TechSpot

Infected with Darksma

By Michelle061775
Apr 12, 2007
  1. My computer is infected with Darksma and my CPU usage is at 99-100%. I have run all the programs suggested and can't get rid of it. My HijackThis log and uninstall list are attached. AVG is coming up with nothing, but my CA detects it. Please let me know if you need any other logs. Thanks so much for any help anyone can give me.
     


  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your system is infected with a trojan and possibly some other malware

    Download the Pocket Killbox from HERE (http://www.bleepingcomputer.com/files/killbox.php). Extract it but don't run it yet.

    You may wish to copy and paste these instructions on notepad for easier reference later.


    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Run AVG antispyware scan and quarantine the items. See HERE for instructions.

    Click on start > Run, and type the services.msc. Press Enter.

    Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    sstrol.dll
    runtfs32.exe
    ie_updater.exe
    iass.exe

    Close the services window.


    Open your task manager by pressing the ctrl, alt and delete keys, or alternatively, ctrl + shift + escape. Click on the processes tab and end the following processes, if found:

    partnership.dll
    winload.dll
    honewabe.dll
    tmp9.tmp.dll
    runtfs32.exe
    ie_updater.exe
    iass.exe

    Close

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
    O2 - BHO: (no name) - {7DA93366-EEB8-4A78-8F61-B0B98D7A1BFA} - C:\Program Files\Outlook Express\honewabe.dll
    O2 - BHO: 0 - {B277D0C9-0C71-41E8-368A-08E5428DFCFB} - (no file)
    O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - (no file)
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
    O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O21 - SSODL: SgfTBcerjme - {E475A4AE-4EDF-0E04-6FBE-72BCBBD0D529} - (no file)
    O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
    O23 - Service: McDetect.exe - LT - (no file)
    O23 - Service: McTskshd.exe - LT - (no file)
    O23 - Service: mcupdmgr.exe - LT - (no file)
    O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
    O23 - Service: System Version S (SvS) - Unknown owner - C:\WINDOWS\system32\iass.exe (file missing)

    I also advise you to remove all other O16 entries related to game1.pogo.com if you do not frequent the site.

    Navigate in Windows Explorer and delete the following files and folders in bold.
    C:\Documents and Settings\michelle\My Documents\ie_updater.exe
    C:\WINDOWS\system32\iass.exe

    Run the killbox file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the file paths you need to enter:
    C:\WINDOWS\system32\winload.dll
    C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    C:\WINDOWS\sstrol.dll
    C:\Program Files\Outlook Express\honewabe.dll
    C:\WINDOWS\system32\tmp9.tmp.dll

    Rehide your OS files after reboot.

    Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

    <edit> deleted the part on turning off system restore. Thanks Howard.
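    As an added, defender-side illustration (not code from the thread or any of its posters): a small HijackThis log triage script that parses entries like the ones listed above and flags them on the same grounds the thread uses (target file missing, a Run key loading a DLL from outside system32, a Winlogon Notify DLL outside system32, a service with an unknown owner). The sample lines are taken from the log quoted above plus one constructed benign entry (ExampleTool), and the flags are heuristics to prioritise review, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: HijackThis lines quoted in the thread above, plus one
# made-up benign O4 entry (ExampleTool) that triage should NOT flag.
SAMPLE_LOG = r"""
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
O23 - Service: McDetect.exe - LT - (no file)
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\ExampleTool\tool.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")  # "O4 - ..." prefix
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

@dataclass
class Entry:
    kind: str                  # HJT section (R3, O2, O4, O20, O23, ...)
    body: str                  # text after "Oxx - "
    clsid: Optional[str]
    path: Optional[str]        # first drive-letter path ending in .exe/.dll
    reasons: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    clsid, path = CLSID_RE.search(m["body"]), PATH_RE.search(m["body"])
    return Entry(m["kind"], m["body"], clsid and clsid.group(0), path and path.group(0))

def triage(e: Entry) -> Entry:
    low = (e.path or "").lower()
    if "(no file)" in e.body or "(file missing)" in e.body:
        e.reasons.append("orphaned: target file is gone")
    if e.kind == "O4" and low.endswith(".dll") and "\\system32\\" not in low:
        e.reasons.append("Run key loads a DLL from outside system32")
    if e.kind == "O20" and not low.startswith("c:\\windows\\system32\\"):
        e.reasons.append("Winlogon Notify DLL outside system32")
    if e.kind == "O23" and "Unknown owner" in e.body:
        e.reasons.append("service with unknown owner")
    if low.endswith(".dll") and "\\documents and settings\\" in low:
        e.reasons.append("DLL loaded from a user profile folder")
    return e

def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]
```

    Note that the winload.dll BHO sitting in system32 passes every heuristic here, which is why a reviewer still has to look at names and CLSIDs by hand, as the helper in this thread did.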
     
  3. Michelle061775

    Michelle061775 TS Rookie Topic Starter

    Thanks for the reply. The link is not working. I went to that site and could not find it either. Please help.

    Ok. Found it. Doing the steps now. Thanks.

    Ok. Now when I try to run Killbox, it tells me KillBox.exe is not a valid Win32 application. Why is this happening?
     
  4. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. The bleeping computer link hasn't been working properly for a few days.

    Regards Howard :)
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I made some slight amendments to my post (noticed slight errors). Do take note of the steps.


    Regards,
    Your friendly Momok =)
     
  7. Michelle061775

    Michelle061775 TS Rookie Topic Starter

    OK. I have completed the steps. My logs are attached. Thanks for all help!
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're running an outdated version of HJT and have not renamed it as per THESE instructions.

    Delete all files in AVG Antispyware and Combofix quarantine.

    Post fresh HJT and Combofix logs. Please note: it's the actual Combofix log I need to see, not the Combofix quarantine log.

    Have you recently uninstalled McAfee?

    Regards Howard :)

    This thread is for the use of Michelle061775 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
