files they are recreated in less than 5 seconds and if I erase the BHO Registry entry it is recreated immediately so there is virtually no way to get rid of these files. When I run Hijack this, there is nothing running (no BHO, or other related files). I run Hijack this regularly and know every file that is running there. Nothing looks bad.
My computer is very clean and basic so there are not more than twenty entries in Hijack this after all. I also tried deleting these files using DOS but, of course, Windows is running when I call up the DOS prompt so then is pmkkj.dll etc., etc., etc. I will try to find a stand alone DOS that I can install in a new partition on the hard drive to sneak into the windows partition and erase the pmkkj files and hopefully that will stop the endless protection circle it seems to have. That is of course unless there is another hidden file that recreates the pmkkj.dll file as I will not be able to edit the registry file until I start up windows. I have tried doing all this in safe mode as well as regular mode but the pmkkj.dll file loads in safe mode as well so can not be touched. I have been here once before with a problem that I did not think was solvable but you guys came through. So, of course, at my wit's end and after having tried just about everything else, here I am again. Hope someone out there can help me...
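The persistence the poster describes relies on two autostart locations: a Browser Helper Object registration and an entry in the LSA Authentication Packages list, both pointing at the same DLL. Those two locations can be audited read-only. The PowerShell below is an added example, not code from this thread or from any of the tools named in it; it assumes a current Windows host with PowerShell run from an elevated prompt, and it uses the documented key HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the post's path omits the Control component). It reports and flags entries; it does not delete anything.

```powershell
# Added example (not from the thread or any tool it names): read-only audit of the
# two autostart locations the poster describes. It reports; it deletes nothing.
# Assumes a current Windows host with PowerShell, run from an elevated prompt.

$BhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # the post's path omits 'Control'

function Get-BhoEntries {
    # Each subkey is a CLSID; the DLL it loads is the default value of that CLSID's InprocServer32 key.
    if (-not (Test-Path -Path $BhoRoot)) { return }
    foreach ($sub in Get-ChildItem -Path $BhoRoot) {
        $clsid  = $sub.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        [pscustomobject]@{ Source = 'BHO'; Id = $clsid; Path = $dll }
    }
}

function Get-LsaPackages {
    # REG_MULTI_SZ of module names; on a stock client system this is just 'msv1_0', loaded from System32.
    $pkgs = (Get-ItemProperty -Path $LsaKey -Name 'Authentication Packages').'Authentication Packages'
    foreach ($p in $pkgs) {
        # A full path here (as in the post: C:\WINNT\system32\pmkkj.dll) is itself unusual.
        $path = if ($p -match '[\\/]') { $p } else { Join-Path -Path $env:SystemRoot -ChildPath "System32\$p.dll" }
        [pscustomobject]@{ Source = 'LSA'; Id = $p; Path = $path }
    }
}

function Test-AutostartEntry {
    param([Parameter(Mandatory)][pscustomobject]$Entry)
    $flags = @()
    if (-not $Entry.Path) {
        $flags += 'no module path registered'
    } elseif (-not (Test-Path -LiteralPath $Entry.Path)) {
        $flags += 'module file missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Entry.Path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        # Heuristic only: the post's pmkkj.dll / jkkmp.ini are short random-looking names.
        if ((Split-Path -Path $Entry.Path -Leaf) -match '^[a-z]{5}\.dll$') { $flags += 'random-looking name' }
        if ($Entry.Source -eq 'LSA' -and $Entry.Id -ne 'msv1_0') { $flags += 'non-default LSA package' }
    }
    $Entry | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
}

# Run the audit; any row with a non-empty Flags column deserves a closer look.
$results = @(Get-BhoEntries) + @(Get-LsaPackages) | ForEach-Object { Test-AutostartEntry -Entry $_ }
$results | Format-Table -Property Source, Id, Path, Flags -AutoSize
```

A flag means "review", not "malware": legitimate third-party security products do register their own authentication packages and BHOs, and an unsigned module is only suspicious in combination with the other indicators the post lists (a short random name, the same DLL in both locations, and entries that reappear seconds after deletion). Because the registered DLL is loaded by Explorer and by the LSA process at boot, the audit identifies the module but does not attempt to remove it while it is in use, which is the limitation the poster ran into.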


#2 buddy215

  • Moderator
  • 13,261 posts
  • Gender:Male
  • Location:West Tennessee

Posted 25 November 2007 - 08:18 AM

SAS has had success removing the Vundo/Virtumonde malware.
Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Post back with results and further instructions.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 na999
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Canada

Posted 25 November 2007 - 07:29 PM

I was finally able to isolate and quarantine the pmkkj.dll file so that it could not replace the ini files and I was able to delete the files and the registry entries. I was then able to replace the dll file with a harmless file renamed to the pmkkj.dll which was called up as an autostart file then I could kill the actual file because it was quarantined and not called up. This was a very difficult spyware to remove. I tried many different spyware traps and removers as well as virus softwares to no avail. The Virtumonde removers did not work at all and I ended up doing it myself. It took me three days of noodling around to get rid of this. That was scary. I got it from trying out a FREE trial software download. Guess there is no such thing as FREE is there??? Thanks for the help and suggestion...
