
Infected With W32.trats!inf, Virtumonde, And Others?


This topic is locked
7 replies to this topic

#1 gworthey

Posted 10 February 2008 - 06:13 AM

Hello. I'm infected! My computer has become increasingly slower over the last few days and I have been unable to make much progress trying to clean it up. I am running Windows XP-SP2 with Norton AV (with current updates).

After starting Windows, I started getting error messages (GEBCC.DLL not found, PMNNM.EXE not found, etc.) and erroneous Windows Installer requests (see step 14 below). I have run Norton scans and attempted cleanup as detailed below in preparation for running HijackThis. (Unless you can fix me first!)

I'm getting soooooo frustrated. Can you please help?

Norton has identified and attempted to clean up the following:

Trojan.Desktophijack
Trojan.Adclicker
Trojan.Horse
Adware.ISMonitor
W32.Trats!inf
Backdoor.Trojan
Downloader
Adware.Purityscan


1. Ran cleanmgr to clean up Temp files

2. Downloaded and updated Ad-Aware. Ran Full System Scan and cleanup

20080207 10-24-44 : Full scan started.
20080207 11-10-55 : Full scan ended.
20080207 12-42-59 : Tried to Quarantine an infection.
20080207 12-43-04 : Successfully Quarantined Root: HKCR Path: clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKLM Path: software\microsoft\windows\currentversion\explorer\shellexecutehooks Value: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKCR Path: clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKLM Path: software\microsoft\windows\currentversion\explorer\shellexecutehooks Value: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKLM Path: software\microsoft\windows\currentversion\explorer\browser helper objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKCR Path: wr Value: cmd belonging to Virtumonde

20080207 12-43-06 : Successfully Quarantined Root: HKCR Path: wr belonging to Virtumonde

20080207 12-43-07 : Successfully Quarantined Root: HKU Path: S-1-5-21-583907252-1580436667-1417001333-1003\software\microsoft\ms juan belonging to Virtumonde

20080207 12-43-07 : Successfully Quarantined Root: HKLM Path: software\microsoft\jkwslist belonging to Virtumonde

20080207 12-43-08 : Successfully Quarantined Root: HKU Path: S-1-5-21-583907252-1580436667-1417001333-1003\software\microsoft\aldd belonging to Virtumonde

20080207 12-43-08 : Successfully Quarantined Root: HKLM Path: software\microsoft\aoprndtws belonging to Virtumonde

20080207 12-43-08 : Successfully Quarantined Root: HKU Path: S-1-5-21-583907252-1580436667-1417001333-1003\software\microsoft\rdfa belonging to Virtumonde

20080207 12-43-20 : Quarantine succeeded.
20080207 12-46-12 : Started cleaning the system of infections
20080207 12-52-15 : Clean operation finished


3. Downloaded and updated SpyBot - Search and Destroy. Ran scan and deleted what was found.

Yazzle: [SBI $59C4E331] Executable (File, fixed)
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe

Virtumonde: [SBI $050FD60A] Library (File, fixed)
C:\WINDOWS\system32\gebcc.dll

Virtumonde: [SBI $050FD60A] Library (File, fixed)
C:\WINDOWS\system32\pmnnm.dll

Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-583907252-1580436667-1417001333-1003\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-583907252-1580436667-1417001333-1003\Software\Microsoft\aldd

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-583907252-1580436667-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}


4. Ran Housecall

5. Ran Bit Defender

6. Ran McAfee Stinger with Auto Clean selected.

7. Ran Windows Update to make sure I had the latest updates (I did)

8. Downloaded HijackThis and ran a System scan with save logfile option. (Still have log if needed.)

9. Ran VundoFix
Msg: No Infected Files Found

10. Re-booted into Safe Mode

11. Ran VirtumundoBegone (log saved on Desktop - VBG)
Msg: Nothing Found

12. Re-booted back to Normal Mode

13. When Windows came up, received the following:
Msg: Windows cannot find 'C:\WINDOWS\System32\pmnnm.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Msg: Could not load or run 'C:\WINDOWS\System32\pmnnm.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

14. Started Yahoo DSL, then a Windows Installer popped up saying it wanted to install Office XP Small Business, which is already on my computer. I clicked cancel, and it kept coming back trying to do it again. If I let it try to install, it asks for the CD, then gives me a 1706 error when I click cancel.

15. Messages from Step 13 were repeated (this happens several times, whenever I try to access a different web site or program).

16. Downloaded ATF Cleaner and SUPERAntiSpyware, and saved to desktop.

17. Installed and updated SUPERAntiSpyware, selected the following Scanner Options and exited the program:
-Close browsers before scanning.
-Scan for tracking cookies.
-Terminate memory threats before quarantining.



18. Rebooted into Safe Mode and ran ATF-Cleaner (Under "Select Files to Delete" chose: Select All)

19. Scanned with SUPERAntiSpyware. (Performed a Complete scan and quarantined all found items.)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 11:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 01:26:20

Memory items scanned : 191
Memory threats detected : 0
Registry items scanned : 5125
Registry threats detected : 6
File items scanned : 71348
File threats detected : 7

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{AFDEA1CA-AE44-4D0F-AAE6-170B4B099740}
HKCR\CLSID\{AFDEA1CA-AE44-4D0F-AAE6-170B4B099740}
HKCR\CLSID\{AFDEA1CA-AE44-4D0F-AAE6-170B4B099740}\InprocServer32
HKCR\CLSID\{AFDEA1CA-AE44-4D0F-AAE6-170B4B099740}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNNM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDEA1CA-AE44-4D0F-AAE6-170B4B099740}

Adware.AdSponsor/ISM
HKU\S-1-5-21-583907252-1580436667-1417001333-1003\Software\QdrModule
C:\Documents and Settings\worthey\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\worthey\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\worthey\Start Menu\Programs\Internet Speed Monitor

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\BRETT\FAVORITES\ONLINE SECURITY TEST.URL

Adware.Tracking Cookie
C:\Old Documents\Documents and Settings\LocalService\Cookies\kyle@cbs.112.2o7[2].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MNNMP.INI


20. Re-booted back to Normal Mode

21. When Windows came up, received the same messages as before (Steps 13 & 14).


Do I need to head on over to the HijackThis forum, or is there still hope for me here? Please let me know if additional information is needed. Thanks in advance!


#2 V e g e t a

Posted 10 February 2008 - 07:01 AM

Seems to me like it's startup entries that haven't fully been removed.
I had this problem on my old PC with virkosun.dll, a virus.
After getting rid of it I kept getting the "The specified module could not be found" message.
The way I fixed it was:
Start > Run > type "msconfig" without the quotes.
I pressed the 'Startup' tab, and unticked virkosun.dll.
Try seeing if GEBCC.DLL, PMNNM.EXE etc. are there and if they are, untick them, apply, and reboot.
Upon reboot, a System Configuration Utility window will appear when you next log in.
Tick the check box and press OK.
Hope this helps,
Vegeta.

#3 gworthey

Posted 10 February 2008 - 03:00 PM

Thanks Vegeta. May give this a try when I get home if I still haven't heard from the Mods.

#4 Orange Blossom

Moderator

Posted 10 February 2008 - 03:22 PM

Hello gworthey and welcome to BC :flowers:

Please don't use the MSConfig method of stopping the messages. It is to be used as a troubleshooting method, not as a solution.

The messages you are receiving are the result of entries that remain in the registry after the files they refer to are gone. You can fix this by using AutoRuns.

Download Autoruns, search for the related entry and delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

That should take care of the error messages. SAS found and removed a lot of malware. There could be more on your computer. I'm going to contact someone with more experience to look at your thread.

Orange Blossom :thumbsup:
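As an added illustration of what Orange Blossom describes (not code from the thread or from Autoruns), this PowerShell script reads the common Run keys and the CLSID-based load points Vundo used (Browser Helper Objects, ShellExecuteHooks) and reports entries whose target file no longer exists; it only reports, and the deletion is still done in Autoruns. It assumes a Windows machine with PowerShell available, which a 2008-era XP box would have needed installed separately.

```powershell
# Added example, not from the thread: read-only report of startup load points whose
# target file is gone; delete the entries with Autoruns as advised above. Run elevated.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Extract the executable path from a Run value such as
#   "C:\WINDOWS\System32\pmnnm.exe" /s   or   rundll32 C:\WINDOWS\System32\gebcc.dll,Start
function Get-CommandPath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd -match '^rundll32(\.exe)?\s+"?([^",]+)') { return $Matches[2] }
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    return ($cmd -split '\s+')[0]
}
# Run values pointing at a file that no longer exists: the source of the
# "Windows cannot find 'C:\WINDOWS\System32\pmnnm.exe'" message at logon.
function Find-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames() | Where-Object { $_ -ne '' }) {
            $cmd  = [string]$item.GetValue($name)
            $path = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $cmd))
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Missing = $path }
            }
        }
    }
}
# CLSID-based load points Vundo used (Browser Helper Objects, ShellExecuteHooks): resolve
# each CLSID to its InprocServer32 DLL and report those whose DLL is missing or unregistered.
function Find-OrphanedClsidEntries {
    $bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $clsids = @()
    if (Test-Path $bho)   { $clsids += @(Get-ChildItem $bho | ForEach-Object PSChildName) } # subkeys
    if (Test-Path $hooks) { $clsids += @((Get-Item $hooks).GetValueNames()) }              # value names
    foreach ($clsid in ($clsids | Where-Object { $_ })) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { [string]((Get-Item $server).GetValue('')) } else { '' }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
        }
    }
}
Find-OrphanedRunEntries   | Format-Table -AutoSize
Find-OrphanedClsidEntries | Format-Table -AutoSize
```

An entry that shows up here with a missing path is the registry remnant the error dialog is complaining about; one whose DLL still exists is a live load point and deserves a closer look rather than deletion.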

#5 boopme

Global Moderator

Posted 10 February 2008 - 05:43 PM

What you have are stubborn remnants of that WinFixer.
You'll have to post that HijackThis log here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Click on New Topic, give it a title and paste the log.

After posting, make no more changes to your PC until the HJT Team tell you to.
Good luck!

#6 gworthey


Posted 10 February 2008 - 06:02 PM

Thanks boopme and Orange Blossom. Do I still need to launch Autoruns before running HJT?

#7 boopme

Global Moderator

Posted 10 February 2008 - 06:07 PM

No, if you're posting a log, just wait for the HJT expert; they'll guide you through what to do. In fact, once you've posted the log, make no more changes to your PC.
You're welcome from both of us, and good luck!!

#8 boopme

Global Moderator

Posted 11 February 2008 - 10:34 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.