Darksma spyware removal

Status
Not open for further replies.
I couldn't get HijackThis under normal mode; I had to go to safe mode to download it. I went back to normal mode and got the log. Here it is.
 
SmitfraudFix

  • Download SmitFraudFix to your desktop
  • reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

----------------------------

ComboFix

  • Download ComboFix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
Run Hijackthis and remove the items below

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: {84727468-5196-8c19-efd4-9aff11956643} - {34665911-ffa9-4dfe-91c8-691586472748} - C:\WINDOWS\system32\qkckyf.dll <----- scan this file
O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
 
Hi, thanks for your help. The Darksma spyware seems to be gone. It's not there when I run my spyware detector. This file would not delete:
O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
The computer is a lot better, but when running IE the computer drags some and sometimes I have to hit the refresh button on about every page. Didn't know if it had anything to do with that file not deleting. Here is another copy of my log just in case. Again, thanks for all your help.
 
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    Files to delete:
    C:\WINDOWS\system32\vtygdqhm.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Launch OTMoveit2 and paste this into the list of files to be moved section

Code:
C:\WINDOWS\system32\vtygdqhm.dll

Then click the Red Moveit!

Attach the log just like before

*This isn't Avenger or Combofix buddy ;)
 
Try this. The file really may not be there, daniel.

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware from Here or Here
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


FileASSASSIN
  • Launch Malwarebytes' Anti-Malware
  • Select the More Tools Tab
  • Under FileASSASSIN select Run Tool
  • Navigate to C:\WINDOWS\system32\vtygdqhm.dll
  • Press Open



Attach the MBAM log with a fresh HijackThis log.
 
When I reboot my computer a window pops up saying:
C:\WINDOWS\system32\vtygdqhm.dll did not start. File could not be found.
 
That's a good thing. I will let daniel finish up with you, but it just means the file is gone while the registry entry is still there telling the file to load; when it can't find the file, you get the error.
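As an added example (not from the original thread, and not HijackThis's own code), the Python below parses the HijackThis entries quoted earlier in this thread and implements the check behind the reply above: it finds registrations whose target binary is no longer on disk, which is exactly the state that produces the "did not start. File could not be found" box for the O4 Rundll32 entry. The sample log lines are the ones from this thread; the post-cleanup on-disk snapshot is constructed, and on a real machine you would pass os.path.exists instead of the snapshot lambda.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample: the HijackThis entries quoted earlier in this thread, verbatim.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: {84727468-5196-8c19-efd4-9aff11956643} - {34665911-ffa9-4dfe-91c8-691586472748} - C:\WINDOWS\system32\qkckyf.dll
O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Local binary path, quoted or bare; non-greedy so a trailing ',s' or ' (file missing)' is left out.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl|scr)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
HOST_LOADER = "rundll32.exe"


@dataclass
class HjtEntry:
    section: str                      # O2, O4, O9, O16, ...
    raw: str
    clsids: List[str] = field(default_factory=list)
    path: Optional[str] = None        # local file the entry loads, if any
    url: Optional[str] = None         # remote target (O16 DPF)
    flagged_missing: bool = False     # HijackThis already printed "(file missing)" / "(no file)"
    loader: Optional[str] = None      # host process (rundll32.exe) when the path is a DLL argument


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis 'Onn - ...' lines into structured entries."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        entry = HjtEntry(section=section, raw=line.strip())
        entry.clsids = CLSID_RE.findall(rest)
        entry.flagged_missing = "(file missing)" in rest or "(no file)" in rest
        if HOST_LOADER in rest.lower():
            entry.loader = HOST_LOADER
        # The payload is the first local path that is not the rundll32 host itself.
        payload = [p for p in PATH_RE.findall(rest)
                   if p.lower().rsplit("\\", 1)[-1] != HOST_LOADER]
        entry.path = payload[0] if payload else None
        u = URL_RE.search(rest)
        entry.url = u.group(0) if u else None
        entries.append(entry)
    return entries


def find_orphans(entries: List[HjtEntry], exists: Callable[[str], bool]) -> List[HjtEntry]:
    """Entries whose target is gone from disk but whose registration survived.

    `exists` is injected so the check can run against a constructed snapshot;
    on the real machine pass os.path.exists. For an O4 Run entry this is the
    condition behind a boot-time 'X did not start. File could not be found' box:
    the registry value still tells Windows to load a DLL that was deleted."""
    return [e for e in entries
            if e.flagged_missing or (e.path is not None and not exists(e.path))]


if __name__ == "__main__":
    # Constructed post-cleanup snapshot: only the second BHO's DLL still exists.
    on_disk = {r"c:\windows\system32\qkckyf.dll"}
    for e in find_orphans(parse_hjt(SAMPLE_HJT_LOG), lambda p: p.lower() in on_disk):
        print(f"{e.section}: loader={e.loader or '-'} target={e.path or e.url or '(no file)'}")
```

Entries that HijackThis already marked "(file missing)" or "(no file)" are reported as orphans without touching the disk; the O4 entry is only an orphan once its DLL is actually gone, which is why the same line was harmless to leave alone while the file was still in use and became an orphan after it was removed.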
 
Open MBAM and on the top click on the Quarantined tab and delete everything there.

Please run an online virus scan at Kaspersky Online Scan (http://www.kaspersky.com/virusscanner) or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Also boot into safe mode: reboot your computer, then start tapping the F8 key until you get the advanced startup screen, then select Safe Mode. Now run HijackThis and place a check next to the item below, then reboot into normal mode and post a fresh HijackThis log.

O4 - HKLM\..\Run: [BM6bdc5df7] Rundll32.exe "C:\WINDOWS\system32\vtygdqhm.dll",s
 
I couldn't get it in a link so I had to paste it.
BitDefender Online Scanner

Scan report generated at: Fri, Aug 01, 2008 - 19:46:16
Scan path: C:\;D:\;

Statistics
    Time            01:30:18
    Files           374675
    Folders         14469
    Boot Sectors    4
    Archives        5494
    Packed Files    26561

Results
    Identified Viruses    7
    Infected Files        15
    Suspect Files         0
    Warnings              0
    Disinfected           0
    Deleted Files         15

Engines Info
    Virus Definitions    1412813
    Engine build         AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
    Scan plugins         16
    Archive plugins      43
    Unpack plugins       7
    E-mail plugins       6
    System plugins       5

Scan Settings
    First Action          Disinfect
    Second Action         Delete
    Heuristics            Yes
    Enable Warnings       Yes
    Scanned Extensions    *;
    Exclude Extensions
    Scan Emails           Yes
    Scan Archives         Yes
    Scan Packed           Yes
    Scan Files            Yes
    Scan Boot             Yes

Scanned File / Status

C:\Documents and Settings\Danny Lee\My Documents\My Videos\Setup.exe
    Detected with: Adware.Zango.V
    Deleted
C:\Downloads\SpongeBobDDGESetup-dm[1].exe
    Detected with: Adware.Trymedia.B.2
    Deleted
C:\Program Files\Real\RealArcade\GoogleInstApp.exe
    Infected with: Trojan.Generic.105811
    Deleted
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe=>(Embedded EXE o)
    Infected with: Trojan.Generic.105811
    Deleted
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe
    Update failed
C:\Program Files\SpongeBob SquarePants Diner Dash\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll
    Infected with: Trojan.Delf.EZ
    Deleted
C:\Program Files\SpongeBob SquarePants Diner Dash\bfgt_silent_en.exe=>(CAB Sfx r)
    Update failed
C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir
    Infected with: Trojan.Vundo.FBB
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\faqalukr.dll.vir
    Infected with: Trojan.Vundo.FCF
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\ftcuppws.dll.vir
    Infected with: Trojan.Vundo.FCF
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\lJawvtRi.dll.vir
    Infected with: Trojan.Vundo.FBB
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtssr.dll.vir
    Infected with: Trojan.Vundo.FBB
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\opnLEvtt.dll.vir
    Infected with: Trojan.Vundo.FBB
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip=>lJawvtRi.dll
    Infected with: Trojan.Vundo.FBB
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\catchme2008-07-26_ 10215.32.zip
    Updated
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe
    Infected with: Trojan.Retapu.D
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000321.exe
    Detected with: Adware.Trymedia.B.2
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000322.exe
    Infected with: Trojan.Generic.105811
    Deleted
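As an added example, not part of the original thread and not BitDefender's own tooling, the Python below parses the report's alternating path/status rows and sorts the detections by where they were found. That split is the practitioner's first question on a report like this one: hits under C:\QooBox\Quarantine are copies ComboFix had already moved out of the way (its quarantine folder, with the files renamed *.vir), hits under System Volume Information\_restore{...}\RPn are System Restore snapshots, and only the remaining rows are findings on the live file system. The sample rows are a constructed subset of the report above with the blank lines removed; the two folder-layout markers are assumptions about ComboFix and Windows XP System Restore.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a subset of the records from the BitDefender report above, in the
# report's own layout (a path line followed by its status line), blank lines removed.
SAMPLE_REPORT = r"""
Scanned File
Status
C:\Documents and Settings\Danny Lee\My Documents\My Videos\Setup.exe
Detected with: Adware.Zango.V
C:\Documents and Settings\Danny Lee\My Documents\My Videos\Setup.exe
Deleted
C:\Program Files\Real\RealArcade\GoogleInstApp.exe
Infected with: Trojan.Generic.105811
C:\Program Files\Real\RealArcade\GoogleInstApp.exe
Deleted
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe=>(Embedded EXE o)
Infected with: Trojan.Generic.105811
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe=>(Embedded EXE o)
Deleted
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe
Update failed
C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir
Infected with: Trojan.Vundo.FBB
C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\dDspopPH.dll.vir
Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe
Infected with: Trojan.Retapu.D
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe
Disinfection failed
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000272.exe
Deleted
"""

THREAT_RE = re.compile(r"^(?:Infected|Detected) with:\s*(.+)$")
# Assumed folder layouts: ComboFix quarantine, and XP System Restore points.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)
RESTORE_POINT_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)


@dataclass
class Detection:
    path: str
    threat: str
    location: str                     # "live", "quarantine" or "restore-point"
    actions: List[str] = field(default_factory=list)

    @property
    def neutralized(self) -> bool:
        return "Deleted" in self.actions or "Disinfected" in self.actions


def location_class(path: str) -> str:
    # "a.exe=>(CAB Sfx r)=>b.dll" is an archive member; classify by the container on disk.
    container = path.split("=>", 1)[0].lower()
    if any(m in container for m in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_POINT_RE.search(container):
        return "restore-point"
    return "live"


def parse_report(text: str) -> Tuple[List[Detection], Dict[str, str]]:
    """Pair the report's alternating path/status lines into detections plus actions."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines[:2] == ["Scanned File", "Status"]:
        lines = lines[2:]
    if len(lines) % 2:
        raise ValueError("report does not pair up into (path, status) rows")
    detections: Dict[str, Detection] = {}
    container_outcomes: Dict[str, str] = {}   # e.g. "Update failed" on an archive wrapper
    for path, status in zip(lines[0::2], lines[1::2]):
        m = THREAT_RE.match(status)
        if m:
            detections[path] = Detection(path, m.group(1), location_class(path))
        elif path in detections:
            detections[path].actions.append(status)
        else:
            container_outcomes[path] = status
    return list(detections.values()), container_outcomes


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Group by location; only 'live' hits are findings on the running system,
    quarantine and restore-point copies are inert until something restores them."""
    groups: Dict[str, List[Detection]] = defaultdict(list)
    for d in detections:
        groups[d.location].append(d)
    return dict(groups)


if __name__ == "__main__":
    found, wrappers = parse_report(SAMPLE_REPORT)
    for loc, items in triage(found).items():
        print(f"[{loc}] {len(items)} detection(s)")
        for d in items:
            state = "neutralized" if d.neutralized else "STILL PRESENT"
            print(f"    {d.threat:<24} {state:<14} {d.path}")
    for path, outcome in wrappers.items():
        print(f"[wrapper] {outcome}: {path}")
```

"Update failed" rows carry no threat name: they describe the scanner's attempt to rewrite the archive or installer that contained a deleted member, so the parser keeps them apart from the detections rather than counting them as extra infections.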
 
Your log looks clean :)

How is your computer running?

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.
 
Hi, my computer seems to be working OK. I tried to run TrendMicro. I clicked on Launch HouseCall and the page opens but will not load.
 
My computer still seems to be working OK, but my CA antivirus is popping up a virus alert when I run my spyware program. Here is the alert:
C:\System Volume Information Win32/Vundo.ASU
 