TechSpot

Darksma Virus. Please Help.

By roman090109
Nov 9, 2008
  1. Hi everyone. I'm new here and I just discovered I have a Darksma virus. CA keeps showing it, and every time I quarantine it, it keeps coming up. Help is very much appreciated!
     
  2. roman090109

    roman090109 TS Rookie Topic Starter

    hijack file

    OK, I attached the HijackThis file. Can someone please help me?
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello roman090109

    Welcome aboard!

    Reboot clean; run no other apps.

    Go here and do all 8 Steps carefully and completely!
    The 8 steps: http://www.techspot.com/vb/topic58138.html

    Attach all the logs.

    Then reboot to Safe Mode only (not with networking) and run MalwareBytes and SAS full scans again until they either come up clean or find something they cannot clean.

    Then reboot back to normal and attach yet another HJT log.

    Mike
     
  4. roman090109

    roman090109 TS Rookie Topic Starter

    logs

    I attached the Malwarebytes and SAS logs as well, and now I'm going to boot into Safe Mode and do the scans again. It seems to be going a lot faster now, but for some reason Darksma keeps coming up every time I do a CA scan, even though my system seems fine.
     

    Attached Files:

  5. mflynn

    mflynn TS Rookie Posts: 2,655

    Wow you were eaten up!

    You are doing a great job.

    Just don't shortcut; do all my instructions carefully, step by step.

    Make sure when back from safe mode to post a HJT log this time along with the new logs from MWBAM and SAS.

    Mike
    EDIT Ignore CA for the time being!
     
  6. roman090109

    roman090109 TS Rookie Topic Starter

    OK, here are the logs after scanning.
     

    Attached Files:

  7. mflynn

    mflynn TS Rookie Posts: 2,655

    See you are online.

    5 minutes for next post.

    Mike
     
  8. roman090109

    roman090109 TS Rookie Topic Starter

    Yes, I'm online. I think everything's all right now, but I'm not exactly sure.
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT, "Scan only", then select and remove all of the below.

    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL zyqbvc.dll
    O18 - Filter hijack: text/html - {8b2f7558-6566-4816-bb78-e5b9703e64c5} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    The MWBAM log was not clean.

    Update it again, then run it again and attach the log.

    Reboot immediately and post a new HJT log!

    Mike
     
  10. roman090109

    roman090109 TS Rookie Topic Starter

    OK, here are the new logs.
     
  11. roman090109

    roman090109 TS Rookie Topic Starter

    I think (and hope) everything's OK now. CA isn't showing it anymore.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Looks good except for the below.

    Run HJT, "Scan only", then select for removal the below.

    O2 - BHO: (no name) - Software - (no file)
    O18 - Filter hijack: text/html - {8b2f7558-6566-4816-bb78-e5b9703e64c5} - (no file)
    O20 - Winlogon Notify: gebbbax - gebbbax.dll (file missing)

    Reboot and 1 more HJT log, I think the last.

    Mike
     
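The two removal lists above (posts 9 and 12) are the result of reading a HijackThis log by hand. The following is an added example, not part of the thread and not HijackThis's or mflynn's code, that encodes the same judgement as a small triage script: it parses the "Oxx - Kind: detail" lines, flags dangling "(no file)" / "(file missing)" references, treats any text/html MIME filter as hostile, and checks AppInit_DLLs and Winlogon Notify entries against allow-lists. The sample log reuses the lines quoted in the thread; the O4 ctfmon line, the post-fix log, and both allow-lists are assumptions added for the example (the Google DLL is taken from the poster's own AppInit_DLLs value, the Winlogon Notify names are the stock Windows XP packages). It also diffs a before/after pair to surface an entry that survives a fix, which is what happens to the O18 filter later in this thread.

```python
import re
from dataclasses import dataclass

# Constructed input for this example. The O2/O9/O18/O20 lines are the ones mflynn
# told the poster to tick in HijackThis; the O4 ctfmon line is an added benign
# entry for contrast and is not from the thread.
LOG_BEFORE_FIX = r"""
O2 - BHO: (no name) - Software - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter hijack: text/html - {8b2f7558-6566-4816-bb78-e5b9703e64c5} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL zyqbvc.dll
O20 - Winlogon Notify: gebbbax - gebbbax.dll (file missing)
"""

# Constructed "after fix" log: everything cleared except the O18 filter, which in
# the thread also survived the HJT fix.
LOG_AFTER_FIX = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {8b2f7558-6566-4816-bb78-e5b9703e64c5} - (no file)
"""

# Assumption: allow-lists. goec62~1.dll is the Google Desktop DLL from the poster's
# own log; the Winlogon Notify names are the stock Windows XP packages.
TRUSTED_APPINIT = {"goec62~1.dll"}
TRUSTED_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(O\d+)\s*-\s*([^:]+?):\s*(.*)$")


@dataclass
class HjtEntry:
    section: str   # "O2", "O9", "O18", "O20", ...
    kind: str      # "BHO", "Filter hijack", "AppInit_DLLs", ...
    detail: str    # everything after the first colon
    raw: str


def parse_hjt(text):
    """Parse the 'Oxx - Kind: detail' lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2).strip(), m.group(3).strip(), line))
    return entries


def triage(entry):
    """Return the reasons an entry should be ticked for removal (empty = leave it)."""
    reasons = []
    low = entry.detail.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("dangling: the referenced file is gone, entry is dead weight")
    if entry.kind == "Filter hijack":
        # A MIME filter on text/html sits in the path of every page IE renders.
        reasons.append("text/html MIME filter is almost never legitimate")
    elif entry.kind == "AppInit_DLLs":
        # AppInit_DLLs is loaded into every process that links user32.dll; a bare
        # DLL name with no path is resolved by search order and is a classic trojan drop.
        for dll in entry.detail.split():
            if dll.rsplit("\\", 1)[-1].lower() not in TRUSTED_APPINIT:
                reasons.append(f"AppInit_DLLs injects {dll} into every GUI process")
    elif entry.kind == "Winlogon Notify":
        # Notification packages run inside winlogon.exe at logon, before the shell.
        name = entry.detail.split(" - ", 1)[0].strip().lower()
        if name not in TRUSTED_WINLOGON_NOTIFY:
            reasons.append(f"Winlogon Notify package '{name}' is not a Windows default")
    return reasons


def fix_list(log_text):
    """Map each flagged raw line to its reasons, in log order."""
    flagged = {}
    for entry in parse_hjt(log_text):
        reasons = triage(entry)
        if reasons:
            flagged[entry.raw] = reasons
    return flagged


def survivors(before, after):
    """Flagged entries still present after a fix. An entry HJT cannot clear is being
    rewritten by something still running (rootkit, scheduled task, second loader),
    which is why the thread escalates to SDFix/GMER rather than fixing it again."""
    after_raw = {e.raw for e in parse_hjt(after)}
    return [raw for raw in fix_list(before) if raw in after_raw]


if __name__ == "__main__":
    for raw, reasons in fix_list(LOG_BEFORE_FIX).items():
        print(raw)
        for r in reasons:
            print("    ->", r)
    print("Still present after fix:", survivors(LOG_BEFORE_FIX, LOG_AFTER_FIX))
```

Run as-is it prints the seven lines mflynn ticked, with the reason for each, leaves the ctfmon Run entry alone, and reports the O18 filter as the one survivor. The AppInit_DLLs rule flags only the pathless zyqbvc.dll, not the Google DLL next to it; HijackThis fixes the whole O20 value at once, so in practice the legitimate DLL goes with it and has to be re-added by reinstalling its product.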
  13. roman090109

    roman090109 TS Rookie Topic Starter

    OK, here is the new log.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Roman

    I think you are in good shape.

    But there is one more item

    O18 - Filter hijack: text/html - {8b2f7558-6566-4816-bb78-e5b9703e64c5} - (no file)

    That did not clear, and if we assume it is harmless, it may come back to bite us.

    And by now you know I am thorough, don't you? I hope that is what you wanted and expected.

    The below is way easier than it looks but we need to do it.

    The below looks big and complex but just step thru my steps.

    Reboot clean; run no apps!

    Download SDFix to the Desktop. Among other things it runs GMER and Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop, run SDFix. It will run (install) and then close.

    Then reboot into regular Safe Mode (not with networking)

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click to execute RunThis.bat. Type Y to begin.

    SDFix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished, hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.

    Attach the Report.txt file to your next post.

    =========================================
    Immediately, without executing other apps, do the following.

    Download OTScanIt:

    http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe

    Close all Apps and Browsers

    Download and save it to the Desktop, then double-click to extract the files to an OTScanIt folder.

    If your firewall or other security or malware protections pop up, you should allow OTScanIt to run.

    Enter the OTScanIt folder and run OTScanIt.exe.

    In Additional Scans, select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings.

    At the top left, click Run Scan.

    The scan can take some time, so allow it time.

    When finished, a log will open. Save the log and post it back as an attachment.

    Mike
     
Topic Status:
Not open for further replies.
