Smart hdd virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dogmoat, Aug 24, 2012.

  1. dogmoat

    dogmoat Private E-2

    Hello-- I seem to have a SMART HDD Virus. Any suggestions to get rid of it would be greatly appreciated.

    thank you

    Julie & Heather
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:


    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. dogmoat

    dogmoat Private E-2

    Hi there,

    Logs are attached. I removed a few items via Malwarebytes. Hitman found a couple; but per your directions, I did not delete.
    I think there are still some problems as I cannot get onto the internet now (I am posting via another computer).

    Please let me know what is next.

    thank you
    Julie & Heather
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per your RogueKiller, you have an infected and hidden partition that has been made active:
    Code:
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
    Do you have all important data backed up to CD/DVD or an external drive? If not, I suggest that you do so before continuing with the below.

    Re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist (uncheck everything else) and then click the Delete button.

    Then immediately reboot your PC.

    After reboot, continue with the below.


    Procedure to download G-Parted ISO and create bootable Windows CD


    Please download: gparted-live (approx. 121 MB)
    Now boot off of the newly created GParted CD and you should see:
    • Press ENTER
    • By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    • Choose your language and press ENTER. English is default [33]
    • Once again, at this prompt, press ENTER
    • You will now be taken to the main GUI screen



    According to your logs, the partition that we want to work on to remove any Hidden and Boot flags is 10 MiB (that's 10 MB).
    • Right click on the 10 MiB partition and select "Manage Flags"
    • Remove the ticks from Boot and Hidden and close the Manage Flags form

    • Now right click on the boot partition, which is the 14.65 GiB one
    • So select the 14.65 GiB partition and then select "Manage Flags"
    • Put a tick in the Boot option (if not already checked) and close the Manage Flags form

    • Now click the Apply selection (the green check mark).
    • You should now be here confirming your actions.

    • Now recheck each partition under "Flags": make sure the rogue partition does not have "Boot" applied, and the OS partition DOES have "Boot" applied.
    • Now double-click the [​IMG] button.
    • At the next window select "Reboot" then "OK". Boot into normal Windows.


    Verify that your PC boots normally.

    After reboot, rerun a scan with RogueKiller and save new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new RogueKiller log
    • C:\MGlogs.zip
     
  5. dogmoat

    dogmoat Private E-2

    I seem to have reached a roadblock. I was not able to download the gparted onto my computer because I do not have access to the internet. So I backed up my files onto a different computer and created the gparted file there. The ISO Roxio image file is 23.1 gig. However, it is now too big to fit onto a cd and also I cannot get it onto a flash drive no matter what size.... Where do I go from here???

    thank you

    J
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Follow the instructions exactly as written. G-Parted is not 23.1 GB. The current version is about 133 MB. Use your other PC to burn it and use ImgBurn.
     
  7. dogmoat

    dogmoat Private E-2

    sorry, I did not word my question correctly. I already created the image on the other computer; but cannot transfer it to a cd or a flash drive because it is too big. It is 23.1 gigs and will not even fit onto a 64 gig flash drive.
    Also, I tried again and was able to get onto the internet on the infected computer; but the computer will not read an ISO file. Is there a different way to download GParted?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I stated already. The image is not 23.1 Gig. The ISO file is 133 MB. You just need to burn it to a CD using ImgBurn following the instructions in the link given for ImgBurn.
     
  9. dogmoat

    dogmoat Private E-2

    ok-- I was finally able to load the dvd and boot off of the gparted. I followed the directions below; but instead of booting normally; now it is stating that windows failed to start and it is prompting me to insert my windows installation disc.
     
  10. dogmoat

    dogmoat Private E-2

    please disregard the prior post.
    I was able to restart normally and ran the Roguekiller and MG log.
    Please see attached and advise.

    thank you
    J
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that partition is no longer hidden or active and RogueKiller no longer shows this >> ¤¤¤ Infection : Root.MBR ¤¤¤

    How is everything working?
     
  12. dogmoat

    dogmoat Private E-2

    It is better; but not perfect. the infected computer still has the following symptoms:
    At start up: It boots up faster; wallpaper is back; a Java prompt for jucheck.exe; Hitman runs an automatic scan and detects malware of a "Volume Boot Record" Rootkit; Malware popup states [open event] failed to perform desired action. error code 2; connection error for "steam network"; my image still does not come up (instead it is in a folder of the start menu); instead I have Dell stage. Music is empty, photos are empty, videos is complete; games is complete; docs is complete; internet is set with Yahoo.genio as homepage-- but the intermittent redirect seems to be gone.
    I have attached the latest log from Hitman.
    thank you Julie
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this is from the partition we unhid and removed the Active setting from. Now we are going to delete it with G-Parted.


    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen
    According to your logs, the partition that you want to delete is 10 MiB (10 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions.
    Is boot next to your OS drive? According to your logs, your OS drive is the 581.41 GB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
    In the menu that pops up, place a checkmark in boot.
    Now press the Close button to save these changes.
    Now double-click the [​IMG] button.
    You should receive a small pop up.
    Choose reboot and then press OK.


    Now reboot into normal Windows.
    Once back in Windows...


    Run a new scan with Hitman Pro and then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new Hitman log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. dogmoat

    dogmoat Private E-2

    when trying to boot in os; I am getting a Windows boot manager error.
    Says "Windows Boot Manager. Windows failed to start. Insert windows installation."
    I am able to boot into recovery mode. I have attached the scans that I ran just now in recovery mode.
    Hitman is now finding some "riskware"
    see attached
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools will not run in recovery mode, so the log is very incomplete.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  16. dogmoat

    dogmoat Private E-2

    see attached (I had to zip it cuz it was too big)
     
    Last edited by a moderator: Sep 9, 2012
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the log from FRST. You attached the FRST64.exe file that you renamed to .txt.
     
  18. dogmoat

    dogmoat Private E-2

    OK...
    Got it right this time.
    see attached for frst log
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now see if you can boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. dogmoat

    dogmoat Private E-2

    I am still unable to boot in windows.
    Specifically error msg info says "An error occurred while attempting to read the boot configuration data."

    Fix log is attached.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please bootup again with the G-Parted CD and tell me what you see listed for Partitions. Also which ones are Active, Hidden, Boot,....etc.
     
  22. dogmoat

    dogmoat Private E-2

    I have the following partitions listed

    partition     file system   label         size       used     unused    flags
    /dev/sda1     fat16         DELLUTILITY   100 mb     338kb    99.67kb   diag
    /dev/sda2     ntfs          Recovery      14.65gb    9.43gb   5.22gb
    /dev/sda3     ntfs          OS            581.41gb   ---      ----      boot
    unallocated   unallocated                 15mb

    there is a warning flag by the OS partition
    error says ntfs is inconsistent. Run Chkdsk/f on Windows then reboot it TWICE! Unable to read the contents of this file system! Because some of the operations may be unavailable.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you change the boot flag to the 100MB partition, what happens?
     
  24. dogmoat

    dogmoat Private E-2

    upon boot it asks for a command
    C:\>
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At that C: prompt, type the below and hit enter, tell me if any problems are detected. This may take a while to run. Note DO NOT use the /f option! Just enter it as I show below.

    chkdsk
     
    Last edited: Sep 11, 2012
  26. dogmoat

    dogmoat Private E-2

    It says "bad command or file name"
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I suspected. At the C: prompt what happens if you type the below and hit enter?

    D:

    Does the prompt change to show drive D? If so, what is the full prompt? Also if it changes to drive D, what happens if you type dir and hit enter?
     
  28. dogmoat

    dogmoat Private E-2

    upon command
    D:
    "invalid drive specified"
    the prompt stays on drive C.
     
  29. thisisu

    thisisu Malware Consultant

    @Chaslang
    Just a heads up that the fix you posted here was incorrectly run.

    The user may need to toggle the 581.41gb partition inactive and then back to active.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah, good catch! Thanks thisisu!

    dogmoat, you need to go back and run the fix in message # 19 properly. You were not booted into the System Recovery Environment. And as noted by thisisu, you may need to first make the 581.41 GB partition inactive and then toggle back to Active.
     
  31. dogmoat

    dogmoat Private E-2

    I am still getting the error msg while trying to boot in OS (581.41 partition)

    says "windows failed to start. A recent hardware or software change might be the cause. To fix the problem:
    1. insert your windows installation disc and restart your computer.
    2. choose your language settings, and then click next.
    3. Click repair your computer.

    If you do not have this disc, contact your systems admin or computer mftr for assistance.

    File: \Boot\BCD
    status: 0xc000000f
    info: An error occurred while attempting to read the boot configuration data."
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you rerun the fixlist.txt fix with FRST? If so, please attach the new resulting Fixlog.txt
     
  33. dogmoat

    dogmoat Private E-2

    fixlog.txt is attached
     


  34. thisisu

    thisisu Malware Consultant

    Make sure you are attaching the correct (latest) log, this one still tells us that the fix was run incorrectly.

    Code:
    ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
    Refer back to post #15 for instructions on how to get into the recovery environment / System Recovery Options.
     
  35. dogmoat

    dogmoat Private E-2

    try this one
     


  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, is there any change in the ability to boot up Windows?
     
  37. dogmoat

    dogmoat Private E-2

    No-- I still cannot boot into Windows; I get the same error msg
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try doing a Startup Repair from the System Recovery Options. See how we booted in message # 15 but this time choose Startup Repair not Command Prompt.

    More info on Startup Repair is in the below, although this mentions booting from the Windows 7 DVD instead of the built-in Recovery Options.

    http://www.sevenforums.com/tutorials/681-startup-repair.html
     
  39. dogmoat

    dogmoat Private E-2

    sorry, that did not work either
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see message # 15 again and boot up to the System Recovery Command prompt. When you get to the command prompt, just type dir and hit enter. What do you see? Also what is the prompt that you see when you first get to the command prompt?
     
  41. dogmoat

    dogmoat Private E-2

    command prompt
    X:windows\system32\

    upon running "dir" it provides a list of files and programs
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then what happens if you type the below and hit enter ( note the space after bootrec and the direction of the / )

    bootrec /fixmbr
     
  43. dogmoat

    dogmoat Private E-2

    it says "The operation completed successfully."
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now run the below and tell me what happens

    bootrec /fixboot
     
  45. dogmoat

    dogmoat Private E-2

    says "the operation completed successfully"
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happens if you try to boot up normally now? Make sure no USB drives are plugged in first.
     
  47. dogmoat

    dogmoat Private E-2

    It still says
    "windows failed to start"
     
  48. thisisu

    thisisu Malware Consultant

    Can you do this again? Make sure you redownload FRST64.exe.

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  49. dogmoat

    dogmoat Private E-2

    see attached
     


  50. thisisu

    thisisu Malware Consultant

    Your OS partition is not marked as active.
    Boot back into GParted and make the 581 GB partition Active by adding a Boot flag to it. (Right mouse click => Manage Flags)
    Make sure you apply the changes before exiting GParted.

    Then attempt to reboot normally.
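    The hidden active partition RogueKiller reported in message #4 (type 0x17, ACTIVE, 10 MiB) and the missing boot flag thisisu diagnosed in message #50 are both just bytes in the MBR partition table. The Python script below is an added example, not code from this thread or from RogueKiller, GParted or FRST: it parses a classic 512-byte MBR, lists the primary entries, and audits the active (boot) flag the way a responder would when checking a disk image taken from a machine like this one. The MBR bytes it examines are constructed inside the script to resemble the layout in message #22 plus the rogue entry; the sector counts, the size threshold and the TYPE_NAMES map are assumptions of the example.

```python
"""Audit the active (boot) flag in a classic MBR partition table.

Added example for this thread; the MBRs below are constructed, not real disk images.
"""
from __future__ import annotations
import struct

SECTOR_BYTES = 512
PART_TABLE_OFFSET = 446          # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16                  # four 16-byte entries follow
MBR_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR

# Partition type IDs used here. 0x17 is the "hidden NTFS" ID RogueKiller reported
# in this thread; 0x07 is ordinary NTFS; 0xDE is the Dell utility partition type.
TYPE_NAMES = {0x07: "NTFS", 0x17: "NTFS (hidden)", 0xDE: "Dell Utility"}
HIDDEN_TYPE_IDS = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
MIN_PLAUSIBLE_OS_MIB = 64        # assumption: a real OS partition is far larger than this


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                                   # empty slot
        entries.append({
            "index": i + 1,
            "active": status == 0x80,                  # 0x80 = active; GParted shows it as the boot flag
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
            "hidden": ptype in HIDDEN_TYPE_IDS,
            "lba_start": lba_start,
            "size_mib": sectors * SECTOR_BYTES / (1024 * 1024),
        })
    return entries


def audit_partitions(entries: list[dict], os_index: int) -> list[str]:
    """Return findings about the active flag; an empty list means the table looks sane."""
    findings = []
    active = [e for e in entries if e["active"]]
    for e in active:
        if e["hidden"]:
            findings.append(f"partition {e['index']} is ACTIVE but has hidden type 0x{e['type']:02X}")
        if e["size_mib"] < MIN_PLAUSIBLE_OS_MIB:
            findings.append(f"partition {e['index']} is ACTIVE but only {e['size_mib']:.0f} MiB")
    if len(active) > 1:
        findings.append("more than one partition is active")
    elif not active:
        findings.append("no partition is active; the OS partition needs the boot flag")
    elif active[0]["index"] != os_index:
        findings.append(f"OS partition {os_index} is not the active one")
    return findings


def with_boot_flag(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with only entry `index` (1-4) active, the change GParted's boot flag makes."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[PART_TABLE_OFFSET + i * ENTRY_SIZE] = 0x80 if i + 1 == index else 0x00
    return bytes(buf)


def build_mbr(parts: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR from (status, type, lba_start, sectors) tuples; boot code left zeroed."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in parts).ljust(4 * ENTRY_SIZE, b"\x00")
    return bytes(PART_TABLE_OFFSET) + table + MBR_SIGNATURE


# Constructed layout modelled on message #22 plus the rogue entry from message #4.
# Sector counts are approximations chosen to give roughly the sizes quoted in the thread.
INFECTED_MBR = build_mbr([
    (0x00, 0xDE, 2048, 204800),            # DELLUTILITY, ~100 MB
    (0x00, 0x07, 206848, 30720000),        # Recovery, ~14.65 GiB
    (0x00, 0x07, 30926848, 1219246080),    # OS, ~581 GiB
    (0x80, 0x17, 1250234368, 20480),       # rogue: hidden NTFS, ACTIVE, 10 MiB
])
# Same disk after the rogue entry is deleted but before any boot flag is set (message #50).
NO_ACTIVE_MBR = build_mbr([
    (0x00, 0xDE, 2048, 204800),
    (0x00, 0x07, 206848, 30720000),
    (0x00, 0x07, 30926848, 1219246080),
])

if __name__ == "__main__":
    cases = (("infected", INFECTED_MBR), ("no active", NO_ACTIVE_MBR),
             ("repaired", with_boot_flag(NO_ACTIVE_MBR, 3)))
    for label, mbr in cases:
        print(f"== {label} ==")
        for e in parse_mbr(mbr):
            flag = "ACTIVE" if e["active"] else "      "
            print(f"  {e['index']} {flag} {e['type_name']:14} {e['size_mib']:>10.1f} MiB at LBA {e['lba_start']}")
        for finding in audit_partitions(parse_mbr(mbr), os_index=3):
            print("  !", finding)
```

    Run it as-is to see the three states side by side; to audit a real disk, read the first 512 bytes of the device (or of a forensic image) into `parse_mbr` instead of the constructed tables. The audit only reports on the active flag and on the type byte, so a hidden partition that is merely present but inactive, like the one left behind between messages #4 and #13, passes silently; deleting it is a separate step.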
     
