Trojan horse Agent.AMAW in C:\Windows\system32\avwa.dll

Apologies if I should just do as Mullah of the trojan horse.AMAW thread did, but it feels a bit like taking someone else's prescription medicine and I'm new here.

Trojan horse Agent.AMAW in C:\Windows\system32\avwa.dll
I wish I’d written this down as it actually happened BUT… (I luv big BUTs)
This HP-Compaq Pavilion a640.uk computer – a quixotic source of wonder and frustration to its owners, my octogenarian parents, and not much less of one to me, its main user, on my weekend visits - was scheduled to be enhanced with that new-fangled broadband yesterday (26 November 2008). So recently I figured I’d make it extra efficient, in honour of the expected new technology. It runs Windows Firewall, SpybotS&D 1.5.2 and AVG Free Edition and I update and scan every week. I routinely empty RecycleBin, delete IE’s Temporary Files, Cookies and History, and often scour unused space with Eraser. The week before last, to tidy up further, I downloaded (by dial-up) and ran Uniblue’s RegisterBooster and DriverScanner.
but soon after that – 20November 2008, I think – AVG Free Edition popped up with its first report of Trojan horse Agent.AMAW in C:\Windows\system32\avwa.dll. AVG Free Edition claimed to heal this but didn’t. (SpybotS&D found and fixed an instance of Smitfraud at about the same date.) Expecting better, I downloaded Malwarebytes’ Anti-Malware. I vaguely recall this found a second infected file (with a name like gillbilski – seeming to relate to an antique books website I’d surfed of late). I deleted that file but cannot lay a glove on avwa.dll. AVG Free Edition’s Threat announcement continued to pop-up, seemingly coinciding with each new application or web-page, whether I clicked Heal, Vault, Ignore or simply let it time-out. I resorted to a SystemRestore - your head is in your hands already, isn’t it? - taking the only available Restore Point of 18 November 2008. This only succeeded in crippling Malwarebytes’ Anti-Malware boot-up with a 16 bit MS-DOS Subsystem message: C:\ WINDOWS\system32\regsvr32.exe
C:\PROGRA~ 1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed Dll initialization. Choose ‘Close’ to terminate the application
So I consulted MajorGeeks’ website.
As recommended, I did basic computer maintenance, slimming Programs and My Documents, and then employing CCleaner and IObit SmartDefrag. Subsequently I’ve uninstalled Avast (unused) and remnants of Symantec.
 Step 1: House Cleaning & Setup: I found no named malware programs; did jettison a SunJava file; confirmed Msconfig is on Normal Startup; emptied some apparent quarantine files BUT forgot AVGFree Edition’s vault.
 Step 2: Enable viewing of Hidden Files ..: check! Did some repeat file deleting in Administrator Account via Safe Mode’s fish-eye view, seeing nothing malicious.
 Step 3: Select and Run cleaning link
Windows XP Cleaning Procedures
 Step 1 Downloading Tools: Ah. This is where I started colouring-in outside the lines a bit and retracing missed spots in the join-the-dots. SUPERAntiSpyware downloaded okay. Spybot S&D I knew I already had, yet your edition on offer is version 1.6 (mine 1.5.2) so I started a new session with my ISP (I’m dial-up, remember, 2 hour limit) and began the download. After 42 minutes it stalled at 89% and on 51 minutes it failed at the same mark. I did get it at a second attempt BUT – knowing I had my old version, updated that day – not yet. Next came combofix.exe and MGTools.exe BUT not necessarily in that order because watching downloads dribbling in at 6kBps had proved mind-numbing. (Are you sure you should keep pulling your hair out, like that?) I also replaced my non-starter Malwarebytes’ Anti-Malware with a fresh one.
 Step 2 Installing Tools and Running Scans: Hmmm. Since their logs are time-coded, you’ll see that these ran in higgledy-piggledy order too. SUPERAntiSpyware had no problem. SpybotS&D went well enough BUT when? Malwarebytes’ Anti-Malware fell at the first although not quite like its forerunner. A machine-code blackboard blipped momentarily, before the following Error panel appeared: C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll. Unable to register the DLL/OCX: RegSvr32 failed with exit code 0x1. ‘Retry’ and ‘Ignore’ made no headway, so ‘Abort’ was used. Around about then, it occurred to me to empty AVG Free Edition’s Virus Vault. After that, combofix.exe was okay, if memory serves, and MGTools seemed fine – BUT for the fact that, reading ahead beforehand (phrenology, anyone?), I imagined that its Error Message Type 2 guidance might help Malwarebytes Anti-Malware. So, after backing up the Registry, I tried the suggested Regedit.exe fix on HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\VirtualDevice Drivers\VDD. This succeeded to the extent that when I tried again to run Malwarebytes Anti-Malware it got fractionally further before a new set of error messages aborted the boot-up. Namely: vbAccelerator SGrid II control. Run-time Error ‘0’ and then Malwarebytes Anti-Malware Run-time Error ‘440’ Automation Error.
 Step 3 Still having Problems. Of course! I’m delaying broadband connection pending your confirmation that my malware infections have no bearing. Disrespectul of the demise of Malwarebytes’ Anti-Malware, AVG Free Edition keeps gleefully informing me about the ever-present C:\Windows\system32\avwa.dll. Trojan horse Agent.AMAW. It won’t surprise me if that’s still there simply because I didn’t do as MajorGeeks expected. At least I didn’t run the scans more than once. Sorry that the attached logs are a man down and probably not in the order of succession you prefer, however I’m confident and grateful that your wiser (if somewhat mistreated) heads will find some astute advice for me. And no BUTs.
Neilm. 27November2008

 

Hello chaslang, and thanks for being there.
I am poised to 'Do a system scan only' with C:\MGtools\analyse.exe but do not have the line
O2 - BHO: (no name) - {8570287D-A970-2D7C-66F5-834B196649DF} - (no file)
Shall I proceed on just the other three lines?

 

I see from a printout (Search fails to find its source file on my pc) of 'hijackthis notepad log 25-11-08 1518' that three days ago I had an
O2 - BHO: offersfortoday browser enhancer - {8570287D-A970-2D7C-66F5-834B196649DF} - C:\WINDOWS\system32\gijilrdyll.dll (file missing)

This, I now realise, is the file I meant in my original post, as in: "I vaguely recall this [Malwarebytes’ Anti-Malware] found a second infected file (with a name like gillbilski – seeming to relate to an antique books website I’d surfed of late). I deleted that file but cannot lay a glove on avwa.dll."
Does this help?

 

Masterful advice, chaslang!
Logs attached.
I am holding my breath. No sign of AVG's Agent.AMAW Threat warning, even though I opened fresh web-pages and a new application simply to goad it.
These last two days (since combofix's initial run, perhaps significantly) this Tesco.net dial-up connection keeps having to run through its range of numbers before it recognises one (1470126308454****00) that it had previously failed to. But as I switch to TalkTalk broadband as soon as you sign off on me, that's no biggie.
Many thanks - I'm so pumped I'm gong to try out my first ever slimies - similes - drat, I've over-reached myself.

 

:-o I have failed, o master chaslang, and brought shame upon the sacred sisterhood.
I gave HJT a handful of chances but to no apparent effect upon
O2 - BHO: (no name) - {4D87BB8C-8D29-4880-82FC-CDFCF6E68D97} - C:\WINDOWS\system32\avwa.dll
Latest log attached. (I'm still better off now than when I opened the thread.)

 

Good morning, chaslang, and thanks again for you attention.
My thumbs-up icon should really be a fingers-crossed.
I got the Registry Editor success message, so C:\ MGlogs.zip is attached.
If the logs don’t read as you hope it may be because, after the success message, I was surprised not see the filename fixBHO.reg listed in the c:\systems32\registry window. The filename slot (left of the Open button) was empty, so it’s not as if it was there waiting to be confirmed. I clicked on Desktop to see if fixBHO.reg was listed as being there (I can see the icon) and was told that the location was not accessible. So I back-arrowed; then clicked Open – predictably nothing noticeable occurred; next I clicked Cancel to close the c:\systems32\registry window. The remaining c-prompt blackboard told me regedit exited on FRONTROOM with error code 0, which I’m guessing is good.
But it wasn’t until after all that that I ran C:\MGtools\GetLogs.bat. Now that I’ve made my excuses, I’ll leave.

 

You see how much I have learned at your feet, chaslang? I knew that last cock-up was my fault.
I think I got seduced by the smilies - I'm now concentrated on the important stuff.
New MGlogs.zip file herewith. Ta.

 

Greetings, chaslang.
Groanings, chaslang.

Post#13 was unlucky. As unlucky as Posts #7, #9 and #11.
Attached are my latest SAS log and MGlogs.zip file compiled per Post#13.

There is no Malwarebytes’ Antimalware log. In my pc’s present bad mood, newly downloaded Malwarebytes’Antimalware will not install even though mbam.exe is renamed mb.exe.
“C:\Program Files\Malwarebytes’ Antimalware\mbamext.dll
Unable to register DLL/OCX: Regsvr32 failed with exit code 0x1”
(This failure is as was the case on 27 November 2008. This time round I have not tried to adapt the MajorGeeks’ MGTools Error Message Type 2 advice).

Also attached is an earlier (renamed) MGlogs.zip file, because I re-ran your instructions from Posts #7, #9 and #11 before following Post #13. The outcome was no different so far as I could see - but I do not read the logs.

Otherwise on balance things are working less alarmingly than immediately pre-chaslang. AVG’s formerly irrepressible pop-up warning of Trojan horse Agent.AMAW in C:\Windows\system32\avwa.dll has not been seen at all of late.

Currently there are trivial issues which I would mention only because they may have a significance to you that is entirely lost on me. Stuff like the fact that I’ve begun this reply a couple of times “on site” in the thread and got bombed out as “not logged in”. (Perhaps for dawdling, per MajorAttitude’s orientation advice about “waffle”? Or “breathing” as I know it.) All of that is in a separate post-attachment because I doubt it you’ll need to bother with it. And hope you won’t.

Thanks for your patience and persistence.

 

Uh-oh. It’s that desperate, is it, chaslang?

Just to prove MBAM used to work here, and in case it sheds some light, I’ve attached its log from November25th.

Sorry the second attachment is a Word doc but that’s the only way I could think of to incorporate screengrabs. I only compiled it because I figure if I grasp at enough straws I’ll get sufficient bales to make a haystack and can start looking for a needle in it.

Best of luck.

PS Change of plan - word.doc too big! MBAM only here.

 

Sorry, chaslang. I didn’t intend this romp in the hay to be quite this separate from the previous one.

Re. your enquiry “how are things working on your PC?”
neilm waffle.doc is a litany of trivia that was to have included screengrabs but they don’t fit 97.7 kb.

Best of luck gleaning the wheat from the chaff. (My waffle is gluten-free).

 

TDSSserv.sys not found.
TLI?
Cheers, chaslang.
neilm

 

I don't envy you, chaslang.

Rio8Drv.sys Usb Driver Coyright (C) S3/Diamond Multimedia Systems 2000
does not look familiar to me. According to its Properties it was modified on 12February 2004 - which is approximately when the pc was purchased.
I don't have an RIO USB device or anything from Diamond Multimedia.

c:\windows\system32\drivers\daiuhelk.sys
C:\WINDOWS\system32\avwa.dll
are in the attached zip file.

C:\Qoobox\Quarantine\C\WINDOWS\system32\_avwa_.dll.zip
is no longer there. C:\Qoobox\Quarantine\C\WINDOWS\system32 is empty. Should I re-run a program to recapture it, and if so which?

TMI, anyone?
re USB devices: other makes' USB flash drives often used; digital camera occasionally; USB V2.0 4-port mini hub owned but unused; USB 2.0 network bridge cable failed on its only outing (the linked pc probably needed USBv1).
re multimedia devices: 5-year-old WinTV card in situ since August 08 has never worked (is always told that another application is using the window it wants and, seeking updated drivers to help, Driver Detective discouraged me with chipset driver jargon before saying the system didn't have the resources to cope with what i was trying to install).

So then, not envy, chaslang; but appreciation, certainly.

 

Hello, chaslang.
If that Happy Christmas I wished you depends on Malwarebytes’ AntiMalware running on this pc, there is no Santa Claus. Only three yule logs attached.

With Windows Firewall and AVG7.5 disabled so as not to impede a fresh download of Malwarebytes’ AntiMalware, and allowing Winlogon etc. changes to the register, whether mbam-setup.exe goes under its own name or that of mbam.exe, I still get;
Error C:\ProgramFiles\Malwarebytes’ AntiMalware\mbamext.dll Unable to register the DLL/OCX: RegSvr32 failed with exit code 0x1

Clicking ‘Retry’ achieves nothing and ‘Ignore’ generates these:
vbAccelerator SGridII Control runtime error ‘0’:
Malwarebytes’ AntiMalware runtime error ‘440’: Automation error

Is there an alternative to Malwarebytes’ I should run?
Mentioning alternatives; Happy Hannukah and/or Holidays?

 

chaslang wrote; "Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work."
Registry Editor wrote; " Information in C:\Documents and Settings\Owner\Desktop\fixme.reg has been successfully entered into the register"

Now to download The Avenger by Swandog46, and save it to my Desktop...

 

:confused Ho Ho Woe, chaslang.
As Santa’s little helper, I seem to be being very little help at all.

When avenger.exe rebooted the pc, pop-ups appeared containing the following (The Notepad ! is in a yellow triangle. The Windows X is in a red circle):

“Untitled – Notepad
Notepad ! The Process cannot access the file because it is being used by another process.”

“Windows - No Disk
X Exception Processing Message c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c”


avenger.exe did not delete c:\Windows\System32\avwa.dll
Neither can I. I am told;
"Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."

avenger.exe did not delete c:\Windows\System32\drivers\daiuhelk.sys
Neither can I. . I am told;
"Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."

When I cursor over the avwa.dll file it says "created 16/11/2008 11.47" which seems weird for a file supposedly modified 11/02/2004 19.34.
When I cursor over the daiuhelk.sys file it says "created 22/06/2004 22.27" which seems weird for a file supposedly modified 11/02/2004 19.01

Meanwhile avenger.txt has been writing for an hour, and is 40million Kb long (by very far the biggest file on the hard-drive) and growing. You usually give notice when processes will take a long time so I’m suspicious. And there’s no way you want me attaching and sending a file that size, is there? Therefore, I bail out – not easily. Ctrl Alt Del is required to exit the view of the C drive contents, including the still-building avenger.txt, and, from the sound of it, it is still writing when I turn off the pc.

This happens again when I delete, download and run The Avenger seven hours later. I didn’t change any check-boxes, honest. Furthermore, avenger.txt recommences writing from its beginning whenever the pc is re-booted. I presume it would fill the hard-drive if the pc was on for long enough. I have again (by deletion) uninstalled The Avenger for peace of mind.

If required, I’ll persist, or begin again (I have a system restore point per, and prior to, Resetting Registry and File Permissions). I’m just here now for reassurance. But don’t delay your seasonal celebrations to respond to this in a hurry. Except for non-co-operation with this fix, the pc is working well.
Many thanks for your efforts to date. Better luck in 2009.
neilm.

 

chaslang, you really shouldn't have. Especially as I didn't send you anything on Christmas Day.

But in response to your msg #28

Just the same as in Normal mode. The avenger.txt file snowballs. Backin Normal mode I ran Avenger again and tried shutting down the pc a.s.a.p. after the Avenger reboot just to cut avenger.txt off small enough to send you a sample for investigation but my smallest zip file is 6.7Mb! avenger.txt was always "too large for Notepad" , and Word believed "there is a serious disk error on file avenger.txt"

Neither Avenger nor I can delete C:\WINDOWS\system32\avwa.dll or
C:\windows\system32\drivers\daiuhelk.sys

I can delete everything in C:\WINDOWS\TEMP
but in C:\Documents and Settings\Owner\Local Settings\Temp two files defy deletion:
Perflib_Perfdata_764 "is being used by another..."
rmrwhtwy.dat "access is denied"

I've tried to second-guess you here, which is probably a no-no. Anyway, in addition to the TWO quoted search strings:
4D87BB8C-8D29-4880-82FC-CDFCF6E68D97
awva
I added avwa in case "awva" was a typo.

Logs attached. In view of your dedication to the cause, mistletoe might have been more appropriate.

 

My New Year Resolution to "do EXACTLY as chaslang says" broke on the first try. combofix.exe from READ & RUN ME had expired and, true to form, I picked the wrong option by not running the limited-capability version, so had to download it again and (in drag&dropping WindowsXP-KB310994-SP2-Home-Bootdisk-ENU.exe into it) I (had to?) let it run again BEFORE CFscript.txt was drag&dropped into it. Hence the 'before' and 'after' logs attached.
Also - there's always an also - Combofix.exe insisted the AVG7.5 was active so I (had to?) let it Combofix.exe run at my own risk.

I'm sure the only Grisoft files on this pc are avgse.dll and avgupsvc.exe and those only because access is denied when I try to delete them. Before New Year (29 December 2008 23.00) I tried unsuccessfully to replace AVG7.5 with AVG8 (from MajorGeeks - the 1400 version that solves the 1399 glitches). I got this:
AVG Free 8.0 build 176 (11/25/2008)
Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005
Trying to re-install AVG7 got me:
AVG Setup
Installer initialization failed due to following error:
Error: Initialization of the language file "C:\Program Files\Grisoft\AVG7" failed.
General failure.
And now the system boots-up reporting:
Could not initialize AVG Anti-Virus kernel interface. Application cannot run.
So I've been running without virus protection - I thought.

I’m wondering if I featured as a chaslang New Year Resolution at all. And whether it just broke too.

 

chaslang
I have only just noticed that avwa.dll and daiuhelk.sys are gone!
Suddenly 2009 IS a happy new year.
Do you have a forum advising how to make that thumbs-up thank-you icon a million-times bigger, so it fits what you deserve?
Cheers, neilm

 

Another successful campaign medal is poised to be pinned on your chest, chaslang, with a special commendation for your survival of friendly fire.
AVG Free 7.5.524 is now re-installed and giving my pc a clean bill of health.
I await final instructions.