Infected with Darksma

Status
Not open for further replies.
My computer is infected with Darksma and my CPU usage is at 99-100%. I have run all the programs suggested and can't get rid of it. My HijackThis log and uninstall list are attached. AVG is coming up with nothing, but my CA detects it. Please let me know if you need any other logs. Thanks so much for any help anyone can give me.
 

Attachments

  • hijackthis-uninstall.txt
Hi,

Your system is infected with a trojan and possibly some other malware

Download the Pocket Killbox from HERE (http://www.bleepingcomputer.com/files/killbox.php). Extract it but don't run it yet.

You may wish to copy and paste these instructions on notepad for easier reference later.


Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Run AVG antispyware scan and quarantine the items. See HERE for instructions.

Click on Start > Run, type services.msc and press Enter.

Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

sstrol.dll
runtfs32.exe
ie_updater.exe
iass.exe

Close the services window.


Open your task manager by pressing the ctrl, alt and delete keys, or alternatively, ctrl + shift + escape. Click on the processes tab and end the following processes, if found:

partnership.dll
winload.dll
honewabe.dll
tmp9.tmp.dll
runtfs32.exe
ie_updater.exe
iass.exe

Close

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
O2 - BHO: (no name) - {7DA93366-EEB8-4A78-8F61-B0B98D7A1BFA} - C:\Program Files\Outlook Express\honewabe.dll
O2 - BHO: 0 - {B277D0C9-0C71-41E8-368A-08E5428DFCFB} - (no file)
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - (no file)
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O21 - SSODL: SgfTBcerjme - {E475A4AE-4EDF-0E04-6FBE-72BCBBD0D529} - (no file)
O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O23 - Service: McDetect.exe - LT - (no file)
O23 - Service: McTskshd.exe - LT - (no file)
O23 - Service: mcupdmgr.exe - LT - (no file)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
O23 - Service: System Version S (SvS) - Unknown owner - C:\WINDOWS\system32\iass.exe (file missing)

I also advise you to remove all other O16 entries related to game1.pogo.com if you do not frequent the site.

Navigate in Windows Explorer and delete the following files and folders in bold.
C:\Documents and Settings\michelle\My Documents\ie_updater.exe
C:\WINDOWS\system32\iass.exe

Run the Killbox file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

These are the file paths you need to enter:
C:\WINDOWS\system32\winload.dll
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
C:\WINDOWS\sstrol.dll
C:\Program Files\Outlook Express\honewabe.dll
C:\WINDOWS\system32\tmp9.tmp.dll

Rehide your OS files after reboot.

Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

<edit> deleted the part on turning off system restore. Thanks Howard.
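The HijackThis entries listed in the post above were picked out by hand: references to files that no longer exist, autostart points under a user profile, DLLs launched through rundll32, services with no known owner, and the same CLSID registered under several load points. The script below is an added example, not part of the thread or of HijackThis itself; it parses log lines in the HJT format and applies those same rules as plain heuristics, so the reasoning becomes repeatable. The sample log is constructed from the entries quoted in the thread plus one made-up benign entry (ExampleVendorTray) to show a clean line passing; the rule set is the author's own, not an official HJT specification.

```python
"""Triage of HijackThis log lines (added example; not from the thread or from HJT).

Encodes, as plain rules, the judgement applied in the post above when choosing
entries to fix: orphaned references, autostarts under a user profile, binaries
dropped directly into the Windows directory, DLLs loaded through rundll32,
services with an unknown owner, and a CLSID registered under several load points.
These are ordinary defender heuristics, not an official HijackThis format spec.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|cab|sys)\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\", re.IGNORECASE)
WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
LOAD_POINTS = {"O2", "O4", "O20", "O21", "O22", "O23"}  # sections that load code

# Constructed sample: entries copied from the log quoted in the thread, plus one
# made-up benign autostart (ExampleVendorTray) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
O4 - HKLM\..\Run: [ExampleVendorTray] C:\Program Files\Example Vendor\tray.exe
"""


def parse_entry(line):
    """Split one HJT line into section, kind, free text, first file path and CLSID."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    path = PATH_RE.search(rest)
    clsid = CLSID_RE.search(rest)
    return {
        "line": line.strip(),
        "section": m.group("section"),
        "kind": m.group("kind"),
        "rest": rest,
        "path": path.group(0) if path else None,
        "clsid": clsid.group(0).upper() if clsid else None,
        "missing": "(no file)" in rest or "(file missing)" in rest,
    }


def assess(entry, clsid_sections):
    """Return the reasons an entry deserves a second look (empty list if none)."""
    reasons = []
    if entry["missing"]:
        reasons.append("orphaned: referenced file is absent")
    if "(no name)" in entry["rest"]:
        reasons.append("anonymous: no display name")
    path = entry["path"]
    if path and entry["section"] in LOAD_POINTS:
        if USER_PROFILE.match(path):
            reasons.append("autostart from a user-writable profile path")
        if WINDIR_ROOT.match(path):
            reasons.append("binary directly in the Windows directory, not system32")
    if entry["section"] == "O4" and "rundll32" in entry["rest"].lower():
        reasons.append("DLL loaded through rundll32 at logon")
    if entry["section"] == "O23" and "Unknown owner" in entry["rest"]:
        reasons.append("service with unknown owner")
    if entry["clsid"] and len(clsid_sections.get(entry["clsid"], ())) > 1:
        reasons.append("CLSID registered under multiple load points")
    return reasons


def triage(log_text):
    """Parse every line, cross-reference CLSIDs, and return the flagged entries."""
    entries = [e for e in (parse_entry(raw) for raw in log_text.splitlines()) if e]
    clsid_sections = {}
    for e in entries:
        if e["clsid"]:
            clsid_sections.setdefault(e["clsid"], set()).add(e["section"])
    findings = []
    for e in entries:
        reasons = assess(e, clsid_sections)
        if reasons:
            findings.append({"line": e["line"], "section": e["section"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

The script flags seven of the eight sample lines and lets the constructed benign autostart through. Note what it does not catch: the first winload.dll BHO is flagged only because the same CLSID also appears as an O22 SharedTaskScheduler entry; on its own, a DLL in system32 with a plausible display name passes every rule here, which is why the helper's knowledge of the specific file names still mattered.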
 
Thanks for the reply. The link is not working. I went to that site and could not find it either. Please help..

Ok. Found it. Doing the steps now. Thanks.

Ok. Now when I try to run Killbox, it tells me KillBox.exe is not a valid Win32 application. Why is this happening?
 
Hi,

I made some slight amendments to my post (noticed slight errors). Do take note of the steps.


Regards,
Your friendly Momok =)
 
You're running an outdated version of HJT and have not renamed it as per THESE instructions.

Delete all files in AVG Antispyware and Combofix quarantine.

Post fresh HJT and Combofix logs. Please note: it's the actual Combofix log I need to see, not the Combofix quarantine log.

Have you recently uninstalled McAfee?

Regards Howard :)

This thread is for the use of Michelle061775 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 