Another victim of Winfix

Discussion in 'Malware Help (A Specialist Will Reply)' started by Castle, Sep 6, 2005.

  1. Castle

    Castle Private E-2

    I have read and run all suggestions from the "read me first". Checked out another thread where someone was having the same issue. Should I just follow the same steps, or is every situation of winfix 2005 different?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes the problems can be similar and sometimes not. If you have run ALL the steps in the READ ME FIRST, then continue with the below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Castle

    Castle Private E-2

    Chaslang thanks for the reply. I ran through all of the "read me before asking" yesterday and also downloaded the latest version of hjt 1.99. I did surf the web more yesterday though. Should I run through the "read me steps again" and then proceed from here on in safe mode?
     
  4. Castle

    Castle Private E-2

    I went through the "read me" process again today, figured it would not hurt. Here is my hjt log. I also should note that I am also getting a popup from "winantispyware 2005".
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While many programs will work okay if installed the way you chose below for MS Antispyware and HijackThis, it is a bad idea to do this. It is a much better practice to install them to their recommended default folders. That way they will not mistakenly overwrite similarly named files from other programs. Also, the way you installed them makes them look suspiciously like malware using the same file names. Also, note that sometimes programs will not even work properly if installed into a folder where files from other programs exist. Here is what I'm referring to:
    C:\Fix\gcasServ.exe
    C:\Fix\gcasDtServ.exe
    C:\Fix\HijackThis.exe


    Your main problem is a Virtumundo infection. There seem to be a lot of these lately. I really wonder where everyone is getting this from. Do you have any idea where this came from?

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of pmnnn.dll once and then click the kill button. After you have killed all of the pmnnn.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of pmnnn.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\nnnmp.ini
    C:\WINDOWS\SYSTEM32\nnnmp.ini2
    C:\WINDOWS\SYSTEM32\nnnmp.bak
    C:\WINDOWS\SYSTEM32\nnnmp.bak2
    C:\WINDOWS\SYSTEM32\nnnmp.tmp
    C:\WINDOWS\SYSTEM32\pmnnn.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
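    The four HijackThis lines singled out above form a recognisable pattern: one DLL registered both as a Winlogon Notify package (O20) and as a browser helper object (O2), next to a dangling O9 button and an empty proxy setting. The script below is an added example, not part of this thread or of HijackThis; it parses HJT-style log lines (the sample is constructed from the lines quoted in this post plus one benign O4 entry) and flags that pattern so a helper can spot it before working through a log by hand.

```python
import re
from collections import defaultdict

# Constructed sample: the lines chaslang quoted above, plus one benign O4 entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O20 - <rest>" : section code, then the free-text body of the entry.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# A drive-letter or %windir% path ending in .dll or .exe.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%windir%)\\[^\s]+\.(?:dll|exe)", re.IGNORECASE)

def parse_hjt(text):
    """Turn HJT log lines into dicts with code, body, normalised path and a file-missing flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        path = PATH_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "path": path.group(0).lower() if path else None,
            "missing": "(file missing)" in body,
        })
    return entries

def triage(entries):
    """Return (finding, detail) pairs: the O2/O20 same-DLL pair, dangling entries, empty proxies."""
    findings = []
    codes_by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            codes_by_path[e["path"]].add(e["code"])
    for e in entries:
        if e["code"] == "O20" and e["path"] and "O2" in codes_by_path[e["path"]]:
            # The same DLL loaded at logon (Winlogon Notify) and in the browser (BHO).
            findings.append(("winlogon-notify-also-bho", e["path"]))
        if e["missing"]:
            findings.append(("dangling-entry", e["path"] or e["body"]))
        if e["code"] == "R1" and "ProxyServer" in e["body"]:
            for part in e["body"].split("=", 1)[1].split(";"):
                if "=" in part and not part.split("=", 1)[1].strip(": "):
                    findings.append(("empty-proxy-setting", part.strip()))
    return findings
```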
     
  6. Castle

    Castle Private E-2

    Thanks Chaslang. I will try this now. I have no idea where this came from.
     
  7. Castle

    Castle Private E-2

    Running pe went well. However I am having problems with "copy bold text" to notepad. When I try to merge with the registry, I get a message that says it must be in binary to merge.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must make sure you follow the directions there exactly.

    The file must be saved with a .reg extension. Sounds like you saved it as a .txt file.

    Also note if you stopped in the middle of the process to post this message, the fix probably will not work.
     