
psy


  1. Spysweeper did it! As far as I can tell, pmnkl.dll and all of its evil is gone. I'm usually ranting on about freeware anti spy/mal/adware software, but wow...I may actually buy this program.
  2. So far, most of my searching didn't turn up anything for my case, but it seems this is caused by Vundo...a pretty bad Trojan with a lot of variants...however, there are a few programs to try: webroots spyware sweeper (has found vundo but is still scanning so...?), http://www.atribune.org/downloads/VundoFix.exe for VundoFix.exe which supposedly finds a lot of variants, and http://securityresponse.symantec.com/avcenter/FixVundo.exe for FixVundo from Symantec...which didn't work for me, although it claimed to. It seems a key feature of this malware is to cause a popup every few clicks, especially to WinFixer or an IP address with an 'errors found click to scan' type of page being displayed. *note* spysweeper just finished scanning...it found a few things I knew about (keyloggers I was trying out), a couple I didn't, and it identified pmnkl.dll as an adware file.
  3. Sadly enough...I didn't discover the infection with an antivirus (housecall.antivirus.com, bitdefender.com, and AVG failed to identify it); however, it's being loaded as a Browser Helper Object (according to BHO Demon). BHOD 'disables' the BHO, but oddly enough, it's active again at reboot. According to WhoLockMe.exe, it's been called into action by winlogon.exe (check your running processes). I cannot end winlogon as it is a 'critical' component of Windows, and therefore I cannot delete pmnkl.dll (or rename or move) from within Windows. It is also locked in safe mode. I tried booting to a live Knoppix CD to rename the file, but it calls it a 'read only file system' even though its permissions are set to -rw-rw-rw. Anyone have any ideas beyond what I've tried? My next step may be to boot to my XP CD and reinstall Windows on top of itself. I don't really want to do all that.