TechSpot

[Resolved] Darksma removal-need help

By phoenix21
May 2, 2007
Topic Status:
Not open for further replies.
  1. Hey,I hope someone can help me.I cant get rid of this downloader and Im fed up with the popups and all.I downloaded CCleaner,Adaware SE personal,AVG Anti-spyware,Spybot S&E,and HiJackThis v2.Please help
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    First off,thank you for taking the time to help me.Next AVG antirootkit found nothing.HJT is as follows-
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Please repost the requested logfiles as attachments. See HERE.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    Ok I think I figured it out This is the HJT results
     
  6. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    And here is the AVG antispyware results
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You need to rename HijackThis_v2.exe as per the instructions. You also need to post the rest of the requested files.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ALCMTR.EXE
    IPClient.exe
    kmufm.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)

    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

    O4 - HKCU\..\Run: [kmuf] C:\Program Files\Common Files\kmuf\kmufm.exe

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Common Files\kmuf<Delete the entire folder.
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\windows\ALCMTR.EXE
    C:\Program Files\MyWebSearchWB<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    OK I think this is it

    Also the antirootkit found nothing again
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You didn`t attach a fresh Combofix log as requested.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Post the Avenger log as well as fresh AVGAntispyware, Combofix and HJT logs.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     

    Attached Files:

  10. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    heres the results of avenger

    heres the HJT results

    Finally heres the combofix results
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    It seems like the C:\Program Files\Common Files\kmuf\kmufm.exe doesn`t want to go. Please do the following exactly.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\Program Files\Common Files\kmuf\kmufm.exe
    * Click Open
    * Please let me know the results.

    6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
     
  12. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    here is the avenger results

    and here is HJT
    Also I could not find the kmufm.exe file.I even tried searching files and folders but nothing turned up
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    This is very stubborn. let`s see if we can get rid of it this time, if not we`ll have to try doing it manually.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    heres the avenger results

    and heres the HJT results-am I doing something wrong
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No, you`re not doing anything wrong, it`s just proving difficult to get rid of the kmufm.exe file. Just a quick note: You can attach more than one logfile in the same post, so there`s no need to make separate posts for each logfile. ;)

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Click edit and choose find. Type kmufm into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to kmufm and display them in the righthand pane. Right click on any such kmufm.exe entries and choose delete.

    Now click edit again and choose find next. Again, delete any entries that reference kmufm.

    Repeat the above, until no more kmufm entries are found.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    ok heres the HJT results-thanks for the tip also
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Excellent, that got it. Your HJT log is now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of phoenix21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    thanks alot howard youve helped quite a bit
     
  19. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    process issues on xp

    Hey guys Im having a problem,My computer is running an insane amount of processes and I dont really know what to do.Im afraid if I remove them I might screw something up so its best to check with the experts.I posted in my old thread because I forgot how to start a new one ?? By the way,Merry Christmas.
     
  20. momok

    momok TS Rookie Posts: 2,272

    No problems, post a HijackThis log and I'll check it for you. =)
     
  21. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    heres the hijackthis file
     
  22. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Fix these entries in HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

    O2 - BHO: (no name) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - (no file)
    O2 - BHO: (no name) - {A7041431-366E-4DC4-AE83-748F6794ED28} - \
    O2 - BHO: (no name) - {AA1D742B-3E13-4AFB-8210-E46F4A55FADF} - \
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (file missing)
    O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
    O4 - Startup: MP3 Rocket (Minimized).lnk.disabled
    O4 - Startup: MP3 Rocket (silent).lnk.disabled
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = ?

    Your HJT is clean, but you do indeed have several processes running. You could choose to disable some of them from startup, if that helps. I suggest disabling these (in fact I would recommend uninstalling and disabling all toolbars in my opinion they are useless and slow the system unnecessarily) Disabling these entries are entirely your choice though:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

    All O9 and O16 entries.


    For information to speed up your system, please read this thread HERE.
     
  23. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    I fixed the entries you advised but by disabling from startup did you mean fix checked on hijackthis or do I need to run msconfig and remove them that way
     
  24. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Usually fixing the entries in HijackThis will be sufficient to remove legitimate registry start up keys. If they reappear, let me know. How's your system running?

    Regards,
    momok
     
  25. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    It seems fine,It was a little slow before I fixed those entries.It feels more normal now
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.