
Smart hdd infection

Discussion in 'Malware Removal' started by DeanK, Apr 26, 2012.

  1. DeanK

    DeanK Private E-2

    Ok, I know I should have come to you guys first, but I tried to fix this myself and things have gotten worse. I have a Dell D810, wirelessly connected to my network, that has gotten the Smart HDD virus. Changed it to safe mode and tried Malwarebytes with no luck. Then downloaded RogueKiller and ran it, and the virus infected safe mode! Now I don't have any access to any programs or anything in safe mode either.

    I need help to get back so I can even try anything. I have other computers to download info onto memory sticks, but right now the d810 can't even recognize it.

    This is a pickle George, a real pickle.
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You left out a very important detail that impacts what we may say next!!!

    What version of Windows are you running?
  3. DeanK

    DeanK Private E-2

    Oops... Windows XP Professional, Service Pack 3.

    If I can gain access to personal files, I can check and save the few my kids have saved there to another computer and wipe the hard drive if necessary. The vast majority of personal files are kept on another computer acting as a server of sorts. So I may have the nuclear option.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP boot disk? It may or may not be able to be used to run a repair.

    To do backups ( not really a topic for this forum ), you will have to research using some other special boot CD that allows that ability. Like perhaps the below link mentions:

    Use Ubuntu Live CD to Backup Files from Your Dead Windows Computer

    Are you saying the PC does not boot up at all, or are you saying it boots up but you do not seem to be able run anything? If the latter, are you 100% sure you cannot run anything?
  5. DeanK

    DeanK Private E-2

    I have the disk that came with the computer, which I think is the boot disk.

    The computer does boot up: in regular mode the smart hdd virus pops up right away, listing 21 write fault errors, then S.M.A.R.T. Check pops up and starts running. It seems I can pause it from running, and cannot get the Windows Task Manager to come up, or get internet explorer running. The desktop is blank also.
    I did find a work around to get to my C: drive, after showing all hidden files, my documents was listed under start, and I can get to it. I can also plug in a flash drive and access it! So in short, I have no network or internet access, but can access C: and a flashdrive. SMART HDD keeps complaining with different failure warnings, but the 'recovery' program is paused.

    I would appreciate any suggestions of what I should load on the flashdrive to run on the infected computer. Thanks.

    Safe mode with networking is worse. No access to files or programs, period.
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then we will try to make use of this.

    Okay and we will make use of this too.

    Use another PC to download the below programs to your flash drive:
    Then put the flash drive into the problem PC and copy each of the above files from the flash drive into your My Documents folder that you said you have access to. Once copied to the My Documents folder, try the below:

    • Run MGtools.exe by double clicking on it and wait for it to finish running. It will tell you when finished. Attach the log from MGtools which will be C:\MGlogs.zip Full details on running MGtools are here >> Using MGtools You will have to copy the log file back to your flash drive to use your other PC to post here.
    • Now try to run ComboFix.exe by double clicking on it. Since you do not have an internet connection you cannot install the recovery console or perform any other updates. Just see if you can get it to run. If it does then attach the C:\combofix.txt log it creates to your next message.
    • Now see if you can get the Malwarebytes installer to run. If you can then run a full scan with it and fix any problems it finds. Immediately reboot your PC after selecting to fix problems.
    Let me know what you can and cannot do. If things do not work, tell me exactly what problems you have.
  7. DeanK

    DeanK Private E-2

    When I started up the computer after leaving it off for a few days, the smart hdd didn't attack like before. The desktop was blank but the Start menu was populated again (files weren't hidden again either). I had an internet connection too.

    MGTools ran fine, file attached.

    Combofix ran and updated, and reported I had a rootkit.zeroaccess! virus. After a while it froze, so I rebooted it and ran Combofix again. Froze again during the scan. Oh yeah, during the load (both times) it said there was a parasite in dplayx.dll that was trying to attach itself to combofix.

    Ran Malwarebytes and it came up with 9 trojans, which I think snagged it. The third run of combofix froze up again, but there was no report of the virus.

    View attachment 178410

    View attachment 178411

    :-D I have some success here! What do you think?
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only follow instructions given. You should not run anything extra times. If something does not work when requested then skip it and report back what happened exactly.

    You did not attach valid files, please try attach the logs again. See: HOW TO: Attach Items To Your Post
  9. DeanK

    DeanK Private E-2

    Sorry, just thought it couldn't hurt.

    Here are the files.

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your infection may have hidden some things from you ( like Start Menu, Programs....etc ). Let's fix this.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )


    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: SearchPredictObj Class - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll
    O4 - HKLM\..\Run: [LHWmcRqHquM.exe] C:\Documents and Settings\All Users\Application Data\LHWmcRqHquM.exe
    O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
    O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon [IMG]
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
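    The HijackThis entries the expert singles out above share two traits a defender can check mechanically: the executables start from a user-writable data directory (All Users\Application Data) rather than Program Files or Windows, and their file names are random letter strings. The script below is an added example, not part of this thread and not code from HijackThis; it parses O2/O4 lines in HijackThis log format and flags entries on those two heuristics. The sample lines are the ones quoted in the post above plus one constructed benign entry (ExampleUpdater, a made-up name) for contrast; the thresholds in looks_random are assumptions chosen for illustration, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the HijackThis lines quoted in the post above
# (one of them twice, as listed there) plus a made-up benign entry. Not a real scan log.
SAMPLE_HJT_LINES = r"""
O2 - BHO: SearchPredictObj Class - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll
O4 - HKLM\..\Run: [LHWmcRqHquM.exe] C:\Documents and Settings\All Users\Application Data\LHWmcRqHquM.exe
O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" /quiet
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

# Directories a normal user can write to; autoruns from here deserve a second look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\", "\\recycler\\")
VOWELS = set("aeiouAEIOU")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    args: str = ""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_command(cmd: str):
    """Separate an O4 command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'^(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$', cmd, re.I)
    if m:
        return m.group("path"), m.group("args") or ""
    return cmd, ""


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds): long, all letters, few vowels, many case switches."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return vowel_ratio < 0.2 and switches >= 4


def parse_hjt(lines):
    """Parse O2/O4 lines into Entry objects, collapsing exact duplicates."""
    entries, seen = [], set()
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            e = Entry("O4 " + m.group("hive"), m.group("name"), path, args)
        else:
            m = O2_RE.match(line)
            if not m:
                continue
            e = Entry("O2 BHO " + m.group("clsid"), m.group("name"), m.group("path").strip())
        key = (e.section, e.name, e.path.lower())
        if key not in seen:
            seen.add(key)
            entries.append(e)
    return entries


def assess(entry: Entry) -> Entry:
    low = entry.path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        entry.reasons.append("runs from a user-writable data directory")
    stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        entry.reasons.append("random-looking file name")
    return entry


def triage(lines):
    """Return only the entries that trip at least one heuristic."""
    return [e for e in (assess(e) for e in parse_hjt(lines)) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES):
        print(f"{e.section}: [{e.name}] {e.path} -> {', '.join(e.reasons)}")
```

    The heuristics deliberately do not catch everything: the SearchPredict BHO lives under Program Files with a readable name, so it passes, even though the expert still wants it removed. Location and name checks are a first filter; the final call on an entry still comes from knowing what the software is.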
  11. DeanK

    DeanK Private E-2

    Unhiding went fine.

    When I run HiJack This, it gets denied access to a hosts file. There's a funny line:

    O1 - Hosts: ::1 localhost

    that I've never seen before when running HiJack This. Should I delete this? I didn't do it pending your instructions. Also, I only found the O2 line and the last O4 line to fix; the other O4 lines were not listed.

    I haven't really run it through its paces, but I'll try it out and post again.

    Attached Files:

  12. DeanK

    DeanK Private E-2

    Ok, page loading is slower right now, running a video off youtube gives choppy video but the audio is smooth. I ran something I know I've run before so I'd see the difference. The commit charge seems higher than usual, but I can't find any unusual processes running.

    Obviously the worst is past now, with no pop-up warnings, and I can see and run everything. Time will tell if any strange warnings pop up again like after the first round of fixes.

    Sorry I didn't say this earlier, thank you for your help! As you can see with my extra tinkering I try to fix things myself, and I have been successful in the past just by following your first steps. This virus was a tough one, and it's great to have this computer up and running again.

    Any next steps?
  13. DeanK

    DeanK Private E-2


    explorer.exe is hogging mem usage, eating up between 160,000k and 250,000k. It moves up and down, and when it does the CPU usage goes up, 50-100%.

    I have no idea what is running there.
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! This is normal.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon [IMG]
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
  15. DeanK

    DeanK Private E-2

    I removed Windows Messenger.

    TDSSKiller did not run as an .exe or .com. I redownloaded it on a thumbdrive and tried to run it that way but no luck either.

    MBRcheck file attached.

    No other pop-ups or virus attacks to report, but last problem (slowness) is unchanged.

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MBRcheck shows a faked MBR
    PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A
          Size  Device Name          MBR Status
         93 GB  \\.\PhysicalDrive0   MBR Code Faked!
                SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    You need to fix this. Earlier in message number 5 you said you think you have your Win XP boot disk. You need to check and make sure you really have a CD that is a bootable Windows XP disk and check to see if you can boot to the Recovery Console with it. If you can get to the command prompt of the Recovery Console, you need to run the below command.


    The second command will reboot. Just reboot normally to Windows and rerun MBRcheck and attach a new log.
  17. DeanK

    DeanK Private E-2

    Sorry about the delayed response, I had a serious accident.

    The boot disk I thought I had is the Operating System reinstallation CD (Windows XP, SP2) that I received with the computer. With it in the CD drive, I was able to choose the recovery console, but the computer appears to freeze while loading it. I tried a couple of times with the same results. Is there a generic boot disk I can make with one of my other computers and use on this one?
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hope everything is okay!

    If you had any external/removable devices ( like USB flash drives, USB hard disks, cameras, MP3 players.....etc ) plugged in, then unplug all of them and try again. If this does not help, try the below.

    Fix MBR using ARCDC
  19. DeanK

    DeanK Private E-2

    I'll be healing for a long time...I'm very lucky, it could have been worse or even fatal.

    Used ARCDC and made a disc off another computer, and ran it on the troubled laptop here. Nothing seems to have changed. Laptop giving fits about attaching files for some reason, so I copied and pasted the latest MBRcheck file I reran after running fixmbr.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 119):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D1000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 PCIIde.sys
    0xBA328000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
    0xBA5AC000 intelide.sys
    0xB9F4A000 pcmcia.sys
    0xBA0B8000 MountMgr.sys
    0xB9F2B000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9F13000 atapi.sys
    0xBA338000 cercsr6.sys
    0xB9EFB000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xBA0D8000 disk.sys
    0xB9EDB000 fltmgr.sys
    0xB9EC9000 sr.sys
    0xB9EB2000 KSecDD.sys
    0xB9E9F000 WudfPf.sys
    0xB9E12000 Ntfs.sys
    0xB9DE5000 NDIS.sys
    0xB9DCB000 Mup.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA568000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB9C27000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB9C13000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9BF5000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9BD1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9BBB000 \SystemRoot\system32\DRIVERS\gtipci21.sys
    0xBA570000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
    0xB9B27000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xB9AE4000 \SystemRoot\system32\drivers\STAC97.sys
    0xB9AC0000 \SystemRoot\system32\drivers\portcls.sys
    0xBA318000 \SystemRoot\system32\drivers\drmk.sys
    0xB9A9D000 \SystemRoot\system32\drivers\ks.sys
    0xB9A6A000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
    0xB996D000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
    0xB98C0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA108000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA118000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA574000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xBA6A0000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9881000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9870000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA420000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB9840000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5CC000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB97E2000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6A7000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5D8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA440000 \SystemRoot\System32\drivers\vga.sys
    0xBA5DA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5DC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA448000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA450000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9D72000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB169F000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB1646000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB162D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB1607000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA55C000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xB15E5000 \SystemRoot\System32\drivers\afd.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB15BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB15A1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA2B8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB1561000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA618000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB98B8000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA498000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA7CB000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04E000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
    0xAF375000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAE01A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAE005000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAF2E9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xADECF000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xADD77000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAD8D6000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 36):
    0 System Idle Process
    4 System
    744 C:\WINDOWS\system32\smss.exe
    820 csrss.exe
    844 C:\WINDOWS\system32\winlogon.exe
    888 C:\WINDOWS\system32\services.exe
    900 C:\WINDOWS\system32\lsass.exe
    1052 C:\WINDOWS\system32\ati2evxx.exe
    1064 C:\WINDOWS\system32\svchost.exe
    1160 svchost.exe
    1200 C:\WINDOWS\system32\svchost.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1404 svchost.exe
    1600 C:\WINDOWS\system32\ati2evxx.exe
    1668 svchost.exe
    1676 C:\WINDOWS\explorer.exe
    184 C:\WINDOWS\system32\spoolsv.exe
    232 scardsvr.exe
    284 svchost.exe
    708 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    732 C:\Program Files\Bonjour\mDNSResponder.exe
    1532 C:\WINDOWS\system32\svchost.exe
    2060 wmiprvse.exe
    2264 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    2296 C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
    2320 C:\Program Files\iTunes\iTunesHelper.exe
    2336 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    2372 C:\WINDOWS\system32\ctfmon.exe
    2380 C:\WINDOWS\system32\rundll32.exe
    2444 C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe
    2560 alg.exe
    2920 C:\Program Files\iPod\bin\iPodService.exe
    3800 C:\WINDOWS\system32\svchost.exe
    2044 C:\WINDOWS\system32\wuauclt.exe
    2816 C:\Program Files\Internet Explorer\iexplore.exe
    3764 C:\Documents and Settings\D810\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A

    Size Device Name MBR Status
    93 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
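    The "MBR Code Faked!" verdict in the MBRCheck logs above (posts 16 and 19) comes from hashing the boot-code bytes of sector 0 and comparing the SHA1 against known-good values, while the partition table further down in the same sector is left alone, which is why the system still boots and the C: offset in the log is simply partition start LBA 63 x 512 bytes = 0x7e00. The script below is an added example, not part of this thread and not MBRCheck's own code, showing that check on a constructed 512-byte MBR image: it verifies the 0x55AA signature, parses the four partition entries, hashes bytes 0 to 439, and compares against a baseline set. The boot code, disk signature, partition sizes and baseline hash are all constructed for the example; the SHA1 printed in the log above is not a known-good value and is not used here.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0-439: boot code; 440-443: disk signature; 444-445: reserved;
                      # 446-509: four 16-byte partition entries; 510-511: 0x55AA signature


def build_mbr(boot_code: bytes, partitions, disk_signature: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Assemble a 512-byte MBR image from parts (used here only to construct sample data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + disk_signature + b"\x00\x00" + table + b"\x55\xaa"


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code region only, so a legitimate partition change does not alter it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        status, _chs1, ptype, _chs2, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": count, "offset": lba * SECTOR})
    return {"signature_ok": mbr[510:] == b"\x55\xaa",
            "boot_code_sha1": boot_code_sha1(mbr),
            "partitions": parts}


def format_offset(offset: int) -> str:
    """Render a byte offset the way the log above prints it, e.g. 0x00000000`00007e00."""
    return f"0x{offset >> 32:08x}`{offset & 0xFFFFFFFF:08x}"


def assess_mbr(mbr: bytes, baseline: set) -> str:
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_sha1"] in baseline:
        return "clean: boot code matches a known-good hash"
    return "suspect: boot code hash not in baseline"


# Constructed sample data: a stand-in "known good" boot code and one bootable NTFS
# partition starting at LBA 63 (63 * 512 = 0x7e00, the C: offset in the log above).
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"clean-boot-code-stand-in"
SAMPLE_PARTITIONS = [(True, 0x07, 63, 195_035_136)]   # bootable, type 0x07 (NTFS), start LBA, sector count
CLEAN_MBR = build_mbr(CLEAN_CODE, SAMPLE_PARTITIONS)
BASELINE = {boot_code_sha1(CLEAN_MBR)}                # the hash set a checker would ship with

# A tampered copy: only three bytes of boot code differ, the partition table and 0x55AA
# are intact, so the disk still boots and only the hash comparison reveals the change.
_t = bytearray(CLEAN_MBR)
_t[0:3] = b"\xEB\x20\x90"
TAMPERED_MBR = bytes(_t)


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(image)
        print(label, info["boot_code_sha1"], assess_mbr(image, BASELINE))
        for p in info["partitions"]:
            print("  partition", p["index"], "at offset", format_offset(p["offset"]))
```

    On a live system the 512 bytes would come from reading \\.\PhysicalDrive0, which needs administrator rights and, as the thread shows, is exactly what a rootkit that hooks disk access can falsify; that is why the expert insists the repair be done from a boot CD rather than from inside Windows.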
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you may have been trying to reattach the same old log. You need to run a new scan with MBRcheck before ATTACHing the new log. If this is really a new log then you did not get the MBR fixed by booting into the Recovery Console and you will need to do it again and make sure you follow all steps properly. You must BOOT your computer from the CD. You cannot be running Windows and then run those commands.
