HELP: winantiviruspro, et.al.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Infected, Mar 31, 2007.

  1. Infected

    Infected Private E-2

    Background: Computer has become slow, abundantly infected, and practically unusable. Winantiviruspro keeps reappearing after I get rid of it with spyware software, and I have had countless other meanies floating around.

    I can only HOPE AND PRAY that I followed everything in the "read me first" thread properly... because LORD ALMIGHTY, is that EVER a long and complicated process for an average joe like me. ESPECIALLY when using a bogged down computer. It has literally taken me over 6 hours to get this far, after battling constant Blue Screens, and I am at my WITS END. Please do not take my frustrations personally. Here is my progress:

    spybot: ran fine
    ccleaner: ran fine
    avg anti virus scan: ran fine (but where is the log?)
    counterspy: constant error messages on install: can't use
    panda online: install fails repeatedly at the 46 second mark: can't use
    bitdefender: scans approx 8900 items and stops repeatedly: can't use
    getrunkey/shownew/hjt: followed instructions as stated in respective threads. logs attached at bottom.

    Computer now seems to be running more smoothly (although booting now takes FOREVER... is this because I switched it to Normal Startup???)

    Please advise if there is anything else I need to do to finish off my computer cleaning.

    Much Obliged. -Infected
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the READ & RUN ME is long, but after we get finished you will have a clean and better performing PC. ;)


    Are any of the below programs paid versions, or are they all free trials?
    AVG Anti-Spyware 7.5
    Spy Sweeper
    SUPERAntiSpyware
    ZeroSpyware Lite


    You are using a lot of old outdated software and did not follow some directions in the READ ME.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 4 <-- in step 6 of the READ ME you should have uninstalled this and installed the new version
    KaZaA Lite v2.1.0 [K++ Edition] <-- should have been uninstalled in step 0 of the READ ME
    Mozilla Firefox (1.0.4)
    Spybot - Search & Destroy 1.2 <-- this version has not been in use for over 3 years. You did not download from the READ ME.
    SpyHunter
    SpywareBlaster v3.4
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Now download and install the below proper versions of the tools you had:
    • SpyBot-Search & Destroy
      • be sure to follow the directions in the READ ME for configuring
    • SpyWare Blaster
      • Install it, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites.
    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ihsadvma.dll once and then click the kill button. After you have killed all of the ihsadvma.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ihsadvma.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of ihsadvma.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\peswnpab.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\tmp1FA.tmp.dll (file missing)
    O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
    O4 - HKLM\..\Run: [peswnpab] C:\WINDOWS\System32\peswnpab.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [peswnpab] C:\WINDOWS\System32\peswnpab.exe
    O15 - Trusted Zone: http://www.myspace.com
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl30bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
    O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{206D8E23-0952-1033-1022-020816020001}\Update.exe
    C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe
    C:\WINDOWS\SYSTEM32\CMMGR32.EXE
    C:\WINDOWS\SYSTEM32\geeba.exe
    C:\WINDOWS\SYSTEM32\gpcaaaaa.exe
    C:\WINDOWS\SYSTEM32\peswnpab.exe
    C:\WINDOWS\SYSTEM32\pevaaaaa.exe
    C:\WINDOWS\SYSTEM32\piidaaaa.exe
    C:\WINDOWS\SYSTEM32\pipjtaaa.exe
    C:\WINDOWS\SYSTEM32\shqaaaaa.exe
    C:\WINDOWS\SYSTEM32\svchtoost.exe
    C:\WINDOWS\SYSTEM32\ddayxwu.dll
    C:\WINDOWS\SYSTEM32\hcrjmtaz.dll
    C:\WINDOWS\SYSTEM32\mmbammb.dll
    C:\WINDOWS\SYSTEM32\plvwrthx.dll
    C:\WINDOWS\SYSTEM32\WS2_32.DLL
    C:\WINDOWS\SYSTEM32\wsys.dll
    C:\WINDOWS\SYSTEM32\main.sys
    C:\WINDOWS\SYSTEM32\hcrjmtaz.dll.bak
    C:\WINDOWS\SYSTEM32\mmbammb.dll.bak
    C:\WINDOWS\SYSTEM32\plvwrthx.dll.bak
    C:\WINDOWS\SYSTEM32\DRIVERS\TIMMHFHZ.SYS
    C:\WINDOWS\ORUN32.EXE
    C:\WINDOWS\khefeb.dll
    C:\WINDOWS\nnmlij.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\{206D8E23-0952-1033-1022-020816020001}
    C:\Program Files\Common Files\WinAntiVirus Pro 2006

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Mar 31, 2007
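    The HijackThis lines chaslang asks for in the fix above follow a fixed pattern (a section code such as O2, O4, O16 or O20, then a section-specific body), and reading them mechanically makes the cross-references that drive the fix obvious: the same mmbammb.dll is registered both as an O2 BHO and as an O20 Winlogon Notify package, and the same peswnpab.exe is in the Run key under both HKLM and HKCU. The Python below is an added example, not code from the thread or from HijackThis itself; the sample log is constructed from the lines quoted above, and the helper names (parse_log, cross_references, dangling, winlogon_notify) are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the HJT lines quoted in the thread. It is not the
# poster's real log; the paths and CLSIDs are only there to exercise the parser.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\tmp1FA.tmp.dll (file missing)
O4 - HKLM\..\Run: [peswnpab] C:\WINDOWS\System32\peswnpab.exe
O4 - HKCU\..\Run: [peswnpab] C:\WINDOWS\System32\peswnpab.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll
"""


@dataclass
class Entry:
    section: str            # HJT section code: "R1", "O2", "O4", "O16", "O20", ...
    raw: str                # the original line, kept for reporting
    name: Optional[str]     # BHO name, hive\key\value for O4, DPF description, Notify subkey
    clsid: Optional[str]    # CLSID for O2/O16 entries
    target: Optional[str]   # file path, command line or download URL
    file_missing: bool      # HJT's "(file missing)" marker: a registration with no file behind it


LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    name = clsid = target = None
    if section == "O2" and body.startswith("BHO: "):
        # "BHO: <name> - {CLSID} - <dll path>"
        parts = body[5:].split(" - ")
        name = parts[0]
        clsid = parts[1] if len(parts) > 1 else None
        target = parts[2] if len(parts) > 2 else None
    elif section == "O4":
        m4 = RUN_RE.match(body)
        if m4:
            hive, key, value, target = m4.groups()
            name = f"{hive}\\{key}\\{value}"
        else:
            target = body
    elif section == "O16" and body.startswith("DPF: "):
        # "DPF: {CLSID} (<description>) - <download url>"
        rest = body[5:]
        c = CLSID_RE.match(rest)
        if c:
            clsid = c.group(0)
            rest = rest[c.end():].strip()
        name, sep, target = rest.rpartition(" - ")
        if not sep:                       # no URL part, like the truncated O16 line in the thread
            name, target = rest, ""
        name = name.strip("() ") or None
        target = target.strip() or None
    elif section == "O20" and body.startswith("Winlogon Notify: "):
        # "Winlogon Notify: <Notify subkey> - <dll path>"; the DLL is loaded into winlogon.exe
        name, _, target = body[len("Winlogon Notify: "):].partition(" - ")
        target = target or None
    else:
        target = body
    return Entry(section, line, name, clsid, target, missing)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def _norm(target: str) -> str:
    return target.strip().strip('"').lower()


def cross_references(entries: List[Entry]) -> Dict[str, List[str]]:
    """Targets referenced by more than one entry, mapped to the referencing sections.
    A DLL that is both a BHO (O2) and a Winlogon Notify package (O20), or a Run value
    present under both HKLM and HKCU, shows up here."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.target:
            by_target[_norm(e.target)].append(e.section)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}


def dangling(entries: List[Entry]) -> List[Entry]:
    """Registrations whose file is gone; harmless by themselves but worth removing."""
    return [e for e in entries if e.file_missing]


def winlogon_notify(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.section == "O20"]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for target, sections in cross_references(ents).items():
        print(f"{target} referenced from {sections}")
    for e in dangling(ents):
        print(f"dangling: {e.raw}")
```

    The O20 entries matter more than the others: a Winlogon Notify DLL is loaded into winlogon.exe, which runs as SYSTEM and stays up for the whole session, which is why the fix kills the DLL's threads in winlogon.exe with Process Explorer before the file can be deleted, and why a file that is also a BHO comes straight back if only the browser side is cleaned.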
  3. Infected

    Infected Private E-2

    Chas, sorry for the slow response time, but have now returned (frustration-free) and have completed stage 2 of your much appreciated assistance. Requested logs attached below.

    FYI: all the antivirus/spyware programs you listed were free trials. I have gotten rid of all except AVG. Which AV would you recommend I use full-time?

    Thank you kindly. -Infected
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs! I still see SuperAntiSpyware installed and running.


    Everything we recommend is in the below link:

    How to Protect yourself from malware!


    We have a little more work to do. I'll post another fix later. Have to go out for a bit.
     
  5. Infected

    Infected Private E-2


    Interesting... I downloaded and used it only once, on the advice of a friend who claimed it helped him get rid of "winantiviruspro".

    That was a few weeks back... before I turned to this forum for assistance. Definitely never paid a dime for it, and didn't think I still had it. What's more, when I did my first of two HJT logs last step, the HKCU line for superantispyware wasn't there... I suppose I could have missed it, but I don't think so.

    I'll be here! ;)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You missed it! Your ShowNew log reveals the below:

    "DisplayName"="SUPERAntiSpyware Free Edition"

    Which means it is still installed.

    You last HJT log shows the below which also means still installed:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    Also the below folders still show:
    C:\Documents and Settings\EditedUser\Application Data\SUPERAntiSpyware.com
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    C:\Program Files\SUPERAntiSpyware

    If it does not appear in Add/Remove programs it means the uninstall did not work properly.

    Let's continue with your malware fixes.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.


    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM32\geeba.exe
    C:\WINDOWS\SYSTEM32\bmkudsqk.dll
    C:\WINDOWS\SYSTEM32\mmbammb.dll
    C:\WINDOWS\SYSTEM32\WS2_32.DLL
    C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys

    C:\WINDOWS\SYSTEM32\DRIVERS\timmhfhz.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Nov 30, 2009
  7. Infected

    Infected Private E-2

    Here ya go kind sir. All requested operations done. Now, I see "zerospyware lite", AND "net guard lite" running (zero i uninstalled, net guard I have no clue about) AND still see occurrences of the mmbammb.dll file. I'm going to hope that this falls under "a little knowledge is a dangerous thing", and let you make a judgment call on this one. ;)

    One other note... just a symptom I thought I'd report so you have a full picture. Now, whenever I let my computer sit idle for any length of time (say, I leave to eat dinner for 45 minutes), when I come back, my internet connection seems to be severed. IE gives me that "page cannot be displayed" message for any site I try to connect to. Closing and restarting my browser does not help... only a reboot restores the connection.

    -Infected
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you used Process Explorer as instructed to kill each instance of mmbammb.dll in winlogon.exe, explorer.exe, and iexplore.exe? Did you find instances of it?
     
  9. Infected

    Infected Private E-2

    Yes, I believe I killed approximately 12 instances of mmbammb.dll: 4 in winlogon, 4 in explorer, and 4 in iexplore. Would you like me to repeat that procedure?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet! All of what I had you fix (even the files) came back. I believe you are one of the unlucky 5 or so people here right now with a fairly new type of infection which is difficult to fix since there is no real good info yet on exactly where it spreads from. I myself have been suspecting an infection in valid system files like winlogon.exe and ndis.sys because I keep seeing new file dates on these files in the ShowNew logs. This seems to be one common factor.

    Let's get some new scans.

    First please download FindAWF by noahdfear and save it to your desktop:

    Please double-click FindAWF.exe to run it.
    If a security alert shows, allow the program to run.
    When the tool has completed, a report will open in Notepad.
    Please post the results of the awf.txt in your next reply.


    Then download the attached Finder.zip file and extract the contents to the same folder where you put GetRunKey or ShowNew. Then first run FindWL.bat which will produce a log named findWD.txt in the folder where you put FindWL.bat. Attach the findWD.txt log.

    Now run the FindND.bat file which will produce a findND.txt log and also attach it.
     

    Attached Files:

    Last edited: Apr 6, 2007
  11. Infected

    Infected Private E-2

    Done and done.

    Dumb question: Is McAfee still running on my system as well? That's what started this whole series of events. I was using McAfee as my AV program (came with my AOL membership) when some bug crashed it. Wasn't able to reinstall OR un-install it fully. I've been scrambling ever since.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your copy of McAfee is infected along with some other tools. Your AOL software may even be infected. Do you need AOL to get online?

    Let's start fixing this.

    First goto Add/Remove programs and uninstall anything for McAfee and SuperAntiSpyware. They may not even show. Tell me if you do not see them.

    See if you can delete the below folders:
    C:\Program Files\SUPERAntiSpyware
    C:\Program Files\McAfee.com
    C:\MCAF7A4.tmp
    C:\MCAF868.tmp
    C:\WINDOWS\Installer\{C3C42F6E-EB61-4784-BC97-B0C64E163CED}
    C:\Program Files\iTunes\bak
    C:\Program Files\Messenger\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\MySpace\IM\bak
    C:\Program Files\Common Files\AOL\ACS\bak
    C:\Program Files\Common Files\AOL\1166762781\ee\bak

    Also uninstall Viewpoint Media Player which I previously asked you to uninstall. Try to avoid letting any software reinstall which may cause this to come back.


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
      • It will create a folder named HostsXpert in whatever folder you extract it to.
      • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
      • Click the X to exit the program
    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Now you will need to "Immunize" with Spybot & Spyware Blaster again because deldomains will remove all of the sites Spybot adds.)


    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and replace it with a good copy from your ServicePackFiles folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download FixWL2.zip file to your Desktop.
    • Now double click on FixWL2.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. FixWL2.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the FixWL2.bat file to run the fix.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.

    • Now rerun FindAWF and attach a new log.
    • Now attach the c:\FixWL.txt file
    • Now also attach new logs from ShowNew & HJT
     
  13. Infected

    Infected Private E-2

    1) No, I do not need AOL to get online, I have a cable connection.

    2) There are no instances of superantispyware or mcafee on Control Panel... I removed both programs from there on previous days/weeks respectively.

    3) Was able to manually delete all requested folders EXCEPT C:\Program Files\McAfee.com. When attempting, I get the error message: "Cannot delete mcvsrte.exe. Access is denied".

    4) Viewpoint Media Player deleted on 2nd attempt. I had tried when you previously asked me, but it caused a system crash (blue screen). Forgot to mention. Same thing happened today, but it finally removed when I rebooted and tried a 3rd time.

    4) Requested logs attached below (I will attach HJT log on next post)
     

    Attached Files:

  14. Infected

    Infected Private E-2

    Hjt.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then let me ask the question a different way! Can we uninstall it, or do you need it for something. At least uninstall their Spyware Protection Service but preferably all of their junk!

    Did you install BoratScreenSaver 1.0.0? Do you know for sure that it is clean?
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to McAfee.com McShield
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • McAfee SecurityCenter Update Manager
      • McAfee.com VirusScan Online Realtime Engine
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste McShield into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • mcupdmgr.exe
      • MCVSRte
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Put copies of the below two files into a ZIP file and attach the ZIP file here:
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Please download Search.zip and extract the embedded search.bat file to the same folder as either ShowNew.bat or GetRunKey.bat. Then locate the search.bat file and double click on it. It will create a file named search.txt in the folder it is run from and the file will also open up in notepad. Attach the search.txt file to your next message.

    Shutdown all unnecessary processes

    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcrjmtaz.dll
    plvwrthx.dll

    Next double click on explorer.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcrjmtaz.dll
    plvwrthx.dll

    Next double click on iexplore.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcrjmtaz.dll
    plvwrthx.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\WINDOWS\ZeroSpyware Lite.exe" -STARTUP
    O4 - HKCU\..\Run: [NetGuard Lite] "C:\WINDOWS\NetGuard Lite.exe" -STARTUP
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ZeroSpyware Lite.exe
    C:\WINDOWS\NetGuard Lite.exe
    C:\WINDOWS\SYSTEM32\hcrjmtaz.dll
    C:\WINDOWS\SYSTEM32\mmbammb.dll
    C:\WINDOWS\SYSTEM32\plvwrthx.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\timmhfhz.sys
    C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
    C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe
    C:\Program Files\McAfee.com\Shared\bak\mcappins.exe
    C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe
    C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Documents and Settings\UserAccount\Application Data\SUPERAntiSpyware.com
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    C:\Program Files\SKYPE\PHONE\BAK
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\BAK
    C:\Program Files\McAfee.com\Agent\bak
    C:\Program Files\McAfee.com\Shared\bak
    C:\Program Files\McAfee.com\VSO\bak
    C:\Program Files\McAfee.com

    Now run Ccleaner!
    Now run FindAWF again!

    Now attach the below new logs and tell me how the above steps went.

    1. The search.txt log
    2. The new log from FindAWF
    3. GetRunKey
    4. ShowNew
    5. HJT
     
    Last edited: Apr 8, 2007
  16. Infected

    Infected Private E-2

    1) I use AOL daily. Will remove if you deem it necessary. Regardless, I have removed AOL Spyware Protection Service as well as the Borat screensaver, both from control panel.

    2) When running services.msc, got the following error message when clicking on mcshield: "configuration manager: specified device instance handle doesn't correspond to a present device". Of mcshield, security center, and virusscan, ONLY virusscan was running, and I stopped it. Nonetheless, I was able to change Startup-type to 'disabled' for all 3.

    3) Successfully used the Delete an NT service screen on HJT for each requested item.

    4) For your following instruction: "Put copies of the below two files into a ZIP file and attach the ZIP file here", sorry, but I could not find either file in my Drivers folder.

    5) Process explorer run, and everything requested killed. Many instances of each dll present.

    6) All other instructions followed and executed properly, with one exception: I was able to manually delete all requested folders EXCEPT, once again, C:\program files\mcafee.com. I received the error message: "Cannot Delete mcvsshl.dll - access denied".

    7) all requested logs attached. awf &hjt to follow.
     

    Attached Files:

  17. Infected

    Infected Private E-2

    awf & hjt.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The AOL Antispyware service is still trying to load. Let's fix it!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to AOL Spyware Protection Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste AOLService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.
    Now please download the current version of ShowNew which I updated yesterday and attach a new log from it. You have more system files that are infected and we need to replace them. This log will give me some more info.

    It's strange that now those two core.xxx files disappeared. Put the below file into a ZIP and attach it here:
    C:\WINDOWS\SYSTEM32\DRIVERS\timmhfhz.sys
     
  19. Infected

    Infected Private E-2

    1) I ran services.msc... AOL spyware was not running, so I could not stop it. However, I did change the 'start-up type' to disabled.

    2) Found the file you requested (timmhfhz.sys) but could not zip it. I get the following error message from WinZip:
    "Action: Add (and replace) files Include subfolders: no
    Save full path: no
    Include system and hidden files: yes
    Warning: name not matched: C:\WINDOWS\SYSTEM32\DRIVERS\timmhfhz.sys
    Error: No files were found for this action that match your criteria - nothing to do."

    3) AOLService removed from 'delete an nt service' HJT screen.

    4) Your new NEW shownew.bat log attached below.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is just one file that is still troubling me and I'm trying to get it replaced with an older copy. I'm not sure why it is not working on your system. I experimented on my PC and I can easily overwrite the file with a different copy. The file is C:\WINDOWS\system32\ws2_32.dll which is dated 04/06/2007. I'm trying to replace it with a copy that would not be infected but you don't appear to have any backups for some reason which is unusual. Normally one would be found as below (and maybe others too).

    C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
    C:\WINDOWS\SYSTEM32\DLLCACHE\ws2_32.dll

    Search your PC for ws2_32 without the .dll and tell me what you find.


    Now for your other problems, let's try another approach.

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    • Now please attach the below logs
      • C:\avenger.txt
      • new ShowNew log
      • new HijackThis log
    PS. When you tried to zip the timmhfhz.sys file, did you do it by just right clicking on it and selecting Add to ZIP?
     
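The check chaslang is doing by hand above (compare the live ws2_32.dll against the spare copies Windows keeps in ServicePackFiles\i386, system32\dllcache and the C:\I386 setup source) can be scripted. The block below is an added example and is not code from the thread or from any of the tools it mentions. It hashes the live file and every backup copy it finds, notes when a location only holds a cabinet-compressed .dl_ copy that must be expanded before comparing, and reports which backups still agree with the live file. The directory tree it runs against is constructed in a temp folder so it works offline; `build_sample_tree`, `compare_dll_copies` and the sample contents are my own names and data.

```python
"""Compare a live system DLL against Windows' own backup copies.

Added example (not from the thread). It mirrors the manual check in the
post above: hash the file in system32 and every backup copy that Windows
normally keeps, then report which copies disagree. A live file with no
matching backup is what a defender wants to know before replacing it.
The sample tree is constructed in a temp dir so the script runs offline;
the relative paths are the ones named in the thread.
"""
import hashlib
import os
import tempfile

# Relative locations (under the Windows root) where XP keeps spare copies.
# The C:\I386 setup source may hold a compressed ws2_32.dl_ instead.
BACKUP_LOCATIONS = (
    os.path.join("ServicePackFiles", "i386"),
    os.path.join("system32", "dllcache"),
    "I386",
)


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_dll_copies(windows_root, dll_name):
    """Return a report for dll_name: the live hash, each backup's hash (or a
    note for a compressed .dl_ copy), and which backups match the live file."""
    live = os.path.join(windows_root, "system32", dll_name)
    live_hash = sha256_of(live) if os.path.exists(live) else None
    report = {"live": live_hash, "backups": {}, "matching_backups": []}
    stem, _ = os.path.splitext(dll_name)
    for rel in BACKUP_LOCATIONS:
        folder = os.path.join(windows_root, rel)
        plain = os.path.join(folder, dll_name)
        packed = os.path.join(folder, stem + ".dl_")  # cabinet-compressed copy
        if os.path.exists(plain):
            h = sha256_of(plain)
            report["backups"][rel] = h
            if h == live_hash:
                report["matching_backups"].append(rel)
        elif os.path.exists(packed):
            # Compressed copies must be expanded (expand.exe) before hashing.
            report["backups"][rel] = "compressed (.dl_), expand before comparing"
        else:
            report["backups"][rel] = None  # no spare copy here at all
    return report


def build_sample_tree():
    """Construct a fake Windows tree (hypothetical contents, not real DLLs)."""
    root = tempfile.mkdtemp(prefix="winroot_")
    layout = {
        os.path.join("system32", "ws2_32.dll"): b"MZ live copy, suspicious",
        os.path.join("system32", "dllcache", "ws2_32.dll"): b"MZ original",
        os.path.join("ServicePackFiles", "i386", "ws2_32.dll"): b"MZ original",
        os.path.join("I386", "ws2_32.dl_"): b"MSCF compressed",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def run_sample():
    """Build the constructed tree and compare ws2_32.dll against its backups."""
    return compare_dll_copies(build_sample_tree(), "ws2_32.dll")


if __name__ == "__main__":
    rep = run_sample()
    print("live:", rep["live"])
    for loc, val in rep["backups"].items():
        print(f"{loc}: {val}")
    print("backups matching live copy:", rep["matching_backups"] or "none")
```

In the constructed tree the two plain backups agree with each other but not with the live file, which is the situation the post describes; on a real machine you would point `compare_dll_copies` at C:\WINDOWS and compare the backup hashes against a known-good reference before copying anything over.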
  21. Infected

    Infected Private E-2

    1) found ws2_32 in 2 folders: c:\windows\system32, as well as c:\I386

    2) Avenger run, and log attached (as well as shownew and hjt).

    3) In response to your 'PS', no, I opened WinZip first, and then used the program to locate and add the file. When attempting to zip, the error msg I pasted popped up.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the copy in C:\i386 named ws2_32.dll or is it named ws2_32.dl_? The underscore would indicate a compressed file.

    If the file in c:\i386 is named ws2_32.dll, then copy it into the C:\windows\system32 folder overwriting the copy that is already there.

    Try the right click method and tell me what happens!

    Do you have a Windows XP boot CD?


    Run Pocket Killbox and select File, Cleanup, Delete All Backups


    Now please download ProcessDLL.zip and save to your desktop.

    Extract the ProcessDll.exe file from inside and run it.

    This will create a new file on your Desktop called procdll.txt

    Attach this log as your next post.
     
  23. Infected

    Infected Private E-2

    1) Could not copy ws2_32.dll from i386 folder, following error msg received: "Cannot move ws2_32: a file with the name you specified already exists. Specify a different file name"

    2) the right click winzip method worked. log attached.

    3) I'm sure I have a boot cd somewhere... but wow... where to start to look for it, I don't know. Recently moved.

    4) Processdll.exe will not load. error message: ".Net framework initialization error. C:\windows\microsoft.net\framework\v.1.1.4322\mscorwks.dll cannot be loaded".
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try it in safe mode. If that does not work, rename the file in system32 to ws2_32.bak and then copy the one from the i386 folder. Make sure it is correctly copied before rebooting.

    You zipped the wrong file. I asked for timmhfhz.sys to be zipped.

    Was it a Win XP SP2 CD? Did SP2 come on your PC or was it upgraded to SP2?

    I was afraid of that. You need to get your updates from Microsoft. At least one (maybe more) will refer to .NET. See if you can install just the .NET updates and then run Processdll.exe.
     
  25. Infected

    Infected Private E-2

    Here are the requested logs. Let me know if anything else is necessary, if that means starting from scratch, so be it.

    One major software change since last time, I had to get rid of AVG, as it stopped working. I replaced with AntiVir. Two problems with AntiVir: 1) the AntiVir automatic updates do not work, and 2) I cannot leave their "active shield" (called AntiVir Guard) activated, as it constantly finds the 3 following infected files every few seconds and gives me a popup, regardless of how many times I instruct the program to delete or quarantine them. They are:

    C:\windows\system32\bmkudsqk.dll
    C:\windows\system32\mmbammb.dll
    C:\windows\system32\hcrjmtaz.dll

    Also, the New GetRunKeys gave me an error message in the DOS window that opened up... but then it seemed to work and generate a log anyway, if that matters to you.


    Thanks again. -Infected
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not indicate whether you followed my first step in message #24 for copying the ws2_32.dll file from the i386 folder into your system32 folder in safe boot mode. You need to get this file replaced. It is infected.

    And you need to get the .NET update from Microsoft (do not try to get Win XP SP2 installed).
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also you did not attach the ZIP'ed file I requested. In message # 24 I said:
     
  28. Infected

    Infected Private E-2

    I'm back. I realize I didn't follow your step 24 instrux... that was intentional, but sorry. Didn't want to resume fixing until after I posted my new logs, just in case there were new issues (since it's been so long). Anyway, I've now done as you asked.

    -Could not copy ws2_32 in safe mode, but thankfully I WAS able to rename the file in my system32 folder to ws2_32.bak, and then copy from the i386 folder.

    -I downloaded the .NET update from MS and then ran processdll. Log attached.

    -Was not able to zip timmhfhz using the right click method either... still get an error message that "No files were found for this action that match your criteria - nothing to do."
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then attach a new log from ShowNew.
     
  30. Infected

    Infected Private E-2

    Here you go.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    bmkudsqk.dll

    Next double click on explorer.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    plvwrthx.dll
    hcrjmtaz.dll
    bmkudsqk.dll


    Next double click on csrss.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Now look for the below files and see if you can delete them:
    C:\WINDOWS\system32\mmbammb.dll
    C:\WINDOWS\System32\plvwrthx.dll
    C:\WINDOWS\System32\hcrjmtaz.dll
    C:\WINDOWS\System32\bmkudsqk.dll
    C:\WINDOWS\SYSTEM32\mmbammb.dll.bak
    C:\WINDOWS\SYSTEM32\WS2_32.bak

    Then reboot and attach new logs from ProcessDLL and ShowNew.
     
  32. Infected

    Infected Private E-2

    Deleted multiple instances of mmbammb.dll, plvwrthx.dll and hcrjmtaz.dll. bmkudsqk not found anywhere.

    None of these files allow me to delete them manually... "access denied" error msg
     

    Attached Files:

    Last edited by a moderator: May 16, 2007
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cannot be true! Check again! See in the log from ProcessDLL and you will see it listed under several processes (the ones I listed to check.) Make sure you are checking carefully!


    Are you sure that WS2_32.bak could not be deleted? It is not being used by malware anymore since being renamed.

    Repeat ALL steps after booting in safe mode and shutdown ALL unnecessary processes!


    What is the below file?
    C:\WINDOWS\SYSTEM32\DRIVERS\TERMDD.zip
     
  34. Infected

    Infected Private E-2

    Absolutely positive that bmkudsqk.dll is not in any of the places you had me check. Ran process explorer 2 more times... once in safe mode, once in regular boot mode, just to be sure. Might it be anywhere else other than winlogon.exe, explorer.exe or csrss.exe? Or might it be hiding itself somehow?

    Tried that again, and it deleted. All other .dlls are still giving me access denied error.


    That was just an error... zipped it accidentally before trying to zip timmhfhz, which is the file directly after it on the list. Just deleted it.

    New logs attached.
     

    Attached Files:

    Last edited: May 17, 2007
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm posting just to let you know I have not forgotten about you.

    I'm not sure why the DLLs are not showing in Process Explorer when they clearly are hooked according to ProcessDLL.

    I'm working up something to do but it is a little tricky since I will have to stop some Windows system processes from running. We will be shutting down smss.exe, winlogon.exe and explorer.exe. And we will be doing this in safe mode. When we shut down explorer.exe everything on your Desktop will disappear. That includes the Start button, system tray and all icons. I'm just informing you now so you are ready for this when it happens. This will make it more complex to run anything. Also shutting down winlogon.exe will make it impossible to shutdown Windows in a normal fashion. You will have to hold in the power button until the PC shuts off. Again I'm just letting you know this ahead of time. I still need to work up a procedure. You will have to remain offline with NO BROWSERs running. So when I give you a procedure, you will need to print it to have a copy to work from. We do not want any other unnecessary processes to be running.

    In preparation for my procedure and to make things easier for us, I want you to create a folder in the root of your C drive. Simply name it chas. Thus you should have C:\chas
    I also want you to move or copy all the files from ProcessExplorer into this C:\chas folder. We will need to run ProcessExplorer later from a command prompt window and having it located here will make it easier to find and run. I will also be giving you other things to put into this folder so they can also be more easily run. Let me know when you have this folder created and that you have ProcessExplorer's files all copied there.

    I will try to get something put together sometime today or tonight.
     
    Last edited: May 27, 2007
  36. Infected

    Infected Private E-2


    Take your time, fine sir. I know there are many others here you are helping as well. I appreciate all your efforts.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! I will get to it! I just need to be home (not there now) so I can test a few things out before giving them to you. I should be able to get to them tonight.

    Did you get ProcessExplorer into the folder I requested?

    If so, click Start, Run, and enter cmd and click OK to open a command prompt. Then in the command prompt window enter the below so you will be familiar with these later when I will be asking you to do this.

    cd C:\chas
    procexp

    The first command above should change the default directory (also called a folder) to c:\chas and then the second command should cause ProcessExplorer to open. Did this work for you?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay make sure you have done the prep steps in messages # 35 & # 37 before starting the below.

    I recommend that you read thru ALL of the below before doing any steps. Make sure you understand how to do everything before starting. Ask questions if necessary.
    • Download View attachment KillSys.zip to the c:\chas folder.
    • Then extract the contents of the KillSys.zip file directly into the c:\chas folder.
    • Now print the below instructions because you will need to boot into safe mode and have no browsers or any other applications open while performing the below steps. You must only run what I tell you to run.
    • Now Boot into safe mode
    • Now click Start, Run, and enter cmd and click OK to open a command prompt window and enter the below commands shown in black bold print. (NOTE: When you run KillSys.bat, your Desktop icons, Start bar,....etc will disappear. If they do not, then STOP HERE! Come back and tell me!).
      • cd c:\chas
      • procexp
        • The procexp command should run Process Explorer.
        • In the top section of the Process Explorer screen double click on csrss.exe to bring up the csrss.exe properties screen.
        • Click on the Threads tab at the top.
        • Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under csrss.exe click ok. (If you do not find the dll, just continue on.)
      • KillSys.bat
      • RemFiles.bat
    After running RemFiles.bat, hold in the power button on your PC until it shuts down.
    Give it a minute after shutdown and then reboot into normal mode.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
  39. Infected

    Infected Private E-2

    Steps 35, 37, & 38 all done, and new logs attached.

    Only one noteworthy remark: when running remfiles.bat, I got an error message "access is denied". I'll type out below what appeared in the command prompt window:

    Attempting to change file attributes!
    Sending file list to a log file.
    Attempting file deletion.
    Access is denied.
    Sending new file list to a log file.
    File not found
    File not found
    FIle not found
    File not found
    Finish
     
  40. Infected

    Infected Private E-2

    Here are the logs.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter timmhfhz in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply. Attach this before doing the below step or you will overwrite the first file.

    Now repeat the above but search for mmbammb and attach this second log.
     
  42. Infected

    Infected Private E-2

    Here is the log for my first search for timmhfhz. 2nd one coming up...
     

    Attached Files:

  43. Infected

    Infected Private E-2

    Here is the 2nd log, for mmbammb.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay use RegistrySearch two more times to search for the below:

    2A22DB24-1914-4E38-A2D8-FE16E237DF97

    Attach this new log.

    And then this:

    ihsadvma

    Attach this second log.
     
  45. Infected

    Infected Private E-2

    log 1 for: 2A22DB24-1914-4E38-A2D8-FE16E237DF97
     

    Attached Files:

  46. Infected

    Infected Private E-2

    log 2 for: ihsadvma.


    and i am off to sleep. back tomorrow night for more steps. have a good one!
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)



    Next double click on csrss.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select any of the following lines that still exist but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
    O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll

    After clicking Fix, exit HJT.

    Now reboot your PC into normal mode.


    Now attach the below new logs and tell me how the above steps went.
    1. a new log from RegistrySearch looking for 2A22DB24-1914-4E38-A2D8-FE16E237DF97
    2. procdll.txt
    3. GetRunKey
    4. ShowNew
    5. HJT
     
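The two HijackThis lines quoted in the post above register the same DLL at two load points: as an Internet Explorer Browser Helper Object (O2, keyed by CLSID) and as a Winlogon Notify package (O20, keyed by subkey name), which is why the earlier RegistrySearch runs looked for the CLSID and for ihsadvma. The block below is an added example, not code from the thread or from HijackThis; it parses O2 and O20 lines and maps each to the standard registry locations where that registration lives, so a defender can check the registry directly and see when one DLL is hooked in several places. The sample lines are the two from the post; `parse_hjt_line` and `load_points_by_dll` are my own names.

```python
"""Turn HijackThis O2 / O20 lines into the registry locations behind them.

Added example, not part of the thread or of HijackThis. The O2 line is a
Browser Helper Object registration (identified by CLSID); the O20 line is
a Winlogon Notify package (identified by its subkey name). Both point at
the same DLL, and grouping by DLL path makes that visible.
"""
import re

# Constructed sample: the two lines quoted in the post above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\\windows\\system32\\mmbammb.dll
O20 - Winlogon Notify: ihsadvma - C:\\WINDOWS\\SYSTEM32\\mmbammb.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# Standard registration locations for these two load points.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def parse_hjt_line(line):
    """Return a dict describing one O2 or O20 entry, or None for other lines."""
    m = O2_RE.match(line.strip())
    if m:
        clsid = m.group("clsid").upper()
        return {
            "type": "O2",
            "id": clsid,
            "path": m.group("path").strip(),
            # Where IE enables the BHO, and where COM maps the CLSID to the DLL.
            "registry_keys": [
                BHO_KEY + "\\" + clsid,
                "HKCR\\CLSID\\" + clsid + "\\InprocServer32",
            ],
        }
    m = O20_RE.match(line.strip())
    if m:
        sub = m.group("subkey")
        return {
            "type": "O20",
            "id": sub,
            "path": m.group("path").strip(),
            # The DllName value under this subkey names the DLL winlogon.exe loads.
            "registry_keys": [NOTIFY_KEY + "\\" + sub],
        }
    return None


def load_points_by_dll(log_text):
    """Group parsed entries by DLL path (case-insensitive), so a DLL that is
    registered under several load points shows up as one item."""
    grouped = {}
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        grouped.setdefault(entry["path"].lower(), []).append(entry)
    return grouped


if __name__ == "__main__":
    for dll, entries in load_points_by_dll(SAMPLE_LOG).items():
        print(dll)
        for e in entries:
            print(f"  {e['type']} {e['id']}")
            for k in e["registry_keys"]:
                print(f"    {k}")
```

Grouping by path is the useful part: removing only the BHO key and leaving the Notify entry would let winlogon.exe load the DLL again at the next logon, which is consistent with the file reappearing and being undeletable earlier in the thread.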
  48. Infected

    Infected Private E-2

    Here you go. Part 1 of requested logs: (HJT log was saved before I fixed requested lines).
     

    Attached Files:

  49. Infected

    Infected Private E-2

    Part 2 of requested logs.
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why? That is not what was requested and is not useful. The scan was requested at the end of the procedure.


    Download AproposFix by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe (which will give you a choice of where to unzip/install the program to). This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and attach the log.txt file that has been created in the aproposfix folder.



    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.


    Now I want to run one more rootkit scanner!

    Please download GMER and save it to your desktop:
    • Unzip (extract) it to your desktop.
    • Disconnect from Internet and close all running programs.
    • There is a small chance this application may crash your computer so save any work you have open.
    • Double-click gmer.exe to run it.
    • Let the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
    • Click the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Then click the Scan button. Wait for the scan to finish.
    • Once done, click the Copy button.
    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.
    NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
     
    Last edited: May 22, 2007
