SMART HDD



#1 EmilyMD

Posted 22 April 2012 - 04:48 PM

I became infected with the SMART HDD virus. I received a cascade of error messages and a scan that indicated my hard drive was in failure. I followed the removal instructions on this site and currently can access most of my files, but I'm still getting the cascade of error messages and the SMART HDD scan still comes up.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Emily at 16:37:42 on 2012-04-22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2940.1544 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Fitbit\fitbit.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Fitbit\fitbit-tray.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://start.toshiba.com/g/
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Best Buy pc app] C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Fitbit Service Monitor] C:\Program Files (x86)\Fitbit\fitbit-tray.exe
uRun: [hjOouWQXnIVMkvP.exe] C:\ProgramData\hjOouWQXnIVMkvP.exe
uRun: [SUPERAntiSpyware] E:\SUPERAntiSpyware.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Emily\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pidgin.lnk - C:\Program Files (x86)\Pidgin\pidgin.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{6B0F2361-1617-4D63-855D-C1F6167E5071} : DhcpNameServer = 192.168.15.1
TCP: Interfaces\{6B0F2361-1617-4D63-855D-C1F6167E5071}\4416C647F6E6 : DhcpNameServer = 64.6.42.11 207.5.120.17
TCP: Interfaces\{6B0F2361-1617-4D63-855D-C1F6167E5071}\84F6C6964616970294E6E602E4F627D616E6 : DhcpNameServer = 8.8.4.4 8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GRA32A~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 Fitbit;Fitbit Data Uploader;C:\Program Files (x86)\Fitbit\fitbit.exe [2012-3-4 788000]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-2-6 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S1 wsrsomcn;wsrsomcn;\??\C:\windows\system32\drivers\wsrsomcn.sys --> C:\windows\system32\drivers\wsrsomcn.sys [?]
S2 !SASCORE;SAS Core Service;"E:\SASCORE64.EXE" --> E:\SASCORE64.EXE [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SIUSBXP;SIUSBXP;C:\windows\system32\drivers\SiUSBXp.sys --> C:\windows\system32\drivers\SiUSBXp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-22 21:24:07 50000 ----a-w- C:\windows\System32\drivers\wsrsomcn.sys
2012-04-22 21:23:34 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{897456B8-4E3F-4110-83AD-6E4DB65B28D8}\offreg.dll
2012-04-21 18:00:50 -------- d--h--w- C:\Users\Emily\AppData\Roaming\SUPERAntiSpyware.com
2012-04-21 17:57:51 -------- d--h--w- C:\ProgramData\SUPERAntiSpyware.com
2012-04-21 16:11:03 -------- d--h--w- C:\Users\Emily\AppData\Roaming\Malwarebytes
2012-04-21 16:10:53 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-04-21 16:10:53 -------- d--h--w- C:\ProgramData\Malwarebytes
2012-04-21 16:10:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-21 15:46:42 220672 ---ha-w- C:\ProgramData\9nqhpFCTOoYdnv.exe
2012-04-21 15:41:00 299008 ---ha-w- C:\ProgramData\hjOouWQXnIVMkvP.exe
2012-04-20 13:23:29 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{897456B8-4E3F-4110-83AD-6E4DB65B28D8}\mpengine.dll
2012-04-12 02:49:45 80896 ----a-w- C:\windows\System32\imagehlp.dll
2012-04-12 02:49:45 22896 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2012-04-12 02:49:45 158720 ----a-w- C:\windows\SysWow64\imagehlp.dll
2012-04-12 02:49:44 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2012-04-12 02:49:44 5120 ----a-w- C:\windows\System32\wmi.dll
2012-04-12 02:49:44 220672 ----a-w- C:\windows\System32\wintrust.dll
2012-04-12 02:49:44 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
.
==================== Find3M ====================
.
2012-03-06 06:43:21 5504880 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-03-06 05:59:41 3958128 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59:41 3902320 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-02-23 15:18:36 279656 ------w- C:\windows\System32\MpSigStub.exe
2012-02-15 06:27:54 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2012-02-15 05:44:57 826368 ----a-w- C:\windows\SysWow64\rdpcore.dll
2012-02-15 04:47:21 204800 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-02-15 04:46:59 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
2012-02-10 06:18:10 1541120 ----a-w- C:\windows\System32\DWrite.dll
2012-02-10 06:17:55 1837568 ----a-w- C:\windows\System32\d3d10warp.dll
2012-02-10 06:17:54 902656 ----a-w- C:\windows\System32\d2d1.dll
2012-02-10 06:17:54 320512 ----a-w- C:\windows\System32\d3d10_1core.dll
2012-02-10 06:17:54 197120 ----a-w- C:\windows\System32\d3d10_1.dll
2012-02-10 05:41:38 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-02-10 05:41:20 218624 ----a-w- C:\windows\SysWow64\d3d10_1core.dll
2012-02-10 05:41:20 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2012-02-10 05:41:20 1170944 ----a-w- C:\windows\SysWow64\d3d10warp.dll
2012-02-10 05:41:19 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2012-02-03 04:16:03 3143168 ----a-w- C:\windows\System32\win32k.sys
2012-01-25 06:27:11 76288 ----a-w- C:\windows\System32\rdpwsx.dll
2012-01-25 06:27:11 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-01-25 06:20:59 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
.
============= FINISH: 16:38:03.72 ===============
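An added triage helper, not part of this thread or of any of the tools used in it. It parses a constructed excerpt modelled on the DDS log above (the uRun entry for hjOouWQXnIVMkvP.exe and the two hidden, randomly named executables in the Created Last 30 list) and flags autorun targets that combine traits typical of a rogue dropper: an executable sitting directly in a user-writable root such as C:\ProgramData, a random-looking name, and the hidden attribute. The naming heuristic and the "two traits" threshold are assumptions for illustration, not DDS, RogueKiller or vendor logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the DDS log above (same line formats).
DDS_EXCERPT = """\
uRun: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
uRun: [hjOouWQXnIVMkvP.exe] C:\\ProgramData\\hjOouWQXnIVMkvP.exe
uRun: [SUPERAntiSpyware] E:\\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe"
2012-04-21 15:46:42 220672 ---ha-w- C:\\ProgramData\\9nqhpFCTOoYdnv.exe
2012-04-21 15:41:00 299008 ---ha-w- C:\\ProgramData\\hjOouWQXnIVMkvP.exe
2012-04-21 16:10:53 24904 ----a-w- C:\\windows\\System32\\drivers\\mbam.sys
"""

# uRun/mRun (HKCU/HKLM Run keys): optional quotes, optional arguments.
RUN_RE = re.compile(
    r'^([um]Run(?:-x64)?): \[([^\]]*)\] "?([A-Za-z]:\\.*?\.(?:exe|dll|appref-ms|lnk))"?(?:\s.*)?$',
    re.I,
)
# "Created Last 30" rows: timestamp, size, 8-char attribute string, path.
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
# Roots a medium-integrity process can write to without a UAC prompt;
# legitimate software almost never drops its executable directly here.
DROP_ROOT_RE = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\(?:roaming|local|locallow))$", re.I
)


def in_drop_root(path: str) -> bool:
    """True when the file sits directly in a user-writable data root."""
    return bool(DROP_ROOT_RE.match(path.rsplit("\\", 1)[0]))


def looks_random(filename: str) -> bool:
    """Assumed heuristic: a long mixed-case alphanumeric stem containing a run
    of four or more consonants reads as machine-generated, not a product name."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    if not (any(c.islower() for c in stem) and any(c.isupper() for c in stem)):
        return False
    longest = run = 0
    for c in stem.lower():
        run = run + 1 if c.isalpha() and c not in "aeiouy" else 0
        longest = max(longest, run)
    return longest >= 4


def parse(log: str) -> Tuple[List[Tuple[str, str, str]], Dict[str, Tuple[str, str]]]:
    """Return (Run entries, created files keyed by lower-cased path)."""
    runs: List[Tuple[str, str, str]] = []
    created: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if m:
            path = m.group(4).strip()
            created[path.lower()] = (path, m.group(3))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m.group(1), m.group(2), m.group(3)))
    return runs, created


def triage(log: str) -> List[dict]:
    """Flag autorun targets showing two or more dropper traits, then sweep the
    created list for hidden, random-named copies that have no Run key."""
    runs, created = parse(log)
    findings: List[dict] = []
    seen = set()
    for hive, name, path in runs:
        reasons = []
        if in_drop_root(path):
            reasons.append("autorun target sits directly in a user-writable data root")
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking file name")
        hit = created.get(path.lower())
        if hit and "h" in hit[1]:
            reasons.append(f"file is hidden ({hit[1]}) and was created in the last 30 days")
        if len(reasons) >= 2:
            findings.append({"hive": hive, "name": name, "path": path, "reasons": reasons})
            seen.add(path.lower())
    for key, (path, attrs) in created.items():
        if key in seen or attrs[0] == "d" or "h" not in attrs:
            continue
        if in_drop_root(path) and looks_random(path.rsplit("\\", 1)[-1]):
            findings.append({"hive": None, "name": None, "path": path,
                             "reasons": ["hidden, random-named executable in a user-writable root, no autorun entry"]})
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the excerpt it reports both ProgramData executables and nothing else: sidebar.exe and iTunesHelper.exe live under Program Files and have product-like names, and SUPERAntiSpyware.exe on E: is outside every writable root. The second, dormant copy (9nqhpFCTOoYdnv.exe) is only caught by the created-list sweep, which is why a Run-key review alone is not enough.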


#2 Aaflac

  • Malware Response Team

Posted 23 April 2012 - 12:08 AM

Welcome to BleepingComputer, EmilyMD!

Please download RogueKiller

• When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
• Click the dark-blue button to download.
• Save to the Desktop

• Close all windows and browsers
• Windows Seven: Right-click and select 'Run as Administrator'
• Press: SCAN
• A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.
To do is to be - Socrates

#3 EmilyMD

Posted 23 April 2012 - 09:54 AM

RogueKiller V7.3.3 [04/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Emily [Admin rights]
Mode: Scan -- Date: 04/23/2012 09:51:15

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 25 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Best Buy pc app (C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND
[SUSP PATH] HKCU\[...]\Run : hjOouWQXnIVMkvP.exe (C:\ProgramData\hjOouWQXnIVMkvP.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1779739649-3588016280-282188535-1001[...]\Run : Best Buy pc app (C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1779739649-3588016280-282188535-1001[...]\Run : hjOouWQXnIVMkvP.exe (C:\ProgramData\hjOouWQXnIVMkvP.exe) -> FOUND
[SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2565GSX +++++
--- User ---
[MBR] 1663bebd3b9cc60237760466abc7bbcc
[BSP] fcaa9f59221a0c55501a50c967c60255 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 226546 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 467040256 | Size: 10428 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>

#4 Aaflac

Posted 24 April 2012 - 11:52 AM

My apologies for the delay... I did not see your post.

Let's press on with RogueKiller...

• Please quit all programs
• Right-click the RogueKiller file and select 'Run as Administrator'
• Wait until the Prescan finishes

• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.
An RKreport (Mode: Delete) is now created on the Desktop.
(The RKreport also opens using the Report button on the console.)

Please post the RKReport Mode: Delete in your reply.

#5 EmilyMD

Posted 24 April 2012 - 01:41 PM

Nothing shows under Registry. I previously had RogueKiller still open from the first set of instructions. Because your new instructions indicated to Run as Administrator, I closed the program and reopened and followed your instructions. After the prescan nothing shows under processes or registry. Do I need to maybe first run the scan?

#6 Aaflac

Posted 24 April 2012 - 09:46 PM

Yes, please try it that way.

#7 EmilyMD

Posted 25 April 2012 - 08:52 AM

Attached are the 2 files created after running the scan and deleting the registry entries.


#8 Aaflac

Posted 25 April 2012 - 02:43 PM

If there is a Smart HDD icon on the Desktop, you can right-click and select: Delete

Also, if there is one in Start > Programs, go ahead and delete it.


Next, please do the following...

Download Malwarebytes' Anti-Malware

Save to the Desktop.

MBAM may make changes to the Registry as part of its disinfection routine.
If using other security programs that detect Registry changes, they may interfere or alert you.
Temporarily disable such programs as shown here, or permit them to allow the changes.

Windows Seven: Right-click and select 'Run as Administrator'

When the installation begins, follow the prompts and do not make any changes to default settings.

Make sure you leave both of these checked:
-Update Malwarebytes' Anti-Malware
-Launch Malwarebytes' Anti-Malware

Click: 'Finish'

MBAM automatically starts and you are asked to update the program.

If an update is found, the program will automatically update itself.
Press the 'OK' button to close that box and continue.


On the 'Scanner' tab:
Make sure the 'Perform Full Scan' option is selected.

Then click on the 'Scan' button.

If asked to select the drives to scan, leave 'all' the drives selected.
Click on the 'Start Scan' button.

The scan may take some time to complete, so please be patient.

When the scan is finished, a message box shows "The scan completed successfully. Click 'Show Results' to display all objects found."

Click 'OK' to close the message box and continue with the removal process.


Back at the main 'Scanner' screen:
Click on the 'Show Results' button to see a list of any malware found.
Make sure that everything is checked, and click: 'Remove Selected'

When removal is completed, a report opens in Notepad.

The log is automatically saved and can be viewed by clicking the 'Logs' tab.

Please copy/paste the entire contents of the >>MBAM report<< in your reply.

Exit MBAM when done.


Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

#9 EmilyMD

Posted 25 April 2012 - 08:34 PM

No malicious items were detected.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Emily :: EMILY-PC [administrator]

4/25/2012 3:27:10 PM
mbam-log-2012-04-25 (15-27-10).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 348576
Time elapsed: 33 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#10 Aaflac

Posted 25 April 2012 - 08:47 PM

In your initial post you mentioned...

1. still getting the cascade of error messages
2. the SMART HDD scan still comes up

Are you still having these problems, or any other malware problems Smart HDD brought about?

#11 EmilyMD

Posted 26 April 2012 - 01:50 PM

I'm not any longer. I was getting them between the first and second time that I ran the RogueKiller and MBAM. I've restarted now and everything seems to be fine. Thank you for your help!

#12 Aaflac

Posted 26 April 2012 - 07:45 PM

To get rid of any remnants that other programs may have not picked up, let's run the ESET Online Scanner:

One more time, please disable your AntiVirus program and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

For information on how to disable protective programs, refer to this link:
http://www.bleepingcomputer.com/forums/topic114351.html


Since you are using Windows Seven to perform this scan, go to the Start button, look for the Internet Explorer browser icon, right-click it and select: 'Run as administrator'

In the IE browser address bar, copy and paste the following 'http' address:
http://www.eset.com/us/online-scanner

Press the ESET Online Scanner button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked/unchecked
  • Click: Scan
  • Wait for the scan to finish...it may take a while.
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan.

Please provide the contents of the ESET Scan in your reply.

#13 EmilyMD

Posted 27 April 2012 - 02:05 PM

Here are the results of the ESET scan:

C:\ProgramData\9nqhpFCTOoYdnv.exe a variant of Win32/Kryptik.AEMR trojan
C:\ProgramData\hjOouWQXnIVMkvP.exe a variant of Win32/Kryptik.AEMR trojan
C:\Users\All Users\9nqhpFCTOoYdnv.exe a variant of Win32/Kryptik.AEMR trojan
C:\Users\All Users\hjOouWQXnIVMkvP.exe a variant of Win32/Kryptik.AEMR trojan
C:\Users\Emily\AppData\Local\Temp\OwPu2PouFg53Y1.exe.tmp a variant of Win32/Kryptik.AEMR trojan
C:\Users\Emily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\48633bb5-350d2dd5 Java/Exploit.Agent.NAX trojan
C:\Users\Emily\Desktop\RK_Quarantine\hjOouWQXnIVMkvP.exe.vir a variant of Win32/Kryptik.AEMR trojan

#14 Aaflac

Posted 27 April 2012 - 02:12 PM

Let's get rid of those entries...

...continue to disable your AntiVirus program and any Security programs.

Please run ESET Online Scan once again...it should take less time, since you already downloaded its definitions.
  • This time make sure the option Remove found threats is ticked.
  • Click: Scan
  • When the threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan 2.

Please provide the contents of ESET Scan 2 in your reply.

#15 EmilyMD

Posted 27 April 2012 - 03:19 PM

Here are the second results:

C:\ProgramData\9nqhpFCTOoYdnv.exe a variant of Win32/Kryptik.AEMR trojan cleaned by deleting - quarantined
C:\ProgramData\hjOouWQXnIVMkvP.exe a variant of Win32/Kryptik.AEMR trojan cleaned by deleting - quarantined
C:\Users\Emily\AppData\Local\Temp\OwPu2PouFg53Y1.exe.tmp a variant of Win32/Kryptik.AEMR trojan cleaned by deleting - quarantined
C:\Users\Emily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\48633bb5-350d2dd5 Java/Exploit.Agent.NAX trojan cleaned by deleting - quarantined
C:\Users\Emily\Desktop\RK_Quarantine\hjOouWQXnIVMkvP.exe.vir a variant of Win32/Kryptik.AEMR trojan cleaned by deleting - quarantined



