Smart_hdd

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wdm3649, Apr 5, 2012.

  1. wdm3649

    wdm3649 Private E-2

    Upon startup, multiple error messages pop up that say "System Error - Write Fault Error". Then a window opens and S.M.A.R.T. runs a "scan" telling me the PC is at risk. All desktop icons other than IE and Recycle Bin are invisible, as are all programs when clicking the Start button. This has been going on for a day. This is my parents' PC; I'm assuming one of them downloaded something from an email.

    After running through READ & RUN ME, desktop icons are visible but are shaded as if they have been clicked, and no programs are visible when clicking the Start button. I was unable to completely run ComboFix. It got to the screen saying it was scanning but appeared to get hung up, as it never advanced to the stages. I was unable to run RootRepeal because I could only find .rar downloads and have no idea how to extract the .exe file from that file type.

    Thanks in advance.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello wdm3649,

    Please download RogueKiller to your desktop.

    • Rename RogueKiller.exe to winlogon.exe
    • Double-click winlogon.exe to run the program.
    • When it opens, press the Scan button
    • When it is finished, there will be a log on your desktop called: RKreport[1].txt
    • Attach RKreport[1].txt to your next message. (How to attach)
    • Now press the Delete button while RogueKiller is still open.
    • When it is finished, there will be a log on your desktop called: RKreport[2].txt
    • Attach RKreport[2].txt to your next message. (How to attach)
    • Finally, press the ShortcutsFix button while RogueKiller is still open.
    • When it is finished, there will be a log on your desktop called: RKreport[3].txt
    • Attach RKreport[3].txt to your next message. (How to attach)

    I want you to read and follow these instructions: TDSSKiller - How to run

    __

    Afterwards, here is a video tutorial on how to extract a file from an archive.

    http://www.youtube.com/watch?v=CRut2J1W8qM

    If you were able to do this, go ahead and try to obtain a RootRepeal log.
    Do not worry if you weren't able to do this, it isn't an imperative log for this type of infection.
     
  3. wdm3649

    wdm3649 Private E-2

    I was able to run everything you requested.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Good job :)

    __

    Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    __

    Attempt to run ComboFix using these directions:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /killall
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful. (How to attach)
     
  5. wdm3649

    wdm3649 Private E-2

    I reran TDSSKiller but ran into the same issue with ComboFix. It runs fine all the way to the blue screen stating that it is performing a scan and just stays on that screen and does not advance through the scanning stages. A Windows Security balloon pops up and says there is no firewall turned on and there is no virus detection software found. Other than that I do not notice anything else going on while it is stuck on that scanning screen. Last night I let it sit there for about an hour and just now for about 40 minutes. I cannot close out of the program and I have to manually turn off the PC and reboot.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    I will get a chance to review your logs more thoroughly later this evening.

    In the meantime, please tell me what malware problems remain.
     
  7. wdm3649

    wdm3649 Private E-2

    As far as I can tell it's just the HDD_Smart problem. There is a desktop icon now visible for that malware item. I have noticed that when I open IE it tries to go to a search engine called mystart, which I believe is malware. Other than that it seems to be rebooting fine, but it appears there are 1 or 2 desktop icons, as well as a few programs when hitting the Start button, that it is trying to show as invisible but which look like they have been clicked once. Thank you again for your help; not sure if this process has led you to be frustrated with me, but I can assure you it can't be near the frustration level I am at with my father. Patience hasn't agreed with him in his old age. Once this is finished, if there is a way to send you a few bucks through PayPal or something similar, I will make sure he does, or one of us does anyway. Again, thank you.
     
  8. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Blekko search bar
    • Broderbund Toolbar
    • Coupon Printer for Windows
    • ShopAtHome.com Toolbar
    • SpySubtract


    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Find and delete the following items in red:
    • C:\Documents and Settings\All Users\Application Data\-XdtsSeiP76JjKg
    • C:\Documents and Settings\All Users\Application Data\-XdtsSeiP76JjKgr
    • C:\Documents and Settings\All Users\Application Data\XdtsSeiP76JjKg
    • C:\Documents and Settings\HP_Owner\Desktop\SMART_HDD.lnk
    • C:\Documents and Settings\HP_Owner\Start Menu\Programs\SMART HDD <-- Delete the entire folder


    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    __

    Let me know what problems remain after you have completed the above tasks.
     
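The manual clean-up in the post above (delete the rogue's dropper files and shortcuts, then remove the two hijacked Internet Explorer SearchScopes keys via fixme.reg) can also be done as one auditable script. The following is an added example and is not from the thread or from MajorGeeks' own tools; the file paths and the two scope GUIDs are copied from the post, while the profile locations are parameters because the XP `C:\Documents and Settings\HP_Owner` layout is an assumption about that particular PC. The DefaultScope check at the end is an added safeguard that the post does not mention. Run it from an elevated PowerShell prompt as the affected user, and with `-WhatIf` first to preview what it would remove.

```powershell
<#
  Added example, not from the thread: reproduce the consultant's clean-up steps
  (delete rogue files/shortcuts, remove hijacked IE SearchScopes keys) with
  PowerShell so they can be previewed with -WhatIf and repeated on another PC.
  Profile paths are assumptions taken from the logs in the thread.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserProfile     = 'C:\Documents and Settings\HP_Owner',
    [string]$AllUsersAppData = 'C:\Documents and Settings\All Users\Application Data'
)

# Dropper artifacts and shortcuts named in the post (random-looking names are typical of this rogue).
$rogueItems = @(
    (Join-Path $AllUsersAppData '-XdtsSeiP76JjKg'),
    (Join-Path $AllUsersAppData '-XdtsSeiP76JjKgr'),
    (Join-Path $AllUsersAppData 'XdtsSeiP76JjKg'),
    (Join-Path $UserProfile    'Desktop\SMART_HDD.lnk'),
    (Join-Path $UserProfile    'Start Menu\Programs\SMART HDD')
)

# The two hijacked search scopes from fixme.reg in the post.
$scopeRoot      = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$hijackedScopes = @(
    '{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}',
    '{afdbddaa-5d3f-42ee-b79c-185a7020515b}'
)

function Remove-RogueItem {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "not present : $Path"
        return
    }
    # Rogues usually mark their droppers hidden+system; clear those bits first so
    # the delete cannot fail on attributes, then remove the file or whole folder.
    $item = Get-Item -LiteralPath $Path -Force
    $clear = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    $item.Attributes = [IO.FileAttributes]($item.Attributes -band -bnot $clear)
    if ($PSCmdlet.ShouldProcess($Path, 'Delete')) {
        Remove-Item -LiteralPath $Path -Recurse -Force
        Write-Host "deleted     : $Path"
    }
}

function Remove-HijackedScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Guid)

    $key = Join-Path $scopeRoot $Guid
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host "not present : $key"
        return
    }
    # Record where the hijacked scope pointed before removing it (useful for the log).
    $url = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).URL
    if ($PSCmdlet.ShouldProcess($key, "Delete (URL=$url)")) {
        Remove-Item -LiteralPath $key -Recurse -Force
        Write-Host "deleted     : $key  (URL=$url)"
    }
}

$rogueItems     | ForEach-Object { Remove-RogueItem -Path $_ }
$hijackedScopes | ForEach-Object { Remove-HijackedScope -Guid $_ }

# Added check (not in the post): if IE's DefaultScope still names one of the
# deleted GUIDs, IE is left without a valid default search provider. Point it
# at a scope that still exists, or warn that none is left.
$default = (Get-ItemProperty -LiteralPath $scopeRoot -ErrorAction SilentlyContinue).DefaultScope
if ($default -and ($hijackedScopes -contains $default)) {
    $remaining = Get-ChildItem -LiteralPath $scopeRoot | Select-Object -First 1
    if ($remaining) {
        if ($PSCmdlet.ShouldProcess($scopeRoot, "Set DefaultScope=$($remaining.PSChildName)")) {
            Set-ItemProperty -LiteralPath $scopeRoot -Name DefaultScope -Value $remaining.PSChildName
        }
    } else {
        Write-Warning 'DefaultScope pointed at a removed scope and no other SearchScopes remain; reset the search provider in IE.'
    }
}
```

Removing the keys with `Remove-Item` on the `HKCU:` provider is equivalent to the `[-HKEY_CURRENT_USER\...]` lines in fixme.reg; the script only adds a preview mode, a log of what each scope pointed at, and the DefaultScope sanity check.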
  9. wdm3649

    wdm3649 Private E-2

    I was able to complete all tasks successfully. As far as I can tell there are no other issues.
     
  10. thisisu

    thisisu Malware Consultant

    Great ;)

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
