| Tags: pmkjidll, trojanvundo |
#1
How to remove TROJAN.VUNDO -- pmkji.dll

Hello All,

I originally acquired this fix from Brian Gideon's posting. Below I will list what steps I used working off of Brian's posting.

My Steps:

After Norton AV located the trojan within my system32 folder, under the name pmkji.dll, here's what I did: (Note: this was on the XP Pro OS, with all SP updates)

YOU CAN RUN ALL THESE STEPS IN NORMAL MODE...

1) Tried to delete the file manually, both in normal mode and safe mode. No good, file was in use by a system process, so deleting the file was denied.

2) Downloaded a tool from Norton that was designed to find the infected file and remove it. No luck. The stupid tool couldn't even locate the file. I think I'm losing some of my faith in Norton.

3) Still reading through Norton's recommendations for this trojan, I tried their 'manual removal steps', which included removing some specific keys from the registry. Every key they listed to be removed could not be found on my PC. So nuts to that attempt.

4) When in doubt 'Google it!' This is where I found Brian's posting. God bless Google groups. I started by Downloading the Process Explorer application from http://www.sysinternals.com. This is truly an excellent tool.

5) After installing Process Explorer, you'll find that when you first try to run the program, it will ask for you to install a debugging tool from Microsoft. The message that pops up will provide you with a Link to Microsoft's site. Choose the debugging tool update that best suits your OS and install it. Then re-run Process Explorer.

6) Once Process Explorer is up and running, jump into the registry. Within the registry do a search for pmkji.dll. Remove anything within your registry that lists this file name. Note, if you skip this step and proceed with removing the infected pmkji.dll file, upon reboot, the registry will reload the pmkji.dll file back on your system. So do not skip this step.

7) OK with the registry cleared, open up a command prompt, cmd.exe. Within the command line, work your way to c:\windows\system32. This is where the file was on my system, your path may vary depending on your OS.

8) Once you're in that directory, type in the following command, but don't hit enter just yet,
del pmkji.dll

9) Now the next step is tricky, you've got to be quick about this. Using Process Explorer, locate explorer.exe and winlogon.exe in the list of active processes running on your PC. You might want to collapse the list of processes under each so you can get the two next to each other. What you're essentially doing here is killing both of these processes because the trojan utilizes them to stay alive. First right click on explorer.exe and choose Kill Process. This will knock out all browsers or folders you may have open, but it will not kill your command line session. Next, right click on winlogon.exe and choose Kill Process. NOW REAL FAST, JUMP BACK OVER TO YOUR COMMAND LINE PROMPT AND EXECUTE THE DELETE COMMAND ON PMKJI.DLL. YOU WILL ONLY HAVE ABOUT 10 - 15 SECONDS TO EXECUTE THAT DELETE COMMAND. Sorry for the caps, but I must emphasize how quick you need to be; because after that 10-15 second time lapse, your machine will lock up with the blue screen of death. After your machine locks up, give her a hard boot and you'll be in business. No more damn Trojan! :0)

Don't sweat it if you are unable to get it the first time. I had to do it twice. Just remember, if you do have to start over, you will need to repeat all the steps above. The trojan will re-replicate itself back into your registry if you fail on the first attempt.

Please let me know how it works. Any questions or assistance needed, feel free to contact me.

Brian, I give you props for your posting. Couldn't have fixed this problem without ya.

thx,
LOGAN
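Step 6 of the post above depends on finding every registry entry that names the DLL. As an added example (not part of the original post), this Python code searches a registry export offline and also decodes REG_EXPAND_SZ and REG_MULTI_SZ values, which are stored as hex bytes and so never show up in a plain text search of the export. The key paths and data in the sample are constructed, and the code assumes the export has already been read as text (version 5.00 exports are UTF-16 on disk).

```python
import re

# Constructed sample in .reg (version 5.00) text form; key paths and data are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Notify\pmkji]
"DllName"="C:\\WINDOWS\\system32\\pmkji.dll"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\PMKJI.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Expand]
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,70,00,6d,00,6b,00,6a,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_CURRENT_USER\Software\Example\Clean]
"Path"="C:\\WINDOWS\\system32\\shell32.dll"
'''

def decode_value(raw):
    """Return the text a .reg value holds, or None for non-string types."""
    if raw.startswith('"'):                       # REG_SZ: quoted, backslash-escaped
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    m = re.match(r'hex\([27]\):(.*)', raw)        # REG_EXPAND_SZ / REG_MULTI_SZ
    if m:                                         # stored as UTF-16LE bytes in hex
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le', 'replace').replace('\x00', ' ').strip()
    return None

def find_references(reg_text, needle):
    """List (key, value name, data) for every entry that mentions needle."""
    needle = needle.lower()
    text = re.sub(r'\\\r?\n\s*', '', reg_text)    # join hex continuation lines
    key, hits = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if needle in key.lower():             # the key name itself matches
                hits.append((key, None, None))
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
        data = decode_value(m.group(2))
        if needle in name.lower() or (data and needle in data.lower()):
            hits.append((key, name, data))
    return hits

if __name__ == '__main__':
    for key, name, data in find_references(SAMPLE_REG, 'pmkji.dll'):
        print(f'{key}\n    {name} = {data}')
```

Matching is case-insensitive, so the upper-case `PMKJI.DLL` entry is reported along with the others.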
#2
Re: How to remove TROJAN.VUNDO -- pmkji.dll

Hello,

Our database has that file in it, so we will detect and remove that item. You may also wish to try Super Ad Blocker with SUPERAntiSpyware:

http://www.superadblocker.com

Super Ad Blocker | SUPERAntiSpyware offers several unique features such as using a system level driver to delete the files, so pests do not come back once detected and cleaned.

Super Ad Blocker offers a fully functional 15-day trial. You can scan and clean your computer and then remove Super Ad Blocker if you do not wish to keep it. We do appreciate when users support our development efforts by purchasing the product :) You can also do a PayPal donation to sales@superadblocker.com of any amount if you wish.

If that does not find and/or remove the spyware/adware on your machine, you can submit a diagnostic and I will diagnose your machine for free and post the results back to the group and update our rules with anything found:

http://www.superadblocker.com/diagnostic.html?id=nicks

You may also wish to "see" what is running on your computer here:

http://www.fileresearchcenter.com

Nick Skrepetos
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com

<LJD306@comcast.net> wrote in message news:1132427633.206747.267950@g47g2000cwa.googlegroups.com...
> Hello All,
>
> I originally acquired this fix from Brian Gideon's posting. Below I
> will list what steps I used working off of Brian's posting.
>
> My Steps:
>
> After Norton AV located the trojan within my system32 folder, under the
> name pmkji.dll, here's what I did: (Note: this was on the XP Pro OS,
> with all SP updates)
>
> YOU CAN RUN ALL THESE STEPS IN NORMAL MODE...
>
> 1) Tried to delete the file manually, both in normal mode and safe
> mode. No good, file was in use by a system process, so deleting the
> file was denied.
>
> 2) Downloaded a tool from Norton that was designed to find the infected
> file and remove it. No luck. The stupid tool couldn't even locate the
> file. I think I'm losing some of my faith in Norton.
>
> 3) Still reading through Norton's recommendations for this trojan, I
> tried their 'manual removal steps', which included removing some
> specific keys from the registry. Every key they listed to be removed
> could not be found on my PC. So nuts to that attempt.
>
> 4) When in doubt 'Google it!' This is where I found Brian's posting.
> God bless Google groups. I started by Downloading the Process Explorer
> application from http://www.sysinternals.com. This is truly an
> excellent tool.
>
> 5) After installing Process Explorer, you'll find that when you first
> try to run the program, it will ask for you to install a debugging tool
> from Microsoft. The message that pops up will provide you with a Link
> to Microsoft's site. Choose the debugging tool update that best suits
> your OS and install it. Then re-run Process Explorer.
>
> 6) Once Process Explorer is up and running, jump into the registry.
> Within the registry do a search for pmkji.dll. Remove
> anything within your registry that lists this file name. Note, if you
> skip this step and proceed with removing the infected pmkji.dll file,
> upon reboot, the registry will reload the pmkji.dll file back on your
> system. So do not skip this step.
>
> 7) OK with the registry cleared, open up a command prompt, cmd.exe.
> Within the command line, work your way to c:\windows\system32. This is
> where the file was on my system, your path may vary depending on your
> OS.
>
> 8) Once you're in that directory, type in the following command, but
> don't hit enter just yet,
> del pmkji.dll
>
> 9) Now the next step is tricky, you've got to be quick about this.
> Using Process Explorer, locate explorer.exe and winlogon.exe in the
> list of active processes running on your PC. You might want to
> collapse the list of processes under each so you can get the two next
> to each other. What you're essentially doing here is killing both of
> these processes because the trojan utilizes them to stay alive. First
> right click on explorer.exe and choose Kill Process. This will knock
> out all browsers or folders you may have open, but it will not kill
> your command line session. Next, right click on winlogon.exe and
> choose Kill Process. NOW REAL FAST, JUMP BACK OVER TO YOUR COMMAND
> LINE PROMPT AND EXECUTE THE DELETE COMMAND ON PMKJI.DLL. YOU WILL ONLY
> HAVE ABOUT 10 - 15 SECONDS TO EXECUTE THAT DELETE COMMAND. Sorry for
> the caps, but I must emphasize how quick you need to be; because after
> that 10-15 second time lapse, your machine will lock up with the blue
> screen of death. After your machine locks up, give her a hard boot and
> you'll be in business. No more damn Trojan! :0)
>
> Don't sweat it if you are unable to get it the first time. I had to do
> it twice. Just remember, if you do have to start over, you will need
> to repeat all the steps above. The trojan will re-replicate itself
> back into your registry if you fail on the first attempt.
>
> Please let me know how it works. Any questions or assistance needed,
> feel free to contact me.
>
> Brian, I give you props for your posting. Couldn't have fixed this
> problem without ya.
>
> thx,
> LOGAN
>
#3
Re: How to remove TROJAN.VUNDO -- pmkji.dll

http://www.atribune.org

Atri has made a tool that will remove the Vundo trojan once you've ascertained the file path of the malicious .dll

Spysweeper is the only other program that will remove it currently
#4
Re: How to remove TROJAN.VUNDO -- pmkji.dll

SuperAdBlocker | SUPERAntiSpyware will remove it also - that's why I suggested trying it.

Nick Skrepetos
SuperAdBlocker.com
http://www.superadblocker.com

"Avohir" <Avohir@gmail.com> wrote in message news:1132463517.689188.78340@f14g2000cwb.googlegroups.com...
> http://www.atribune.org
>
> Atri has made a tool that will remove the Vundo trojan once you've
> ascertained the file path of the malicious .dll
>
> Spysweeper is the only other program that will remove it currently
>
#5
Re: How to remove TROJAN.VUNDO -- pmkji.dll

From: "Nick Skrepetos (SuperAdBlocker.com)" <nicks@superadblocker.com>

| SuperAdBlocker | SUPERAntiSpyware will remove it also - that's why I
| suggested trying it.
|
| Nick Skrepetos
| SuperAdBlocker.com
| http://www.superadblocker.com
|
| "Avohir" <Avohir@gmail.com> wrote in message
| news:1132463517.689188.78340@f14g2000cwb.googlegroups.com...
>> http://www.atribune.org
>>
>> Atri has made a tool that will remove the Vundo trojan once you've
>> ascertained the file path of the malicious .dll
>>
>> Spysweeper is the only other program that will remove it currently
>>

So will AV software.
Vundo -- http://vil.nai.com/vil/content/v_127690.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#6
hey guys. and truly thanks to LJD306, and brian. i am here to tell u i have also found a program that will delete the file, it is a free antivirus known as avg free edition. u can download it from download.com, be sure to get avg free 8.0. download the software, install and then do a quick scan of the file. it will immediately recognize the virus and delete it, but not the whole file. after avg is done, navigate to the file and it should be a white box for the icon instead of the default dll icon. now delete the file and voila!!! empty recycle bin and the trojan is gone.

ALSO: don't forget to search registry for pmkji and delete all files pertaining to it. it worked for me. GOOD LUCK!!!!!!!=]

questions, feel free to ask
#7
Re: How to remove TROJAN.VUNDO -- pmkji.dll

From: "punkdude600" <punkdude600.3gkvfe@DoNotSpam.com>

| hey guys. and truly thanks to LJD306, and brian. i am here to tell u i have also found
| a program that will delete the file, it is a free antivirus known as avg free edition.
| u can download it from http://www.free.avg.com. download the software, install and then
| do a quick scan of the file. it will immediately recognize the virus and delete it, but
| not the whole file. after avg is done, navigate to the file and it should be a white
| box for the icon instead of the default dll icon. now delete the file and voila!!! empty
| recycle bin and the trojan is gone. ALSO: don't forget to search registry for pmkji and
| delete all files pertaining to it. it worked for me. GOOD LUCK!!!!!!!=] questions, feel
| free to ask
| --
| punkdude600
| ------------------------------------------------------------------------
| punkdude600's

It is a Trojan, not a virus and it's an old variant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp