Malware


  • This topic is locked
13 replies to this topic

#1 Surferdude
  • Members
  • 6 posts

Posted 07 March 2011 - 01:42 PM

I received a particularly nasty trojan and ran Malware. After removing the trojan, which took all day, on start up I receive the following message:
DLL/documents and settings/david eichner/local settings/ application data/drmnetvdm/smpwebsched.dll is not a valid windows image

Once you click OK I get another message:

error loading/david eichner/ local settings/application data/drmnetvdm/smpwebsched.dll % is not a valid win32 application

How do I reinstall or correct this bleeping situation?

Edited by Orange Blossom, 07 March 2011 - 01:44 PM.
Moved to AII. ~ OB



#2 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Location:Catonsville, Md

Posted 07 March 2011 - 02:21 PM

Can you post the logs from Malwarebytes?

#3 Surferdude
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2011 - 03:01 PM

e-mail address removed to protect from spambots. ~ OB

I am not that sophisticated; however, outside this system I may be able to do it.

Can you post the logs from Malwarebytes?

Here is my e-mail: removed to protect from spambots. ~ OB

Edited by Orange Blossom, 07 March 2011 - 03:21 PM.


#4 Surferdude
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2011 - 03:03 PM

e-mail address removed to protect from spambots. ~ OB

If you contact me outside this blog I might be able to send the logs. I don't know how to here. You of course can post my info if you wish.

Edited by Orange Blossom, 07 March 2011 - 03:23 PM.


#5 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Location:Catonsville, Md

Posted 07 March 2011 - 03:15 PM

Open the log file in Notepad, then go to Edit and choose Select All; then go back to Edit and choose Copy. After that, right-click in the Add Reply text box and hit Paste.

#6 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,963 posts
  • Location:Bloomington, IN

Posted 07 March 2011 - 03:23 PM

Hello Surferdude,

The logs appear in a notepad file. Copy the log from the notepad then paste the log into the text area when you create a reply.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 Surferdude
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2011 - 03:41 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5777

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/17/2011 1:25:47 PM
mbam-log-2011-02-17 (13-25-47).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 317398
Time elapsed: 59 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus System 2011 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ANTIVIRUS SYSTEM 2011 (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscjm (Trojan.VB) -> Value: mscjm -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscj (Backdoor.Bot) -> Value: mscj -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus System 2011 (Trojan.FakeAlert) -> Value: AntiVirus System 2011 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Manager (Trojan.FakeAlert) -> Value: Security Manager -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiVirus System 2011\BackgroundScan (Rogue.AntivirusSystem2011) -> Value: BackgroundScan -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011 (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011 (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\david eichner\application data\92877\mscjm.exe (Trojan.VB) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\92877\mscj.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\antivirus__system__2011.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\securitymanager.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\92877\bbzzkzz18.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\securityhelper.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\local settings\Temp\google.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\local settings\Temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\local settings\Temp\w32rim_mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\local settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\local settings\Temp\dfbleep.exe (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\microsoft\internet explorer\quick launch\antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011\antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011\activate antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011\help antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011\how to activate antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\start menu\Programs\antivirus system 2011.lnk (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\Desktop\antivirus system 2011.lnk (Rogue.AntiVirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\icoactivate.ico (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\IcoHelp.ico (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.
c:\documents and settings\david eichner\application data\antivirus system 2011\icouninstall.ico (Rogue.AntivirusSystem2011) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5575

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/22/2011 9:28:45 PM
mbam-log-2011-01-22 (21-28-45).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 311833
Time elapsed: 1 hour(s), 36 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Location:Catonsville, Md

Posted 07 March 2011 - 04:04 PM

Have you followed this guide: How do I remove Anti-Virus System 2011?

#9 Surferdude
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2011 - 05:20 PM

Yes, I have seen it and have used it many times; I just never had a dll file taken out by it. I am looking at how to reinstall the missing files, because it caused my computer to refuse to start until I went to safe mode and started it from an earlier date, which did not help restore the files.

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Location:Romania

Posted 11 March 2011 - 06:52 AM

Hello, most likely this is a leftover registry setting. In order to correct it, I need to see a more detailed log. I'll move this topic to the appropriate forum.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
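Elise's diagnosis above, a registry autostart entry left behind after the cleanup tool quarantined the DLL it pointed at, is a common source of the "is not a valid Windows image" message at logon. The script below is an added example, not part of this thread and not an OTL or Malwarebytes feature: it walks the usual Run/RunOnce keys and the AppInit_DLLs value and reports entries whose referenced file no longer exists, without changing anything. The key list and the path-extraction regex are this example's own assumptions.

```powershell
# Added example: report autostart entries that reference files which are no longer
# on disk. Read-only; review the output before removing anything.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract path-like tokens from a command line, e.g.
#   rundll32.exe "C:\Documents and Settings\user\Local Settings\x.dll",Entry
# Quoted paths may contain spaces; unquoted ones are taken up to the next
# whitespace or comma, so an unquoted path with spaces is not recognised.
function Get-ReferencedPaths {
    param([string]$Command)
    $pattern = '"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,]+\.\w{2,4})'
    foreach ($m in [regex]::Matches($Command, $pattern)) {
        if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName etc.; skip those metadata members
        if ($p.Name -like 'PS*') { continue }
        foreach ($path in Get-ReferencedPaths $p.Value) {
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Key = $key; Value = $p.Name; MissingFile = $path; Command = $p.Value }
            }
        }
    }
}

# AppInit_DLLs is loaded into every user-mode process that links user32.dll, so a
# stale entry here raises the error for every program that starts, not just at logon.
$winNt = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winNt -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,;]+' | Where-Object { $_ -match '\\' })) {
        # only full paths are checked; bare names resolve via the DLL search order
        if (-not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Key = $winNt; Value = 'AppInit_DLLs'; MissingFile = $dll; Command = $appInit }
        }
    }
}
```

Each reported row names the registry value and the missing file, which is the information a helper would otherwise read out of an OTL log before deciding whether the orphaned entry can be removed.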


#11 Surferdude
  • Topic Starter
  • Members
  • 6 posts

Posted 13 March 2011 - 11:00 PM

Hi Blonde. Sorry for the delay; I was traveling for work. I am afraid I do not know what a mirror is or how to do as you suggested. I feel silly being older, but I only know enough about my computer to mess it up once in a while and reset the time or run virus ware.

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Location:Romania

Posted 14 March 2011 - 05:08 AM

Don't worry about it. :)
A mirror is a download link, so just click the link, download the file and run it as instructed.

regards, Elise


#13 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Location:Romania

Posted 27 March 2011 - 04:58 AM

Hi, are you still there?

regards, Elise


#14 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Location:Romania

Posted 06 April 2011 - 07:00 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

regards, Elise
