
Thread: Virus Smart HDD

  #1 New Lounger, Knoxville, TN, USA

    Virus Smart HDD

    Even though he was using Microsoft Security Essentials, my son's XP PC got infected with the Smart HDD virus. I have tried the steps in the link http://www.bleepingcomputer.com/viru...move-smart-hdd but they have not worked. Even in safe mode I cannot get the process stopped so I can load Malwarebytes to remove the virus. RKill's various renamed files do not work and I have tried other programs including Microsoft Malicious Software Removal, but so far nothing has worked. I can boot the PC using Hiren's boot disk and read all his files but cannot run Malwarebytes through mini Windows. Does anyone know of another program or way to remove the virus?


  #2 Super Moderator satrow, Cardiff, UK

    Hi Jerry, to ensure no mistakes are made and that no secondary infections are implicated, it's best to get it checked out by real malware specialists; bleepingcomputer are very good, as are majorgeeks, geekstogo, techsupportforum ...

    If you really want to try on your own, Process Explorer and Autoruns will be of great assistance. Whatever route you choose, without expert analysis, there's a distinct possibility of BSODs or an unbootable PC.

  #3 Gold Lounger, Johnson City, Tennessee, USA

    Jerry,
    Hello.. have you the latest Malwarebytes, 1.61.0.1400? I have heard that the newer versions have a mode that "hides" itself ("chameleon mode"). Install it on a flash drive and try again in safe mode. Regards, Fred
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  #4 Lounge VIP, Scotland

    Jerry, try the following processes (in the order they are shown):

    • Boot into Safe Mode Without Networking (just plain old Safe Mode).
    • Run a System Restore to a time that you know the machine was clean. If you have System Restore turned off you will have a much more difficult recovery path.
    • Return to Safe Mode without Networking to complete the System Restore - do not return to normal mode as the system restore will not be complete - it must be completed from Safe Mode Without Networking.
    • Once the System Restore has completed successfully, reboot into normal mode. Hopefully by now the active component will have been removed.
    • Download Malwarebytes and run a full scan. MBAM is looking for data files rather than registry and program entries.
    • Run Kaspersky TDSS Killer and Sophos anti-rootkit, though hopefully by now you won't need them.
    • Install AutoRuns and look for the rogue process if it still remains.
    • Verify the Hosts file has not been corrupted by the malware. Clean as required.
    • Verify no proxy or DNS Hijack settings have been installed. Remove any proxy settings installed by the rogue app.
    • If either the hosts file, proxy or DNS settings have been adjusted by the malware, re-run MBAM to check that no new malware has been injected by a rogue site since the initial infection was cleaned.
    • Update Java, Adobe Flash Player and Adobe Reader - these 3 are the most likely vector the malware used to infect the machine.
    • Install AdBlocking software for the Browser - will help prevent malware being injected via rogue adverts exploiting Flash vulnerabilities.

    Why is it necessary to use Safe mode without networking? Because every instance I have seen of this type of scare-ware has been injected into a Windows networking component. Running without networking disables the launch mechanism of the malware.

    The above processes have worked for me in every instance (and that's a lot of cases!), unless there has been some user interaction with the malware. If that has occurred, the malware may have injected additional attacks and be active even in Safe Mode without networking, in which case you have more than one problem and a difficult recovery path.

    The following 3 users say thank you to Tinto Tech for this useful post: Dick-Y (2012-04-10), Medico (2012-04-09), RetiredGeek (2012-04-10)
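To make the hosts-file and proxy-hijack checks in the checklist above concrete, here is an added example (not code from the thread or from any of the tools it names) that audits a hosts file and the proxy values exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, both copied off the infected disk and inspected from a clean machine. The sample hosts lines and registry values are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file, standing in for one copied off the infected
# disk (e.g. from Hiren's mini Windows); it is not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.malwarebytes.org   # rogue entry: vendor site redirected
0.0.0.0         update.microsoft.com   # rogue entry: updates sinkholed
"""
# Constructed values as exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}

LOOPBACK_OK = {"localhost", "localhost.localdomain"}

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for each mapping that a clean
    XP hosts file (comments plus '127.0.0.1 localhost') would not carry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOOPBACK_OK:
                continue  # the one mapping XP ships with
            if addr.is_loopback or addr.is_unspecified:
                reason = "sinkholed: host made unreachable"  # blocks AV/update sites
            else:
                reason = "redirected to non-local address"  # sends traffic elsewhere
            findings.append((no, ip, name, reason))
    return findings

def audit_proxy(settings):
    """Flag a manual proxy or a PAC (AutoConfigURL) entry; a rogue uses either
    to route the browser through itself or an attacker-controlled host."""
    findings = []
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        findings.append("manual proxy enabled: " + settings["ProxyServer"])
    if settings.get("AutoConfigURL"):
        findings.append("PAC script configured: " + settings["AutoConfigURL"])
    return findings
```

Anything `audit_hosts` reports beyond the stock localhost line, or anything `audit_proxy` returns, is what the checklist says to remove before re-running MBAM.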

  #5 Plutonium Lounger Medico, USA

    Tinto, Thanks for a very comprehensive list for others to follow. It would be nice if an Admin or Moderator could put this list in as a Sticky, it's that good.

    Jerry, Unfortunately no AV will catch everything, especially if they did follow the infestation routes outlined by Tinto, and especially if the operator was not vigilant enough. The weakest link in any security scheme is the operator themselves.
    Last edited by Medico; 2012-04-09 at 18:51.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted

    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)

  #6 New Lounger, Knoxville, TN, USA

    Thanks for the info.

    I have tried system restore but it will not run even in safe mode. I have tried all versions of RKill. I also have downloaded MBAM on another PC and copied it to my son's using safe mode, but it will not run after an apparent install and I get an access denied error. I have also tried Autoruns but cannot identify the Smart HDD files which are causing the problem. I have tried TDSS Killer in safe mode with no results. I have been running Safe Mode with Command Prompt but will try plain Safe Mode. Also in Safe Mode I selected view hidden files and tried to update my son's existing MBAM installation on his C drive but got access denied when the attempted update completed. I have also used Norton's disaster recovery disk and scanned the PC but it did not fix the problem. I have not returned to normal mode since I started all this process but that has not helped. However, I have restarted in Safe Mode with Networking to try to get some updates, but based on your info I will only use plain Safe Mode.

  #7 Administrator, Portugal

    If the previous steps don't solve it, give Emsisoft's emergency kit a try (especially the command line tool): http://www.emsisoft.com/en/software/eek/

  #8 New Lounger, Knoxville, TN, USA

    Thanks for all the help. I have finally resolved the problem and I will detail what fixed it so maybe it will help others who get this virus. Since the virus hides most of your files so you think the HD is corrupt, I used Safe Mode and removed the hidden attribute on the files. After removing the hidden attributes I could read the HD again, but be sure and stay or restart in Safe Mode. You could probably use Hiren's Boot disk to see and remove the hidden attributes if you cannot remove them using Safe Mode. Once the hidden attributes were removed I went to the command prompt and entered the command C:\windows\system32\restore\rstrul.exe and got restore to run successfully. Apparently trying to run restore from a startup option does not work but the command does. After the restore completed for a date before the infection, everything was back to normal and all data and programs were there. This was a very frustrating problem to resolve, so good luck to anyone who gets this virus and I hope this helps.

    The following user says thank you to Jerry D for this useful post: satrow (2012-04-12)

  #9 Gold Lounger, Johnson City, Tennessee, USA

    Jerry,
    Did you mean "rstrui.exe"? Not at all sure about "rstrul". Regards, Fred
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)
