TechSpot

[Resolved] Darksma removal-need help

By phoenix21
May 2, 2007
Topic Status:
Not open for further replies.
  1. momok

    momok TS Rookie Posts: 2,272

    Glad to be of help. Should you face any further problems feel free to post back here.
  2. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    Having problems with popups and spyware. I've tried Ad-Aware, CCleaner, AVG and Spybot Search and Destroy. I've posted a HJT logfile if that helps. Thanks
  3. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {8A33755E-9637-4688-82D3-D72638314BB5} - C:\WINDOWS\system32\ddayx.dll
      O2 - BHO: (no name) - {8bf169a8-4d63-4307-bafe-6f022b5a5f7d} - (no file)
      O2 - BHO: {0ce8b8fe-af52-ef38-c5a4-97cebc5071da} - {ad1705cb-ec79-4a5c-83fe-25faef8b8ec0} - C:\WINDOWS\system32\maksuowi.dll
      O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\iifdcdd.dll
      O4 - HKLM\..\Run: [6013e15f] rundll32.exe "C:\WINDOWS\system32\ruquhhco.dll",b
      O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost .exe -all
      O20 - Winlogon Notify: iifdcdd - C:\WINDOWS\SYSTEM32\iifdcdd.dll

      Close HJT.

    4. Navigate in Windows Explorer and delete the following files and folders in bold.

      C:\WINDOWS\system32\ruquhhco.dll
      C:\WINDOWS\SYSTEM32\iifdcdd.dll
      C:\WINDOWS\system32\maksuowi.dll

    5. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


    Regards,
    momok =)

    This thread is for the use of phoenix21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    Here are HJT, ComboFix, and AVG.
  5. momok

    momok TS Rookie Posts: 2,272

    Your AVG log shows "No action taken" for all items. Please run the scan again, then set all actions to "quarantine". Next, save the log and repost here.

    It seems you got your system terribly infected. I would suggest the easiest way which is a reformat of your entire system. It is also safer, especially if you use it for banking or online shopping and other related activities which require sensitive financial information.

    Post a fresh ComboFix and AVG log in your next reply.
  6. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    Here is the AVG and ComboFix logfile, sorry it took so long to post.
  7. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayx.exe
      O2 - BHO: (no name) - {A7B171F9-6AE6-405C-890E-8D2ED6884C1F} - C:\WINDOWS\system32\ddayx.dll
      O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\iifdcdd.dll
      O20 - Winlogon Notify: iifdcdd - C:\WINDOWS\SYSTEM32\iifdcdd.dll

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    8. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of phoenix21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    I will upload the AVG log as soon as I get it.
    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

    And here's the AVG log.
  9. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
      F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
      O2 - BHO: (no name) - {51920EDE-E80D-40F0-A617-3EF85412ECB8} - C:\WINDOWS\system32\pmkhg.dll

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    8. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of phoenix21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    I had to reformat my computer. The system became unstable so I figured it would be easier and safer. Thanks for the help though. Can I get you to help remove some of the unused processes? There are close to 60 running now and I don't know what can safely be turned off. I'll post HJT so you can see what I mean.
  11. momok

    momok TS Rookie Posts: 2,272

    Hi,

    That is a very wise choice. The infection we were dealing with attacks random .exe files on your computer and adds spaces to the end of the filenames. E.g.,

    ctfmon .exe
    KHost .exe
    Ltmoh .exe
    avgas .exe
    pinger .exe

    There may have been other files that we do not know of being infected, which potentially means we could miss them out in the cleaning process. These files would then reinfect you all over again should they be run.

    --------------------------------------------------------------

    Here are some processes that are less often used and are likely to be unnecessary, and the corresponding HijackThis entries to fix. (You are free to leave them enabled, however, if you wish to keep them)

    Processes:
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\TPSMain.exe

    HijackThis entries: (be sure to fix those in bold)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe <- To fully disable this, you need to enter services.msc to set its startup to disabled.

    For information to speed up your system, please read this thread HERE.


    Regards,
    momok
     
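    As an added example (not from the thread or from momok), a small Python checker for the indicator described above: a space between the file name and its .exe extension, as in "KHost .exe". The HijackThis lines in the sample are constructed for the demonstration.

```python
import ntpath
import os
import re

# Constructed sample of HijackThis O4 lines: two show the "name .exe"
# pattern momok describes, two are ordinary entries that must not match.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost .exe -all
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [6013e15f] rundll32.exe "C:\WINDOWS\system32\ruquhhco.dll",b
"""

# A Windows path (drive letter, backslash, anything up to the first
# .exe/.dll extension). Lazy matching stops at the first extension so the
# trailing arguments of an O4 entry (e.g. " -all") are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)


def extract_paths(log_text):
    """Return every executable/DLL path found in an HJT-style log."""
    return PATH_RE.findall(log_text)


def has_spaced_extension(path):
    """True when the file name has whitespace just before its extension."""
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return stem.strip() != "" and stem != stem.rstrip()


def expected_original(path):
    """Name of the legitimate twin the renamed copy is impersonating."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return ntpath.join(ntpath.dirname(path), stem.rstrip() + ext)


def suspicious_entries(log_text):
    """Paths in the log that show the space-before-extension indicator."""
    return [p for p in extract_paths(log_text) if has_spaced_extension(p)]


def scan_directory(root):
    """Walk a real directory and list files carrying the same indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if has_spaced_extension(n))
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(HJT_SAMPLE):
        print(f"suspicious: {hit!r}  (impersonates {expected_original(hit)!r})")
```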
  12. phoenix21

    phoenix21 TS Rookie Topic Starter Posts: 22

    Thank you for all the help. I'll take care of those entries and I'm already happier with how my computer's doing. Thanks a lot.

    I also checked out the link to speed up my system. Awesome.
  13. momok

    momok TS Rookie Posts: 2,272

    Glad that worked. Enjoy your "new" system.

    Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.