
Thread: Help With Win32 Darksma O !


  1. #1
    Join Date Jan 2007, Posts 11

    Help With Win32 Darksma O !

    Darksma O, apparently a pretty rare breed of Darksma, is proving hard to remove from my system. This version is affecting my display by giving me a screen full of a dash-like pattern. I can barely read what's on the screen, so it is very difficult to work! Would someone be willing to view my HijackThis log and steer me in the right direction?

    Thanks!

  2. #2
    Join Date Aug 2006, Posts 578
    Hi Glassman,

    -- Please RENAME hijackthis.exe as per the instructions in the Read Me Sticky Post I linked below. Then, give us a fresh scanlog.

    -- Also, do the AVG Anti-Spyware scan as directed in the link and submit that log as well.


    Judy or I will check back as time permits

    PP

  3. #3
    Join Date Jan 2007, Posts 11
    Right now I'm running PC Tools AOSS; it seemed worth a try, although the screen has remained screwed up while running it. It seems to be detecting some problems, but the question is: can it fix them? I may cancel early to run AVG (I have not done so yet). Regardless, I'll follow your suggestions and post the info; thanks a lot for your help!

    GM

  4. #4
    Join Date Aug 2006, Posts 578


    Quote Originally Posted by Glassman
    Regardless, I'll follow your suggestions and post the info; thanks a lot for your help!
    Happy to try to help

    Let us know if you have any trouble with the AVG scan - the instructions are kinda spread out. You might want to do the Online Kaspersky as well, but we should be able to get by with just HJT and AVG for the time being.

    PP

  5. #5
    Join Date Jan 2007, Posts 11

    Here it be

    I was able to finally complete all scans. Of course, AVG got hits where other programs didn't. Here are the logs...thanks again!

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  6. #6
    Join Date Aug 2006, Posts 578


    Hi GM,

    Let's do this first:

    -- Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    -- Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C:.

    Please post that log for me

    IMPORTANT: Do NOT run any other options until you are asked to do so!


    PP

  7. #7
    Join Date Aug 2006, Posts 578


    Hi GM - I won't have time to check back until tonight, but here's another thing to try:

    -- Download combofix.exe

    Run combofix and follow the prompts. Don't do anything on your machine while it is running or it may freeze.
    It will produce a logfile - please submit that for me.

    Will check in tonight (hopefully with an idea or two).

    -- There are different schools of thought on System Restore. These days, I prefer to flush it after a fix. During a fix, a bad restore point is better than none at all......

    -- Have you tried sfc?

    PP


    -------------------------------------------------------------------------------------------------------------------------------

    Quote Originally Posted by Glassman
    The smitfraud leftovers are from my first cleaning, maybe a re-infection??
    I doubt re-infection. I didn't realize at first that what I saw were remnants from a prior cleaning.

    Quote Originally Posted by Glassman
    And I did check under Customize Desktop, and all I noticed under the web tab was the home page.
    I think you're OK there.

    Quote Originally Posted by Glassman
    I am beginning to think I may have a hardware issue here, although I was infected by several things. If this is the case it would be a weird coincidence!
    Not weird at all! I have seen a few instances where this unfortunate coincidence occurred. With experience comes the wisdom and patience to keep an open mind. Admittedly hard to do when malware is in the foreground!

    Quote Originally Posted by Glassman
    If you have any more suggestions, I will gladly accept them.
    Thanks...can't say it enough!
    Happy to try to help!

    There are a number of options left to us, if you want to pursue them. Also, I'd like to give sfc a whirl and see if any system files are borked.

    Quote Originally Posted by Glassman
    But I just have a feeling there is something hiding in there....
    That could be. We'll have a go with a couple other tools after combofix.exe

    We may be dealing with residual damage to the registry – I just need to figure out which keys have been added or modified.

    Worst case scenario, we could find that your compy is clean, but the residual damage is unfixable. In that case, it would probably be safe to back up sensitive data to a DVD and then flatten the hard drive and reformat. A bit of a hassle, but you'd still have all important data.....

    Have a good weekend! I’ll be around (lotta football to watch!)

    PP
    Last edited by PhilliePhan; 01-05-2007 at 09:09 PM. Reason: Added more detailed response

  8. #8
    Join Date Jan 2007, Posts 11
    Ok, here is the combofix log. I have thought of sfc, but would like to wait until doing that restore. If I have to I will...

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  9. #9
    Join Date Aug 2006, Posts 578


    Haven't given log a full look, but these
    2006-10-25 15:15 617354 ---hs---- C:\WINDOWS\system32\klnmp.bak2
    2006-10-24 10:43 529285 ---hs---- C:\WINDOWS\system32\klnmp.bak1
    are painfully obvious VUNDO!

    -- Was going to ask you to do a GMER rootkit scan, but they are under a DDoS attack and unavailable right now. So, I think we'll try F-Secure's Blacklight.

    But first, please do this:

    1- Move combofix.exe to the Desktop (if it is not already there)
    2- Then Click Start > Run > and copy&paste the following command into the box:

    "%userprofile%\desktop\combofix.exe" /v klnmp


    Let the tool run as before and post the new log.

    I'm cutting out for the night - will try to check back tomorrow. If you are up to doing the Blacklight scan, feel free. Instructions should be well posted at the F-Secure site.

    Best of luck
    PP
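The two ComboFix lines PhilliePhan calls out above are the kind of thing you can pick out mechanically: a hidden+system file sitting directly in system32 with a `.bakN` name. Below is an added example (not part of the thread, and not ComboFix's own code) that parses log lines in the layout shown in the post, flags hidden+system entries in system32, and derives the base name (here `klnmp`) that the `/v` switch in the post takes. Assumptions: the sample log is constructed, the attribute field is read only for the letters `h` and `s` appearing anywhere in the nine-character token (the exact column mapping is not stated in the thread), and `/v` is assumed to take one base name per invocation.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the "date time size attributes path" layout seen in
# the ComboFix excerpt above. The two klnmp lines are the ones from the thread;
# the msvcrt.dll and boot.ini lines are made-up benign entries for contrast.
SAMPLE_LOG = r"""
2006-10-25 15:15 617354 ---hs---- C:\WINDOWS\system32\klnmp.bak2
2006-10-24 10:43 529285 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2006-10-24 10:43 343040 --a------ C:\WINDOWS\system32\msvcrt.dll
2006-09-01 08:00 210 -rahs---- C:\boot.ini
this line is not a file entry and is skipped
"""

# date, time, size, nine-character attribute token, then a drive-rooted path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\.*\S)\s*$"
)


def parse_entries(text):
    """Return one dict per parseable file line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        entries.append(d)
    return entries


def is_hidden_system(attrs):
    # Assumption: presence of the letters h and s marks hidden and system.
    return "h" in attrs and "s" in attrs


def flag_hidden_system_in_system32(entries):
    """Hidden+system files whose parent directory is system32 itself."""
    flagged = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        if is_hidden_system(e["attrs"]) and p.parent.name.lower() == "system32":
            flagged.append(e)
    return flagged


def stems(flagged):
    """Distinct base names (klnmp.bak2 -> klnmp), sorted, for follow-up switches."""
    return sorted({PureWindowsPath(e["path"]).name.split(".")[0] for e in flagged})


def combofix_commands(names):
    """One Start > Run line per base name, in the form used in the post above.
    Assumption: /v takes a single name per run."""
    return [r'"%userprofile%\desktop\combofix.exe" /v ' + n for n in names]


if __name__ == "__main__":
    hits = flag_hidden_system_in_system32(parse_entries(SAMPLE_LOG))
    for e in hits:
        print(e["date"], e["time"], e["size"], e["attrs"], e["path"])
    for cmd in combofix_commands(stems(hits)):
        print(cmd)
```

Benign hidden+system files do exist (boot.ini in the sample is one), so the directory check matters: the rule only fires for files sitting directly in system32, which is where the thread's Vundo leftovers were. Treat the output as a list of candidates to look at, not a verdict.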

  10. #10
    Join Date Jan 2007, Posts 11
    Here is the new combofix log. Blacklight turned up nothing.

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.
