Adware.virtumonde & pmjkj.dll

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GretchenB, Oct 3, 2005.

  1. GretchenB

    GretchenB Private E-2

    First post! I run a Dell 2400, 2.4, 512 ram, 80 meg with broadband.
    Upon booting, I get a screen that says "Work Offline" and "No connection to the internet is currently available" and the option to "Try Again" or "Work Offline". If I open Netscape, all is fine. IE will not connect unless I click on the "Try Again" option.
    Secondly, Symantec immediately quarantines "Adware.Virtumonde" in file
    "pmkjk.dll" which is in C:\WINDOWS\SYSTEM32.

    We run Symantec Antivirus, Ad-Aware, Spybot, Spyblaster, & Panda Activescan. All are updated very often. ONLY Panda has identified pmjkj.dll as being dangerous. All attempts to remove have failed: Regedit in safe mode & HJT will find it but not remove it. Nor did Symantec's fix.

    I have completed all your "READ ME...SUPPORT". RAV (only) found the following:

    \Documents and Settings\Byfields\Application Data\Thunderbird\Profiles\w956ywbc.default\Mail\Local Folders\Trash->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\Byfields\Application Data\Thunderbird\Profiles\w956ywbc.default\Mail\Local Folders\Eudora Mail3.sbd\Trash->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\WiscWorld\pbyfield\Copy of Eudora EMail\KEEP.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\WiscWorld\pbyfield\Eudora EMail\EBAYEREWARDS.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\WiscWorld\pbyfield\Eudora EMail\KEEP.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\WiscWorld\pbyfield\Eudora EMail\Trash.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious

    Any suggestions? Thank you
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below so we can work up a fix for your Virtumundo problem.



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. GretchenB

    GretchenB Private E-2

    Thanks for the quick reply! HJT log attached...(I hope)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    CWShredder Service

    Now exit HJT and do not reboot if it asks you to do so. We will reboot later.

    Your main problem is a Virtumundo infection. Follow the steps below to fix it.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Please print these instructions out for use in Safe Mode with no networking and DO NOT RUN any browsers while doing these steps.

    Please download VundoFix.exe to your desktop.


    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\pmkjk.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\kjkmp.*


    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmkjk.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll

    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    • Now please attach a new HJT log from normal mode.
     
  5. GretchenB

    GretchenB Private E-2

     
  6. GretchenB

    GretchenB Private E-2

    Guess I'm stuck: VundoFix will not proceed beyond the first "Enter, F6, Enter" sequence after I entered "C:\WINDOWS\System32\pmkjk.dll".
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you doing this after booting into safe mode? If so and it still does not work, I will provide you an older method of fixing this that I used before Vundofix became available.
     
  8. GretchenB

    GretchenB Private E-2

    yes...safe mode...I looked in system32 and several pmkjk files are there...how about I try to delete or rename them...sick computer is still in the safe mode...?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That will not work and could just make it create new ones with different names. Wait for my next message I will give you a new procedure. You will need to download two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later when I give a procedure to use in my next message.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After getting those two files downloaded and installed, continue with the below.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of pmkjk.dll once and then click the kill button. After you have killed all of the pmkjk.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of pmkjk.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmkjk.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

    C:\WINDOWS\system32\kjkmp.ini
    C:\WINDOWS\system32\kjkmp.ini1
    C:\WINDOWS\system32\kjkmp.ini2
    C:\WINDOWS\system32\kjkmp.bak
    C:\WINDOWS\system32\kjkmp.bak1
    C:\WINDOWS\system32\kjkmp.bak2
    C:\WINDOWS\system32\kjkmp.tmp
    C:\WINDOWS\system32\pmkjk.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
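The VundoFix step in the earlier reply (delete the DLL, then kjkmp.*) and the Killbox list above both rest on one trait of this family: its working files are named with the loader DLL's name spelled backwards (pmkjk -> kjkmp). The Python below is an added example, not part of this thread or of VundoFix, HijackThis or Killbox; it writes down the triage the replies do by hand. The HJT lines and the system32 listing it runs over are constructed for the example (the poster's attached log is not on the page), and the two "Example" entries are invented benign ones so the check has something to leave alone.

```python
import re
from typing import Dict, List

# Constructed lines in the style of a HijackThis 1.99.1 log. The first, second
# and fourth are the three entries the thread tells the poster to fix; the
# others are invented benign entries the triage must leave alone. The poster's
# real attached log is not on the page.
SAMPLE_HJT_LOG = """\
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINDOWS\\system32\\pmkjk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: pmkjk - C:\\WINDOWS\\system32\\pmkjk.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Constructed directory listing of C:\WINDOWS\system32: the file names from the
# thread plus a few genuine Windows DLLs that must not be flagged.
SAMPLE_SYSTEM32 = [
    "pmkjk.dll", "kjkmp.ini", "kjkmp.ini2", "kjkmp.bak", "kjkmp.tmp",
    "crypt32.dll", "kernel32.dll", "user32.dll",
]

SYSTEM32 = "C:\\WINDOWS\\system32\\"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Pull the O2 (BHO) and O20 (Winlogon Notify) entries out of an HJT log."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", O2_RE), ("O20", O20_RE)):
            m = pattern.match(line)
            if m:
                entries.append({"section": section, "raw": line, **m.groupdict()})
                break
    return entries


def basename(path: str) -> str:
    """Last component of a Windows path (a bare file name is returned as-is)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(filename: str) -> str:
    return filename.lower().rsplit(".", 1)[0]


def reversed_name_companions(dll_name: str, listing: List[str]) -> List[str]:
    """Files whose stem is the DLL's stem spelled backwards (pmkjk -> kjkmp).

    Vundo kept its .ini/.bak/.tmp working files under that mirrored name,
    which is why the thread deletes kjkmp.* alongside pmkjk.dll.
    """
    mirror = stem(dll_name)[::-1]
    return sorted(f for f in listing
                  if f.lower() != dll_name.lower() and stem(f) == mirror)


def triage(log_text: str, system32_listing: List[str]) -> Dict[str, List[str]]:
    """Turn an HJT log plus a system32 listing into a worklist.

    Rules, mirroring what the thread does by hand:
      * an O2 BHO registered to '(no file)' is an orphan -> fix the HJT line;
      * an O2/O20 entry whose DLL sits in system32 and has reversed-name
        companions is treated as the Vundo loader -> fix the line and queue
        the DLL plus its companions for deletion on reboot.
    """
    present = {f.lower() for f in system32_listing}
    fix_lines: List[str] = []
    delete_files: List[str] = []
    for entry in parse_hjt(log_text):
        path = entry["path"].strip()
        if path.lower() == "(no file)":
            fix_lines.append(entry["raw"])
            continue
        name = basename(path)
        if name.lower() not in present:
            continue  # not in system32; out of scope for this check
        companions = reversed_name_companions(name, system32_listing)
        if not companions:
            continue  # crypt32.dll and other legitimate DLLs end up here
        fix_lines.append(entry["raw"])
        for f in [name] + companions:
            full = SYSTEM32 + f
            if full not in delete_files:
                delete_files.append(full)
    return {"fix_lines": fix_lines, "delete_files": delete_files}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG, SAMPLE_SYSTEM32)
    print("Fix checked in HijackThis:")
    for line in result["fix_lines"]:
        print("  " + line)
    print("Delete on reboot (Killbox list):")
    for f in result["delete_files"]:
        print("  " + f)
```

The output is a worklist to review, not something to feed to a deleter unattended: a legitimate DLL with a palindromic or coincidentally mirrored name would be flagged too. It also does nothing about why the deletion has to happen on reboot; the DLL is loaded into winlogon.exe through the O20 Notify entry, which is exactly why the reply above kills its threads in Process Explorer before touching the registry lines.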
     
  11. GretchenB

    GretchenB Private E-2

    Did as directed in safe mode...had to reboot to normal to get the reg stuff and post to notepad and fixvundo file on desktop...is the merge and killbox all done back in safe mode?
    BTW, the reboot to regular mode did NOT bring up the "offline" screen or Symantec looking for Adware.Virtumonde...(!)
     
  12. GretchenB

    GretchenB Private E-2

    ...also, when I ran Process Explorer, I had no explorer.exe file to look at for pmkjk files...just the winlogon.exe file.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You neglected to post a new HJT log!

    Also tell me if you are having any other malware problems now.
     
  14. GretchenB

    GretchenB Private E-2

    Still awaiting your guidance on which mode...safe/normal...to merge the fixvundo file
    and run Killbox...I'll post new HJT as soon as I finish...
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first step of the process says:

     
  16. GretchenB

    GretchenB Private E-2

    ============================================
    All seems to running MUCH better, thanks to your help! HJT log attached.
    Thank you for guiding this neophyte thru the computer jungle...
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is basically clean but I just want to verify a few things on the O17 line of your HJT log. There are two IP addresses I want to know if you recognize them. Perhaps they are for your ISP:

    Code:
     24.196.64.53 = [ 24-196-64-53.static.mdsn.wi.charter.com ]

      OrgName:    Charter Communications
      OrgID:      CC04
      Address:    12405 Powerscourt Dr.
      City:       St. Louis
      StateProv:  MO
      PostalCode: 63131
      Country:    US

     68.115.71.53 = [ vip.eau.wi.charter.com ]

      OrgName:    Charter Communications
      OrgID:      CC04
      Address:    12405 Powerscourt Dr.
      City:       St. Louis
      StateProv:  MO
      PostalCode: 63131
      Country:    US

     
    If they are your ISP, all is well! And then you should move on to the steps in the below link:

    How to Protect yourself from malware!
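The O17 check in the reply above can be scripted: pull the NameServer addresses out of the O17 line and test whether each one falls inside a network that whois has confirmed belongs to your ISP. The Python below is an added example, not from the thread or from HijackThis. The two O17 lines are constructed in HJT's format: the first carries the two addresses asked about above, the second is a made-up hijacked setting pointing at an RFC 5737 documentation address; the interface GUIDs and the /16 allow-list are placeholders for whatever whois returns, not Charter's real allocations.

```python
import ipaddress
import re
from typing import List

# Constructed O17 lines in HijackThis format. The first carries the two
# addresses asked about in the thread; the second is an invented hijacked
# resolver setting using a documentation-only address (RFC 5737). The
# interface GUIDs are placeholders.
SAMPLE_O17_LINES = [
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A1B2C3D4-0000-0000-0000-000000000001}: "
    "NameServer = 24.196.64.53,68.115.71.53",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A1B2C3D4-0000-0000-0000-000000000002}: "
    "NameServer = 192.0.2.53",
]

# Placeholder allow-list standing in for the prefixes whois reports for the
# ISP. These /16s are assumptions for the example, not real allocations.
ALLOWED_NETWORKS = ["24.196.0.0/16", "68.115.0.0/16"]

# HJT writes "NameServer = a,b,c" at the end of the O17 line; accept IPv4 or
# IPv6 characters and tolerate spaces after the commas.
O17_RE = re.compile(r"NameServer = (?P<servers>[0-9A-Fa-f:., ]+)$")


def nameservers_from_o17(line: str) -> List[str]:
    """Resolver addresses listed on one O17 line (empty list if none)."""
    m = O17_RE.search(line.strip())
    if not m:
        return []
    return [s.strip() for s in m.group("servers").split(",") if s.strip()]


def unexpected_nameservers(lines: List[str], allowed: List[str]) -> List[str]:
    """Addresses from the O17 lines that sit outside every allowed network.

    Anything returned here deserves the same whois treatment as above: a
    resolver you did not configure and cannot attribute to your ISP is how
    DNS-hijacking adware redirects browsing.
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    out: List[str] = []
    for line in lines:
        for server in nameservers_from_o17(line):
            addr = ipaddress.ip_address(server)
            if not any(addr in net for net in nets) and server not in out:
                out.append(server)
    return out


if __name__ == "__main__":
    for line in SAMPLE_O17_LINES:
        print("O17 resolvers:", nameservers_from_o17(line))
    print("Not in the ISP's networks:",
          unexpected_nameservers(SAMPLE_O17_LINES, ALLOWED_NETWORKS))
```

The allow-list is the part that needs real data: fill it from the whois output for the addresses on your own O17 line, and treat any address that is outside your ISP's and your own network's ranges as something to explain before calling the log clean.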
     
