
Cannot Remove Downloader.delf.bdh Infected Dll


14 replies to this topic

#1 Stevio (Members, 10 posts)

Posted 18 April 2008 - 10:41 AM

Greetings all,

I recently started using AVG free edition on my laptop (running XP Media Centre edition) and it has discovered an infected file in WINDOWS/System32 folder called dmbandu.dll

Trouble is, AVG can't do anything with it. It puts it in the virus vault over and over again and says it will delete on rebooting but the original file remains in the System32 folder and I just end up with copies of it in the virus vault. I have rebooted in safe mode with system restore switched off and tried to delete it but nothing works. There was also another file in System32 called dmbandu.bak which I did manage to delete with KillBox - but KillBox is unable to delete the troublesome dmbandu.dll either.

Have run Spybot, Ad Aware, Kaspersky online scanner, ESET online scanner, RogueScanner (obviously not at the same time!) plus one or two others as recommended on the AVG forum and they don't even pick up the file at all. This made me think it might be a false-negative but it definitely looks like malware as it was created last month and has no info about the file when you look at its properties. And just the fact that it seems to be undeletable suggests it's suspicious.

Can anybody advise me as to the next step? I'm tearing my hair out now as nothing seems able to touch it :thumbsup:

Thank you!


#2 Stevio (Topic Starter, Members, 10 posts)

Posted 18 April 2008 - 10:44 AM

Whoops! I did of course mean false-positive! Long day at work! :thumbsup:

#3 ruby1 (Members, 2,375 posts)

Posted 18 April 2008 - 11:28 AM

Do you want to try a couple of other scans to see if THEY flag it up?
Try a-squared:
http://www.emsisoft.com/en/software/free/

from
http://download6.emsisoft.com/a2FreeSetup.exe

and SUPERAntiSpyware from http://www.superantispyware.com/superantis...efreevspro.html

Its .exe is here: http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

I suggest you download and install both, fully update the definitions, reboot the computer into safe mode and launch each from their desktop icons;

you need to do a full deep scan with a-squared and a complete system scan with SUPERAntiSpyware.

Each program will produce a log/report; when you have rebooted into normal mode after both scans are run, please post back here the results for the team to check.

Run each scan separately; depending on how much is on the computer these scans CAN take up to four hours to run ...so be prepared.

#4 Stevio (Topic Starter, Members, 10 posts)

Posted 18 April 2008 - 05:27 PM

Many thanks for the advice. OK have run both programs - asquared found one piece of spyware and Superantispyware just found four cookies. I moved digstream.exe to quarantine but the dmbandu.dll still remains so must be unrelated.

Should I go the HijackThis route now?

Here's the asquared log:

a-squared Free - Version 3.5
Last update: 18/04/2008 19:02:19

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 18/04/2008 19:21:22

C:\Program Files\DIGStream\digstream.exe detected: Riskware.Downloader.Win32.DigStream

Scanned

Files: 184323
Traces: 175148
Cookies: 17
Processes: 14

Found

Files: 1
Traces: 0
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 18/04/2008 21:21:51
Scan time: 2:00:29

C:\Program Files\DIGStream\digstream.exe Quarantined Riskware.Downloader.Win32.DigStream

Quarantined

Files: 1
Traces: 0
Cookies: 0

#5 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 18 April 2008 - 08:28 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 Stevio (Topic Starter, Members, 10 posts)

Posted 19 April 2008 - 02:39 PM

Many thanks boopme. I ran the program and it found several malware items. I rebooted as instructed and they are now gone. However, dmbandu.dll still lives on!

Here's the log:

Malwarebytes' Anti-Malware 1.11
Database version: 656

Scan type: Quick Scan
Objects scanned: 32625
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Steve\Desktop\xB-Browser_2.0.0.12b.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\hb14c.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\prx992h.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Steve\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

#7 Stevio (Topic Starter, Members, 10 posts)

Posted 19 April 2008 - 05:02 PM

Update! Looks like I'm all clear :flowers:
The dmbandu.dll file is now showing as a legitimate Microsoft file and is not picked up as a threat by AVG any more. A new dmbandu.dll.bak had appeared and was picked up by AVG, but KillBox took care of that with a reboot. I have run a full scan and no threats are detected any longer.

Thank you so much for the help. It's so cool that forums like this exist. :thumbsup:

#8 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 20 April 2008 - 09:27 PM

Great news and good job!!
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#9 Stevio (Topic Starter, Members, 10 posts)

Posted 23 April 2008 - 11:03 AM

OK, did all that and nothing is cropping up with AVG now. Am still a bit puzzled by that dmbandu.dll file though. Even though it now says it's a Microsoft file, whereas it didn't before, I still can't delete it. As it was only created on March 23rd, and the other couple of dmband-related DLLs were shown as being created way back in like 2003 or something, I can't help but still be suspicious of it. It attaches itself to winlogon and explorer.exe at startup, which I think is why it is always locked and I can't delete it.

Any thoughts? I just want to zap it completely!

#10 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 23 April 2008 - 09:54 PM

Let's run it through here and get a report on the file(s). Submit them here and post back what they say.
Jotti's malware scan

#11 Stevio (Topic Starter, Members, 10 posts)

Posted 24 April 2008 - 04:41 PM

Thanks for sticking with me! OK here are the reports:

File: dmbandu.dll
Status: INFECTED/MALWARE
MD5: 056b2a52946b50aaba0906b5c966b08a
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 24 Apr 2008 21:36:17 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found Mal/EncPk-CL
VirusBuster: Found nothing
VBA32: Found nothing

Last file scanned that at least one scanner reported something about: msnsasırt.exe (MD5: c02eba2571d5600f4cd839814ec4cd9d, size: 906752 bytes), detected by:

AVG Antivirus: Dropper.ErPack.AD
(every other scanner listed above: no detection)

#12 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 24 April 2008 - 09:53 PM

Hello again Stevio, you're welcome. I have read a lot on this trojan now. I read where AVG should remove it. Obviously not a reality for some reason. But let me ask: have you scanned with AVG from safe mode? Have you run the SUPERAntiSpyware scan also from safe mode? That scan log is also one I'd like to see.
Mal/EncPk-CL is a program packed with a protection system typically used by malware authors. This could make it hard to remove.
I'd like you then to do the SUPER scan and this SDFix scan. Return 2 logs, please. Hopefully this is it.

How to use SDFix

NOTES:
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Getting the Super scan log
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

After the SDFix has finished the SDFix log will automatically be opened in notepad.
Please copy and paste the Scan Log results in your next reply.

Tell us how things are now.

Edited by boopme, 24 April 2008 - 09:59 PM.

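An added example, not from this thread and not code from any of the tools it names, that does offline what the posts above do by hand: the opening post asks whether a System32 DLL with no version information and a recent creation date is legitimate, post #9 notes it is always locked by winlogon and explorer.exe, the Jotti report gives its MD5, and the post above explains that Mal/EncPk-CL means the file is packed. The script parses the PE headers of a copy of the DLL (taken off the machine, for instance from safe mode) and reports its hashes, link timestamp, whether an Authenticode signature block is present, and per-section Shannon entropy as a packing heuristic. The two sample DLLs are constructed inside the script and are not real binaries; the 7.0 entropy threshold, the link date, and the use of the MD5 quoted from the Jotti report as a comparison constant are assumptions made for the demonstration.

```python
# Added example: offline triage of a suspicious DLL image. Not from the thread or any tool in it.
import hashlib
import math
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory pointing at the Authenticode (WIN_CERTIFICATE) blob
IMAGE_FILE_DLL = 0x2000              # COFF characteristics flag: image is a DLL
ENTROPY_PACKED = 7.0                 # assumed heuristic: packed/encrypted code sits near 8 bits per byte
THREAD_REPORTED_MD5 = "056b2a52946b50aaba0906b5c966b08a"   # MD5 quoted in the Jotti report above


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8) of a buffer; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(data: bytes) -> dict:
    """Parse the PE headers of a file image and return triage facts; ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)                       # PE32 vs PE32+ directory table
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]                # NumberOfRvaAndSizes
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry is a (file offset, size) pair, not an RVA.
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    hdr = opt + opt_size                                               # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "matches_reported_hash": md5 == THREAD_REPORTED_MD5,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "link_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "authenticode_present": cert_size > 0,                         # present, not verified
        "likely_packed": any(s["entropy"] > ENTROPY_PACKED for s in sections if s["raw_size"]),
        "sections": sections,
    }


def build_sample_dll(section_data: bytes, link_time: int, signed: bool) -> bytes:
    """Constructed minimal PE32 DLL with one .text section, for demonstration only (not a real binary)."""
    align = 0x200
    opt_size = 224                                                     # PE32 optional header incl. 16 directories
    headers_size = (0x40 + 4 + 20 + opt_size + 40 + align - 1) & ~(align - 1)
    raw_size = (len(section_data) + align - 1) & ~(align - 1)
    cert = b"\0" * 8 if signed else b""                                # placeholder WIN_CERTIFICATE header only
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_size + raw_size, len(cert)) if signed else (0, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, link_time, 0, 0, opt_size, 0x2102)  # i386, 1 section, DLL|EXEC|32BIT
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x10000000, 0x1000, align, 4, 0, 0, 0, 4, 0, 0,
                       0x2000, headers_size, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000, raw_size, headers_size,
                       0, 0, 0, 0, 0x60000020)                         # CODE | EXECUTE | READ
    image = (dos + b"PE\0\0" + coff + opt + sect).ljust(headers_size, b"\0")
    return image + section_data.ljust(raw_size, b"\0") + cert


# Constructed sample inputs: a plain section, and pseudo-random bytes standing in for packed code.
PLAIN_TEXT = b"push ebp; mov ebp, esp; plain unpacked code section " * 40
PACKED_LOOKALIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
LINK_TIME = int(datetime(2008, 3, 23, tzinfo=timezone.utc).timestamp())   # assumed; mirrors the thread's date

if __name__ == "__main__":
    for label, blob in (("plain, unsigned", build_sample_dll(PLAIN_TEXT, LINK_TIME, signed=False)),
                        ("packed-looking, signed", build_sample_dll(PACKED_LOOKALIKE, LINK_TIME, signed=True))):
        facts = triage_pe(blob)
        print(label, {k: v for k, v in facts.items() if k != "sha256"})
```

Run it directly to see both constructed samples triaged; for a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage_pe`. A present signature block is not a valid signature: this check only says whether the file carries one, and verification (signtool, or Get-AuthenticodeSignature in PowerShell) must follow. A high-entropy section also appears in legitimate compressed resources, so treat the packing flag as a reason to look further rather than a verdict. On the live machine, `tasklist /m dmbandu.dll` lists the processes holding the DLL, which accounts for the "always locked" symptom in post #9.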

#13 Stevio (Topic Starter, Members, 10 posts)

Posted 26 April 2008 - 07:00 PM

Hi Boopme

I did indeed run both programs in safe mode previously and have just done so again - both came up totally clear. I then ran SDFix as per instructions and again all is clear so no need to post the logs. I guess if none of these progs are finding anything wrong with that dll now then maybe it's been rendered harmless? What do you think?

#14 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 26 April 2008 - 08:38 PM

Well, things are good then. Since all symptoms are gone and there are no DLL errors, just do these and you should be good to go.
Clean up the junk files lying around with ATF Cleaner, then redo the restore point as instructed above. Good luck.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#15 Stevio (Topic Starter, Members, 10 posts)

Posted 27 April 2008 - 06:59 AM

All done :flowers:

Thank you again. You've been a great help! :thumbsup:
