Avast Update to Remove 'Darksma'?

When will an update be provided to remove “Darksma”?

Avast antivirus 4.7 Professional, along with Spy Sweeper 5.3, Trojan Hunter 4 (evaluation copy), and Ad-Aware SE 1.06 DO NOT pick up “Darksma”, but AOL Spyware Protection does. I delete Darksma, but it keeps on coming back.

When will Avast provide an update to SUCCESSFULLY remove “Darksma”?

If you are not getting a virus warning but believe you have an undetected virus, then zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be an undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.

Darksma is also known as WIN32:Conhook.xx and there are 47 variants already detected by avast!

WIN32:Conhook.AT and WIN32:Conhook.AU were just added 2 days ago so it does seem there are new variants coming along right now. As DavidR said, if you have a sample of a new variant please send it to avast!

EDIT: Are you still having problems with this?

OMG conhook brings back sad memories :cry:

But it wasn’t too hard, was it? Still clean I hope :slight_smile:

Yes it is, thank you. It was a marathon thread lol, but SUPERAntiSpyware stays on my system now… :slight_smile:

Hi, I do not know the location of Darksma.

The Active Shield Protection of AOL Spyware Protection is the one that picks it up. The active shield does not provide an address of Darksma. It just says that it has found Darksma and what would I like to do with it, “Restore” or “Delete”.

I would say after 5-15 min. of me pressing “Delete”, the active shield protection again tells me it has found Darksma and what I would like to do with it.

I also run a full scan of AOL Spyware Protection and it doesn’t pick it up. Maybe because I had already deleted it through the active shield protection?

And yes I still have it, and it is a downloader, because after I delete it, explorer tries to open a new window, but I don’t give it permission through Comodo Firewall Pro. (BTW I use Firefox 2, and not IE).

Hi there jojo, if it is Conhook, I had major problems with it; the only thing that shifted it was SUPERAntiSpyware… it picked it up and cleaned it in minutes… hope this helps.

Yep - let's try this:

Download the free version of SuperAntiSpyware and run a complete scan. Quarantine anything it finds and then post the log it generates (you can find the log in the Preferences > Statistics/Log tab).

Then post a HijackThis log:

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thanks I will try it.

No, SUPER AntiSpyware Professional did not pick it up either. I ran two scans, a Quick and Full. During the Quick scan it picked up something, but during the Full scan it found nothing. Oh, and during the Full scan, AOL Spyware Protection found Darksma 3 times. I didn’t “Delete” it or “Restore” it, I just left it in the “Blocked Items”.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/06/2007 at 07:13 PM

Application Version : 3.7.1018

Core Rules Database Version : 3232
Trace Rules Database Version: 1243

Scan type : Quick Scan

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

This was moved into the Quarantined Items.

This is a picture of AOL Spyware Protection after the Full scan of SUPER AntiSpyware Professional.

UPDATE: I ran a scan from Dr. Web Scanner and it DID find it. I’m pretty sure that was it because it also classified it as a Trojan/Downloader. It found it in here:

c:\windows\system32\kbddpc.dll

infected with Trojan.DownLoader.21784

I rebooted the computer since it said it was going to be deleted after a reboot. After rebooting I scanned the computer again with Dr. Web and it found nothing. But after a couple of minutes AOL Spyware Protection again pops up telling me it found Darksma. This time however, when I press the button to see the “Blocked Items” it doesn’t do anything. The AOL Spyware Protection box just goes away. Do you think this means anything?
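A triage aid for logs like the SUPERAntiSpyware one posted above, added here as an example (it is not SUPERAntiSpyware's own tooling and not from any poster): it parses the SAS log format into header fields plus one record per detection, pulls the service name out of the `Services\` keys, records the driver file, and treats a `LEGACY_<name>` key under `Enum\Root` as evidence the driver service was actually started (the Plug and Play manager creates those when a legacy kernel service loads). The log text is a constructed, abridged copy of the one in the post; the regexes and record layout are my own choices.

```python
import re

# Constructed, abridged copy of the SUPERAntiSpyware log format shown in the post
# (same detection name and path style, fewer lines). Raw string: backslashes are literal.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/06/2007 at 07:13 PM

Application Version : 3.7.1018

Core Rules Database Version : 3232
Trace Rules Database Version: 1243

Scan type : Quick Scan

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\SYSTEM\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
"""

REG_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
# A detection header is a bare dotted name such as "Unclassified.Oreans32" or "Adware.Vundo Variant".
DETECTION_RE = re.compile(r"^[A-Za-z][\w\- ]*(\.[\w\- ]+)+$")
FILE_RE = re.compile(r"^[A-Za-z]:\\")
SERVICE_RE = re.compile(r"\\Services\\([^\\#]+)", re.IGNORECASE)
LEGACY_RE = re.compile(r"\\Enum\\Root\\LEGACY_([^\\#]+)", re.IGNORECASE)
CONTROLSET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)


def _new_block(name):
    return {"name": name, "files": [], "reg_keys": [], "reg_values": [],
            "services": set(), "legacy_loaded": set(), "control_sets": set()}


def _classify(block, entry):
    """File path, registry key (no '#') or registry value ('key#valuename'),
    plus the service / LEGACY_ / control-set facts each entry reveals."""
    if FILE_RE.match(entry):
        block["files"].append(entry)
    elif entry.upper().startswith(REG_ROOTS):
        (block["reg_values"] if "#" in entry else block["reg_keys"]).append(entry)
    else:
        block.setdefault("other", []).append(entry)
        return
    for rx, key in ((SERVICE_RE, "services"), (LEGACY_RE, "legacy_loaded")):
        m = rx.search(entry)
        if m:
            block[key].add(m.group(1).lower())
    m = CONTROLSET_RE.search(entry)
    if m:
        block["control_sets"].add(m.group(1))


def parse_sas_log(text):
    """Return (header, detections): header is a dict of the 'Key : value' lines,
    detections is one record per named block (blocks are separated by blank lines)."""
    header, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # blank line closes the current detection block
        elif DETECTION_RE.match(line):
            current = _new_block(line)
            detections.append(current)
        elif current is not None:
            _classify(current, line)
        elif line.lower().startswith("generated "):
            header["Generated"] = line[len("generated "):]
        elif ": " in line:                      # "Application Version : 3.7.1018" etc.
            k, _, v = line.partition(": ")
            header[k.strip()] = v.strip()
    return header, detections


def summarize(block):
    """Triage view: which service, which .sys file, whether it was ever loaded,
    and which control sets still carry it (ControlSet00N = Last Known Good copies)."""
    return {
        "name": block["name"],
        "services": sorted(block["services"]),
        "driver_files": [f for f in block["files"] if f.lower().endswith(".sys")],
        "was_loaded": bool(block["legacy_loaded"]),
        "control_sets": sorted(block["control_sets"]),
        "registry_entries": len(block["reg_keys"]) + len(block["reg_values"]),
    }


if __name__ == "__main__":
    hdr, dets = parse_sas_log(SAMPLE_LOG)
    print(hdr.get("Scan type"), "core db", hdr.get("Core Rules Database Version"))
    for d in dets:
        print(summarize(d))
```

Run it on a full log with `parse_sas_log(open(path).read())`. `Unclassified.*` is SAS's label for something it found but does not classify as malware; a record like this one, with a driver file, a `LEGACY_` key and copies in more than one control set, is worth identifying before the service is deleted (oreans32.sys is the kernel driver that ships with Oreans' Themida/WinLicense software protector, which is the usual reason it turns up unclassified next to real findings).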

If a virus is recurrent (keeps coming back), you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After step 3 and a reboot you can enable System Restore again.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).

  4. It would be good to download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).

  5. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

Download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

Please also post the HijackThis log - there are instructions and a link above.
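Two points in this thread want the same small tool: DavidR's advice to send a suspect file to virus @ avast.com or check it at VirusTotal/Jotti (a SHA-256 lets you look a sample up there by hash before uploading anything), and the pattern jojo222 describes, where Dr.Web deletes kbddpc.dll, the machine reboots clean, and AOL's shield fires again minutes later, which is exactly the "is it really gone?" question the recurrent-virus checklist above is meant to settle. The script below is an added example, not from the original posts and not from avast, Dr.Web or SUPERAntiSpyware: it hashes every DLL/SYS/EXE/OCX under a directory into a manifest, then diffs manifests taken before cleaning, after cleaning, and after the reboot. The file names, contents and temp-directory layout in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = (".dll", ".sys", ".exe", ".ocx")   # loadable code; extend as needed


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large files need not fit in memory; paste the digest
    into VirusTotal/Jotti's hash search to see if the sample is already known."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, suffixes=WATCHED):
    """Map every watched file under root to its SHA-256 and size. Keys are relative,
    '/'-separated and lower-cased because NTFS name lookups are case-insensitive."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            key = p.relative_to(root).as_posix().lower()
            manifest[key] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def diff(before, after):
    """Compare two manifests. 'changed' is the case a name-only directory listing
    misses: the same filename is back but with different bytes (a re-dropped build
    or a newer variant), which is what a downloader that keeps returning looks like."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    changed = sorted(k for k in common if before[k]["sha256"] != after[k]["sha256"])
    return {"added": added, "removed": removed, "changed": changed,
            "unchanged": len(common) - len(changed)}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed end-to-end run in a temp directory standing in for C:\\Windows."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "good.dll").write_bytes(b"benign library")        # constructed benign file
        (sys32 / "kbddpc.dll").write_bytes(b"payload variant 1")   # constructed stand-in for the flagged DLL
        before = snapshot(tmp)
        save_manifest(before, Path(tmp) / "before.json")            # in practice: keep this off the infected disk
        (sys32 / "kbddpc.dll").unlink()                              # the scanner deletes it
        after_clean = snapshot(tmp)
        (sys32 / "kbddpc.dll").write_bytes(b"payload variant 2")   # the loader re-drops a fresh build after reboot
        after_reboot = snapshot(tmp)
        return {
            "clean": diff(load_manifest(Path(tmp) / "before.json"), after_clean),
            "reboot": diff(after_clean, after_reboot),
            "overall": diff(before, after_reboot),
        }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

On a real machine take the snapshots of `C:\Windows\System32` as an administrator and keep the JSON on removable media. A malicious kernel driver can hide files from a user-mode directory walk, which is the same reason step 3 above insists on a boot-time or Safe Mode scan, so if a file keeps "coming back" but the snapshot never shows it, take the snapshot from Safe Mode or from an offline boot rather than trusting the running system.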

Hi, THE VIRUS IS GONE!!!

I did a Full scan of Dr. Web and it found other Trojan/Downloaders. I did this yesterday, and so far no more pop-ups from AOL telling me it found Darksma.

I highly recommend everyone to do a FULL scan of Dr. Web (the initial scan is a Quick scan). Who knows what may still be in your computer that other spyware/ antivirus products did not pick up.

Out of 8 antivirus/spyware products, only 2 picked up this variation of Darksma, and only ONE was able to successfully remove it.

Glad it's cleared up.

There are new variants of this malware almost daily right now. Two more detections were just added in today’s avast! update so I’m sure we’ll be seeing more of this.

Welcome to the forum - and let us know if you need any more help.

Hi jojo222,

Yep, DrWeb has a good update rate; it is one of my non-resident scanners as well. And of course in my browser I have the DrWeb AV hyperlink scanner plug-in for IE, FF or Opera. But be cautious, as because of its heuristic scanning DrWeb can come up with the occasional FP, so always check at Jotti before taking a decision.

polonus

This clearly shows how important are update rates and speed nowadays…

Hi Tech,

Good, Tech, you always come up with the right conclusion. Some can do it right: Kaspersky nr. 1, DrWeb nr. 2, and ClamWin Free also has a good update rate. Respect for Petersburgi.

polonus

I decided to come back and list the software that helped me. Maybe somebody else has a similar problem and my list could guide them in the right direction.

Software that helped me the most: (the first two are the only ones that detected Darksma)

  1. Dr. Web (The only one that successfully removed the virus).
  2. AOL Spyware Protection (If it wasn’t for the constant warnings from AOL SP telling me I had Darksma, I never would have known my PC had a virus. I used the paid-for/updated version. I say paid-for/updated because I am aware that a free version is available, but I don’t know how effective it is).
  3. Trojan Hunter 4.6 (This tool removed quite a number of trojans).
  4. SUPERAntiSpyware Professional
  5. Avast 4.7 Professional
  6. Spy Sweeper 5.3
  7. Ad-Aware SE Personal
  8. Bazooka Spyware Remover 1.13.03 (The least effective. This was the FIRST NEW program I used to try and remove the virus, but it detected nothing).