I have Darksma virus, can anyone help?

Status
Not open for further replies.

aress

Hi all,

I'm new to this forum. Found it after Googling the web to find out what this horrible "Darksma" virus is, that has just recently invaded my PC. I have a recovery partition of 5GB, which I used, but that didn't get rid of it. I really need to get rid of this horrible virus as soon as I can, as I work from my PC.

I'm using my laptop to post, so any advice you can give me would be very much appreciated.

Thanks for your time!

Ron
 
Ok, thanks. I've followed that link, and downloaded all the software. I'll get to work right away, and post the requested logs later this evening.

Thanks for your help so far!

Ron

Hi again,

I started up my PC, and plugged in the Ethernet cable. Here's what has happened so far:

1743 - Switched on PC, and Norton Protection Center asked to check for virus updates, so I plugged the Ethernet cable back in, and allowed the updates to be downloaded.

1746 - A window pops up, asking me to install "Antivirus XP 2008", with only the option to "Agree and install", no option to disagree, no close button. I CTRL+ALT+DEL and End Program.

1747 - Norton blocks an intrusion attempt.

1748 - I tell Norton to do a Virus and Spyware scan, meantime, I unplug the Ethernet cable.

1750 - After a "Quick Scan", Norton reports that nothing was found.

1751 - I tell Norton to do a Full System Scan.

1753 - Norton is scanning a file called "Backdoor.Sdbot.AR!dr", and is freaking out! It has stopped on this file, but sounds like it is still working.

1754 - Norton scans several "Backdoor" files, all within the start-up area! "Banco.B", "Infostealer", "Sality", "Trojan.Horst", "Trojan.Perfcoo", TONS of Adware and Spyware flickers past, "TrustyHound", "SpyBouncer", "AlfaCleaner", "888bar", "Elodu", "SpyAnywhere", "Webguardian", and those are just the ones I caught the names of before they vanished! And even so, Norton still shows "Total security risks detected: 0"!

1802 - I open Firefox (PC is still offline), and delete all saved passwords. Norton is still scanning, currently at 42,000 files. I have just under 700,000 files on my PC.

...I have to go out for a couple of hours now, but I'll leave Norton running, and my PC offline. I just hope no further damage gets done, as it's looking pretty bad!

Ron
 
Ron, we can't do anything until we see the logs.
1746 - A window pops up, asking me to install "Antivirus XP 2008", with only the option to "Agree and install", no option to disagree, no close button. I CTRL+ALT+DEL and End Program.
Do NOT install under any circumstances. This is malware! It will show up in the logs.

but I'll leave Norton running, and my PC offline.
You do not need Norton running if you're offline. It's going to continue to interrupt you if you do. But enable it before you go back online.
 
Hi, I decided not to leave Norton running while I was out, as leaving my PC on unsupervised might have allowed the naughty virus to play. I do want to ask, though, the page within Techspot, linked above, requests that all Realtime Monitoring Programmes be disabled during running of the malware software, however, it does state that when I do run the Malwarebytes' Anti-Malware programme, it needs to be online to check for updates. Is it wise to have my infected PC online, with the Darksma virus present, and Norton disabled?

Ron
 
If an update is found, it will download and install the latest version.
You are getting all tangled up over the 'update' issue.

When you first download Malwarebytes, check for update then.

These are the programs that have 'real time' protection that had to be temporarily disabled:
The only reason I told you to disable Norton is because it is interfering with running the malware programs. Let the one scan finish, deal with what is found.
 
Hey,

sorry I haven't gotten back to you sooner, I've been moving house this week. Blimmin' Darksma happened at the worst time! (Is there a good time?)

My infected PC and non-infected Laptop are still at the old place, so I'll run those programs while I'm packing stuff for moving, and I'll post the logs here.

Hope you can still help me!

Thanks,

Ron
 
Run the malware programs and post the logs when you're settled. Advise of current and any additional problems, okay?
 
Hi,

I completed a scan with Malwarebytes' Anti-Malware, but I accidentally clicked "save log file" instead of asking it to remove what it found. Is there any way I can tell it to remove what's in the saved logfile? Or will I need to run the scan again?

Thanks,

Ron
 
Hi,

I will post them but the PC is still working. I ran the Anti-Malware software, and I did a second scan, and then removed all items. I am now running SUPERAntiSpyware, which has now been running for 1h 30m, and has found 2 items. Once I have completed all the tasks I will post the logs, and I hope you can help me from there!

Thanks,

Ron

Ok, I have followed all your instructions, here are the log files. Unfortunately, this website will not allow me to upload the log file for "mbam-log-2008-09-04 (22-01-06).txt", as it apparently exceeds the 100kb limit!

Hope you can help!

Thanks,

Ron.

Tried again to attach the log file "mbam-log-2008-09-04 (22-01-06).txt", but the forum won't let me, as the file is 117k, and the limit on filesize is 100k!

Any other way I can get this file to you?

Ron
 
VundoFix:
Please download VundoFix.exe from here: http://vundofix.atribune.org/ Save to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


I'm going to check and see if we can get mbam on here.
 
Hi,

I downloaded and ran VundoFix, which found and successfully deleted four items. I have attached the VundoFix logfile. I have also split the "mbam-log-2008-09-04 (22-01-06).txt" file into two, smaller files so that I could avoid the paltry 100kb upload limit!

Let me know what I should do next. I have already noticed my PC is a lot faster now, and there are no pop-ups or fake Anti-Spyware programs hassling me.

Ron
 
If you looked at the mbam logs, you will have seen the great amount of malware files it deleted. The majority of these have their source in VideoEgg:

VideoEgg is a web-based publishing service that allows users to capture video content from virtually any device and format and publish it to the web.

The manufacturer defines itself as:
VideoEgg is the pioneering video ad network for online communities. We connect brands to consumers with video and rich media across a network of more than 200 leading video and gaming sites, social networks and applications.
However:
In June 2008, VideoEgg and one of its partner websites, hi5, were sued in the United States by EMI recording labels and music publishers. The plaintiffs allege that both services are liable for copyright infringement, due to videos uploaded by hi5 users through the VideoEgg application, and seek injunctions against the allegedly infringing activity.[7]
I see entries such as this associated with your Vundo infection:
aol_watermark.png
bebo_tv_watermark.png
camcorders_title.png
dropshadow_bottom_left.png

A PNG file (Portable Network Graphics) is a bitmapped image format. It appears that you did download LClock, ViStart and ViOrb. These are legitimate apps, but it depends on where you got them. For your safety, I suggest you have HijackThis remove the following:
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\
Again, for your safety, remove:
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
btdna.exe is a bittorrent executable. Bittorrent is basically a file sharing technology. File sharing programs can be dangerous.

Additionally, have HijackThis remove these:
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
(Windows XP)
O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll

To remove: Please re-open HiJackThis and scan. Check the boxes next to all the entries to be removed as above. Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and Reboot.

Run HijackThis to scan again and post the log here.
 
Hi,

sorry for the delay in getting back to you - have just moved house, and had to wait for the new broadband to get up and running!

I have carried out all of your instructions. Please find attached my latest Hijack This log file. I must say, the PC seems to be running a lot better now.

Let me know what to do next, and thank you so much for your help so far, it is very much appreciated.

Ron
 
You still have way too much loading at startup. Going through your logs is very time consuming! Do you understand that you do not need to have everything start on boot, that all those programs that DO start on boot will run in the background, using resources, RAM and slowing you down? It is too time-consuming to go through it all, but consider the following:

You do NOT need ANY of these programs doing automatic updates! Go either into the Control Panel (Java) or All Programs, open the program and disable the auto-update features:
Java: O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
HP: O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
Google: O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Real Player: O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Alc. Dev: O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

The Media and Players don't need to start at boot. Manually start when needed:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

Still on: you are the only one on the internet who has this process running! That can't be good. Have you been checking to have HijackThis remove it?
O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll
You have all these Toolbars loading. Your two biggest enemies are time and space. You have exceeded both. Consider removing:
Yahoo! Toolbar
Google Toolbar
Winamp Toolbar
Windows Live Toolbar
Norton Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
Adobe: O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
Your Adobe is out of date. Current version is v9.
If you decide to clean some of this up, have HijackThis remove the entries. Then boot into Safe Mode, go to Start Menu and UNCHECK the programs you don't need to start.

Go to the Control Panel> Add/Remove Programs and uninstall ALL programs you don't use.
Boot into Normal Mode. Run one more HijackThis and attach log.
When done, I will have you clean up the tools we used and remove old restore points.

By the way, you don't need to quote my reply- it will be on the board.
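The two replies above work through HijackThis O2 (browser helper object), O4 (Run key) and O20 (Winlogon Notify) lines by hand. As an added example that is not part of this thread and is not HijackThis' own code, here is a small Python triage script that parses those three line types from a constructed log sample modelled on the entries quoted above, and applies the same reasoning the helper used: a BHO pointing at "(no file)" is a dead entry, a Run value that goes through rundll32 deserves a closer look, and a Winlogon Notify DLL with a pseudo-random name like ebbddccceed is the one to worry about. The `looks_random` heuristic (letters only, 8 or more characters, built from very few distinct letters) is my own assumption for this example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll
"""


@dataclass
class Entry:
    kind: str     # "O2", "O4" or "O20"
    name: str     # BHO class name, Run value name, or Winlogon Notify subkey
    target: str   # the DLL, CLSID or command line the entry points at
    verdict: str  # "orphan", "startup", "review" or "suspicious"
    reason: str


O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def looks_random(name: str, min_len: int = 8, max_distinct: int = 5) -> bool:
    """Assumed heuristic (mine, not HijackThis'): a letters-only name of
    min_len+ characters drawn from only a handful of distinct letters,
    the pattern of the ebbddccceed name in this thread."""
    n = name.lower()
    return n.isalpha() and len(n) >= min_len and len(set(n)) <= max_distinct


def triage(log_text: str) -> List[Entry]:
    """Parse O2/O4/O20 lines and attach a verdict to each one."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if path == "(no file)":
                entries.append(Entry("O2", name, clsid, "orphan",
                                     "BHO registered but its DLL is gone; dead entry, safe to fix"))
            else:
                entries.append(Entry("O2", name, path, "review",
                                     "browser helper object loaded into Internet Explorer"))
        elif m := O4_RE.match(line):
            hive, name, cmd = m.groups()
            if "rundll32" in cmd.lower():
                entries.append(Entry("O4", name, cmd, "review",
                                     f"{hive} Run value loads a DLL through rundll32; confirm the DLL"))
            else:
                entries.append(Entry("O4", name, cmd, "startup",
                                     f"{hive} Run value; runs at every logon, disable if not needed"))
        elif m := O20_RE.match(line):
            name, path = m.groups()
            if looks_random(name):
                entries.append(Entry("O20", name, path, "suspicious",
                                     "Winlogon Notify DLL with a pseudo-random name; winlogon.exe "
                                     "keeps it loaded, which is why Explorer reports it as in use"))
            else:
                entries.append(Entry("O20", name, path, "review",
                                     "Winlogon Notify DLL; confirm it belongs to a known package"))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<3} {e.verdict:<10} {e.name:<22} {e.reason}")
```

Run it as-is to see the verdicts for the sample; to use it on a real log, pass the file's text to `triage()`. The point of the O20 rule is the one the helper keeps coming back to: a Notify DLL is mapped into winlogon.exe itself, so "file in use" on delete is expected and the registry entry has to go first.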
 

Hi,

right, I've followed your instructions as best I can. Real Player doesn't seem to work at the moment, possibly due to the amount of malware removal I've done recently. I'll have to re-install Real Player to carry out the actions you mentioned.

Also, I should mention that I use Firefox, but Internet Explorer is also on my system somewhere. The only toolbar I use on Firefox is the Yahoo one, as it notifies me of new mail. I suspect that all the other toolbars belong to Internet Explorer, which I never use.

I couldn't find a way to disable some auto-update features.

I have removed the auto-starts for media players, using HJT.

Also deleted "O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll " using HJT.

Please find attached my latest HJT log file.

Thanks,

Ron.
 
This may assist you finding and stopping all the unnecessary processes that are starting at boot:
AutoRuns for Windows v9.34
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

The processes I have in quotes in Post #16 (including the Toolbars) can be stopped. IF they are on IE, which you're not using, why waste your time and space running them?
When you reinstall Real Player, be sure the auto-update feature is not enabled. and here is another updater you can stop:
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
isuspm.exe is a process that belongs to InstallShield from Macrovision. The process automatically checks for the latest updates online.

This is back again:
O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll
Try going into Safe Mode:
Right click on Start> Explore> Windows system 32> delete ebbddccceed.dll if it's there.

Otherwise, your log is okay. If you can stop some of those unnecessary startups, you will be amazed at how much faster the system loads!

We can remove the cleaning tools now:
OTCleanit! by Oldtimer
Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) Click the CleanUp! button.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

This is a good time to clear your existing system restore points and establish a new clean restore point:
o Go to Start > All Programs > Accessories > System Tools > System Restore
o Select Create a restore point, and OK it.
o Next, go to Start > Run and type in cleanmgr
o Select the More options tab
o Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Let us know if you need more help.
 
Hi,

I'll get to work on your last post shortly, but there is one other issue that is concerning me. When you mentioned tasks running in the background, I remembered that ever since the removal of all the malware and viruses, there is one process that seems to be running constantly, taking up 40 - 50% of my CPU's workload. My PC goes through hours at a time, chugging away to itself, with the hard-drive light orange (busy). I did a CTRL+ALT+DEL, and checked processes, and it's this one that's constantly running: "HelpSvc.exe". It's really slowing my PC down immensely. Do you know what program it belongs to? Should I remove it?

Will get back to you regarding your last post, about removing the clean-up tools.

Thanks,

Ron
 
Please see this information regarding the handling of the Microsoft Help Center Service :

http://searchtasks.answersthatwork.com/tasklist.php?File=HelpSVC

There are only specific times you should see it in the Task Manager. Microsoft did acknowledge this was a problem because it is a high CPU user and could drastically slow a system down. However, it was supposedly fixed on SP2.

You can change the Startup Type to Manual though if it is set on Automatic:
Control Panel> Administrative Tools> Services> right click on HelpSvc> Properties> change dialog box for Startup to Manual> Stop the Service> Apply> OK.

Now it 'should' only start when needed. Many Services are set to Automatic when a computer ships. Some need to be on Auto, but many can be changed to Manual and some can be disabled. One must be cautious in changing Services as the Dependencies tab must always be checked and those Services taken into consideration.
 
Hey,

I located the file "ebbddccceed.dll" in the System 32 folder, but every time I try to delete it, Windows says it is in use by another program, which I must first shut down to be able to delete it! Any idea what program it may be?

Ron
 
Ron, I could not identify ebbddccceed.dll. Try doing a right click on the file> Properties> see if you can get any information there. I didn't even get a suggested spelling correction from Google- only your post comes up with it.
 
This is back again:
O20 - Winlogon Notify: ebbddccceed - C:\WINDOWS\system32\ebbddccceed.dll
Try going into Safe Mode:
Right click on Start> Explore> Windows system 32> delete ebbddccceed.dll if it's there.

I am finding it difficult to get rid of this file. I've tried deleting it, both in safe mode, and normal Windows, and each time, it says it cannot be deleted, as it is currently in use by another program. I right-clicked the file in the Windows System 32 folder, and selected properties, I have attached screen grabs of what the results were.

Ron
 
Well, we need to find the application that this process is an 'extension' for. (Properties)

Best to search by date- see what was done on 'Created Date' of 27 June, 2007:
Search> Files & Folders> Scroll down to and check 'Specify dates'> change box to read 'Created date'> put 6/27/2007 in the date boxes> be sure search is set for Local Drive- usually C> Search.

Look on the right screen. Do you see anything installed on that date? Anything at all? IF you don't bring up anything helpful using the 'created date', start new Search and use 'modified date'> put 7/10/2008 in date box and search.

This reads as an application extension. I can't ID it, but if we can find the application itself, we may be able to handle this process by disabling that app.
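The search-by-date pivot described in this reply (take the suspect file's created or modified date, then look for everything else on the drive that shares it) is a standard first step in building a timeline. As an added example that is not part of this thread, the Python below does the same walk over a directory tree. Because Windows Search is not available offline here, the example builds a small constructed sandbox tree in a temp directory, back-dates a file named after the DLL from this thread to 10 July 2008 alongside one unrelated file, and then shows which files share the suspect's day. Creation time is read from st_birthtime where the platform provides it and falls back to st_ctime (which on Windows is creation time; on Linux it is the inode change time, so prefer the modified-date pivot there).

```python
import os
import tempfile
from datetime import date, datetime
from pathlib import Path
from typing import Dict, List, Tuple


def _creation_ts(st: os.stat_result) -> float:
    # st_birthtime exists on macOS/BSD; Windows reports creation in st_ctime.
    return getattr(st, "st_birthtime", st.st_ctime)


def files_touched_on(root: str, day_iso: str, use_created: bool = False) -> List[str]:
    """Walk `root` and return the paths whose modified timestamp (or creation
    timestamp when use_created=True) falls on the day given as YYYY-MM-DD."""
    day = date.fromisoformat(day_iso)
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p)
            except OSError:
                continue  # locked or vanished file: skip it, don't abort the sweep
            ts = _creation_ts(st) if use_created else st.st_mtime
            if datetime.fromtimestamp(ts).date() == day:
                hits.append(p)
    return sorted(hits)


def pivot_on_file(root: str, suspect: str) -> Dict[str, List[str]]:
    """Read the suspect file's own dates and list what else shares each one."""
    st = os.stat(suspect)
    created = datetime.fromtimestamp(_creation_ts(st)).date().isoformat()
    modified = datetime.fromtimestamp(st.st_mtime).date().isoformat()
    return {
        "created_same_day": files_touched_on(root, created, use_created=True),
        "modified_same_day": files_touched_on(root, modified),
    }


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sandbox: a fake WINDOWS\\system32 holding the DLL named in
    this thread plus an unrelated DLL, and a dropped executable elsewhere.
    Only the modified times are back-dated (os.utime cannot set creation time).
    Returns (root, path_of_suspect)."""
    root = tempfile.mkdtemp(prefix="pivot_demo_")
    sys32 = Path(root) / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    suspect = sys32 / "ebbddccceed.dll"
    unrelated = sys32 / "unrelated.dll"
    sibling = Path(root) / "Program Files" / "SomeApp" / "dropped.exe"
    sibling.parent.mkdir(parents=True)
    for f in (suspect, unrelated, sibling):
        f.write_bytes(b"MZ")  # minimal placeholder contents, not a real binary
    t_suspect = datetime(2008, 7, 10, 12, 0).timestamp()   # the 'modified date' from the thread
    t_other = datetime(2008, 9, 4, 12, 0).timestamp()      # some other day
    os.utime(suspect, (t_suspect, t_suspect))
    os.utime(sibling, (t_suspect, t_suspect))
    os.utime(unrelated, (t_other, t_other))
    return root, str(suspect)


if __name__ == "__main__":
    root, suspect = build_demo_tree()
    for label, paths in pivot_on_file(root, suspect).items():
        print(label)
        for p in paths:
            print("   ", p)
```

On a real machine you would call `pivot_on_file("C:\\", r"C:\WINDOWS\system32\ebbddccceed.dll")`; the files that share the suspect's modified day (here the constructed dropped.exe) are the candidates for the "application" the helper is trying to locate. Note that a file's dates can be set by whatever wrote it, so a match is a lead to confirm, not proof on its own.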
 
Look on the right screen. Do you see anything installed on that date? Anything at all? IF you don't bring up anything helpful using the 'created date', start new Search and use 'modified date'> put 7/10/2008 in date box and search.

Hi,

sorry it's taken me a while to respond, been busy moving house. Anyway, I searched my hard drive for any programs installed on 27/06/07, and it seems that IE7 was installed on that day. I have attached a jpeg of the results...

Thanks,

Ron
 