
Solve : Help with trojan! No Internet Records?


On my computer I run Kaspersky and I get this problem:

detected: Trojan program Trojan-Downloader.Win32.Hmir.alm File: c:\windows\system32\drivers\daml9.sys

Kaspersky has deleted the file a couple of times but it comes back, seemingly when MS Outlook runs.

Attached is the HijackThis record.

[recovering space - attachment deleted by admin]

I don't see any malware in the log, you will need to go to this thread and work the steps in post 2 then post the logs back here.

Why did you run Combofix?

That isn't part of the instructions.

I thought it might be helpful, I had run it before the original post.

Oh, and another symptom: when I start looking for daml9.sys in the register the computer restarts.

It didn't hurt anything and may be needed. Only it is the Spanish version so a little hard to read in some parts.

Quote

when I start looking for daml9.sys

What is daml9.sys?

Not to be rude, it is good that you are trying to fix this but please stick to my instructions. Doing things outside of them will just confuse me and make this much harder in the long run.

I need the HijackThis log.

Sorry for the confusion. I thought I'd give you all the logs I have.

Just to refresh what my problem is:

On my computer I run Kaspersky and I get this problem:

detected: Trojan program Trojan-Downloader.Win32.Hmir.alm File: c:\windows\system32\drivers\daml9.sys

Kaspersky has deleted the file a couple of times but it comes back. When I try to open it in Notepad, copy, paste, or anything, it tells me that the file is being used. The HijackThis log is on the first post.

Also, whenever I start looking for it on the registry the computer reboots, or when I set it to be deleted with Kaspersky it reboots without notice.

I've been pretty successful with other malware until now. I've also looked for this trojan-downloader strand with only hits in an Asian language.

I need a new HijackThis log from after running the other tools.

Is Kaspersky updated? Do you have two antivirus installed?

daml9.sys is a driver. C:\WINDOWS\system32\DRIVERS\daml9.sys

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
  • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
    • Let this run undisturbed until the window with the blue progress bar goes away

SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

Thanks.. this is a work computer and I'll run that tomorrow, thanks a lot!

You gotta help me here.

Quote from: evilfantasy on April 07, 2008, 03:45:19 PM
What is daml9.sys?

Quote from: evilfantasy on April 07, 2008, 04:08:10 PM
Is Kaspersky updated? Do you have two antivirus installed?

daml9.sys appeared out of nowhere, it's stuck onto the /windows/system32/drivers/ folder. I've looked it up online and have found nothing on it. All I know is it's linked to this trojan downloader hmir.alm which in turn I've only seen on Asian sites.

I've been trying to see what it is linked to in the registry but as soon as I get close to finding it the computer crashes.

I've uninstalled AVG and any other anti-virus and Kaspersky is up to date.

OK, let's try this.

Scan Suspicious File(s)

Please visit one of the following:
(Multiple sites are given in case one is not working)
(If more than one file needs scanned they must be done separately and logs posted for each one)
Copy the file path in the code box below.
Code: C:\WINDOWS\system32\DRIVERS\daml9.sys
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File/Submit/Upload (depending on the site)
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Please wait for all of the scanning engines to complete.
  • Copy and then Paste the results in the next reply.

Interesting news my friend, I get an error message when I try to upload the file for scanning.

I haven't had a chance to run sfc.exe, does it matter if I have Windows SP1?

Quote from: lefloresg80 on April 08, 2008, 02:14:25 PM
I haven't had a chance to run sfc.exe, does it matter if I have Windows SP1?


Possibly, there have been loads of service packs released since SP1.

Why don't you have SP2?

