Darksma spyware removal

By epadams4
Jul 7, 2008
Topic Status:
Not open for further replies.
  1. After noticing different weird popups and not being allowed to click on "My Documents" or "My Computer", I think I have been infected with the Darksma spyware. I run my Spybot and it does not detect it. I run my CA and it detects it. I remove it (quarantine it as well) but this does no good. I also notice that each time I need to reboot my computer it acts as though it has been shut down incorrectly, and then it tells me the auto check cannot be found, therefore it will skip it. Help please?
  2. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. epadams4

    epadams4 Newcomer, in training Topic Starter

  4. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    First of all, you have multiple firewalls: you have CA Firewall with HIPS and you have Comodo. You should uninstall one of them.

    -------------------------------------------------------------------

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
      O2 - BHO: (no name) - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - (no file)
      O2 - BHO: {becc6c07-f738-3f38-1454-6358e9031692} - {2961309e-8536-4541-83f3-837f70c6cceb} - C:\WINDOWS\system32\jjrrwx.dll
      O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
      O2 - BHO: (no name) - {41B93B44-DC12-44C0-ADE8-BC74D61495AE} - C:\WINDOWS\system32\qoMghgHa.dll (file missing)
      O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
      O2 - BHO: scriptproxy - {6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\system32\slonyx.dll
      O2 - BHO: (no name) - {78DFB90E-788E-4093-81EB-EB825ED741A7} - C:\WINDOWS\system32\cbXRllJY.dll (file missing)
      O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
      O2 - BHO: (no name) - {AAD9B129-6614-4577-A8BF-2EDD44198847} - C:\WINDOWS\system32\ljJDWQKd.dll (file missing)
      O4 - HKLM\..\Run: [28dda69c] rundll32.exe "C:\WINDOWS\system32\eievanow.dll",b
      O4 - HKLM\..\Run: [BM2bee9500] Rundll32.exe "C:\WINDOWS\system32\fvopfrgy.dll",s
      O20 - Winlogon Notify: ddcYrQhH - C:\WINDOWS\

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------------

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\jjrrwx.dll
      C:\WINDOWS\system32\qoMghgHa.dll
      C:\WINDOWS\system32\slonyx.dll
      C:\WINDOWS\system32\cbXRllJY.dll
      C:\WINDOWS\system32\ljJDWQKd.dll
      C:\WINDOWS\system32\eievanow.dll
      C:\WINDOWS\system32\fvopfrgy.dll
      C:\WINDOWS\system32\ddcYrQhH
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ----------------------------------------------------------------------------

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    -------------------------------------------------------------------------

    Go to add/remove programs and uninstall Viewpoint

    -------------------------------------------------------------------------

    Run a fresh HijackThis scan

    -------------------------------------------------------------------------
    Attach here:
    1) OTMoveit2 log
    2) MBAM log
    3) New HijackThis log
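Added example (not part of Blind Dragon's post or of the HijackThis tool): the "Fix Checked" list above is the result of a triage that is rarely spelled out, so the script below applies the same reasoning to a HijackThis log. It flags BHO entries whose DLL is gone (orphaned CLSID registrations), Run values whose name is a hex string, rundll32 launches that call a single-letter export, random-looking 6–8 letter DLL names in system32, and a Winlogon Notify package that does not resolve to a DLL, then collects the DLL paths into the paste list OTMoveIt2 expects. The sample log is constructed from the entries quoted in the post plus two invented benign lines (an Adobe BHO and the Java updater) so the filter has something to leave alone; the name heuristics and the small allowlist are assumptions, not a verdict, and a real triage verifies the file's signature or hash.

```python
import re
from typing import Dict, List

# Constructed sample: the entries from the post above plus two benign lines.
# Not a real scan of the poster's machine.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - (no file)
O2 - BHO: {becc6c07-f738-3f38-1454-6358e9031692} - {2961309e-8536-4541-83f3-837f70c6cceb} - C:\WINDOWS\system32\jjrrwx.dll
O2 - BHO: (no name) - {41B93B44-DC12-44C0-ADE8-BC74D61495AE} - C:\WINDOWS\system32\qoMghgHa.dll (file missing)
O2 - BHO: scriptproxy - {6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\system32\slonyx.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [28dda69c] rundll32.exe "C:\WINDOWS\system32\eievanow.dll",b
O4 - HKLM\..\Run: [BM2bee9500] Rundll32.exe "C:\WINDOWS\system32\fvopfrgy.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O20 - Winlogon Notify: ddcYrQhH - C:\WINDOWS\
"""

# Heuristic (assumption): Vundo-family droppers use 6-8 letter names with no
# digits. Legitimate DLLs can match too (wininet, browseui), hence the allowlist
# and the "verify the file" wording; this is a hint, not a detection.
RANDOM_SYS32_DLL = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z]{6,8})\.dll", re.IGNORECASE)
KNOWN_SYS32 = {"wininet", "browseui", "shdocvw", "msvcrt", "urlmon", "mshtml"}
# Run value names that are bare hex (optionally prefixed "BM") instead of a product name.
HEX_RUN_NAME = re.compile(r"\[(?:BM)?[0-9a-f]{8}\]", re.IGNORECASE)
# rundll32 loading a DLL and calling a one-letter export, e.g. "...dll",b
RUNDLL32_ONE_LETTER = re.compile(r'rundll32\.exe\s+"([^"]+\.dll)",\s*([A-Za-z])\s*$', re.IGNORECASE)
WIN_PATH_DLL = re.compile(r'[A-Za-z]:\\[^"\s]+\.dll', re.IGNORECASE)


def random_name_hint(line: str) -> List[str]:
    m = RANDOM_SYS32_DLL.search(line)
    if m and m.group(1).lower() not in KNOWN_SYS32:
        return [f"loads system32\\{m.group(1)}.dll, a random-looking name: verify signature/hash"]
    return []


def triage_line(line: str) -> List[str]:
    """Return the reasons a single HijackThis entry deserves a checkmark (empty if none)."""
    kind = line.split(" - ", 1)[0]
    reasons: List[str] = []
    if kind == "R1" and "ShellNext" in line:
        url = line.rsplit("= ", 1)[-1].lower()
        if "microsoft.com" not in url:
            reasons.append("Internet Connection Wizard ShellNext redirects to a third-party URL")
    elif kind == "O2":
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            reasons.append("BHO CLSID still registered but its DLL is gone (orphaned registration)")
        reasons += random_name_hint(line)
    elif kind == "O4":
        if HEX_RUN_NAME.search(line):
            reasons.append("Run value name is a hex string, not a product name")
        m = RUNDLL32_ONE_LETTER.search(line)
        if m:
            reasons.append(f"rundll32 calls single-letter export '{m.group(2)}' in {m.group(1)}")
        reasons += random_name_hint(line)
    elif kind == "O20" and "Winlogon Notify" in line:
        target = line.rsplit(" - ", 1)[-1]
        if not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify package does not resolve to a DLL")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged log line to its list of reasons."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                flagged[line] = reasons
    return flagged


def paths_to_move(flagged: Dict[str, List[str]]) -> List[str]:
    """Collect the DLL paths named in flagged entries, one per line for OTMoveIt2."""
    paths: List[str] = []
    for line in flagged:
        for p in WIN_PATH_DLL.findall(line):
            if p not in paths:
                paths.append(p)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    for entry, why in hits.items():
        print(entry)
        for r in why:
            print("    ->", r)
    print("\nOTMoveIt2 paste list:\n" + "\n".join(paths_to_move(hits)))
```

The orphaned "(no file)" / "(file missing)" entries are worth fixing even though there is nothing on disk: the CLSID stays registered, and a dropper that recreates the DLL gets loaded again without touching the registry.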
  5. epadams4

    epadams4 Newcomer, in training Topic Starter

    The logs are attached. (i really appreciate this.)
  6. epadams4

    epadams4 Newcomer, in training Topic Starter

    Malware Log

    Here is the malware log.
    Thanks again.
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    How is your system running now?

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

    ---------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  8. epadams4

    epadams4 Newcomer, in training Topic Starter

    It seems to be running okay. Thank you. I am attaching the Kaspersky Online report 2.
  9. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    OTMoveit2 by OldTimer
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Program Files\vol_toolbar
      C:\WINDOWS\addins\MyspaceViewer.exe
      C:\WINDOWS\MyspaceViewer.exe
      C:\WINDOWS\system32\aujlgkbp.dll
      C:\WINDOWS\system32\epcvry.dll
      C:\WINDOWS\system32\fvtlpbqb.dll
      C:\WINDOWS\system32\gvgrjgje.dll
      C:\WINDOWS\system32\gvwelpid.dll
      C:\WINDOWS\system32\ktromd.dll
      C:\WINDOWS\system32\mcacmtaj.dll
      C:\WINDOWS\system32\psyekxpl.dll
      C:\WINDOWS\system32\qbrywdwj.dll
      C:\WINDOWS\system32\rdhwnc.dll
      C:\WINDOWS\system32\ssuape.dll
      C:\WINDOWS\system32\tshrxvqt.dll
      C:\WINDOWS\system32\xyqevkxw.dll
      C:\WINDOWS\system32\yjdoqkmf.dll
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Also attach a new HijackThis log run afterwards
  10. epadams4

    epadams4 Newcomer, in training Topic Starter

    Here are the files from move it:
    C:\Program Files\vol_toolbar moved successfully.
    C:\WINDOWS\addins\MyspaceViewer.exe moved successfully.
    C:\WINDOWS\MyspaceViewer.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\aujlgkbp.dll
    C:\WINDOWS\system32\aujlgkbp.dll NOT unregistered.
    C:\WINDOWS\system32\aujlgkbp.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\epcvry.dll
    C:\WINDOWS\system32\epcvry.dll NOT unregistered.
    C:\WINDOWS\system32\epcvry.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\fvtlpbqb.dll
    C:\WINDOWS\system32\fvtlpbqb.dll NOT unregistered.
    C:\WINDOWS\system32\fvtlpbqb.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\gvgrjgje.dll
    C:\WINDOWS\system32\gvgrjgje.dll NOT unregistered.
    C:\WINDOWS\system32\gvgrjgje.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\gvwelpid.dll
    C:\WINDOWS\system32\gvwelpid.dll NOT unregistered.
    C:\WINDOWS\system32\gvwelpid.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\ktromd.dll
    C:\WINDOWS\system32\ktromd.dll NOT unregistered.
    C:\WINDOWS\system32\ktromd.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\mcacmtaj.dll
    C:\WINDOWS\system32\mcacmtaj.dll NOT unregistered.
    C:\WINDOWS\system32\mcacmtaj.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\psyekxpl.dll
    C:\WINDOWS\system32\psyekxpl.dll NOT unregistered.
    C:\WINDOWS\system32\psyekxpl.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\qbrywdwj.dll
    C:\WINDOWS\system32\qbrywdwj.dll NOT unregistered.
    C:\WINDOWS\system32\qbrywdwj.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\rdhwnc.dll
    C:\WINDOWS\system32\rdhwnc.dll NOT unregistered.
    C:\WINDOWS\system32\rdhwnc.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssuape.dll
    C:\WINDOWS\system32\ssuape.dll NOT unregistered.
    C:\WINDOWS\system32\ssuape.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\tshrxvqt.dll
    C:\WINDOWS\system32\tshrxvqt.dll NOT unregistered.
    C:\WINDOWS\system32\tshrxvqt.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\xyqevkxw.dll
    C:\WINDOWS\system32\xyqevkxw.dll NOT unregistered.
    C:\WINDOWS\system32\xyqevkxw.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\yjdoqkmf.dll
    C:\WINDOWS\system32\yjdoqkmf.dll NOT unregistered.
    C:\WINDOWS\system32\yjdoqkmf.dll moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_150656

    and here are the logs from move it and hijack
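Added example (not part of epadams4's post or of OTMoveIt2): reconciling the paste list against the log OTMoveIt2 returns is the check a helper does by eye before asking for the next HijackThis log. The script below does that reconciliation: every requested path is reported as moved, or as unconfirmed when the log never mentions a successful move, and paths marked "NOT unregistered" are listed separately because a DLL that exports no DllUnregisterServer leaves its COM registration in the registry, so the next HijackThis log can be expected to show it as "(file missing)". The requested list is the first six entries from the post; the log is an abridged, constructed excerpt of the one posted, with fvtlpbqb.dll deliberately omitted so the unconfirmed case is exercised.

```python
from typing import Dict, List

# First six entries of the paste list from the post above.
REQUESTED = [
    r"C:\Program Files\vol_toolbar",
    r"C:\WINDOWS\addins\MyspaceViewer.exe",
    r"C:\WINDOWS\MyspaceViewer.exe",
    r"C:\WINDOWS\system32\aujlgkbp.dll",
    r"C:\WINDOWS\system32\epcvry.dll",
    r"C:\WINDOWS\system32\fvtlpbqb.dll",
]

# Constructed, abridged excerpt of the posted OTMoveIt2 log; fvtlpbqb.dll is
# deliberately absent so that an unconfirmed move is shown.
LOG_EXCERPT = r"""
C:\Program Files\vol_toolbar moved successfully.
C:\WINDOWS\addins\MyspaceViewer.exe moved successfully.
C:\WINDOWS\MyspaceViewer.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\aujlgkbp.dll
C:\WINDOWS\system32\aujlgkbp.dll NOT unregistered.
C:\WINDOWS\system32\aujlgkbp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\epcvry.dll
C:\WINDOWS\system32\epcvry.dll NOT unregistered.
C:\WINDOWS\system32\epcvry.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_150656
"""

MOVED_SUFFIX = " moved successfully."
NOT_UNREG_SUFFIX = " NOT unregistered."


def verify_moves(requested: List[str], log_text: str) -> Dict[str, List[str]]:
    """Reconcile a paste list with an OTMoveIt2 log.

    Windows paths are case-insensitive, so matching is done on lower-cased paths.
    Any requested path without a 'moved successfully.' line is 'unconfirmed'
    (not found, still locked, or simply missing from the log) and needs a look.
    """
    moved, not_unreg = set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(MOVED_SUFFIX):
            moved.add(line[: -len(MOVED_SUFFIX)].lower())
        elif line.endswith(NOT_UNREG_SUFFIX):
            not_unreg.add(line[: -len(NOT_UNREG_SUFFIX)].lower())

    report: Dict[str, List[str]] = {"moved": [], "unconfirmed": [], "com_registration_left": []}
    for path in requested:
        key = path.lower()
        (report["moved"] if key in moved else report["unconfirmed"]).append(path)
        if key in not_unreg:
            # File is gone but its CLSID/BHO registry entries were never removed.
            report["com_registration_left"].append(path)
    return report


if __name__ == "__main__":
    for section, paths in verify_moves(REQUESTED, LOG_EXCERPT).items():
        print(f"{section}:")
        for p in paths:
            print("   ", p)
```

Run it against the full posted list and log and every entry lands in "moved", which is why the next step in the thread is a fresh HijackThis log rather than another move list.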
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    How is your computer now? Can you access My Documents etc.?
  12. epadams4

    epadams4 Newcomer, in training Topic Starter

    Yes. Things seem normal and a whole lot faster. I haven't noticed anything weird when I need to reboot either. Thanks a lot. Does this mean I am all clear?
  13. epadams4

    epadams4 Newcomer, in training Topic Starter

    Darksma still there.

    Ok, I thought things were ok. I shut my computer down and it still acts as if I shut it down incorrectly. The blue "check disk or auto run" screen comes up and says that it will skip a check because it cannot be found. If you would like the correct message, I will try to get it before it goes away.

    I then ran a quick scan with my CA and it said DARKSMA.downloader was there, just like before. I don't understand, did I do something wrong?

    Also the windows security center is not detecting that I have my CA virus protection.

    Thanks.
     
  14. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    1) I need the exact message as it could be 2 different things

    2) What location did it find the infection - the reason I ask is because it may have been in an old restore point or another programs quarantine

    3) We need to disable it from connecting - The trojan connects to the IP address 83.149.105.144 and sends identification information. It may then receive configuration data in return. It has the ability to use the returned information to download and execute files.

    4) Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach the C:\vundofix.txt and a new HijackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
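Added example (not part of Blind Dragon's post): point 3 above says the trojan calls home to 83.149.105.144, and before blocking that address it is worth knowing which process is talking to it. The script below parses Windows XP-style `netstat -ano` output, joins the foreign-address rows to `tasklist` output on the PID, and returns every connection to the named address together with the owning image name. Only the IP comes from the post; the netstat and tasklist text, the PIDs, the other addresses (203.0.113.7 is a documentation range) and the image names are constructed for illustration.

```python
from typing import Dict, List

C2_IP = "83.149.105.144"  # the address named in the post above

# Constructed sample in `netstat -ano` format (Windows XP). Not real captures.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1043       83.149.105.144:80      ESTABLISHED     1284
  TCP    192.168.1.5:1044       203.0.113.7:80         ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in `tasklist` format; image names and PIDs are invented.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                   1012 Console                    0      4,980 K
rundll32.exe                  1284 Console                    0      3,412 K
iexplore.exe                  2040 Console                    0     28,104 K
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse `netstat -ano` rows. UDP rows have no State column, so the PID is
    always taken from the last field rather than a fixed position."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections" line
        proto, local, foreign = f[0], f[1], f[2]
        state = f[3] if proto == "TCP" and len(f) == 5 else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(f[-1])})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name. Image names may contain spaces ("System Idle
    Process") and memory is two tokens ("3,412 K"), so split from the right."""
    images: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 5)
        if len(parts) == 6 and parts[1].isdigit():
            images[int(parts[1])] = parts[0].strip()
    return images


def find_c2_connections(netstat_text: str, tasklist_text: str,
                        c2_ip: str = C2_IP) -> List[Dict[str, object]]:
    """Return netstat rows whose foreign host is c2_ip, each tagged with the owning image."""
    images = parse_tasklist(tasklist_text)
    hits: List[Dict[str, object]] = []
    for row in parse_netstat(netstat_text):
        host = str(row["foreign"]).rsplit(":", 1)[0]  # strip the port
        if host == c2_ip:
            hits.append({**row, "image": images.get(int(row["pid"]), "<unknown>")})
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{hit['proto']} {hit['local']} -> {hit['foreign']} "
              f"{hit['state']} pid={hit['pid']} ({hit['image']})")
```

A hit owned by rundll32.exe is exactly what the O4 entries earlier in the thread would produce, since those Run values start rundll32 with one of the dropped DLLs. Knowing the PID lets you kill the host process before the move, which is why locked files otherwise need the reboot OTMoveIt2 warns about.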
  15. epadams4

    epadams4 Newcomer, in training Topic Starter

    Will run Vundo

    I am about to run Vundo, but I wanted to first give you the exact message that appears. This message appears last after the Dell Screen (1st), then The Windows XP screen(2nd) and then this message appears (3rd): systemsroot\windows\system32autochk.exe program not found skipping autochk

    I should also mention that over the weekend I tried to do a system restore (i could only go back to June 30, 2008) but the system told me repeatedly it could not restore to that date or any other date I tried after that.
  16. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048
