Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Darksma Downloader... Is There An Easy To Remove It?


  • This topic is locked This topic is locked
5 replies to this topic

#1 esoteric_sai

esoteric_sai

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 23 March 2007 - 06:09 PM

Okay, so I'm a total n00b at this (don't hit!) and somehow, I got darksma. Yahoo Anti-Spy detects darksma, but AVG, McAfee and Advanced Spyware Remover don't detect anything whatsoever. I keep getting random popups, from adware removal program ads to online surveys, campusdirt.com etc

Before I ramble on in the typical n00b fashion, can someone please help me get darksma off my comp, tell me how to prevent getting it again, and do it in an easy way that I can understand? I've read some other forums helping other users to get darksma off but they've all been different for each user and I don't want to do anything wrong and mess things up more than they already are. Plus, they all sound pretty difficult and like I said, I don't know what half of them were talking about so I need someone to basically hold my hand through this whole thing. ^-^

Please help me right away! I read some other user forums where the darksma downloader did a lot of damage to people and I want to kill this thing before it turns into something really serious!

Any help in this is VERY much appreciated. ^__^

Logfile of HijackThis v1.99.1
Scan saved at 4:40:17 PM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\$NtUninstallKB909095$\spuninst\spuninst.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\Documents and Settings\Philena Dees\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - > - (no file)
O2 - BHO: (no name) - @> - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {8502dbab-bbf3-44e2-aea8-3cc0971b0bce} - C:\WINDOWS\system32\kbdcii.dll
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - = - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AmeriRes Toolbar - {43CDDD56-4323-4b8b-8AA8-229411D7BD14} - C:\Program Files\AmeriRes 2.1\AmeriRes.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\tuvstu.dll",setvm
O4 - HKLM\..\Run: [AdKiller] C:\Program Files\Advanced Spyware Remover\AD Defender.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdcii - C:\WINDOWS\SYSTEM32\kbdcii.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

BC AdBot (Login to Remove)

 


#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:49 AM

Posted 24 March 2007 - 09:14 AM

Hello esoteric_sai, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#3 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:49 AM

Posted 24 March 2007 - 10:37 AM

OK, esoteric_sai. Let's get started. :thumbsup:

IMPORTANT
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to cause false alarms. It can also lead to a clash as both products fight for access to files which are opened again: this is the resident/automatic protection. In general terms, the programs may conflict and cause:
- False Alarms - When the antivirus software tells you that your PC has a virus when it actually doesn't.
- System Performance Problems - Your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to Start > Control Panel > Add/Remove Programs and remove either your McAfee or AVG Anti-Virus (which is part of the Grisoft Internet Security Suite).
If you remove McAfee please understand you will have to install a new firewall as the McAfee one will have been uninstalled also.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: ATF Cleaner download
Please download ATF Cleaner from the link below, but do not use the program yet.
Download ATF Cleaner

Step #2: updating the Sun Java Console
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can and are using to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #3: removing bad and/or rogue/suspect programs
You have Advanced Spyware Remover installed on your computer. Advanced Spyware Remover was listed on The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites because of concerns with false positives. Testing with the latest version of Advanced Spyware Remover indicates that the problems with earlier versions have been satisfactorily resolved. However, since the program was on it I recommend to uninstall it and use programs from the trustworthy list which can be viewed on the same page.
To uninstall the program, go to Start > Control Panel > Add/Remove Programs. Uninstall Advanced Spyware Remover if listed.

Step #4: VundoFix
You are infected with Vundo. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, double-click VundoFix.exe to run it.
Now please perform these instructions:
1. Click the button labelled "Scan for Vundo".
2. Once it's done scanning, click the button labelled "Remove Vundo".
3. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
4. When completed, it will prompt that it will reboot your computer. Click OK.

NOTE: It is possible that VundoFix encountered a file it could not remove. VundoFix will run on reboot, simply follow the above instructions starting from "Click the button labelled "Scan for Vundo"" when VundoFix appears upon rebooting.

Post the entire contents of C:\vundofix.txt in your next reply.

Step #5: HijackThis scan
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - > - (no file)
O2 - BHO: (no name) - @> - (no file)
O2 - BHO: (no name) - {8502dbab-bbf3-44e2-aea8-3cc0971b0bce} - C:\WINDOWS\system32\kbdcii.dll
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - = - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\tuvstu.dll",setvm
O20 - Winlogon Notify: kbdcii - C:\WINDOWS\SYSTEM32\kbdcii.dll


If you uninstalled Advanced Spyware Remover as recommended, please put a checkmark by this entry as well if it is present:
O4 - HKLM\..\Run: [AdKiller] C:\Program Files\Advanced Spyware Remover\AD Defender.exe

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #6: file/folder deletion
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files (do not be concerned if they do not exist):
C:\WINDOWS\system32\kbdcii.dll
C:\WINDOWS\tuvstu.dll

If you uninstalled Advanced Spyware Remover as recommended, please delete this folder as well if it is present:
C:\Program Files\Advanced Spyware Remover <-- this folder

Step #7: running ATF Cleaner
You downloaded ATF Cleaner before. When still in Safe Mode, please follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program.
Reboot your computer back into normal mode.

Step #8: HijackThis scan
Scan with HijackThis again and post a new HijackThis log. Do not forget to post the VundoFix log as well.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#4 esoteric_sai

esoteric_sai
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 24 March 2007 - 09:43 PM

Hello, and thank you for helping me. I appreciate it very much. ^__^

Okay, I did a Vundo scan just like you told me in step 4. The scan didn't come up with anything whatsoever. Just said "Done Searching for Files" it gave me the option to click OK. I did, it said "Done searching for files. No infected files were found"

While doing step 5, I didn't see
"O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\tuvstu.dll",setvm"

I also didn't see anything about Advanced Spyware Remover.

In step 6, the files you told me to delete did not exist, but you said not to worry if they didn't.

So I completed everything else you instructed me to do. Thank you for keeping it easy so I could understand. ^__^ I also just did a yahoo anti-spy (since it seemed to be the only program that would even detect darksma) and it came up clean. ^__^

Is that it? If so, thank you again sooooo much! I have another question though. Randomly, as I was on the net checking email, etc, these audio ads would come up on my computer. I'd close everything in ctl alt delete but the sound would continue. It was weird, everything from news broadcasts to the new Honda "The fit is go" ad to even random metal and psychobilly songs. It was all audio, no visual of what was going on. Since I did all the steps you guided me through, nothing has happened but it would usually take place around 2 AM my time so I'm not sure yet if I'll be having that problem again. Was darksma the cause of that as well?

Also, how did I get darksma? I know people usually get things like it by having p2p programs like bearshare, kazaa, morpheus, etc but I have nothing of the sort. This is still a new computer (4 days out of the box) and all I did was go to youtube, myspace, email, gamefaqs, thats about it. Would I have picked it up from one of those sites? I'm not stupid enough to click on their ads, so how did I get darksma? And is there a way to prevent myself from getting it again?

I'm sorry to keep bothering you with all these questions, but again, thank you for all the help you've given me so far. Thank you very, very much. ^__^






Logfile of HijackThis v1.99.1
Scan saved at 8:25:04 PM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Philena Dees\Desktop\VundoFix.exe
C:\Documents and Settings\Philena Dees\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AmeriRes Toolbar - {43CDDD56-4323-4b8b-8AA8-229411D7BD14} - C:\Program Files\AmeriRes 2.1\AmeriRes.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:49 AM

Posted 25 March 2007 - 11:57 AM

Hello there again.

Is that it? If so, thank you again sooooo much!

It looks like your system is clean. However, I want you to run some final scans to clean up any leftovers/remnants in order to make sure all traces of the infection are gone. Then you should be all set.

Randomly, as I was on the net checking email, etc, these audio ads would come up on my computer. I'd close everything in ctl alt delete but the sound would continue. It was weird, everything from news broadcasts to the new Honda "The fit is go" ad to even random metal and psychobilly songs. It was all audio, no visual of what was going on. Since I did all the steps you guided me through, nothing has happened but it would usually take place around 2 AM my time so I'm not sure yet if I'll be having that problem again. Was darksma the cause of that as well?

Malware in general is able to heavily infect systems. These audio ads could be the cause of malware, but you can't say that for sure. As far as I know, some legit instant messaging applications such as AIM produce very annoying audio ads as well. Do you have AIM installed?
As your system appears to be clean, please let me know if you still receive these ads.

Also, how did I get darksma? <...> And is there a way to prevent myself from getting it again?

That is one of the most common questions found when cleaning spyware or other malware. The most common answer is that you are probably not running the proper security software and that the security settings are too low on your machine. I recommend reading this article: How did I get infected?.
I will give you some general recommendations later in order to keep your computer clean and secure.

I'm sorry to keep bothering you with all these questions, but again, thank you for all the help you've given me so far. Thank you very, very much. ^__^

You are very, very welcome. Should you have any questions, just ask. :thumbsup:

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: AVG Anti-Spyware
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and lauch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode and post the entire contents of the saved text file in your next reply.

Step #2: Panda ActiveScan
Please perform an online scan by running Panda's ActiveScan (click).
Follow these instructions:
1. Click on the Scan your PC button once you are on the Panda site. A new window will open.
2. On the newly presented screen, click the Check Now button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your E-mail Address and click the Send button.
6. Select either Home User or Company.
7. Click the big Scan Now button. If it prompts to install an ActiveX component, allow it.
Panda Software will start downloading the files it requires for the scan. NOTE: This may take a couple of minutes!
8. When the download is complete, click on My Computer to start the scan.
9. When the scan completes - if anything malicious is detected - click the See Report button.
10. Click Save Report and save it to a convenient location easy to remember.
11. Post the entire contents of Panda's ActiveScan report here as a reply to this post.

Step #3: HijackThis scan
Scan with HijackThis again and post a new HijackThis log. (Do not forget to copy/paste the entire contents of the AVG Anti-Spyware and the Panda ActiveScan report here for review.)

Also let me know how your computer is running and if you still experience any problems.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#6 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:49 AM

Posted 23 April 2007 - 01:05 PM

Due to the lack of feedback, this topic is closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users