How Do I Get Rid Of Viruses In My Memory?


SEAS
July 16th, 2007, 09:02 AM
Hey Forum!

I was running NOD32 and got this message.

A variant of Win32/Adware.Virtumonde.FP application found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click “Leave” to continue and subsequently run the cleaning of all disks. System memory infection originated from file C:\WINDOWS\System32\pmnli.dll


I also have tried Avast Free and DrWeb... both found viruses in memory and recommended to reboot and then they would fix (or remove) on rebooting, but it seems like I STILL have some in memory (or at least just this one).

So... any ideas of how to get rid of this?

Thanks!

SEAS

plantextract
July 16th, 2007, 09:10 AM
you could try with superantispyware and/or vundofix, they offer good results in removing this.

tamdam
July 16th, 2007, 09:10 AM
if you know the particular process which happens to be the malware file, then use task manager to terminate it. If that doesn't work, try some more "advanced" termination:

IceSword -> http://www.antirootkit.com/software/IceSword.htm
DarkSpy -> http://www.softpedia.com/get/Antivirus/DarkSpy-Anti-Rootkit.shtml
APT -> http://www.diamondcs.com.au/freeutilities/apt.php

Texcritter
July 16th, 2007, 10:51 AM
Hi SEAS (no pun intended)

From what I have read about this malware, it looks like you need expert advice from a dedicated spyware removal forum, somewhere like HijackThis - Tom Coyote - Bleeping Computer etc.

likuidkewl
July 16th, 2007, 11:52 AM
Have a look here at Bleeping Computer's instructions ;)
http://www.bleepingcomputer.com/forums/topic18610.html

Durad
July 16th, 2007, 12:15 PM
As I remember, Eset has a removal tool for that malware. You should contact their support or Macros.

You cannot kill the Vundo process from memory with Taskbar because it is often loaded with the winlogon.exe process.

YeOldeStonecat
July 16th, 2007, 01:00 PM
Scan in safe mode. Also, between reboots, power down the PC completely for a few seconds. Soft reboots allow stuff to still run in RAM.

zapjb
July 16th, 2007, 01:10 PM
Even physically pull the power cord for a couple minutes.

SEAS
July 16th, 2007, 01:28 PM
Thanks guys for your help!

So far I'm going down the list of recommendations step by step. I'm pleased to say that SUPERantispyware FREE found another 180 or so that NOD32 didn't. Now it's on to the other fixes that were recommended!

However after cleaning... I'm getting "Error loading C:\WINDOWS\system32\kfkhydle.dll the specific module cannot be found"

Is this something I need or what?

Thanks!

SEAS

P.S. I was also going to run Windows XP Pro repair after all of this (to see if there are some things that got killed accidentally). Is that something that is recommended or not?

orthocros2007
July 16th, 2007, 01:46 PM
{QUOTE-> Hey Forum!

I was running NOD32 and got this message.

A variant of Win32/Adware.Virtumonde.FP application found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click “Leave” to continue and subsequently run the cleaning of all disks. System memory infection originated from file C:\WINDOWS\System32\pmnli.dll


I also have tried Avast Free and DrWeb... both found viruses in memory and recommended to reboot and then they would fix (or remove) on rebooting, but it seems like I STILL have some in memory (or at least just this one).

So... any ideas of how to get rid of this?

Thanks!

SEAS <-QUOTE}

If you never turn the power off on your computer, ANY data stored in "volatile" memory [memory which holds data only while power is flowing to the motherboard, where physical memory resides] [such as malware and viruses] will remain there.

So, once viruses and other malware are removed by programs such as NOD32, you MUST TURN THE MACHINE OFF to get them completely "killed." This will remove any residual malware code still stored in volatile memory.

NOD32 almost always does a cold boot [that is, all power to the machine is turned OFF, and the machine reboots freshly] after any malware removal operations. If it doesn't, you must configure NOD32 to either ask for a manual cold boot, or do an automatic cold boot.

If the virus returns after a cold reboot, it was obviously NOT completely sanitized by your AV product.

Removing an electronic virus is much like removing a virus from one's body. If he/she leaves a single virus in his/her body, or one goes back into an environment heavily-laden with the virus after it is removed from the body, even though the illness caused by the virus is in complete remission, it will eventually return, and usually returns in a more virulent state.

Sometimes, the best solution is to re-partition and format your drives, and reinstall your OS, making sure you do this using OS installation media which cannot be rewritten [don't use copies of OS installation media!!!] Then start using safe surfing habits [stay away from P2Ps, Porn sites, and "warez" sites] CONSISTENTLY!!!. Also stay away from sites which originate from the former Soviet Union, and NEVER click on links from unknown senders in your e-mail.

SEAS
July 16th, 2007, 02:03 PM
Thanks YeOldeStonecat, zapjb, orthocros2007, and the rest!

I unplugged my PC... let it sit for a while... then plugged back in. I then scanned with SUPERAntiSpyware Free and there were no more viruses in memory.

I STILL get the RUNDLL Error " C:\WINDOWS\system32\kfkhydle.dll". Does anyone have any suggestions for this?

SEAS

plantextract
July 16th, 2007, 02:08 PM
Try going to msconfig, in the startup tab, and see if that file is there, or use Autoruns from Microsoft to identify that. Then uncheck it.
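The check suggested in the post above, as an added example that is not part of the original thread: it reads captured `reg query` output for the Run keys and reports rundll32 entries whose DLL no longer exists on disk, which is what produces the "Error loading ... kfkhydle.dll" popup at logon. It assumes the leftover sits in a Run key; the value names, the other two entries and the export names in the sample are constructed.

```python
import ntpath
import re

# Constructed sample of `reg query` output. Value names, the updater and helper
# entries, and the ",startup"/",Init" exports are invented; only the
# kfkhydle.dll path is taken from the error message in the thread.
SAMPLE_REG_QUERY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    ExampleLeftover    REG_SZ    rundll32.exe "C:\WINDOWS\system32\kfkhydle.dll",startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleHelper    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\examplehelper.dll,Init
'''

# "<indent>name<ws>REG_TYPE<ws>data"; value names may themselves contain spaces.
VALUE_RE = re.compile(r'^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$')


def parse_reg_query(text):
    """Yield (key, value_name, data) for string values in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group('type') in ('REG_SZ', 'REG_EXPAND_SZ'):
            yield key, m.group('name'), m.group('data').strip()


def split_first(cmd):
    """Split a command line into (first token, rest), honouring double quotes."""
    cmd = cmd.strip()
    if not cmd:
        return '', ''
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def rundll_target(cmd):
    """Return the DLL path a rundll32 command line loads, or None otherwise."""
    exe, rest = split_first(cmd)
    if ntpath.basename(exe).lower() not in ('rundll32', 'rundll32.exe'):
        return None
    if rest.startswith('"'):
        dll, _ = split_first(rest)
    else:
        # rundll32 syntax is "<dll>,<entry point> [args]"
        dll = rest.split(',', 1)[0].strip()
    return dll or None


def find_orphaned_rundll(text, exists):
    """List (key, value_name, dll) where the DLL is missing according to exists().

    Environment variables such as %SystemRoot% are not expanded here.
    """
    findings = []
    for key, name, data in parse_reg_query(text):
        dll = rundll_target(data)
        if dll and not exists(dll):
            findings.append((key, name, dll))
    return findings


# Constructed stand-in for the disk after cleaning: the DLL from the error is gone.
PRESENT = {r'c:\windows\system32\examplehelper.dll'}


def demo_exists(path):
    return path.lower() in PRESENT


if __name__ == '__main__':
    for key, name, dll in find_orphaned_rundll(SAMPLE_REG_QUERY, demo_exists):
        print(f'{key}\\{name} -> missing {dll}')
```

On the affected machine, pass `os.path.exists` as `exists` and feed it the saved output of `reg query` for each Run key; the reported value is the one to uncheck in msconfig or Autoruns.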

zapjb
July 16th, 2007, 02:15 PM
It's funny how some times ya just have to pull the plug.

Anyways for your dll error. On XP I use RegistryBooster.

http://www.liutilities.com/products/registrybooster/

They have a free scan. Don't know if it fixes free. Try it.

The full registered version fixed a dll error for me that nothing, no other program, no manual editing would fix.

HiTech_boy
July 16th, 2007, 02:25 PM
{QUOTE-> I STILL get the RUNDLL Error " C:\WINDOWS\system32\kfkhydle.dll". Does anyone have any suggestions for this?
<-QUOTE}

You need to touch the registry, either manually or with special tools, to delete the reg key.

Since you got a Virtumonde infection, you can go through the following instructions given by Blackspear

{QUOTE-> This is required to remove detection of 4 tools that we are about to download and use, these tools may be detected by NOD32 if you have “Potentially Dangerous Applications” (version 2.5) or "Potentially unwanted and unsafe applications" (version 2.7) ticked within NOD32.

1. Please go to the NOD32 Control Centre (Start> All Programs> Eset> NOD32 Control Centre)
2. Click on AMON> Setup> Options (tab)
3. Untick “Potentially Dangerous Applications” (version 2.5) or "Potentially unwanted and unsafe applications" (version 2.7).
4. Click on OK.
5. Click on IMON> Setup> Miscellaneous (tab)> Scanner Setup> Setup (tab)
6. Untick “Potentially Dangerous Applications” (version 2.5) or "Potentially unwanted and unsafe applications" (version 2.7).
7. Click on OK.
8. Click on OK


When the process below is complete, please place a tick back in “Potentially Dangerous Applications” (version 2.5) or "Potentially unwanted and unsafe applications" (version 2.7).


Please follow the instructions found at the following 4 websites:

VundoFix here: http://www.atribune.org/content/view/24/2/

SmitfraudFix here: http://www.bleepingcomputer.com/forums/topic17258.html

Look2Me Destroyer here: http://www.atribune.org/content/view/28/2/

Fix Wareout here: http://forums.majorgeeks.com/showthread.php?t=95472


When the process above is complete, please place a tick back in “Potentially Dangerous Applications” (version 2.5) or "Potentially unwanted and unsafe applications" (version 2.7).

Please complete the process below to ensure this does not happen again:

Check your settings against those found in the following NOD32 Tutorial: http://www.wilderssecurity.com/showthread.php?t=37509


AFTER this run a scan by following these steps:

1. Click on the NOD32 Control Centre (Green and White split square on the bottom right hand corner of your computer's screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.
5. Reboot your Computer into “Safe Mode”.
6. Click on Start> All Programs> ESET> NOD32
7. Click on “Scan and Clean”.
8. Check the scan results. <-QUOTE}


HiTech_boy

SEAS
July 16th, 2007, 02:27 PM
{QUOTE-> It's funny how some times ya just have to pull the plug.

Anyways for your dll error. On XP I use RegistryBooster.

http://www.liutilities.com/products/registrybooster/

They have a free scan. Don't know if it fixes free. Try it.

The full registered version fixed a dll error for me that nothing, no other program, no manual editing would fix. <-QUOTE}

Downloading Now! ;D

I'll keep everyone posted as well.

BTW - Does anyone here on this forum have a project studio and use their PC for recording?

SEAS

SEAS
July 16th, 2007, 02:35 PM
Say... how does RegistryBooster compare with Regcure?

Here's Regcure's link http://www.regcure.com/lp/11/?uid=k0lxs

A friend of mine emailed that to me to try the other day but hadn't gotten around to it yet.

BTW - RegistryBooster found 837 problems. Just made a backup... now going to try to fix!

Thanks again everyone!

SEAS 8)

SEAS
July 16th, 2007, 02:54 PM
{QUOTE-> You need to touch in the registry either manually or with special tools to delete the reg key. <-QUOTE}

I'll do this as well HiTech_boy! Just to make sure everything is GONE!!!

SEAS

SEAS
July 16th, 2007, 03:22 PM
Hey zapjb!

RegCure found like 1,495 or so (but who knows if it's better or worse than RegistryBooster ya know?)

What about the free one CCLEANER?

SEAS

zapjb
July 16th, 2007, 03:33 PM
Imo/e stay away from cc.


And don't go crazy w/reg fixers. Is your dll problem fixed?

If so. I'd reboot, use comp at least 10-15 mins. Repeat 2-3x. If everything's well.

I then would make an image & or clone & test it.


Btw experience has taught me if you fool with reg fixers too much you'll f up your OS. And you won't know what program or what action of yours caused it. Or how to fix it.

SEAS
July 16th, 2007, 03:48 PM
{QUOTE-> Imo/e stay away from cc.


And don't go crazy w/reg fixers. Is your dll problem fixed?

If so. I'd reboot, use comp at least 10-15 mins. Repeat 2-3x. If everything's well.

I then would make an image & or clone & test it.


Btw experience has taught me if you fool with reg fixers too much you'll f up your OS. And you won't know what program or what action of yours caused it. Or how to fix it. <-QUOTE}

I'll reboot now and see. I BELIEVE the .dll problem is solved!

BRB! ;)

SEAS

SEAS
July 16th, 2007, 04:04 PM
YEP! The .dll is gone.

SEAS

AshG
July 16th, 2007, 04:17 PM
{QUOTE-> Say... how does RegistryBooster compare with Regcure? <-QUOTE}

RegCure is a ParetoLogic branded product. For some reason, I remember ParetoLogic = bad. Something to do with extortionware at some point I believe.

As far as other alternatives go, the best Registry cleaner job I've seen was by AmustSoft Registry Cleaner 3.11 . It's the last version that had a fully functional trial. Google it and give it a go, it has done the most consistently thorough and safe job of cleaning out dead entries of any cleaner I've worked with. It beats CCleaner over the head with a shovel.

zapjb
July 16th, 2007, 04:23 PM
If Op doesn't have a backup solution....

SEAS
July 16th, 2007, 04:53 PM
{QUOTE-> RegCure is a ParetoLogic branded product. For some reason, I remember ParetoLogic = bad. Something to do with extortionware at some point I believe.

As far as other alternatives go, the best Registry cleaner job I've seen was by AmustSoft Registry Cleaner 3.11 . It's the last version that had a fully functional trial. Google it and give it a go, it has done the most consistently thorough and safe job of cleaning out dead entries of any cleaner I've worked with. It beats CCleaner over the head with a shovel. <-QUOTE}

Thanks AshG!

AmustSoft has a 3.5 version out now.

Here's the link.
http://www.amustsoft.com/registrycleaner/download/

Trying it out now :)

SEAS

AshG
July 16th, 2007, 05:05 PM
{QUOTE-> Thanks AshG!

AmustSoft has a 3.5 version out now.
<-QUOTE}

Yes, with a crippled/less functional trial. 3.11 still removes all the baddies with minimal nag.

SEAS
July 16th, 2007, 05:21 PM
{QUOTE-> Yes, with a crippled/less functional trial. 3.11 still removes all the baddies with minimal nag. <-QUOTE}

I tried Amust 3.5 and it got rid of 35 for me for free (and of course gave me a $19.95 offer to get rid of the rest) HA!

Altogether it found less than some of the others (like 635 or so).

RegCure found the most... however, a lot of the RegCure finds were a bunch of "File/Path References" and that didn't seem like the important stuff to me (like I'm some expert right?) HA!

Going to try 3.11 now!

SEAS

SEAS
July 16th, 2007, 05:30 PM
Hmmmm... having problems finding Amust 3.11. Might have to just get the 3.5 (I think there's a special for $19.95)

I'll keep checking!

SEAS

lodore
July 16th, 2007, 05:37 PM
{QUOTE-> Imo/e stay away from cc.


And don't go crazy w/reg fixers. Is your dll problem fixed?

If so. I'd reboot, use comp at least 10-15 mins. Repeat 2-3x. If everything's well.

I then would make an image & or clone & test it.


Btw experience has taught me if you fool with reg fixers too much you'll f up your OS. And you won't know what program or what action of yours caused it. Or how to fix it. <-QUOTE}

I totally agree, zapjb :thumb:
I think the two registry cleaners I used to use weekly are what screwed up this PC.
lodore

HiTech_boy
July 16th, 2007, 05:38 PM
{QUOTE-> if you fool with reg fixers too much you'll f up your OS. And you won't know what program or what action of yours caused it. Or how to fix it. <-QUOTE}

This will end up with OS reinstallation ;D

SEAS
July 16th, 2007, 05:52 PM
{QUOTE-> This will end up with OS reinstallation ;D <-QUOTE}

NOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!! :o

Keep The Faith!!!! ;D


SEAS

SEAS
July 16th, 2007, 05:56 PM
BTW - Here's my VirtumundoBegone report!

[07/16/2007, 17:56:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jamie\Desktop\VirtumundoBeGone.exe" )
[07/16/2007, 17:56:22] - Detected System Information:
[07/16/2007, 17:56:22] - Windows Version: 5.1.2600, Service Pack 1
[07/16/2007, 17:56:22] - Current Username: Jamie (Admin)
[07/16/2007, 17:56:22] - Windows is in NORMAL mode.
[07/16/2007, 17:56:22] - Searching for Browser Helper Objects:
[07/16/2007, 17:56:22] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[07/16/2007, 17:56:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/16/2007, 17:56:22] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/16/2007, 17:56:22] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[07/16/2007, 17:56:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/16/2007, 17:56:22] - No filename found. Continuing.
[07/16/2007, 17:56:22] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/16/2007, 17:56:22] - BHO 6: {FB852192-B30E-C081-2257-9F5B502163B4} ()
[07/16/2007, 17:56:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/16/2007, 17:56:22] - No filename found. Continuing.
[07/16/2007, 17:56:22] - Finished Searching Browser Helper Objects
[07/16/2007, 17:56:22] - Finishing up...
[07/16/2007, 17:56:22] - Nothing found! Exiting...


SEAS

zapjb
July 16th, 2007, 07:29 PM
{QUOTE-> This will end up with OS reinstallation ;D <-QUOTE}
Concur.

SEAS
July 16th, 2007, 07:44 PM
{QUOTE-> Concur. <-QUOTE}
And I thought you were on MY SIDE!!!! >:(

HA!! :D

SEAS 8)

zapjb
July 16th, 2007, 07:54 PM
{QUOTE-> And I thought you were on MY SIDE!!!! >:(

HA!! :D

SEAS 8) <-QUOTE}
Ime is what I'm going by.

You have no stated backup solution. Neither a tested image nor a tested clone.

And you're trying every reg fixer under the sun.

And you're new here.

Btw welcome. ;D

And you'll get help here when the inevitable ime happens.

SEAS
July 17th, 2007, 02:49 AM
{QUOTE-> Ime is what I'm going by.

You have no stated backup solution. Neither a tested image nor a tested clone.

And you're trying every reg fixer under the sun.

And you're new here.

Btw welcome. ;D

And you'll get help here when the inevitable ime happens. <-QUOTE}

Actually.... I've only tried 3 registry fixers... RegistryBooster (your choice), RegCure, and Amust. No actions have been taken, only testing them to see what they did or did not find. Still not decided on which one to purchase! ;D

As far as a backup solution, I have XP Pro and was planning on using my System Restore (if needed).

So far my system is working WAY better! :thumb:

SEAS

P.S. What is "Ime"... In my experience?

Macstorm
July 17th, 2007, 03:08 AM
{QUOTE-> Actually.... I've only tried 3 registry fixers... RegistryBooster (your choice), RegCure, and Amust. No actions have been taken, only testing them to see what they did or did not find. Still not decided on which one to purchase! ;D
<-QUOTE}
In my opinion, RegSupreme is the best registry cleaner available today http://www.macecraft.com/regsupreme/ that you can try free for 30days

{QUOTE-> P.S. What is "Ime"... In my experience? <-QUOTE}
Yep ;D

SEAS
July 17th, 2007, 03:23 AM
{QUOTE-> In my opinion, RegSupreme is the best registry cleaner available today http://www.macecraft.com/regsupreme/ that you can try free for 30days


Yep ;D <-QUOTE}


Thanks Macstorm!

I'll check out RegSupreme as well. :thumb:

BTW - One thing I did try about a month ago (before my system got compromised) was NTREGOPT NT Registry Optimizer. It's freeware as well.

Here's the link!
http://www.larshederer.homepage.t-online.de/erunt/

Has anyone had any experience with this one?

SEAS

SEAS
July 17th, 2007, 03:26 AM
Hey Macstorm!

I see they have a RegSupreme and RegSupreme Pro. Both say "Free to try with no Limitations"

Have you tried the pro?

SEAS 8)

RejZoR
July 17th, 2007, 03:47 AM
Forget these auto cleaners. Download RegSeeker, enter the missing file name and search the registry. Most likely it will find it, and it's on you to delete that.
Just watch out for malware that uses exact system names so you won't cripple it more than the malware itself! Using the program "Autoruns" is also a good choice for cleaning such leftovers.

innerpeace
July 17th, 2007, 03:51 AM
{QUOTE-> BTW - One thing I did try about a month ago (before my system got compromised) was NTREGOPT NT Registry Optimizer. It's freeware as well.

Here's the link!
http://www.larshederer.homepage.t-online.de/erunt/

Has anyone had any experience with this one?

SEAS <-QUOTE}
Yep, I use ERUNT and NTREGOPT. I usually use ERUNT before an install to back up the registry. NTREGOPT is supposed to defrag the registry. It's funny you mentioned it as I just did that less than an hour ago.

I'm not one of the experts here, but I use these programs hoping that if I screw up, or something that I install fails, ERUNT will save my bacon or lessen my burden.

SEAS
July 17th, 2007, 03:55 AM
{QUOTE-> Yep, I use ERUNT and NTREGOPT. I usually use ERUNT before an install to back up the registry. NTREGOPT is supposed to defrag the registry. It's funny you mentioned it as I just did that less than an hour ago.

I'm not one of the experts here, but I use these programs hoping that if I screw up, or something that I install fails, ERUNT will save my bacon or lessen my burden. <-QUOTE}

Thanks for your reply innerpeace (love your user name btw).

I haven't tried ERUNT, but sounds like a good idea for backing up your registry.

What about creating a system restore point using XP? Will this do the same as ERUNT?

SEAS

SEAS
July 17th, 2007, 04:03 AM
I've been reading the FAQ's regarding ERUNT and one thing they said was this:

Question: Should I disable Windows XP’s System Restore function when using ERUNT?

Answer: Yes! Though System Restore backs up more than just the registry, the registry is essentially all you need to revert your system to a previous state. Advantages of ERUNT over System Restore are that each restore folder is standalone and independent of the others, minimizing the risk of restore failures, and that a restore can easily be done from outside Windows. Also, ERUNT backups usually take up less hard drive space than System Restore’s restore points and may be individually deleted at any time.

SEAS

Macstorm
July 17th, 2007, 04:05 AM
{QUOTE-> Hey Macstorm!

I see they have a RegSupreme and RegSupreme Pro. Both say "Free to try with no Limitations"

Have you tried the pro?

SEAS 8) <-QUOTE}
No.
I started 2 years ago with the standalone regsupreme and then jumped to the full set jv16powertools (which includes the reg cleaner and other utilities). I couldn't live without them.
I suggest you to double check the detailed key features of the software available from the maker (main page). I think you'll need only RegSupreme.

Also do as Rejzor said and use 'autoruns' http://www.microsoft.com/technet/sysinternals/SystemInformation/Autoruns.mspx to get rid of such unneeded invalid startup entries.

innerpeace
July 17th, 2007, 04:10 AM
No, ERUNT covers more ground. Their site and/or manual give a good description of why it's supposed to be better/different. http://www.larshederer.homepage.t-online.de/erunt/erunt.txt This manual is detailed and I have a copy sitting next to me in case crap hits the fan.

I do usually do a system restore and use ERUNT before a new install. I mainly do this because I don't have a working back-up system yet. I just consider ERUNT as another layer of system protection similar to the layers of protection in my security setup. Geez, I'm starting to double up on everything ::) , I need a vacation from Wilders :P .

Edit: I see you looked into ERUNT. Disregard my link.

zapjb
July 17th, 2007, 08:29 AM
{QUOTE-> Actually.... I've only tried 3 registry fixers... RegistryBooster (your choice), RegCure, and Amust. No actions have been taken, only testing them to see what they did or did not find. Still not decided on which one to purchase! ;D

As far as a backup solution, I have XP Pro and was planning on using my System Restore (if needed).

So far my system is working WAY better! :thumb:

SEAS

P.S. What is "Ime"... In my experience? <-QUOTE}
Ok. Full disclosure would've helped.

"No actions have been taken" Ok, that takes the wind out of a lot I've said. How did you solve the dll problem?

And you're correct about ime.

I don't believe you'll find many here who consider system restore a comprehensive backup solution. Tested images & tested clones are comprehensive backup solutions.

Good luck & stick around. It's friendly & informative here.

HiTech_boy
July 18th, 2007, 09:29 AM
No offence to anybody, but this thread was started because of a Vundo/Virtumonde infection and a stubborn DLL, but it turned into how to clean up the Windows Registry and support back-up solutions, with tons of suggestions on how to clean the registry when the computer is/was infected, which is a very unprofessional way of attempting to clean an infected machine. Such a load of registry cleaners/extreme game with back-up software will only lead the OP to Windows reinstallation, I am sure. :wacko:

SEAS
July 18th, 2007, 10:07 AM
{QUOTE-> Ok. Full disclosure would've helped.

"No actions have been taken" Ok, that takes the wind out of a lot I've said. How did you solve the dll problem?

And you're correct about ime.

I don't believe you'll find many here who consider system restore a comprehensive backup solution. Tested images & tested clones are comprehensive backup solutions.

Good luck & stick around. It's friendly & informative here. <-QUOTE}

Thanks zapjb for your reply! ;) I tried to reply back yesterday morning but I got a popup that said I used up all my post for one day! ::)

Yes! I really like this forum and people like you have been very helpful! :thumb:

As far as the dll problem, after I ran SUPERAntiSpyware it was gone.

I also ran ERUNT then RegSupreme Pro and everything is 100% and doing fine! ;D

Thanks everyone for all your help! :)

SEAS 8)

Pareto Rep
July 18th, 2007, 02:17 PM
Hello

I note that some comments were made about Paretologic, and I welcome the opportunity to explain.

It is true that in 2002, ParetoLogic was included in Spyware Warrior's Rogue Applications list. As a new company that engaged affiliates as its main channel of sales at the time, ParetoLogic had not yet formulated policies and guidelines for appropriate affiliate marketing of its products. Though most of the ParetoLogic affiliates conducted themselves in an appropriate manner, there were some that used marketing and/or advertising tactics that were not well accepted by the Internet community. This situation was remedied in 2003 at which time ParetoLogic was removed from Spyware Warrior’s list.

Since that time,

• Established in 2004, ParetoLogic is a member in good standing with the Better Business Bureau
• ParetoLogic and its CEO have been the recipient of several awards including Entrepreneur of the Year, Emerging Technology Company of the Year, and Innovative Excellence
• ParetoLogic currently has seven products on the market, several of which have received public acclaim and awards
• ParetoLogic products are available in eight languages in seventy countries around the world
• ParetoLogic offers a 60 day money back guarantee on all of its products
• ParetoLogic has a dedicated Customer Support Team. Their genuine desire to help people out often results in them helping customers with general computer use and maintenance issues and has garnered ParetoLogic a large number of loyal customers.

If you require assistance with any Paretologic Product, please send an email to helpdesk@paretologic.com.

Kindest Regards
Laura
Paretologic Liaison

luciddream
July 18th, 2007, 06:57 PM
{QUOTE-> If you never turn the power off on your computer, ANY data stored in "volatile" memory [memory which holds data only while power is flowing to the motherboard, where physical memory resides] [such as malware and viruses] will remain there.

So, once viruses and other malware are removed by programs such as NOD32, you MUST TURN THE MACHINE OFF to get them completely "killed." This will remove any residual malware code still stored in volatile memory.
<-QUOTE}

Was just about to post virtually the same thing. This is a simple remedy that eludes many people. After you have removed the malware, do NOT reboot your computer. Don't even shut it down, turn it off by the button. Even unplug the power cord for 1 min. so there's no power going into the computer at all. This will remove the nasties from your memory.

Of course this measure is only needed if you've got something nasty, and the Vundo variants are known to be extremely shiesty.

ccsito
July 18th, 2007, 08:31 PM
There are many variants of Vundo/Virtumonde adware that get injected to the Windows32 system folder. There are many AV and AS programs that say that they can remove the adware stuff. I used VUNDOFIX from atribune.org which was one of the earliest programs that target that type of infestation. But there are variants where the utility will not work. Personally, I would generate a Hijackthis log and post the information on a tech support site for assistance. If you have a rootkit variant of this spyware, then you probably need to use other spyware cleaning utilities.

For the most part, Vundo is an ad spam program. It changes its name within the Operating System files every time you boot up so that detecting it is harder. The older variants used a flaw in the Java software to infect PCs, but the newer ones may have mutated to other ways to infect PCs.