Minhiscus Posted October 26, 2005

My antivirus program, Nod32, is detecting an infected file, but I am not able to delete it. The name of the file is called pmnkl.dll, located in the C:\windows\system32 folder. When I try to delete it, it says that the file is in use by another program, so I am unable to delete it. I tried restarting in safe mode, but I still can't delete the file, with the same error message. I tried using Hijack this and Killbox to delete the file also at startup, but they don't work as well. Does anybody know how to solve my problem? Thank you very much.

lorne Posted October 26, 2005

Look in task manager for a process that shouldn't be there or is named similar to that and kill it, then delete it. You will probably also have to clean whatever entries it made in the registry.

Minhiscus Posted October 26, 2005

How do I do that? I tried ending all of the processes that I could, including explorer.exe, and tried to delete the file with command prompt, but I still couldn't.

resopalrabotnick Posted October 26, 2005

the problem is that even deleting the file will not necessarily solve the problem, as the memory resident part of the malware will likely just recreate it, sometimes even with a different name/location. some av's can detect but cannot remove certain infections. best bet in this case is to either look at the av's diagnosis and id of the little critter and see if there is a removal program for exactly that critter available, or use a different av to see if that will get it.

psy Posted November 15, 2005

Sadly enough...I didn't discover the infection with an antivirus (housecall.antivirus.com, bitdefender.com, and avg failed to identify it.), however, it's being loaded as a Browser Helper Object (according to BHO Demon). BHOD 'disables' the BHO, but oddly enough, it's active again at reboot. According to WhoLockMe.exe, it's been called into action by winlogon.exe (check your running processes). I cannot end winlogon as it is a 'critical' component of windows, and therefore I cannot delete pmnkl.dll (or rename or move) from within windows. It is also locked in safe mode. I tried booting to a live Knoppix CD to rename the file, but it calls it a 'read only file system' even though its permissions are set to -rw-rw-rw. Anyone have any ideas beyond what I've tried? My next step may be to boot to my XP cd and reinstall windows on top of itself. I don't really want to do all that.

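
The post above describes a BHO that comes back at reboot and a DLL held open by winlogon.exe. The following is an added example, not code from the thread or from any tool named in it: a read-only PowerShell listing of the DLLs registered at those two load points. It assumes PowerShell is available on the affected machine and that winlogon.exe loads the DLL through the Winlogon `Notify` registry key, which the post does not state.

```powershell
# Added example: read-only listing of DLLs registered as Browser Helper Objects
# and as Winlogon notification packages. Nothing is modified or deleted.
$bhoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$clsidRoot  = 'HKLM:\SOFTWARE\Classes\CLSID'
# Assumption: the Notify key is how winlogon.exe is made to load the DLL.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-DllPath([string]$Dll) {
    # Expand %vars% and strip quotes; bare file names are resolved under System32.
    if (-not $Dll) { return $null }
    $Dll = [Environment]::ExpandEnvironmentVariables($Dll.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($Dll)) { $Dll = Join-Path $env:SystemRoot "System32\$Dll" }
    $Dll
}

function Get-LoadPointEntry {
    # BHO subkeys are named by CLSID; the DLL is that CLSID's InprocServer32 default value.
    Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-Item -LiteralPath "$clsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $inproc = if ($server) { $server.GetValue('') }
        New-Object PSObject -Property @{ LoadPoint = 'BHO'; Name = $clsid; Dll = (Resolve-DllPath $inproc) }
    }
    # Each Notify subkey names its DLL in the DllName value.
    Get-ChildItem -LiteralPath $notifyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            LoadPoint = 'WinlogonNotify'; Name = $_.PSChildName
            Dll = (Resolve-DllPath ($_.GetValue('DllName')))
        }
    }
}

# Attach file facts that help tell a vendor DLL from a dropped one.
# A NotSigned status alone proves nothing: catalog-signed system files can show it too.
Get-LoadPointEntry | ForEach-Object {
    $file = if ($_.Dll -and (Test-Path -LiteralPath $_.Dll)) { Get-Item -LiteralPath $_.Dll -Force }
    $_ | Select-Object LoadPoint, Name, Dll,
        @{ n = 'Exists';    e = { [bool]$file } },
        @{ n = 'Company';   e = { if ($file) { $file.VersionInfo.CompanyName } } },
        @{ n = 'Created';   e = { if ($file) { $file.CreationTime } } },
        @{ n = 'Signature'; e = { if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } } }
}
```

An entry that appears under both load points, or whose DLL has no company name and a recent creation time, is the one to compare against the scanner's detection name.
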
psy Posted November 15, 2005

So far, most of my searching didn't turn up anything for my case, but it seems this is caused by Vundo...a pretty bad Trojan with a lot of variants...however, there are a few programs to try: webroots spyware sweeper (has found vundo but is still scanning so...?), http://www.atribune.org/downloads/VundoFix.exe for VundoFix.exe which supposedly finds a lot of variants, and http://securityresponse.symantec.com/avcenter/FixVundo.exe for FixVundo from symantec...which didn't work for me, although it claimed to. It seems a key feature of this malware is to cause a popup every few clicks, especially to WinFixer or an IP address with an 'errors found click to scan' type of page being displayed.

*note* spysweeper just finished scanning...it found a few things I knew about (keyloggers I was trying out), a couple I didn't, and it identified pmnkl.dll as an adware file.

psy Posted November 15, 2005

Spysweeper did it! As far as I can tell, pmnkl.dll and all of its evil is gone. I'm usually ranting on about freeware anti spy/mal/adware software, but wow...I may actually buy this program.

raptors892004 Posted November 16, 2005

> Spysweeper did it! As far as I can tell, pmnkl.dll and all of its evil is gone. I'm usually ranting on about freeware anti spy/mal/adware software, but wow...I may actually buy this program.

Yea.. Spysweeper is good.. And it's got the realtime spyware protection feature which is really useful as well