TechSpot

Darksma spyware removal

By dlee337
Jul 25, 2008
  1. Hello, I have a darksma spyware downloader on my PC. I have run my spyware in safe mode but when I reboot it's still there. Can someone help please? Thanks.
    Here is the hijack log.
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    You did the scan in Safe Mode with network support. You need to do it in normal mode.
     
  3. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    I couldn't get hijack under normal mode. Had to go to safe mode to download hijack. I went back to normal mode and got the log; here it is.
     
  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    SmitfraudFix

    • Download SmitFraudFix to your desktop
    • reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

    ----------------------------

    ComboFix

    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
     
  5. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    ok here are the logs
     
  6. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    darksma is still there. I run spyware protector in safe mode but when I reboot it comes back.
     
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Run Hijackthis and remove the items below

    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
    O2 - BHO: {84727468-5196-8c19-efd4-9aff11956643} - {34665911-ffa9-4dfe-91c8-691586472748} - C:\WINDOWS\system32\qkckyf.dll<-----scan this file
    O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
     
  8. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Hi, thanks for your help. The darksma spyware seems to be gone. It's not there when I run my spyware detector. This file would not delete:
    O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
    Computer is a lot better, but when running IE the computer drags some and sometimes I have to hit the refresh button on about every page. Didn't know if it had anything to do with that file not deleting. Here is another copy of my log, just in case. Again, thanks for all your help.
     
  9. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      Files to delete:
      C:\WINDOWS\system32\vtygdqhm.dll
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  10. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Here is the log.
     
  11. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    post a fresh hjt log
     
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Launch OTMoveit2 and paste this into the list of files to be moved section

    Code:
    C:\WINDOWS\system32\vtygdqhm.dll
    Then click the Red Moveit!

    Attach the log just like before

    *This isn't Avenger or Combofix buddy ;)
     
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Lol, just saw that :haha:
    Files to delete:
     
  14. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Ok, I ran OTMoveIT2 again and also ran HJ again. Logs are attached.
    Thanks.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Try this: the file really may not be there, daniel.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware from Here or Here
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    FileASSASSIN
    • Launch Malwarebytes' Anti-Malware
    • Select the More Tools Tab
    • Under FileASSASSIN select Run Tool
    • Navigate to C:\WINDOWS\system32\vtygdqhm.dll
    • Press Open



    Attach the MBAM log with a fresh Hijackthis
     
  16. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Ok, here is the malware log and the HJ log.
    I couldn't find this file.
    C:\WINDOWS\system32\vtygdqhm.dll
     
  17. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    When I reboot my computer a window pops up saying
    C:\WINDOWS\system32\vtygdqhm.dll did not start. file could not be found.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    That's a good thing. I will let daniel finish up with you, but it just means the file is gone but the registry entry is still there telling the file to load; when it can't find the file, you get the error.
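Added example, not code from this thread or from any of the tools it mentions: a small Python check that parses HijackThis O2/O4 lines like the ones quoted above and flags entries whose target file is gone, i.e. the orphaned Run-key entries that produce the "did not start, file could not be found" message at logon. The sample lines are the ones quoted in the thread plus one constructed benign entry, and the set of "present" files is constructed so the check runs offline; the `exists` callback can be left at its default to test a real disk.

```python
import os
import re
# Constructed sample: the O2/O4 lines quoted in this thread plus one benign
# ctfmon.exe entry added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: {84727468-5196-8c19-efd4-9aff11956643} - {34665911-ffa9-4dfe-91c8-691586472748} - C:\WINDOWS\system32\qkckyf.dll
O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed stand-in for the disk: only these two files "exist" in the demo.
PRESENT = {r"c:\windows\system32\qkckyf.dll", r"c:\windows\system32\ctfmon.exe"}
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')

def target_of(cmd):
    """The file a Run command really loads: for rundll32 that is its DLL argument."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    m = EXE_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd

def parse_entry(line):
    """One O2/O4 line -> (type, name, target path, HJT 'file missing' flag)."""
    m = O2_RE.match(line)
    if m:
        return ("O2", m.group("name"), m.group("path"), m.group("missing") is not None)
    m = O4_RE.match(line)
    if m:
        return ("O4", m.group("name"), target_of(m.group("cmd")), False)
    return None

def find_orphans(log_text, exists=os.path.exists):
    """Entries whose target is gone: the registry entry outlived the DLL it loads."""
    orphans = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        kind, name, path, marked = entry
        if marked or not exists(path):
            orphans.append({"type": kind, "name": name, "path": path})
    return orphans

def demo():
    """Offline run against the constructed sample and file set."""
    return find_orphans(SAMPLE_LOG, exists=lambda p: p.lower() in PRESENT)
```

Entries the check reports are the ones to remove from the registry (as HijackThis does when you fix them); the file itself is already gone, which is why a file mover or FileASSASSIN finds nothing to act on.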
     
  19. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Open MBAM and on the top click on the Quarantined tab and delete everything there.

    Please run an on-line virus scan at Kaspersky OnLine Scan (http://www.kaspersky.com/virusscanner) or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

    Also boot into safe mode by rebooting your computer, then start tapping the F8 key until you get the advanced startup screen, then select safe mode. Now run HijackThis and place a check next to the item below, then reboot into normal mode and post a fresh HijackThis log.

    O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
     
  20. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    OK, done the online scan. Took forever. And ran a new HJ log. Here they are.
     
  21. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    I couldn't get it in a link so I had to paste it.
    BitDefender Online Scanner

    Scan report generated at: Fri, Aug 01, 2008 - 19:46:16
    Scan path: C:\;D:\;

    Statistics
    Time: 01:30:18
    Files: 374675
    Folders: 14469
    Boot Sectors: 4
    Archives: 5494
    Packed Files: 26561

    Results
    Identified Viruses: 7
    Infected Files: 15
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 15

    Engines Info
    Virus Definitions: 1412813
    Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
    Scan plugins: 16
    Archive plugins: 43
    Unpack plugins: 7
    E-mail plugins: 6
    System plugins: 5

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File - Status
    C:\Documents and Settings\Danny Lee\My Documents\My Videos\Setup.exe - Detected with: Adware.Zango.V
    C:\Documents and Settings\Danny Lee\My Documents\My Videos\Setup.exe - Deleted
    C:\Downloads\SpongeBobDDGESetup-dm[1].exe - Detected with: Adware.Trymedia.B.2
    C:\Downloads\SpongeBobDDGESetup-dm[1].exe - Deleted
    C:\Program Files\Real\RealArcade\GoogleInstApp.exe - Infected with: Trojan.Generic.105811
    C:\Program Files\Real\RealArcade\GoogleInstApp.exe - Deleted
    C:\Program Files\Real\RealArcade\Setup\setup_rac.exe=>(Embedded EXE o) - Infected with: Trojan.Generic.105811
    C:\Program Files\Real\RealArcade\Setup\setup_rac.exe=>(Embedded EXE o) - Deleted
    C:\Program Files\Real\RealArcade\Setup\setup_rac.exe - Update failed
    C:\Program Files\SpongeBob SquarePants Diner Dash\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll - Infected with: Trojan.Delf.EZ
    C:\Program Files\SpongeBob SquarePants Diner Dash\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll - Deleted
    C:\Program Files\SpongeBob SquarePants Diner Dash\bfgt_silent_en.exe=>(CAB Sfx r) - Update failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir - Infected with: Trojan.Vundo.FBB
    C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir - Deleted
    C:\QooBox\Quarantine\C\WINDOWS\system32\faqalukr.dll.vir - Infected with: Trojan.Vundo.FCF
    C:\QooBox\Quarantine\C\WINDOWS\system32\faqalukr.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\faqalukr.dll.vir - Deleted
    C:\QooBox\Quarantine\C\WINDOWS\system32\ftcuppws.dll.vir - Infected with: Trojan.Vundo.FCF
    C:\QooBox\Quarantine\C\WINDOWS\system32\ftcuppws.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\ftcuppws.dll.vir - Deleted
    C:\QooBox\Quarantine\C\WINDOWS\system32\lJawvtRi.dll.vir - Infected with: Trojan.Vundo.FBB
    C:\QooBox\Quarantine\C\WINDOWS\system32\lJawvtRi.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\lJawvtRi.dll.vir - Deleted
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtssr.dll.vir - Infected with: Trojan.Vundo.FBB
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtssr.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtssr.dll.vir - Deleted
    C:\QooBox\Quarantine\C\WINDOWS\system32\opnLEvtt.dll.vir - Infected with: Trojan.Vundo.FBB
    C:\QooBox\Quarantine\C\WINDOWS\system32\opnLEvtt.dll.vir - Disinfection failed
    C:\QooBox\Quarantine\C\WINDOWS\system32\opnLEvtt.dll.vir - Deleted
    C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip=>lJawvtRi.dll - Infected with: Trojan.Vundo.FBB
    C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip=>lJawvtRi.dll - Disinfection failed
    C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip=>lJawvtRi.dll - Deleted
    C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip - Updated
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe - Infected with: Trojan.Retapu.D
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe - Disinfection failed
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe - Deleted
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000321.exe - Detected with: Adware.Trymedia.B.2
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000321.exe - Deleted
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000322.exe - Infected with: Trojan.Generic.105811
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000322.exe - Deleted
     
  22. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Forgot to run the HJ log after deleting the file in safe mode. Here it is.
     
  23. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Your log looks clean :)

    How is your computer running?

    TrendMicro™ HouseCall Java Scan
    • Please go HERE to run the Trend Micro™ HouseCall Scan.
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
    • You may receive a Security Warning about the TrendMicro Java applet, click YES.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
     
  24. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    Hi, my computer seems to be working ok. I tried to run TrendMicro. I clicked on launch HouseCall and the page opens but will not load.
     
  25. dlee337

    dlee337 TS Rookie Topic Starter Posts: 28

    My computer still seems to be working ok, but my CA antivirus is popping up a virus alert when I run my spyware program. Here is the alert:
    C:\System Volume Information Win32/Vundo.ASU
     