windows explorer uploading&downloading

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Knez, Jun 14, 2007.

  1. Knez

    Knez Private E-2

    Recently I've noticed that my computer uploads & downloads even when I'm not using the internet. When I use Task Manager to kill explorer it stops, only to continue some time after starting it up again.

    I have followed your "read&run me first" tutorial. After I did a scan with CounterSpy I checked out "my pc explorers" and under "internet applications" found that explorer has a remote connection with an IP that leads to some porn site. I immediately blocked explorer's internet access with ZoneAlarm.

    I would be grateful if someone could tell me how to get rid of this threat. Here's my HijackThis log:
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    First run this Virtumonde aka Trojan Vundo Removal and do not attach the requested log right away. Run it multiple times until it comes up clean and then attach the final log later after doing all of the below.
    Now please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • VundoFix
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis - make sure it is a new log obtained after completing all steps in the READ ME
    NOTE: You can only attach 3 files in a single message so it will require that you use three messages to attach all of these logs!
     
  3. Knez

    Knez Private E-2

    Ok, I've done almost everything.
    SpyBot and CounterSpy found nothing (except for BearShare and BSPlayer, which I ignored).
    I couldn't start Bitdefender because it asked me to install some ActiveX component, and my attempts at installing it kept giving me an "instruction ...... memory could not be read" error.
    I was able to start Panda Scan; however, 7 hours after starting it I had an Internet Explorer error that caused it to close while still halfway through. Right after that Kaspersky started notifying me about some zgifkexl.dll that has trojan.win32.defl.zj and could not be deleted. I repeated Panda Scan and the second time it just stopped after some 30 min (and it showed that it had already found 3 spywares), so I started it a third time and when it found them again I stopped it and saved the log.
    In the meantime CounterSpy asked me to allow these two programs to start:
    eonkdcr.exe
    umeuw.exe
    but since I didn't know what they were I clicked "quarantine", but when I checked there was nothing there?

    Here are the logs:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bad idea. You need to remove both of these. BearShare has long been known to be a bundler of malware and BSPlayer is an adware bundler. You should uninstall both of these and then re-run the CounterSpy scan and have it quarantine anything that it finds. Also please always attach the requested logs whether you think things are problems or not.


    Continue by downloading a tool we will need

    - Process Explorer


    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ppmbppm.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ppmbppm.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ppmbppm.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1ECCD424-5A44-4DBD-80C2-75720BC72591} - c:\windows\system32\ppmbppm.dll
    O2 - BHO: (no name) - {97F74268-45CE-4D2C-A320-2B33B0283AB3} - c:\windows\system32\isligkna.dll
    O20 - Winlogon Notify: shavnhxe - C:\WINDOWS\SYSTEM32\ppmbppm.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  5. Knez

    Knez Private E-2

    I uninstalled BearShare; however, the BSPlayer I've got is an older version that came with the K-Lite codec pack and should be from when BSPlayer was free without adware, so I left it.

    Ok, I killed all the ppmbppm.dll's (about 9 of them).
    Did the HijackThis procedure; however, when I clicked scan again only one entry (isligkna.dll) was removed.
    After that I did the regedit thing and then started Avenger. After rebooting there was an error "there is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR6" so I did the Avenger thing again but forgot to kill the ppmbppm's again, so I repeated the whole procedure. The error happened all three times and I've put all three logs here.

    After all that I checked out Process Explorer and all of the ppmbppm's are still there! And while typing this Kaspersky warned me of zgifkexl.dll again.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was afraid that this was going to happen. You have a newer type infection that has been seen only two other times and it is extremely difficult to remove. The only known way thus far to remove it (that is the only way without formatting) is to boot to the Recovery Console and use the command prompt.

    Do you have your bootable copy of Windows XP SP2? If not, we will not be able to fix this.


    You have now even picked up another bad driver (another .sys file). Here are the remaining bad files:
    Code:
    C:\WINDOWS\system32\
    ppmbppm.dll   Jun 16 2007       75776  "ppmbppm.dll"
    ppmbpp~1.bak  Jun 12 2007       75776  "ppmbppm.dll.bak"
     
    C:\WINDOWS\system32\drivers\
    himgdhhb.sys  Jun 13 2007       12416  "himgdhhb.sys"
    yakudbrq.sys  Jun 18 2007       60416  "yakudbrq.sys"
      
    I also suggest that you uninstall CounterSpy now since it is only a trial and it could complicate the removal process.
     
  7. Knez

    Knez Private E-2

    Lucky me :)

    well then.....
    Bootable XP SP2 ....................................... check
    Will to fight ................................................ check
    Command prompt experience (had a 386)...... check

    Status: waiting for further instructions

    p.s. uninstalled CounterSpy
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good; it will make it easier for you to be able to follow the below instructions.
    Code:
    C:\WINDOWS\system32\
    ppmbppm.dll   Jun 16 2007       75776  "ppmbppm.dll"
    ppmbpp~1.bak  Jun 12 2007       75776  "ppmbppm.dll.bak"
     
    C:\WINDOWS\system32\drivers\
    himgdhhb.sys  Jun 13 2007       12416  "himgdhhb.sys"
    yakudbrq.sys  Jun 18 2007       60416  "yakudbrq.sys"
    
    Now read thru the below to familiarize yourself with it and print it so you can refer to it while offline, since you will not be able to browse once starting the below.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that, otherwise it will bypass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R It is normally the middle item in the list. Press R
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    Now from this command prompt window, here are some things I want you to do. Enter the below commands (the commands are in bold black) in the order given. I will add comments in purple.

    cd system32\drivers <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>

    del himgdhhb.sys
    del yakudbrq.sys

    If you get any error messages while running the del command, which should delete those two files, then run the below two commands which will attempt to rename the files.


    ren himgdhhb.sys
    ren yakudbrq.sys


    If the del and the ren do not work just type exit to leave the Recovery Console and boot into Windows and just come back here and tell me exactly what happened. Do not do any of the below!

    If the above worked then continue with the below.


    cd C:\WINDOWS\system32
    del ppmbppm.dll
    del ppmbppm.dll.bak

    exit <--- this will exit the Recovery Console and boot to Windows

    After booting into Windows, run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1ECCD424-5A44-4DBD-80C2-75720BC72591} - c:\windows\system32\ppmbppm.dll
    O20 - Winlogon Notify: shavnhxe - C:\WINDOWS\SYSTEM32\ppmbppm.dll

    Now exit HJT


    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT
     
  9. Knez

    Knez Private E-2

    OK, it seems that it worked!:)

    I have managed to remove all four files and after regularly booting I did the HijackThis scan and removed the following entries:
    O2 - BHO: (no name) - {1ECCD424-5A44-4DBD-80C2-75720BC72591} - c:\windows\system32\ppmbppm.dll (file missing)
    O2 - BHO: (no name) - {97F74268-45CE-4D2C-A320-2B33B0283AB3} - c:\windows\system32\isligkna.dll
    ( isligkna was removed last time but it was here again? )
    O20 - Winlogon Notify: shavnhxe - ppmbppm.dll (file missing)

    Repeated scan showed that none of them remained!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well not really true. See the HJT log you posted. It shows the below:


    O2 - BHO: (no name) - {1ECCD424-5A44-4DBD-80C2-75720BC72591} - c:\windows\system32\ppmbppm.dll (file missing)
    O2 - BHO: (no name) - {97F74268-45CE-4D2C-A320-2B33B0283AB3} - c:\windows\system32\isligkna.dll
    O20 - Winlogon Notify: shavnhxe - ppmbppm.dll (file missing)

    Unless you attached a log that was run before you fixed those, you need to Fix all of those lines after closing all browser windows. Then reboot into safe mode and delete any of the below (if found). You need to look for the below files even if the above items are not found in your HJT log.

    C:\WINDOWS\system32\efmitwph.dll
    C:\WINDOWS\system32\gijwciel.dll
    c:\windows\system32\isligkna.dll

    Then reboot into normal mode and attach new logs from ShowNew and HJT.
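The back-and-forth in posts 9 and 10 turns on reading HijackThis O2 (BHO) and O20 (Winlogon Notify) lines correctly: a "(file missing)" entry is still a live registry persistence point and must be Fixed, and the same DLL (ppmbppm.dll) is referenced from two different load points. The following is an added example, not code from the thread or from MajorGeeks, that parses those two line formats and triages them. The sample log lines are the entries quoted in this thread plus one constructed O4 placeholder line; the known-bad file names are the ones chaslang listed; the triage reasons (nameless BHO, file missing, known-bad name, same file loaded from more than one persistence point) are this example's own assumptions about what a reviewer would flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log. The O2/O20 lines are the ones quoted in this thread;
# the O4 line is a placeholder showing that other sections are left alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1ECCD424-5A44-4DBD-80C2-75720BC72591} - c:\windows\system32\ppmbppm.dll (file missing)
O2 - BHO: (no name) - {97F74268-45CE-4D2C-A320-2B33B0283AB3} - c:\windows\system32\isligkna.dll
O20 - Winlogon Notify: shavnhxe - ppmbppm.dll (file missing)
O4 - HKLM\..\Run: [example] C:\example\example.exe
"""

# File names chaslang told the poster to remove (taken from the thread).
KNOWN_BAD_FILES: Set[str] = {
    "ppmbppm.dll", "isligkna.dll", "efmitwph.dll", "gijwciel.dll", "gkxednrf.dll",
}

# O2 - BHO: <label> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <subkey> - <path>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<label>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    section: str            # "O2" or "O20"
    label: str              # BHO display name, or Winlogon Notify subkey name
    clsid: Optional[str]    # BHO CLSID; None for O20 entries
    path: str               # path or bare file name as HijackThis printed it
    file_missing: bool      # HijackThis could not find the file on disk

    @property
    def filename(self) -> str:
        # Normalise to a lower-case base name so "c:\windows\system32\X.dll"
        # and a bare "X.dll" compare equal.
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_hjt(text: str) -> List[Entry]:
    """Extract O2 and O20 entries; every other HijackThis section is skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(
                    section=section,
                    label=m.group("label"),
                    clsid=m.groupdict().get("clsid"),
                    path=m.group("path"),
                    file_missing=m.group("missing") is not None,
                ))
                break
    return entries


def triage(entries: List[Entry], known_bad: Iterable[str]) -> List[Finding]:
    """Flag entries a reviewer would tell the poster to Fix, with the reasons why."""
    bad = {name.lower() for name in known_bad}
    sections_by_file: Dict[str, Set[str]] = {}
    for e in entries:
        sections_by_file.setdefault(e.filename, set()).add(e.section)

    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if e.section == "O2" and e.label == "(no name)":
            reasons.append("nameless_bho")
        if e.file_missing:
            # The file is gone but the registry entry survives: still Fix it.
            reasons.append("file_missing")
        if e.filename in bad:
            reasons.append("known_bad_file")
        if len(sections_by_file[e.filename]) > 1:
            # Same DLL hooked from a BHO and from Winlogon Notify.
            reasons.append("multiple_persistence_points")
        if reasons:
            findings.append(Finding(entry=e, reasons=reasons))
    return findings


def report(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.entry.section}] {f.entry.path}: {', '.join(f.reasons)}" for f in findings)


if __name__ == "__main__":
    print(report(triage(parse_hjt(SAMPLE_LOG), KNOWN_BAD_FILES)))
```

Running it against the sample prints three findings; the O4 placeholder line is ignored. An entry with a real display name, a file that exists and a name not on the list produces no finding, which is the point of keeping the reasons explicit rather than flagging every BHO.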
     
  11. Knez

    Knez Private E-2

    Yeah, sorry about that :eek: I was too happy that I forgot to take the new log. Like I said, the repeated scan showed that none of them remained, and here's the new log:

    Sorry, and many thanks for your help!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the new ShowNew log!
     
  13. Knez

    Knez Private E-2

    Here are both:
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not delete the files I asked you to delete. And now another appeared. You must delete the below files:
    Code:
    C:\WINDOWS\system32\
    efmitwph.dll  Jun 18 2007      750592  "efmitwph.dll"
    gijwciel.dll  Jun 18 2007       92672  "gijwciel.dll"
    gkxednrf.dll  Jun 18 2007      140288  "gkxednrf.dll"
     
