Help with trojan! No Internet Records

[lefloresg80]

On my computer I run Kaspersky and I get this problem:

detected: Trojan program Trojan-Downloader.Win32.Hmir.alm   File: c:\windows\system32\drivers\daml9.sys

Kaspersky has deleted the file a couple of times but it comes back, seemingly when MS Outlook runs.

Attached is the HijackThis record.

[recovering space - attachment deleted by admin]

[evilfantasy]

I don't see any malware in the log, you will need to go to this thread and work the steps in post 2 then post the logs back here.

[evilfantasy]

Why did you run Combofix?

That isn't part of the instructions.

[lefloresg80]

I thought it might be helpful, I had run it before the original post

[lefloresg80]

OH and another symptom when I start looking for daml9.sys in the register the computer restarts.

[evilfantasy]

It didn't hurt anything and may be needed. Only it is the spanish version so a little hard to read in some perts.

when I start looking for daml9.sys

What is daml9.sys?

Not to be rude, it is good that you are trying to fix this but please stick to my instructions. Doing things outside of them will just confuse me and make this much harder in the long run.

I need the Hijackthis log.

[lefloresg80]

Sorry for the confusion. I thought I'd give you all the logs I have..

Just to refresh what my problem is:

On my computer I run Kaspersky and I get this problem:

detected: Trojan program Trojan-Downloader.Win32.Hmir.alm   File: c:\windows\system32\drivers\daml9.sys

Kaspersky has deleted the file a couple of times but it comes back, when I try to open it in notepad, copy, paste, or anything it tells me that the file is being used. The hijackthis log is on the first post.

Also, whenever I start looking for it on the registry the computer reboots, or when I set it to be deleted with Kaspersky it reboots without notice.

I've been pretty successful with other malware until now. I've also looked for this trojan-downloader strand with only hits in an asian language.

[evilfantasy]

I need a new Hijackthis log from after running the other tools.

[evilfantasy]

Is Kaspersky updated? Do you have two antivirus installed?

daml9.sys is a driver. C:\WINDOWS\system32\DRIVERS\daml9.sys

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue  progress bar goes away

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

[lefloresg80]

Thanks.. this is a work computer and I'll run that tomorrow, thanks alot!

[evilfantasy]

You gotta help me here.

What is daml9.sys?

Is Kaspersky updated? Do you have two antivirus installed?

[lefloresg80]

daml9.sys appeared out of nowhere, it's stuck onto the /windows/system32/drivers/ folder. I've looked it up online and have found nothing on it. All I know it's linked to this trojan downloader hmir.alm which in turn i've only seen on asian sites.

I've been trying to see what it is linked to in the registry but as soon as I get close to finding it the computer crashes.

I've uninstalled AVG and any other anti-virus and kaspersky is up to date.

[evilfantasy]

OK, lets try this.

Scan Suspicious File(s)

Please visit one of the following:
(Multiple sites are given in case one is not working)
(If more than one file needs scanned they must be done separately and logs posted for each one)

• Virustotal
  
• Jotti's malware scan
  
• VirSCAN.org

Copy the file path in the code box below.

Code: [Select]

C:\WINDOWS\system32\DRIVERS\daml9.sys

• At the upload site, click once inside the window next to Browse.
  
• Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  
• Next click Send File/Submit/Upload (depending on the site)
  • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
• This will perform a scan across multiple different virus scanning engines.
• Please wait for all of the scanning engines to complete.
• Copy and then Paste the results in the next reply.

[lefloresg80]

Interesting news my friend, I get an error message when I try to upload the file for scanning.

I haven't had a chance to run sfc.exe, does it matter if I have windows sp1?

[evilfantasy]

I haven't had a chance to run sfc.exe, does it matter if I have windows sp1?

Possibly, there have been loads of service packs released since SP1.

Why don't you have SP2?

[lefloresg80]

my original cd's were sp1 haven't bought any since

[evilfantasy]

Go to C:\combofix.txt and post that log please.

Also already you have SP2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:44 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

[lefloresg80]

Hey!

I just wanted to thank Evilfantasy for all the help. I finally was able to use xp cd to go in and delete the .sys file and I haven't had any problems since! Thanks!

Luis

[evilfantasy]

Go to Start > Run and type combofix /u <<Note the space between combofix and /u then click OK.

This will uninstall combofix and all of it's files and folders. It isn't a tool that should be kept on any computer indefinitely.