[Resolved] Darksma removal-need help

Status
Not open for further replies.
Glad to be of help. Should you face any further problems feel free to post back here.
 
Having problems with popups and spyware. I've tried Adaware, CCleaner, AVG and Spybot Search and Destroy. I've posted a HJT logfile if that helps. Thanks
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {8A33755E-9637-4688-82D3-D72638314BB5} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {8bf169a8-4d63-4307-bafe-6f022b5a5f7d} - (no file)
    O2 - BHO: {0ce8b8fe-af52-ef38-c5a4-97cebc5071da} - {ad1705cb-ec79-4a5c-83fe-25faef8b8ec0} - C:\WINDOWS\system32\maksuowi.dll
    O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\iifdcdd.dll
    O4 - HKLM\..\Run: [6013e15f] rundll32.exe "C:\WINDOWS\system32\ruquhhco.dll",b
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost .exe -all
    O20 - Winlogon Notify: iifdcdd - C:\WINDOWS\SYSTEM32\iifdcdd.dll

    Close HJT.

  4. Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\system32\ruquhhco.dll
    C:\WINDOWS\SYSTEM32\iifdcdd.dll
    C:\WINDOWS\system32\maksuowi.dll

  5. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


Regards,
momok =)

This thread is for the use of phoenix21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your AVG log shows "No action taken" for all items. Please run the scan again, then set all actions to "quarantine". Next, save the log and repost here.

It seems you got your system terribly infected. I would suggest the easiest way which is a reformat of your entire system. It is also safer, especially if you use it for banking or online shopping and other related activities which require sensitive financial information.

Post a fresh ComboFix and AVG log in your next reply.
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayx.exe
    O2 - BHO: (no name) - {A7B171F9-6AE6-405C-890E-8D2ED6884C1F} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\iifdcdd.dll
    O20 - Winlogon Notify: iifdcdd - C:\WINDOWS\SYSTEM32\iifdcdd.dll

    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\iifdcdd.dll
    C:\WINDOWS\system32\drivers\nb4int155.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk
    Folder::
    C:\WINDOWS\system32\cache3
    C:\WINDOWS\system32\comp2
    C:\WINDOWS\system32\ardCo18
    C:\WINDOWS\system32\usmvt3
    C:\Temp\cEeer12
    C:\Program Files\JL2005D
    C:\Program Files\JL2005C
    C:\Program Files\thriXXX
    C:\Program Files\Virtual Hottie 2
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

 
I will upload the avg log as soon as I get it.
(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

And here's the AVG log.
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
    O2 - BHO: (no name) - {51920EDE-E80D-40F0-A617-3EF85412ECB8} - C:\WINDOWS\system32\pmkhg.dll

    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\pmkhg.exe
    C:\WINDOWS\system32\pmkhg.dll
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\Fonts\x.zip
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Kontiki\KHost .exe
    C:\Program Files\ltmoh\Ltmoh .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\TOSHIBA\Windows Utilities\Hotkey .exe
    C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
    C:\TOSHIBA\IVP\ISM\pinger .exe
    C:\WINDOWS\system32\ctfmon .exe
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

 
I had to reformat my computer. The system became unstable so I figured it would be easier and safer. Thanks for the help though. Can I get you to help remove some of the unused processes? There are close to 60 running now and I don't know what can safely be turned off. I'll post HJT so you can see what I mean.
 
Hi,

That is a very wise choice. The infection we were dealing with attacks random .exe files on your computer and adds spaces to the end of the filenames. E.g.,

ctfmon .exe
KHost .exe
Ltmoh .exe
avgas .exe
pinger .exe

There may have been other files that we do not know of being infected, which potentially means we could miss them out in the cleaning process. These files would then reinfect you all over again should they be run.

--------------------------------------------------------------

Here are some processes that are less often used and are likely to be unnecessary, and the corresponding HijackThis entries to fix. (You are free to leave them enabled, however, if you wish to keep them)

Processes:
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\TPSMain.exe

HijackThis entries: (be sure to fix those in bold)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe <- To fully disable this, you need to enter services.msc to set its startup to disabled.

For information to speed up your system, please read this thread HERE.


Regards,
momok
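The space-before-the-extension renaming described in the post above ("ctfmon .exe" sitting beside the real ctfmon.exe) is easy to sweep for. The script below is an added example for this thread, not a tool from the helper or from HijackThis/ComboFix; it assumes only that the padded names keep an .exe, .dll or .sys extension, as every example quoted in the thread does.

```python
import ntpath
import os
import re

# The infection discussed in the thread renamed executables to "name .exe",
# i.e. whitespace between the stem and the extension. Extension list is an
# assumption based on the names quoted in the thread.
SPACE_BEFORE_EXT = re.compile(r"\s+\.(exe|dll|sys)$", re.IGNORECASE)


def is_space_padded(path):
    """True if the file name's stem ends in whitespace right before the extension."""
    # ntpath.basename splits Windows-style paths correctly on any platform.
    return SPACE_BEFORE_EXT.search(ntpath.basename(path)) is not None


def find_space_padded(paths):
    """Return the entries of an iterable of paths that match the padded pattern."""
    return [p for p in paths if is_space_padded(p)]


def scan_tree(root):
    """Walk a real directory tree and return every padded executable found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_space_padded(name):
                hits.append(os.path.join(dirpath, name))
    return hits


# Constructed sample: paths quoted in the thread plus legitimate look-alikes
# that must NOT be flagged.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Kontiki\KHost .exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"C:\TOSHIBA\IVP\ISM\pinger .exe",
    r"C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE",
]

if __name__ == "__main__":
    for hit in find_space_padded(SAMPLE_PATHS):
        print("suspicious padded name:", hit)
    # On the affected machine you would instead run, e.g., scan_tree(r"C:\")
```

Any hit is worth comparing against its unpadded neighbour (same stem, no space) before deciding which copy is the legitimate one.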
 
Thank you for all the help. I'll take care of those entries and I'm already happier with how my computer's doing. Thanks a lot.

I also checked out the link to speed up my system. Awesome.
 
Glad that worked. Enjoy your "new" system.

Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.
 