
Thread: Help With Win32 Darksma O !

  1. #11
    Join Date
    Aug 2006
    Posts
    578
    Hi GM,

    I put together something on the fly that will give us a look at some settings that may have been altered by malware.

    Please download the attached peekaboo.zip and Extract peekaboo.bat to your Desktop.
    -- DoubleClick peekaboo.bat to run it and a Log (peek.txt) should pop up
    -- Please attach peek.txt for me

    PP
    Last edited by PhilliePhan; 01-26-2007 at 06:45 PM.

  2. #12
    Join Date
    Jan 2007
    Posts
    11
    Alrighty...ran WinPFind and your peekaboo bat and here are the logs.

    One note...AVG antivirus found another trojan while running WinPFind. I should have put it in the vault, but I went ahead and got rid of it. I believe it was .../system32/rasadhlp ??? I just can't recall. I'm sure AVG logged it; so let me know if you want to see it again. Also, I could not get the online scan to work; when I download the ActiveX control, the screen reverts to the intro screen, with no button to initiate the scan.

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  3. #13
    Join Date
    Aug 2006
    Posts
    578
    Hi GM,

    Man, staring at those logs is making my head hurt!!

    I cannot find anything in them pointing to your problem. I see a couple items that are remnants of smitfraud, but I think most of that baddie was removed some time ago prior to running s!ri's fix...

    Have you tried doing a System Restore? It might be a good idea if we regroup and take a few steps back. Let's try to restore to a point before you noticed the problem and go from there.
    Sure, it may bring back some problems, but at least we'll be able to see them and deal with them...

    Let me know what you think.

    PP

    -- BTW: Did you find anything when you did the below?
    Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you may see a checked entry called Security Info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

  4. #14
    Join Date
    Jan 2007
    Posts
    11
    Yeah, this problem is weird!

    The smitfraud leftovers are from my first cleaning, maybe a re-infection?? What is interesting is that I have found something bad after using each program, almost every time. WinPfind didn't turn up anything that I could see, but AVG found a hidden trojan while Pfind was scanning!

    I tried a system restore when the problem first showed itself, with no success. I went ahead and dumped my restore points after that (probably should not have) because I had bad stuff located there (or linked to restore.)

    And I did check under Customize Desktop, and all I noticed under the web tab was the home page. Is what you are referring to elsewhere on the page? I can't read anything else besides what is in the box.

    I am beginning to think I may have a hardware issue here, although I was infected by several things. If this is the case it would be a weird coincidence!

    If you have any more suggestions, I will gladly accept them.
    I am going to look at my connections and do some hardware testing when I get a chance. Is it possible that some bad code was able to actually fry a component relating to video?

    Thanks...can't say it enough!

    GM

  5. #15
    Join Date
    Jan 2007
    Posts
    11
    Well I tried using an alternate monitor, but same problem. So we can rule out a monitor or connection issue. The video card itself could be suspect, but I doubt that it is the culprit. The display problems and error messages began at the same time I received notice that my computer had been invaded by a nasty trojan. After following your advice I found several bad guys. I wanted to rule out most of the hardware; if all else fails I'll take another look at the card.

    But I just have a feeling there is something hiding in there....

    GM

  6. #16
    Join Date
    Aug 2006
    Posts
    578
    Hi GM - I won't have time to check back until tonight, but here's another thing to try:

    -- Download combofix.exe

    Run combofix and follow the prompts. Don't do anything on your machine while it is running or it may freeze.
    It will produce a logfile - please submit that for me.

    Will check in tonight (hopefully with an idea or two).

    -- There are different schools of thought on System Restore. These days, I prefer to flush it after a fix. During a fix, a bad restore point is better than none at all......

    -- Have you tried sfc?

    PP

    -------------------------------------------------------------------------------------------------------------------------------

    > The smitfraud leftovers are from my first cleaning, maybe a re-infection??
    I doubt re-infection. I didn’t realize at first that what I saw were remnants from a prior cleaning.

    > And I did check under Customize Desktop, and all I noticed under the web tab was the home page.
    I think you’re OK there.

    > I am beginning to think I may have a hardware issue here, although I was infected by several things. If this is the case it would be a weird coincidence!
    Not weird at all! I have seen a few instances where this unfortunate coincidence occurred. With experience comes the wisdom and patience to keep an open mind. Admittedly hard to do when malware is in the foreground!

    > If you have any more suggestions, I will gladly accept them.
    > Thanks...can't say it enough!
    Happy to try to help!

    There are a number of options left to us, if you want to pursue them. Also, I’d like to give sfc a whirl and see if any system files are borked.

    > But I just have a feeling there is something hiding in there....
    That could be – We’ll have a go with a couple other tools after combofix.exe

    We may be dealing with residual damage to the registry – I just need to figure out which keys have been added or modified.

    Worst case scenario, we could find that your compy is clean, but the residual damage is unfixable. In that case, it would probably be safe to back up sensitive data to a DVD and then flatten the hard drive and reformat. A bit of a hassle, but you’d still have all important data.....

    Have a good weekend! I’ll be around (lotta football to watch!)

    PP
    Last edited by PhilliePhan; 01-05-2007 at 09:09 PM. Reason: Added more detailed response

  7. #17
    Join Date
    Jan 2007
    Posts
    11
    Ok, here is the combofix log. I have thought of sfc, but would like to wait until doing that restore. If I have to I will...

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  8. #18
    Join Date
    Aug 2006
    Posts
    578
    Haven't given the log a full look, but these
    2006-10-25 15:15 617354 ---hs---- C:\WINDOWS\system32\klnmp.bak2
    2006-10-24 10:43 529285 ---hs---- C:\WINDOWS\system32\klnmp.bak1
    are painfully obvious VUNDO!

    -- Was going to ask you to do a GMER rootkit scan, but they are under a DDOS attack and unavailable right now. So, I think we'll try F-Secure's Blacklight.

    But First, please do this:

    1- Move combofix.exe to the Desktop (if it is not already there)
    2- Then Click Start > Run > and copy&paste the following command into the box:

    "%userprofile%\desktop\combofix.exe" /v klnmp

    Let the tool run as before and post the new log.

    I'm cutting out for the night - will try to check back tomorrow. If you are up to doing the Blacklight scan, feel free. Instructions should be well posted at the F-Secure site.

    Best luck
    PP
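    As an added example (not from the thread, and not code from ComboFix or any other tool mentioned here), a small Python triage script that parses ComboFix-style file lines like the two quoted above and flags hidden+system entries under system32, grouping them by filename stem so related drops like klnmp.bak1/klnmp.bak2 stand out. The meaning of the attribute letters (h = hidden, s = system) and every sample line other than the two klnmp ones are assumptions constructed for this example; the rule is a first-look heuristic, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the "date time size attributes path" layout seen in
# the thread. Only the two klnmp lines come from the thread; the notepad.exe
# and desktop.ini lines are made up here as benign contrast.
SAMPLE_LOG = r"""
2006-10-25 15:15 617354 ---hs---- C:\WINDOWS\system32\klnmp.bak2
2006-10-24 10:43 529285 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2006-09-01 08:00 14336 --a------ C:\WINDOWS\system32\notepad.exe
2006-12-30 22:10 2048 ---hs---- C:\Documents and Settings\GM\Desktop\desktop.ini
"""

# One log line: ISO date, HH:MM, byte size, 9-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    size: int
    attrs: str
    path: str

    @property
    def hidden_system(self):
        # Assumption: 'h' and 's' in the attribute field mean hidden and system.
        return "h" in self.attrs and "s" in self.attrs


def parse(log):
    """Return the lines that match the expected layout, in log order."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def suspicious(entries):
    """Heuristic: hidden+system files inside system32 deserve a second look.
    A hidden+system desktop.ini in a user profile is normal and is not flagged."""
    return [e.path for e in entries
            if e.hidden_system and "\\windows\\system32\\" in e.path.lower()]


def related_groups(paths):
    """Group flagged paths by filename stem (text before the first dot)."""
    groups = defaultdict(list)
    for p in paths:
        groups[p.rsplit("\\", 1)[-1].split(".", 1)[0].lower()].append(p)
    return dict(groups)
```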

  9. #19
    Join Date
    Jan 2007
    Posts
    11
    Here is the new combofix log. Blacklight turned up nothing.

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  10. #20
    Join Date
    Aug 2006
    Posts
    578
    Quoting Glassman:
    > Here is the new combofix log. Blacklight turned up nothing.
    Well . . . looks like the VUNDO was just a remnant like the smitfraud. You'll need to manually delete these remnants.

    C:\WINDOWS\system32\klnmp.bak2
    C:\WINDOWS\system32\klnmp.bak1

    For the life of me, I cannot find anything in these logs! I am at a loss.

    I'm thinking sfc might be a good idea. Something is definitely borked, but whatever did it (if malware) isn't present any longer.
    BTW - What scanner popped up the Darksma reference?

    PP
