pmnlk.dll (Virtumundo) Trouble

By Metzer
Aug 8, 2006
  1. I've been trying to remove some crap from my machine all day, and I'm at my wits' end. I've followed the instructions on the pre-post thread, but ewido's fast scan still isn't coming up clean. There are three tracking cookies listed, and while I can delete them all, they return after I reboot.

    ewido removed about 200 items the first time I ran it, but a few bugs have been really persistent; the worst has been one that seems to match Virtumundo. I ran the special removal tool, but it has stopped responding three times, twice in safe mode, and I've been forced to soft-boot. There is a BHO that also refuses to disappear: c:\windows\system32\pmnlk.dll (I believe this is Virtumundo).

    I'm attaching my HJT, ewido fast scan, and VirtumundoBeGone logs as text. If you need any more information, let me know. Any help is appreciated.

    Attached Files:

    • VBG.TXT
      File size:
      2.4 KB
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your HJT log is clean.

    No BHO entries are showing up at all.
    As far as the tracking cookies are concerned. run Firefox and click on the tools menu and select options. Click on the privacy tab and click cookies. Click the clear cookies now button, click ok.

    c:\windows\system32\pmnlk.dll is indeed part of the virtumundo infection, but like I said, it isn`t showing up in your HJT log.

    I suspect, you`ve used HJT log to fix things without the proper advice.

    With that in mind, I`d like you to do the following.

    Run HJT and click on the config button. Click on the backups button and tick all the little boxes next to all the entries. Now click the restore button and click yes.

    Click start/run and type msconfig into the run box and press the enter key. Click the startup tab, click the enable all button and click apply/ok.

    You will be prompted to restart your system.

    Once your system has rebooted, you will see a window that says you have used msconfig to make changes etc. Tick the little box that says not to run msconfig the next time you start your system and click ok.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:
  3. Metzer

    Metzer TS Rookie Topic Starter

    Raw HJT Log

    Here's the new HJT log.

    Please bear in mind that, even after enabling all the Startup items in msconfig, I'm still not booting in "normal mode" - I micromanage the TSRs running on my machine, and make a point of disabling any I don't want running (e.g. CloneCD Tray or Macromedia Licensing Service).

    I also removed the following line from my win.ini file (I didn't notice when it was added, but it makes me very suspicious):
    NOTEPAD.EXE=C:\Program Files\Internet Explorer\IEXPLORE.EXE

    One more thing: with the current startup options, ewido detects two tracking cookies, while it detected 5 when I booted with my doctored up init.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these entries.

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O15 - Trusted Zone:

    O15 - Trusted Zone:

    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)

    Other than the above your HJT log looks clean.

    You could try booting into safe mode and turning off system restore. Then, run your antivirus programme and delete whatever it finds. Reboot into normal mode and turn system restore back on.

    Other than the above I have no other suggestions. unfortunately I can`t fix what I can`t see.

    Regards Howard :)
  5. Metzer

    Metzer TS Rookie Topic Starter

    No Good

    Well, I'm still in trouble. In fact, it seems like something is going on, because I got a couple virus warnings from AVG while trying to figure out how to deregister pmnlk.dll using regsvr32. It turns out that ishost.exe and issearch.exe reappeared on my system.

    Is it incredibly stupid to think I might have more success by deliberately reinfecting myself, and running through the entire process again so I can show you a fresh HJT log?
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don`t think reinfecting the computer is a good idea.

    Try this instead.

    Download and run these three tools. Follow the instructions for using each tool. It is important that you do download them and not use the tools you already have.

    Tool1 Tool2 Tool3.

    Follow these additional instructions for the Vundofix tool. This is not the same vundo removal tool that you`ve already used.

    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window.
    Select “[7b]Add More Files?” from the menu that comes up. This will open a new VundoFix window.
    In the Window: copy and paste next in the first field: c:\windows\system32\pmnlk.dll
    Click the “Add Files” button.
    Click the "Close Window" button.
    Click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.

    Regards Howard :)
  7. Metzer

    Metzer TS Rookie Topic Starter


    Thanks for the extra help - it turns out the solution was a bit simpler.

    I hadn't been able to install Kasperksy per the directions on the sticky thread; the link led me to a page that allows you to scan a single file. After my latest post, I went back and tried to get some actual software, and ended up downloading a trial of KAV 6. It was able to detect the Virtumundo entries, as well as intercept the load-time virus activity. I've since scanned my computer a half a dozen times without detecting anything. What's more, I haven't seen any suspicous processes or virus activity. I think I'm clean. I'm going to run a handful of complete scans tonight with Ad-Aware, ewido, and Kaspersky, but I think I'm out of the woods.

    Thanks very much for all your help.
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s great news.

    Thanks for letting us know.

    Regards Howard :)
  9. Metzer

    Metzer TS Rookie Topic Starter

    Plagued by Tracking Cookies

    A couple of weeks ago I foolishly ran an .exe that infected me with a handful of virii and adware. Following the instructions on these forums allowed me to rid myself of almost all of the crap on my PC. However, despite repeated scans by half a dozen programs, there is still something living on here that lets about 10 tracking cookies in. This doesn't just happen at boot - I turned my machine on several hours ago, removed the cookies with ewido, then ran full scans with ewido, Kaspersky, Spybot S&D, and Ad-Aware SE. Sometime between the end of the ewido scan and the end of my barrage, these cookies have returned.

    I've attached my HJT log, as well as logs from the ewido scans I did before and after my spyware hunt.

    A quick note: I have always kept a close eye on the processes running on my machine, and have doctored up my startup routine using msconfig for some years. It is unusual for me to do a "Normal Boot."

    Any help is very much appreciated.
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have merged your new thread into this one.

    Your HJT log is clean.

    I wouldn`t worry too much about those cookies. However, if you want, you can always block them in Firefox. See HERE.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Metzer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. Metzer

    Metzer TS Rookie Topic Starter

    Other Things

    I'm not so much worried about the cookies as I am about how they get there - perhaps there is some kind of undiscovered backdoor program living somewhere. As long as the cookies continue to regenerate, there is something happening on my computer that I don't control, and which was not written with my interests (or privacy) in mind.
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Cookies are set when you visit certain websites. This is useful for remembering password/login details etc. You need to findout which website/s you`re visiting that`s setting those cookies.

    Regards Howard :)
  13. Metzer

    Metzer TS Rookie Topic Starter

    I know about cookies in general.

    These cookies appear whether or not I visit a website. During the time I was scanning my PC with Kaspersky and Ad-Aware, I was not browsing the internet (I wasn't even at my computer). Immediately afterwards, I ran ewido again and detected the same cookies that I removed just prior to running Kaspersky.

    I have not yet determined if these cookies appear when I'm disconnected from the internet. I just installed a trial version of Zone Alarm to see if I can catch anything in the act. Speaking of which: is it normal for winlogon.exe to access the internet? I suspect it's not, and I'm going to run the file through Kasperky's scanner.
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll This is your Kaspersky antivirus programme. So no need to worry about that. That`s why winlogon is accessing the net.

    Like I said, you can block those cookies in Firefox. That should stop them from reappearing.

    Regards Howard :)
  15. Metzer

    Metzer TS Rookie Topic Starter

    Phoning Home?

    I'm starting to think my winlogon.exe is a problem. I caught it attempting to contact 2 separate external IPs: (this appears to be IANA - can't think why my machine would need to contact them) (an address owned by my ISP)

    I also caught services.exe trying to contact an external IP: (another address owned by my ISP?!)

    I don't think these outbound connections can have any legitimate purpose.

    Is it possible to get checksums for winlogon.exe and services.exe? I'm assuming that anyone else with the same version of Windows and the same updates as I should have identical files, enabling me to check to see if mine have been modified.
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`ve just been looking at your HJT log. I hadn`t noticed before, but you`re running two antivirus programmes. This is not recommended. I suggest you uninstall one of them. Running more than one antivirus programme can cause conflicts and will slow your system down.

    It`s perfectly normal for services.exe and winlogon.exe to access the net.

    See HERE for info on winlogon.exe.

    See HERE for more info on services.exe.

    I have checked the location of the above two files in your HJT log and can tell you they are legit.

    I think you`re worrying unecessarily to be honest.

    Apart from the odd tracking cookie, which really aren`t that dangerous, your system is clean as far as I can tell.

    Regards Howard :)

    This thread is for the use of Metzer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  17. Metzer

    Metzer TS Rookie Topic Starter

    I realize that winlogon & services are normally essential to Windows - but I think it's possible that any one of the virii that I was infected with could have modified one or more system files such that they'll install spyware or provide backdoor access or something.

    I know it must be aggravating that I won't let this die, but there is something on my computer that is repeatedly making silent modifications to my system that I have not authorized. I don't have any "handy" weather bugs or IM software or IE toolbars; I don't participate in any sort of distributed computing networks (like SETI@Home), and I'm not using an ad-supported ISP.

    Whatever this thing is, it acts sometime during startup, and sporadically during the normal operation of my PC. There is no way that this is okay. It appears to require an internet connection to install these tracking cookies. When I boot with no network connection, I can leave my machine on for hours without tracking cookies. If I boot with a connection, or if I restore my network connection, the cookies appear sometime afterward. I haven't been able to nail down a timeline because it takes several minutes for ewido to discover these cookies, but they are the same ones every time. I've tried to use this apparent dependence on a network connection to catch the program using ZoneAlarm, but I haven't been able to find anything definitive, and I know that I can't simply delete the files I've noticed acting suspiciously (because they are part of Windows - making them excellent targets).

    Is there a way I can check system files to see if they have been modified?
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I do understand your concerns, but I can`t see anything nasty in your HJT log.

    However, if it`ll make you feel more comfortable, go HERE and follow the instructions exactly. this should help you to discover whether you have anything nasty on your system.

    If nothing turns up after doing the above and you`re still concerned, backup your important data and reformat and reinstall.

    Regards Howard :)
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...