Infected with SMART HDD


32 replies to this topic

#1 Cave71

Cave71

  • Members
  • 57 posts

Posted 30 March 2012 - 11:16 PM

Removal Guide for Smart HDD can be found at this link:

Remove Smart HDD (Uninstall Guide)

 

Hi,
I believe our desktop pc was hit by smart hdd yesterday. My nephew was using the pc when it happened and explained that a window popped up and told him to update an audio driver, so he did. Next thing he saw on the screen was "Smart HDD", followed by several screens warning of bad disc errors, etc. and he followed the directions thinking it was being helpful. Once he told me, I ran my AVG antivirus, Spybot S&D (found nothing) and then Malwarebytes, which found and quarantined a file (unfortunately unknown, as I lost the log when I restored the pc). The system was restarted and that is when I noticed files "missing" (actually they were "hidden"). I backed up the few files that I wanted to backup on a usb - and now I think I may have infected my other computer, too (I guess I'll deal with that one next)!! The only way I could access the pc, without it basically locking up after Windows started was in safe mode and even that was reluctant to start. Otherwise I can move my cursor around the screen but cannot open anything. I eventually got fed up with it and just did a system restore to factory settings. I thought that worked but apparently not. My system ran fine for several hours today as I reloaded software and a few files, but once the pc went to sleep, it woke up with the same symptoms as before the restore. I tried to remedy by disabling the system restore, reboot, then turn system restore back on, but the problem still seems to start when the system boots. Finally I ran rkill which found and terminated C:\Windows\syswow64\wbem\wmiprvse.exe, then I ran SuperAntiSpyware which found nothing. Now I am just frustrated :-)

I really have no clue what I am doing - I only know to run the programs which I have done and most of that is simply guess work and I clearly need the help of experts.
This pc is an HP p6745f (i5-2300 @ 2.8GHz), running Windows 7 premium 64 bit, SP1

Can anybody direct me through what is needed to fix this?
Thanks!
Andy

Edited by Grinler, 01 April 2012 - 05:08 PM.
Added removal guide link at the top.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 30 March 2012 - 11:43 PM

Have you followed the steps here?

http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd

#3 Cave71

Posted 31 March 2012 - 12:34 AM

Thanks for replying Grinler! I have followed those steps. Initially I followed the steps only partially. I didn't get to the point of unhiding the folders, since rkill (which stopped one process) and then Malwarebytes scan came back clean, I just assumed something may still be wrong and not to bother going further without help. However, I did go back and have followed through the steps.

I am no longer able to see any of the listed smart hdd files in my folders or associated registry entries etc. from the help page in your link.

After running the unhide program, I followed the directions to replace the missing \AppData\Local\Temp\smtmp\ file. That seemed to work well and I'd say my system appeared to restart normally. But I noticed that my "c:\documents and settings" folder is now locked. Is that normal or is it a problem? I seem to remember it being previously accessible, now I can't get into it. I see several folders that now show a lock icon, but they are not locked... I am able to get into all of the other folders I have tried.


Thanks!

Edited by Cave71, 31 March 2012 - 12:53 AM.


#4 Grinler

Posted 31 March 2012 - 01:09 PM

What folders are showing the lock icon?

#5 Cave71

Posted 31 March 2012 - 05:06 PM

When I ran unhide.exe, last night for the first time (as mentioned in my post above) I got the message "C:\Users\Andy\AppData\Local\Temp\smtmp\ folder does not exist". I ran the http://download.bleepingcomputer.com/grinler/fakehdd/win7-x64-sm-reset.exe and the pc has run well since, at least from what I see.

However, my external drive had been disconnected until today. When I reconnected it, I scanned it with my security programs and it appeared to be okay. But I noticed the lock icons/hidden folders and files on that drive. I ran the unhide.exe again and was able to unhide the items, but I got the same message as last night "smtmp folder does not exist". I followed the "fakehdd/win7-x64-sm-reset.exe" again and rebooted. I did not manually restore any shortcuts. Do I have to do that?

These are where I have locked icons.

C:\$RECYCLE.BIN - able to access

C:\Documents and Settings - cannot access

and my backup/external hard drive:

F:\$AVG - able to access
F:\RECYCLER - able to access
F:\FreeAgentDesktopNext.ico - just an icon, I did not click it

When I open F:\External Drive\ (where my personal backup folders are), out of the 12 backup folders in that directory, 8 folders show locks (I can access them all) and all contained hidden files or folders. I have "un-hidden" the folders and files with unhide.exe, but the lock icons are still there. There is also a lock icon on a "desktop.ini" file in the Ext. drive folder.

Everything does appear to be working well aside from the locked documents and settings folder. The lock icon on the other folders appears to be more "cosmetic", but wondered if maybe there is something more to it...?

#6 Cave71

Posted 01 April 2012 - 12:32 AM

Sorry Grinler, I just noticed that I had missed some additional files with lock icons that I cannot access on my c drive.

If I click Start Menu - Documents (or alternately Libraries\Documents via the sidebar in a folder) I see My Music, My Videos, My Pictures, and shortcut folders of the same names. If I click on any of these, I am notified that "C:\Users\Public\Documents\<folder name> is not accessible"

But, if I navigate directly to my personal folder "Andy" I see no lock icons on folders and am able to access everything including My Music, My Pictures, My Videos with no problem.

Thanks again.

#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 01 April 2012 - 09:14 AM

Open your C drive

On top, click on Organize - Folder and search options

Click on View tab

Check mark these two settings

Don't show hidden files, folders

Hide operating system files


Now everything should look good

good luck

#8 Cave71

Posted 01 April 2012 - 09:24 AM

Thanks narenxp! I wasn't aware that those folders normally hid in that documents folder. It all appears normal again. Thanks so much.

Andy

#9 narenxp

Posted 01 April 2012 - 09:31 AM

You're welcome :thumbsup:

#10 Grinler

Posted 01 April 2012 - 11:42 AM

Just wanted to let you know that I have not forgotten you. Just looking into this for you.

#11 Cave71

Posted 01 April 2012 - 11:52 AM

Thanks Grinler. All does appear to be working well again - after following narenxp's directions, I am not seeing any problems. I am unsure/slightly concerned that there could be something hidden (what smarthdd seems to do) still lurking...?? Thanks again for all the help!!!

#12 Grinler

Posted 01 April 2012 - 11:57 AM

What instructions from NarenXP?

#13 Cave71

Posted 01 April 2012 - 12:02 PM

Post #7 - to "re-hide" those files. But I guess that would not solve the problem of actually accessing "documents and settings" which (if I un-hide the files again), I still cannot access. Sorry for the confusion.

#14 Grinler

Posted 01 April 2012 - 05:42 PM

Ahh, I missed that post from Naren. No worries there. I also updated the Smart HDD guide to reflect the new version that was recently released.

Few questions first. When you were first infected with this, did the program hide all of your files or was this program just starting and giving the fake alerts? Did the programs in your start menu disappear?

If the programs in your start menu did disappear, it's possible that the folder name has changed. Can you look in your temp folder and see if there are any directories that have been created recently, and if one exists, please let me know the name. You can access your temp folder by going to this path:

%Temp%

Just click Start, then Run, and type %Temp% and press Enter.

Also if you, or anyone else who views this thread, has samples of this infection or the urls that you were infected from, please submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=3

As for the locked folders, it's normal for C:\$RECYCLE.BIN and C:\Documents and Settings to be locked. The only reason you are seeing them is because we made them visible after you ran Unhide. You can right-click on them, click on the properties, and put a checkmark in the hidden box. That will hide them again.

As for F:\FreeAgentDesktopNext.ico, that is normal if you have a Seagate FreeAgent external hard drive, which I assume you do.

As narenXP already explained, those locked folders are normal and you are only seeing them because you had enabled the ability to see hidden files. So do not worry about that.

Overall, it sounds like you were able to clean up the infection properly and just got hung up on the repercussions of changing your settings so that you can view hidden files.

Are there any other major concerns you are having?

#15 Cave71

Posted 01 April 2012 - 06:49 PM

I only noticed that the "SmartHDD" had only begun to hide folders on my c drive - I'm not certain if any programs were "hidden". I ran my security scans and when they turned up nothing, I backed up the few files that were on the C drive and did a system reset to factory settings. Luckily 99% of my data and files on my c drive are shortcuts to my external drive, which I disconnected ASAP.

Unfortunately since I stupidly jumped the gun and did that factory reset on my desktop, all of the %temp% items are new (150 items in that folder). Is there a certain file extension for a directory that I could look for that might help?

The only concerns I am having now are with the laptop (that I corrupted when I backed up the files from my desktop c drive folders to a usb!). When I connected the usb to the laptop, I ran every security program I had before opening it and found no problems, so I thought these files were safe. They weren't. Prior to my first post I did a system restore, but not back to factory (as I did with the desktop). I believe SmartHDD is now gone from the laptop, too. It works fine until I shut the lid. After it "sleeps" and I click on any icon, the system freezes. I can move the cursor around the screen, but cannot click on anything. I get a small "swirling circle" (that I normally associate with Windows "working") over my internet access icon in my taskbar. This is a new problem. Could this be caused by SmartHDD or have I possibly messed up another setting?

Thanks!



