HELP: winantiviruspro, et.al.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Infected, Mar 31, 2007.

  1. Infected

    Infected Private E-2

    Well, not to squabble, but I obviously wasn't 100% clear that you wanted an HJT scan before and after reboot. If you had needed to see results before reboot, I thought best to post the first log. I could always get a later one, but it's impossible to go back in time. Correct one attached.

    All other programs finished as well, without problems. Logs attached. Gmer log on next post. Thx!
     

    Attached Files:

  2. Infected

    Infected Private E-2

    gmer.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well those logs did not help much other than the fact that GMER also picked up the timmhfhz.sys file I have been worried about all along. It also seems to have a problem opening the file and saying it does not exist when it already said it does exist. Malware must be corrupting/hiding the real file name somehow. Way back when I asked you to put a copy into a ZIP file you could not do that either because it could not be found. You got a message: Warning: name not matched

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below commands. Note that there is a space between dir and the *

    cd c:\windows\system32
    dir *.sys > c:\sysfile.txt

    Attach the c:\sysfile.txt file to your next message.

    Now download and install ExplorerXP. Run it and navigate to the c:\windows\system32 folder and scroll down to look for the timmhfhz.sys file. Do you see it, does the name show exactly as timmhfhz.sys? Do you see any similar file names?

    Put a copy of the c:\windows\system32\mmbammb.dll file into a ZIP file and attach that here. Do this before continuing with the below!


    Now download, install and update Prevx, then run a full scan and fix what it finds. See if you can save a log and attach it. Then also attach new logs from ShowNew and HJT.
     
  4. Infected

    Infected Private E-2

    This is a tricky little demon, isn't it? Sorry to put you through all this.


    Using ExplorerXP, I can find that exact file name (timmhfhz.sys), but there are no other similar variations. If it matters, the folder it is actually located in is: c:\windows\system32\drivers.

    The full-system Prevx scan found no malware. Is that possible? When finished, I got the following message, but I could not find any way to produce/save a log:

     

    Attached Files:

  5. Infected

    Infected Private E-2

    hjt.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the mmbammb.dll is exactly what I thought it was. It goes by many names:
    • Generic4.OAW
    • Packed.Win32.Morphine.a
    • TR/Dldr.ConHook.Gen
    • Trojan.Agent.AVQ
    • Trojan.BHO.FY
    • Trojan.Click.2330
    • Trojan.Dldr.ConHook.Gen
    • VirTool:Win32/Obfuscator.E
    • W32/BHO.QG
    • W32/Morphine.A!tr
    • Win32/TrojanClicker.Delf.NAO
    • Winlogonhook
    • Win-Trojan/Morphine.79872.D
    What I typically call it is Winlogonhook and the procedures we have been using have never failed before. So that leads me to the below conclusions:
    • this infection has new components involved and requires new procedures that we have yet to discover on how to remove it.
    • there is another infection that we have not detected that is reinfecting you. We have seen cases where Windows system files including explorer.exe have been infected and as soon as a PC is booted, reinfection occurs.
    • the procedures that I'm giving you are failing because some particular aspect of the steps is not being followed exactly. i.e., missing a single occurrence of any of the DLLs we try to unhook with Process Explorer will cause total failure. Also any of the DLLs could occur multiple times in the winlogon.exe, explorer.exe, iexplore.exe, csrss.exe, or any other EXE that is running. All occurrences must be unhooked - killed - with Process Explorer. Missing any one is the same as not doing any of the steps at all.
    Since we are not having any luck with the manual steps I have given you and also since Prevx1 does not remove something that it says it can remove, you are going to have to find your Windows XP SP1 CD. We need it to boot to the recovery console and from there we will attempt to delete the files.

    Your other alternative is to backup your important information and reinstall your OS.

    Uninstall Prevx1 now since it was useless.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have another procedure similar to a past one but I noticed some other files to delete.

    Exit ALL unnecessary processes before doing the below steps! Even kill your antivirus and firewall applications but unplug your cable to the internet first. Also only have one browser window open.

    Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mmbammb.dll once and then click the kill button. After you have killed all of the mmbammb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on csrss.exe and again click once on each instance of mmbammb.dll and kill it. (If you do not find the dll, just continue on.)

    Now check all other processes that you see running in ProcessExplorer and look for mmbammb.dll in them too and kill any that are found. Let me know if you see any and where.

    Now just exit Process Explorer.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select any of the following lines that still exist but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll
    O20 - Winlogon Notify: ihsadvma - C:\WINDOWS\SYSTEM32\mmbammb.dll

    After clicking Fix, exit HJT.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:

    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    Now attach the below new logs and tell me how the above steps went.
    1. the Avenger log
    2. a new log from RegistrySearch looking for 2A22DB24-1914-4E38-A2D8-FE16E237DF97
    3. procdll.txt
    4. GetRunKey
    5. ShowNew
    6. HJT
     
    Last edited: Nov 30, 2009
  8. Infected

    Infected Private E-2

    Chas, thanks so much for coming up with a new procedure. I'm just back from a long holiday weekend... will try it out tomorrow, and let you know how it goes. Take care.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome but I'm not sure that it will work. That timmhfhz.sys file really bothers me and I would bet it is at the heart of this. Any luck finding your Windows XP CD?
     
  10. Infected

    Infected Private E-2

    Completed Step #57. Don't think you'll find the results you want to see (as you expected).

    Here are the instances of mmbammb.dll I found, and where:

    4 in winlogon
    3 in explorer
    4 in iexplorer
    1 in csrss

    none in any other running processes.

    I have ordered a replacement Windows XP CD directly from Dell. Should be here in 2 days. I think I know where my original is in storage, but it would be a major pain to get to, until I can move out the stuff in front of and on top of it (I recently moved).

    Remainder of logs coming on next post.
     

    Attached Files:

  11. Infected

    Infected Private E-2

    more logs.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I was guessing it would not work so I was correct. However you had some new malware show up too. One is an info stealing trojan. Do you do any banking or other financial related work from this PC?

    You picked up this: Infostealer.Bzup

    Please install this ZoneAlarmFree make sure you download it from one of the Major Geeks links and not the authors link. Install it and then reboot (which it will probably tell you that you need to do).

    Now continue with the below (I'm ignoring the malware we have been working on - we need the Windows XP CD).

    Run HijackThis and select any of the following lines that still exist but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll

    After clicking Fix, exit HJT.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:

    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now attach the below new logs and tell me how the above steps went.
    1. the Avenger log
    2. ShowNew
    3. HJT
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please do the below!

    Click Start, Run and copy and paste the below into the run box:

    cacls c:\windows\system32\drivers\*.* > c:\aclist.txt

    then click OK!

    Afterwards attach the c:\aclist.txt file that was created here.
     
  14. Infected

    Infected Private E-2

    1) Thanks for the catch! I do very little banking on this PC... definitely none recently, but I have in the past. Should I be concerned? I have changed the password for the banking site I use. I think I know exactly the moment I caught this bug... I accidentally clicked on a sneaky ad which had opened a new tab in mozilla and covered up the screen for the actual site I was viewing.

    2) ZoneAlarm would not install, got the following error msg when trying to run setup: "Validation Failed for C:\docume~1\.......\temp\05310719146\vsinit.dll. You probably are missing a necessary root certificate". So, I re-downloaded Sygate Firewall instead. That's the firewall I WAS using before this bug I got crashed it, along with my McAfee antivirus. If you can find a way for me to get ZoneAlarm, and would prefer I use that for any reason, let me know and I will uninstall.

    3) My XP cd came today, alas, I was not home for the fed-ex guy. Should have it tomorrow. In the meantime, all requested steps have been performed, and logs attached.
     

    Attached Files:

  15. Infected

    Infected Private E-2

    Was about to attach the aclist.txt file here, but there doesn't seem to have been one created?

    Just tried your instructions again... fairly simple... copied "cacls c:\windows\system32\drivers\*.* > c:\aclist.txt" into the run box... the screen blinks for a split second, then nothing happens. Still no txt file anywhere. Also did a search for aclist.txt, and no results. Dunno what happened.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this something you just did recently? And yes you should be concerned since there is no way for us to know whether they were able to steal any info from you or not. If you have not done any banking, credit card related, paypal, .....etc , it is probably less of an issue. However they could have gotten login & passwords to anything at all that you connect to which again could lead to problems. What we typically say to users with any password stealing trojans is the below. It's up to you what action you wish to take.
    Check this out and see if anything in there helps:

    http://forums.zonealarm.com/zonelabs/board/message?board.id=win_za_msgs&message.id=12502
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in c:\windows\system32

    Do you see a file named cacls.exe?
     
  18. Infected

    Infected Private E-2

    That did the trick. Sygate out, ZoneAlarm now running.

    Yes, that file is there.

    I changed my bank PW this evening after following your instrux on removing the bug, and then verifying that the BHO was no longer on my hjt log. I believe I got the bug itself 2 days ago, and I have definitely not done any banking on this PC since then. Is it a keylogger? If so, it might have my AOL login... but that's about it. Will take your advice on calling institutions, etc.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. Infected

    Infected Private E-2

    A command prompt window appears, and scrolls lines of text too quickly to read down the screen (kinda reminds me of the matrix) for about 10 seconds. The top of the window (blue title bar) reads "c:\windows\system32\cacls.exe". The command prompt window then disappears, and nothing further occurs.

    Hope that's useful.

    I'll be back tomorrow, hopefully with my XP cd!
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If that happens then the other command I gave you in message # 63 should work! Make sure you have a space before and after the >
     
  22. Infected

    Infected Private E-2

    Yup, there's definitely a space before and after. I was copying and pasting directly from your post, so it should have been exact, but I double checked that the spaces appear after pasting... and they're definitely there. Just tried again, and still nothing happens. The command prompt window blinks, disappears, and nothing further occurs.


    For some better news, my XP cd arrived today. OF COURSE they sent me sp2 rather than sp1, even though I specifically asked for sp1 (their phone support is god awful. took me over 50 minutes on the phone just to order a replacement cd, as they had me verify my phone number, no exaggeration, FIVE times over the course of the call. I counted.). Anyway, I hope we can still proceed with the sp2 disk.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what should happen! Afterwards you need to look in the root folder of drive C for the aclist.txt log file. If you don't see the file attach a new log from ShowNew, and then do the below.

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below:

    cacls c:\windows\system32\winlogon.exe

    What do you get? It should look something like the below:
    Code:
    c:\windows\system32\winlogon.exe BUILTIN\Users:R
                                     BUILTIN\Power Users:C
                                     BUILTIN\Administrators:F
                                     NT AUTHORITY\SYSTEM:F
                                     SUPERDELL\charlie:F  

    We should be able to use it to boot to the recovery console. Before we try to do any real operations, let's do a dry run of booting to the recovery console and a couple other items from the command prompt which you will have after booting to the recovery console. However first before starting the below steps, create a new folder in the root of drive C and name the folder MGtmp. Thus you should have C:\MGtmp

    Now read thru the below to familiarize yourself with it and print it so you can refer to it while offline since you will not be able to browse once starting the below.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that otherwise it will bypass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R It is normally the middle item in the list. Press R
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    Now from this command prompt window, here are some things I want you to do. Enter the below commands in the order given. I will add comments in purple.

    cd system32\drivers <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>
    copy timmhfhz.sys c:\MGtmp <--- this should copy the bad file to the folder we created
    ren timmhfhz.sys timmhfhz.sys.bad <--- this will rename the file and hopefully prevent it from being used to reinfect your PC

    exit <--- this will exit the Recovery Console and boot to Windows

    Now put a copy of the c:\MGtmp\timmhfhz.sys file into a ZIP file and attach it here.

    Also attach a new log from ShowNew. I want to see if the file recreated itself.
     
  24. Infected

    Infected Private E-2

    --Chas, I know!! lol!! Just as in step 65, there is NO txt file. Nothing in C, and nothing anywhere else that I can find. Even if i do a windows search, there are no results found for aclist.txt or aclist.

    --ShowNew file attached. (just fyi, I had to switch back to AVG from antivir. This bug I have makes antivir unbearable. Virus warning popups about mmbammb and crew literally every second. In order to get anything done, I had to turn off the resident shield, which is what ultimately led me to become infected by the password stealing virus).

    --After entering "cacls c:\windows\system32\winlogon.exe" into the command prompt, the window looked just like you said it would EXCEPT, I am missing the "builtin\power users" line.

    --I will now try the dry run with the XP cd. Be back with the zip file and a new shownew log in a few!
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is weird!!! What happens if you run the below from a command prompt:

    cacls c:\windows\system32\drivers\*.*
     
  26. Infected

    Infected Private E-2

    Well, I feel almost completely defeated right now. Unable to boot from the CD. On first attempt, I was not prompted to press any key to boot from CD(and I have never seen that message on subsequent attempts either, fyi).

    So, I went into BIOS, and set the boot order so that my CD-ROM is first on the list. Didn't work. I then disabled the other options, diskette and hard drive, leaving CD-Rom as the only choice. Still won't work.

    Tried all variations a couple more times, looking carefully for any "press key" messages... nothing there.

    This is what happens with CD set as first (and only) boot option in BIOS: My computer turns on, the CD starts spinning, then makes a noise like it's grinding to a slow spin, and I get an error message saying something to the effect of "press F1 to retry boot, press F2 to enter setup menu".

    My CD-Rom works perfectly otherwise, by the way. I use it frequently to run programs, burn discs, etc. The XP cd runs fine, if I boot regular windows. Is it AT ALL possible that this new XP CD they provided me is not bootable?? That doesn't make sense to me, but I can't think of anything else at this point. Maybe my CD drive is not setup properly? As far as I can tell it is set as the secondary controller. I think it's supposed to be the master on the secondary controller? I don't know how to tell if that's the case.

    Extremely frustrated. :hammer
     
  27. Infected

    Infected Private E-2

    It runs through all the drivers, matrix-style, looking something like this:

    UNTIL, the last entry is: c:\windows\system32\drivers\timmhfhz.sys
    ACCESS IS DENIED
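    As an added example (not from the thread or from any tool it mentions), a small Python triage script that parses cacls listings in the layout shown in #23 and flags the two conditions that matter here: files whose ACL cannot be read, as just happened with timmhfhz.sys, and files that low-privilege principals can modify. The sample output, including the Everyone:F entry on afd.sys, is constructed for the example.

```python
"""Audit the output of  cacls c:\\windows\\system32\\drivers\\*.*  against the
baseline ACL shown in the thread (Users:R, Power Users:C, Administrators:F,
SYSTEM:F) and flag files whose security descriptor cannot be read at all."""
from dataclasses import dataclass, field

# Constructed sample in the layout cacls prints: path plus first ACE on one
# line, further ACEs indented beneath it, and a bare ACCESS IS DENIED line
# when cacls could not read the file's security descriptor.
SAMPLE_CACLS_OUTPUT = r"""
c:\windows\system32\drivers\acpi.sys BUILTIN\Users:R
                                     BUILTIN\Power Users:C
                                     BUILTIN\Administrators:F
                                     NT AUTHORITY\SYSTEM:F
c:\windows\system32\drivers\afd.sys BUILTIN\Users:R
                                    BUILTIN\Power Users:C
                                    BUILTIN\Administrators:F
                                    NT AUTHORITY\SYSTEM:F
                                    Everyone:F
c:\windows\system32\drivers\timmhfhz.sys
ACCESS IS DENIED
"""

# Principals every user belongs to; write access for them on a driver means
# any user (or malware running as one) can replace the driver.
LOW_PRIVILEGE = {"EVERYONE", "BUILTIN\\USERS", "NT AUTHORITY\\AUTHENTICATED USERS"}
WRITE_LETTERS = {"W", "C", "F"}  # cacls shorthand: Write, Change, Full control


@dataclass
class FileAcl:
    path: str
    aces: list = field(default_factory=list)  # (account, permission) pairs
    denied: bool = False                       # cacls reported ACCESS IS DENIED


def parse_ace(text):
    """'BUILTIN\\Power Users:C' -> ('BUILTIN\\Power Users', 'C'); None if not an ACE."""
    account, sep, perm = text.strip().rpartition(":")
    if not sep or not account or not perm:
        return None
    return account.strip(), perm.strip()


def parse_cacls(output):
    """Group cacls output lines into one FileAcl per file.

    Assumes paths contain no spaces (true for system32\\drivers); a path with
    spaces would need the ACE split moved to the last 'account:perm' token."""
    entries = []
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Indented line: another ACE belonging to the current file.
            if entries and (ace := parse_ace(raw)):
                entries[-1].aces.append(ace)
        elif raw.strip().upper() == "ACCESS IS DENIED":
            if entries:
                entries[-1].denied = True
        else:
            path, _, first_ace = raw.partition(" ")
            entry = FileAcl(path=path)
            if ace := parse_ace(first_ace):
                entry.aces.append(ace)
            entries.append(entry)
    return entries


def audit(entries):
    """Return (path, reason) findings for unreadable or over-permissive files."""
    findings = []
    for entry in entries:
        if entry.denied:
            findings.append((entry.path, "ACL unreadable: ACCESS IS DENIED"))
        for account, perm in entry.aces:
            # The permission may carry inheritance flags such as (OI)(CI)F;
            # the trailing letter is the effective access level.
            if account.upper() in LOW_PRIVILEGE and perm[-1].upper() in WRITE_LETTERS:
                findings.append((entry.path, f"writable by {account} ({perm})"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(parse_cacls(SAMPLE_CACLS_OUTPUT)):
        print(f"{path}: {reason}")
```

    On a real box, run the cacls command from a cmd.exe window with its output redirected to a file, then feed that file to parse_cacls; an unreadable driver is worth the same attention as a writable one.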
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sounds possible that they did not send you a Windows XP boot disk but rather something else. With Windows running, access the CD drive from Windows Explorer. What files and folders do you see in the root of the CD?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is what I suspected would happen but I was hoping it would not. It is almost like this file is corrupted in your file system.
     
  30. Infected

    Infected Private E-2


    folders: $oem$, docs, dotnetfx, i386, support, valueadd

    files: autorun.inf, readme.htm, setup.exe, setupxp.htm, win51, win51ic, win51ic.sp2
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the correct type files but that still does not mean that it is a bootable CD. I'm not sure if there is an easy way to check since that info does not show in file listings. Do you have another PC you could try booting from this CD?

    It is starting to look more and more like you will need to reinstall since nothing we can easily do is working. We may be able to make a boot disk with a utility like Ultimate Boot CD (Basic) I have not experimented with this though and I'm not sure of all of the capabilities after making it. Do you think this is something you can make after reading the info on the download page?
     
  32. Infected

    Infected Private E-2

    I'll try booting another PC with this CD tomorrow. Might give Dell Support another call tomorrow (wish me luck) to ask if I should be able to boot from it.

    I also will check out that link tomorrow, and see if I think I can make my own.

    Let me ask you 2 questions:

    1) What are the risks of continuing to run this computer with these viruses on the system?

    2) How can I make a donation to this site?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would think it should be a bootable CD. If it works in another PC, then there may be something wrong with your existing CD drive and you may need to swap it temporarily with the one that works (if you find one that works).


    That link I gave you is not going to make a Windows XP boot CD. It is a special diagnostics CD. You can read about it here: http://ubcd.sourceforge.net/


    In reality, I'm not sure since this is some kind of new infection that seems to be related to Vundo and or Winlogonhook. It could just cause popups and other issues and slow your PC down. But it could also lead to multiplying infections which really cause more problems. I noticed that many files that got deleted started to come back over a period of reboots on your PC. So I would expect the infection to propagate.

    The site is not setup to accept donations. If you would like, you can donate to me via Paypal but that is purely up to you.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have not already downloaded and started using the Ultimate Boot CD (Basic), it would probably be better to use the more advanced and newer version:

    Ultimate Boot CD
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you had a chance to try booting the disk that Dell sent to you on another PC?
     
  36. Infected

    Infected Private E-2

    Yes, I did. And the PC booted from the disc no problem.

    It asked me to hit any key to boot from CD, I did, and it started loading a bunch of files, just as you described. I was truly afraid of that. I guess that means my CD-rom drive is either not setup properly, or corrupted?

    I will try using the Ultimate Boot CD program you suggested either tonight or tomorrow night, and will let you know my progress.
     
  37. Infected

    Infected Private E-2

    Chas, GOOD NEWS! (and bad news).

    --Good news: I went into BIOS, and was able to determine that my DVD-rom drive was setup as master on the secondary controller, not the CD-Rom drive. So, I got the disc to work by booting from there. Should have thought of that earlier, but I guess I was too frustrated at the time.

    --Bad news: I got as far as "copy timmhfhz.sys c:\MGtmp" from your instructions in post #73, and got another "access is denied" message. :mad
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I feel your pain and aggravation! :( Sounds like the malware may have corrupted the file on the disk to prevent access to it. Did you also try the ren command to try and rename the file? If not, please do so.

    Also run this once you are in the drivers folder:

    attrib -r -h -s timmhfhz.sys

    Then try to copy and also delete the file.

    Then also from the Recovery Console run the below command and tell me what happens:

    chkdsk
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FYI: If you want to know more about the Recovery Console:

    http://support.microsoft.com/kb/314058


    Don't bother with this. If the recovery console will not allow you to delete it, this will not help.
     
    Last edited: Jun 6, 2007
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing I just thought about! While in the Recovery Console, let's delete the other bad files and see what happens. Here is a set of commands to run.

    cd C:\WINDOWS\SYSTEM32
    del bmkudsqk.dll
    del hcrjmtaz.dll
    del llszanfs.dll
    del mmbammb.dll
    del plvwrthx.dll
    del mmbammb.dll.bak
     
  41. Infected

    Infected Private E-2

    OK, i've been working on timmhfhz.sys... will try to delete the other files after I type this out.

    I was able to rename the file to 'timmhfhz.sys.bad', and recovery console then also allowed me to copy the file to c:\MGtmp. HOWEVER, when I rebooted, there was nothing in the MGtmp folder. I can see the timmhfhz.sys file recreated itself in the c:\windows\system32\drivers folder, and the new 'timmhfhz.sys.bad' file is still in there as well. When I try to zip timmhfhz.sys.bad, I get an error message that the file doesn't exist or whatnot (using the right click method on winzip). I will try to rename and then delete it on my next attempt.

    Got an error message... something about "invalid parameters", but didn't write it down. I may have done something wrong... occurred to me I may have renamed the file before trying this command, and therefore should have done "attrib -r -h -s timmhfhz.sys.bad"

    Get the following message: "volume appears to be in good condition and wasn't checked" followed by the specs on how much free disc space I have.

    Below is my show new file. I am going back to try and delete the other bugs now. BTW, I also just noticed that the "aclist.txt" file that was missing back on June 1st now appears in my C drive. How is that possible? Attached below, and I'll be back shortly.
     

    Attached Files:

  42. Infected

    Infected Private E-2

    OK, went into the Drivers folder first and deleted timmhfhz (.sys & .bad), and then took out the requested .dll's from the system32 folder.

    I'm knocking on wood here, but it seems to have worked! None of the files have re-created themselves as of yet. I'm attaching another show new log, as well as an hjt log... if there's something different you want/need, please let me know.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! ;) See how important it is to have a bootable copy of your Windows OS!!!! (Notice 4 exclamation points. :)) I do see that some bad stuff has recreated itself in your temp folders. We need to get that cleaned up ASAP. If you look in your last newfiles.txt log you will see the below (along with other temp files):
    Code:
    "C:\WINDOWS\Temp\"
    lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
    oljxvlla.dll  Jun  6 2007       51712  "oljxvlla.dll"
     
    "C:\Documents and Settings\EditedUser\Local Settings\Temp\"
    lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
    oljxvlla.dll  Jun  6 2007       51712  "oljxvlla.dll"
     
    The below procedures should hopefully remove these before they get a chance to respawn.

    Now run HJT and have it fix the below lines:
    O2 - BHO: (no name) - {2A22DB24-1914-4E38-A2D8-FE16E237DF97} - c:\windows\system32\mmbammb.dll (file missing)
    O20 - Winlogon Notify: ihsadvma - mmbammb.dll (file missing)

    Then exit HJT and run the below!

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.


    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now reboot!

    After reboot attach new logs from ShowNew and HJT!


    That's because you entered the command wrong. Look in your newfiles.txt log and you will see that you copied the timmhfhz.sys file into a file named MGtmp that is in the C:\WINDOWS\SYSTEM32\DRIVERS\ folder where the original file was. Please see if you can put this MGtmp file into a ZIP file and attach it here. Once you get the ZIP file attached, delete the MGtmp file.

    You tell me. When was the last time you had those eyes checked out? :D
     
    Last edited: Nov 30, 2009
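    As an added example (not the thread's or ShowNew's own code), a Python parser for the newfiles.txt layout quoted above that flags loadable code appearing in Temp folders and groups identical drops across folders, which is the pattern chaslang is pointing at. The listing is constructed from the entries above plus two benign control rows (readme.txt and acpi.sys) that are not from the thread.

```python
"""Triage a ShowNew-style newfiles.txt listing: flag executable code that has
appeared in Temp folders and group identical drops across folders."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample in the layout quoted in the thread: a quoted folder line
# followed by one row per file (name, date, size, quoted name). The readme.txt
# and acpi.sys rows are benign controls added for this example.
SAMPLE_NEWFILES = r'''
"C:\WINDOWS\Temp\"
lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
oljxvlla.dll  Jun  6 2007       51712  "oljxvlla.dll"
readme.txt    Jun  5 2007         120  "readme.txt"

"C:\Documents and Settings\EditedUser\Local Settings\Temp\"
lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
oljxvlla.dll  Jun  6 2007       51712  "oljxvlla.dll"

"C:\WINDOWS\system32\drivers\"
acpi.sys      Aug  4 2004      187776  "acpi.sys"
'''

FOLDER_RE = re.compile(r'^"(?P<folder>.*\\)"$')
ENTRY_RE = re.compile(
    r'^(?P<name>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})'
    r'\s+(?P<size>\d+)\s+"(?P<quoted>.*)"$'
)
# Extensions Windows will load or execute; a .sys is a kernel driver.
CODE_EXTENSIONS = {".sys", ".dll", ".exe", ".scr", ".ocx"}


@dataclass(frozen=True)
class NewFile:
    folder: str      # always ends with a backslash, as in the listing
    name: str
    modified: date
    size: int

    @property
    def path(self):
        return self.folder + self.name

    @property
    def ext(self):
        return os.path.splitext(self.name)[1].lower()


def parse_newfiles(text):
    """Turn the listing into NewFile records; rows before any folder line are skipped."""
    folder, entries = None, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := FOLDER_RE.match(line):
            folder = m.group("folder")
        elif folder and (m := ENTRY_RE.match(line)):
            when = datetime.strptime(f"{m['mon']} {m['day']} {m['year']}", "%b %d %Y").date()
            entries.append(NewFile(folder, m["name"], when, int(m["size"])))
    return entries


def triage(entries):
    """Return (path, reason) findings: Temp folders should hold data, not
    loadable code, and driver files belong in system32\\drivers."""
    findings = []
    for f in entries:
        in_temp = "\\temp\\" in f.folder.lower()
        if f.ext in CODE_EXTENSIONS and in_temp:
            findings.append((f.path, "executable code in a Temp folder"))
        if f.ext == ".sys" and not f.folder.lower().endswith("\\drivers\\"):
            findings.append((f.path, "driver file outside system32\\drivers"))
    return findings


def identical_drops(entries):
    """Same name and size in more than one folder: one dropper writing several copies."""
    seen = defaultdict(list)
    for f in entries:
        seen[(f.name.lower(), f.size)].append(f.folder)
    return {key: folders for key, folders in seen.items() if len(folders) > 1}


if __name__ == "__main__":
    records = parse_newfiles(SAMPLE_NEWFILES)
    for path, reason in triage(records):
        print(f"{path}: {reason}")
    for (name, size), folders in identical_drops(records).items():
        print(f"{name} ({size} bytes) dropped in {len(folders)} folders")
```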
  44. Infected

    Infected Private E-2

    done.

    done.

    Verrrry funny. ;) I knew that would be your reaction... but seriously, is there any way you could think of that the file wouldn't have been there when I checked? Might it have simply taken a while to create, and I checked for it too quickly, or could it have only appeared after reboot, or... i dunno... anything? I mean, windows search couldn't find it either back then... wasn't just my own eyes :p. Not that it's a pressing issue at this point, just curiosity. confused

    Anyway, crossing my fingers that this bug is finally gone!
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you could have easily not seen it. When new files are copied to a folder, they may appear in the folder at the very bottom of the file list and not in alpha order until you refresh the view.


    Delete the below folder:
    C:\Documents and Settings\EditedUser\Application Data\Viewpoint

    Delete the below files:
    C:\WINDOWS\SYSTEM32\DRIVERS\MGtmp
    C:\WINDOWS\SYSTEM32\DRIVERS\MGtmp.zip

    Did ATF-Cleaner run okay? I still see the below files in your Temp folders and they still have the same date:
    Code:
    "C:\WINDOWS\Temp\"
    lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
     
    "C:\Documents and Settings\EditedUser\Local Settings\Temp\"
    lduhgsmb.sys  Jun  6 2007        4480  "lduhgsmb.sys"
    
    Try deleting these files manually and tell me what happens. If they delete without a problem, reboot and check to see if they come back. If they do, put one in a ZIP file and attach it here.
     
    Last edited: Nov 30, 2009
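The check asked for above (delete the suspect temp files, reboot, see whether they come back) can be made repeatable instead of eyeballing Explorer. The script below is an added example written for this page, not a tool from the thread or from MajorGeeks: it fingerprints each listed path (size, mtime, SHA-256), tries to delete it, reports files that cannot be removed because something still holds them open, and after a reboot compares a saved baseline against a fresh snapshot so a re-dropped file with identical content stands out from a merely similar name. The path list, the baseline file location and the demo() scenario (two constructed files in a temporary directory, one of which is written back the way a dropper would) are assumptions for illustration.

```python
import hashlib
import json
import os
import tempfile

# Assumed example paths: the two copies of the temp-folder driver named in the
# thread. Replace with whatever files you were asked to check.
SUSPECT_PATHS = [
    r"C:\WINDOWS\Temp\lduhgsmb.sys",
    r"C:\Documents and Settings\EditedUser\Local Settings\Temp\lduhgsmb.sys",
]
BASELINE = r"C:\suspect_baseline.json"  # assumed location for the saved snapshot


def fingerprint(path):
    """Return None if the file is absent, else its size, mtime and SHA-256."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def snapshot(paths):
    """Fingerprint every path so the state can be compared after a reboot."""
    return {p: fingerprint(p) for p in paths}


def try_delete(paths):
    """Delete each file. A PermissionError means something still has the file
    open (on Windows typically a loaded driver or a running process), which is
    itself a finding worth reporting back."""
    results = {}
    for p in paths:
        try:
            os.remove(p)
            results[p] = "deleted"
        except FileNotFoundError:
            results[p] = "missing"
        except PermissionError as exc:
            results[p] = "in use: " + str(exc)
    return results


def compare(before, after):
    """Report paths present in both snapshots. An identical hash means the same
    file was dropped again; a different hash means a fresh variant."""
    findings = {}
    for p, old in before.items():
        new = after.get(p)
        if old is None or new is None:
            continue  # absent before, or still gone now: nothing to report
        same = old["sha256"] == new["sha256"]
        findings[p] = "recreated, identical content" if same else "recreated, different content"
    return findings


def save_baseline(snap, path=BASELINE):
    with open(path, "w") as fh:
        json.dump(snap, fh)


def load_baseline(path=BASELINE):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: two files in a temp directory are deleted, then
    one is written back with the same bytes (a dropper re-creating it after
    reboot). Returns the findings keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        sus = os.path.join(d, "lduhgsmb.sys")
        harmless = os.path.join(d, "harmless.tmp")
        payload = b"MZ" + b"\x00" * 4478  # constructed 4480-byte stand-in, not real driver bytes
        for p, data in ((sus, payload), (harmless, b"scratch")):
            with open(p, "wb") as fh:
                fh.write(data)
        base = os.path.join(d, "baseline.json")
        save_baseline(snapshot([sus, harmless]), base)
        deleted = try_delete([sus, harmless])
        assert all(v == "deleted" for v in deleted.values())
        with open(sus, "wb") as fh:  # "after reboot": only the driver is back
            fh.write(payload)
        after = snapshot([sus, harmless])
        return {os.path.basename(p): v for p, v in compare(load_baseline(base), after).items()}


if __name__ == "__main__":
    print(demo())  # {'lduhgsmb.sys': 'recreated, identical content'}
```

In real use run snapshot() and save_baseline() on SUSPECT_PATHS, then try_delete(), reboot, and run compare(load_baseline(), snapshot(SUSPECT_PATHS)); an "in use" result before the reboot is the same symptom as the timmhfhz.sys file that cacls and the ZIP tool could not open.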
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  47. Infected

    Infected Private E-2

    No way, I'm well aware of that phenomenon! I absolutely checked in both places (alphabetically, and at the bottom of the file list). Also, as I said, the Windows search function could not find either aclist or aclist.txt. confused Any ideas? :highfive

    done.

    Already done, deleted after I attached on my last post.

    Yeah, as a matter of fact, it ran properly twice... I did it once for IE, once for Firefox. Nonetheless, I was able to manually delete both those files, and it doesn't seem as if they've come back. I'm attaching a new "show new" log, if you're interested ;)

    ...just caught this. lol :D
     

    Attached Files:

    Last edited by a moderator: Nov 30, 2009
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, always. ;) Since running cacls was actually hanging when it got to the timmhfhz.sys file, the program did not dump the write buffer to disk right away and thus the file was not appearing. When you did a reboot, that buffer was written because the program was now terminated. Thus the file would appear after the reboot and, as rightly seen in the file, it ends (i.e., hung) while processing the problem sys file.


    Your log is clean. :):):)

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can also remove any other special programs that were not mentioned above.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
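The buffering effect described in the post above (a redirected output file that stays empty while the tool sits on the problem file, and only fills in once the process has ended) is easy to reproduce. The Python below is an added example for this page, not anything from the thread: a constructed child program prints a line per file and then "hangs" on the last one, with its stdout redirected to a file the way `cacls ... > aclist.txt` would be. The parent reads the file size while the child is stuck and again after it has ended, both when the child exits on its own and when it is killed instead. The marker file, the file names and the hang duration are assumptions made for the demonstration.

```python
import os
import subprocess
import sys
import tempfile
import time

# Constructed child program: prints a progress line per file, then stalls on
# the last one. It never flushes, like a tool whose stdout has been redirected.
CHILD = r"""
import pathlib, sys, time
for name in ("a.sys", "b.sys", "timmhfhz.sys"):
    print("processing", name)
pathlib.Path(sys.argv[1]).touch()  # tell the parent: all lines written, now hanging
time.sleep(2.0)                    # the simulated hang
"""


def run_redirected(unbuffered, kill=False):
    """Run CHILD with stdout redirected to a file.

    Returns (bytes_on_disk_while_hung, bytes_on_disk_after_end).
    unbuffered=True runs python with -u, so every print() goes straight to disk.
    kill=True terminates the hung child instead of letting it exit on its own.
    """
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "aclist.txt")
        marker = os.path.join(d, "hung")  # assumed signal file for the demo
        cmd = [sys.executable] + (["-u"] if unbuffered else []) + ["-c", CHILD, marker]
        with open(out, "wb") as fh:
            proc = subprocess.Popen(cmd, stdout=fh)
            deadline = time.time() + 15
            while not os.path.exists(marker):  # wait until the child is stuck
                if time.time() > deadline:
                    proc.kill()
                    raise RuntimeError("child never reached the hang point")
                time.sleep(0.05)
            during = os.path.getsize(out)
            if kill:
                proc.kill()
            proc.wait()
        after = os.path.getsize(out)
    return during, after


def main():
    for label, args in (
        ("buffered, exits normally", dict(unbuffered=False)),
        ("buffered, killed while hung", dict(unbuffered=False, kill=True)),
        ("unbuffered (-u), killed while hung", dict(unbuffered=True, kill=True)),
    ):
        during, after = run_redirected(**args)
        print(f"{label}: {during} bytes visible while hung, {after} after it ended")


if __name__ == "__main__":
    main()
```

The practical caveat when capturing a tool's output this way: while it is wedged on a locked or hidden file the redirected log lags behind what the tool has actually done, and if the process is killed rather than allowed to exit, whatever was still in its buffer never reaches the file at all. Prefer an unbuffered mode or periodic flushing when the tool offers one.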
  49. Infected

    Infected Private E-2

    You are the man, Chas!!!!! (5 exclamation points! :D)

    Can't believe we finally beat this demon. And we did it in under 100 posts too lol. I'm almost gonna miss coming here to read the boards every night ;)

    Very appreciative for all your patient assistance.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the key was getting your bootable Windows CD. If you check back, it was around message # 22 where I started enquiring about having this CD. I knew it was going to be the only way to remove this.

    You can always come back to visit us anytime. There is much to learn in all forums. And you may find the Lounge to be fun.


    Surf safely! :)
     
