Thread: Help With Win32 Darksma O !

  1. #1
    Join Date
    Aug 2006
    Posts
    578

    Hi GM - I won't have time to check back until tonight, but here's another thing to try:

    -- Download combofix.exe

    Run combofix and follow the prompts. Don't do anything on your machine while it is running or it may freeze.
    It will produce a logfile - please submit that for me.

    Will check in tonight (hopefully with an idea or two).

    -- There are different schools of thought on System Restore. These days, I prefer to flush it after a fix. During a fix, a bad restore point is better than none at all......

    -- Have you tried sfc?

    PP


    -------------------------------------------------------------------------------------------------------------------------------

    The smitfraud leftovers are from my first cleaning, maybe a re-infection??
    I doubt re-infection. I didn’t realize at first that what I saw were remnants from a prior cleaning.
    And I did check under Customize Desktop, and all I noticed under the web tab was the home page.
    I think you’re OK there.

    I am beginning to think I may have a hardware issue here, although I was infected by several things. If this is the case it would be a weird coincidence!
    Not weird at all! I have seen a few instances where this unfortunate coincidence occurred. With experience comes the wisdom and patience to keep an open mind. Admittedly hard to do when malware is in the foreground!

    If you have any more suggestions, I will gladly accept them.
    Thanks...can't say it enough!
    Happy to try to help!

    There are a number of options left to us, if you want to pursue them. Also, I’d like to give sfc a whirl and see if any system files are borked.

    But I just have a feeling there is something hiding in there....
    That could be – We’ll have a go with a couple other tools after combofix.exe

    We may be dealing with residual damage to the registry – I just need to figure out which keys have been added or modified.

    Worst case scenario, we could find that your compy is clean, but the residual damage is unfixable. In that case, it would probably be safe to back up sensitive data to a DVD and then flatten the hard drive and reformat. A bit of a hassle, but you’d still have all important data.....

    Have a good weekend! I’ll be around (lotta football to watch!)

    PP
    Last edited by PhilliePhan; 01-05-2007 at 09:09 PM. Reason: Added more detailed response

  2. #2
    Join Date
    Jan 2007
    Posts
    11
    Ok, here is the combofix log. I have thought of sfc, but would like to wait until doing that restore. If I have to I will...

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  3. #3
    Join Date
    Aug 2006
    Posts
    578

    Haven't given log a full look, but these
    2006-10-25 15:15 617354 ---hs---- C:\WINDOWS\system32\klnmp.bak2
    2006-10-24 10:43 529285 ---hs---- C:\WINDOWS\system32\klnmp.bak1
    are painfully obvious VUNDO!

    -- Was going to ask you to do a GMER rootkit scan, but they are under a DDOS attack and unavailable right now. So, I think we'll try F-Secure's Blacklight.



    But First, please do this:

    1- Move combofix.exe to the Desktop (if it is not already there)
    2- Then Click Start > Run > and copy&paste the following command into the box:

    "%userprofile%\desktop\combofix.exe" /v klnmp


    Let the tool run as before and post the new log.

    I'm cutting out for the night - will try to check back tomorrow. If you are up to doing the Blacklight scan, feel free. Instructions should be well posted at the F-Secure site.

    Best luck
    PP
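
A small check, added here as an example (not ComboFix's code and not something from this thread), that scans a ComboFix-style file listing for the pattern PP spotted above: hidden+system files under system32 with numbered .bak names. The sample lines are constructed to match the two klnmp entries plus benign filler; reading "h" and "s" in the attribute field as hidden and system is an assumption.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the layout of the thread's ComboFix output:
# date time size attribute-flags path. The klnmp.bak* entries are the
# ones the thread identifies as Vundo remnants; the rest are filler
# (boot.ini really is hidden+system, but it lives outside system32).
SAMPLE_LOG = """\
2006-10-25 15:15 617354 ---hs---- C:\\WINDOWS\\system32\\klnmp.bak2
2006-10-24 10:43 529285 ---hs---- C:\\WINDOWS\\system32\\klnmp.bak1
2006-09-01 08:00 69120 --a------ C:\\WINDOWS\\system32\\notepad.exe
2006-09-01 08:00 211 ---hs---- C:\\boot.ini
ComboFix header text that is not a file entry
"""

# One listing line: date, time, size, 9-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)


class Entry(NamedTuple):
    date: str
    size: int
    attrs: str
    path: str


def parse_entries(text: str) -> List[Entry]:
    """Return the file entries in a ComboFix-style listing, skipping other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["date"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def flag(entry: Entry) -> List[str]:
    """Reasons an entry deserves a look; empty list means nothing stood out."""
    reasons = []
    attrs = entry.attrs.lower()
    # assumption: 'h' and 's' in the attribute field mean hidden and system
    if "h" in attrs and "s" in attrs and "\\system32\\" in entry.path.lower():
        reasons.append("hidden+system file under system32")
    if re.search(r"\.bak\d*$", entry.path, re.IGNORECASE):
        reasons.append("numbered .bak name, the pattern called out in the thread")
    return reasons


def find_suspects(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a listing and return (path, reasons) for every flagged entry."""
    return [(e.path, flag(e)) for e in parse_entries(text) if flag(e)]
```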

  4. #4
    Join Date
    Jan 2007
    Posts
    11
    Here is the new combofix log. Blacklight turned up nothing.

    GM
    Last edited by Glassman; 01-08-2007 at 10:33 PM.

  5. #5
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by Glassman:
    Here is the new combofix log. Blacklight turned up nothing.
    Well . . . looks like the VUNDO was just a remnant like the smitfraud. You'll need to manually delete these remnants.

    C:\WINDOWS\system32\klnmp.bak2
    C:\WINDOWS\system32\klnmp.bak1

    For the life of me, I cannot find anything in these logs! I am at a loss.

    I'm thinking sfc might be a good idea. Something is definitely borked, but whatever did it (if malware) isn't present any longer.


    BTW - What scanner popped up the Darksma reference?

    PP

  6. #6
    Join Date
    Jan 2007
    Posts
    11
    Sorry for the delay...been pretty busy...

    Deleted the VUNDO items. As soon as I do sfc I'll post any changes (hopefully there are some.) I am wondering more and more if this really is a video card issue??

    Oh, the Darksma hit was from a scan by my old anti-virus software. That was the trojan that was discovered at the same time the screen became corrupted.

    I actually wrote "breed of Darksma"? !

    GM
    Last edited by Glassman; 01-07-2007 at 12:37 PM.

  7. #7
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by Glassman:
    I actually wrote "breed of Darksma"? !
    That's pretty accurate! LOL!

    There isn't much info available on that guy. Plus, it doesn't help that all the different AV vendors come up with their own names for the baddies.

    All the logs show clean + Blacklight did not produce any rootkit hits. Probably no active malware to worry about.

    I just do not have any leads for how to proceed. Hopefully sfc will help (it is often a "shot in the dark")

    Here is a good link if you have trouble:

    http://www.updatexp.com/scannow-sfc.html

    Best
    PP
