S.M.A.R.T. HDD virus


This topic is locked.
31 replies to this topic

#1 Mike Derbyshire


Posted 11 April 2012 - 04:22 PM

Last weekend I discovered that my laptop (Toshiba with Windows 7 Home Premium) was infected with the SMART HDD virus/malware. I got the valid-looking screen pop-up, warning dialogs, missing desktop & program items, etc., etc., etc. I've run into these types of infections at work before, so I at least knew enough not to actually try purchasing the "registered version". I have the latest subscription to Norton 360, which, as I now understand it, isn't necessarily set up to catch certain kinds of malware.

When I realized I'd been infected, I immediately took to the search engines (tried Google, but of course everything was being re-directed) to look for a solution. So, in my searching, I saw several articles recommending that I download and run Malwarebytes anti-malware program. I did this. I also found an article on this site with directions including the unhide.exe file/program. After I ran a full system scan with Malwarebytes and ran the unhide application, things seemed to look better. Some, but not all, of my files were visible again. I could get to my pictures, documents and some of my programs (Norton was not one of them). Then I attempted a restart. That's where things took a down-turn. When the computer was coming back up, before the Microsoft logo swirl, a message came on the screen indicating that there was a failure in the start up. It gave me the option to automatically fix the error (recommended) or to start normally. I selected the fix. It ran for several minutes, restarted and then the same message came back. I selected the normal start and it didn't make it past the logo swirl before restarting.

I've gotten to a diagnostic dialog after going through the start-up auto-fix-failure messages. This dialog offers resetting to an earlier, functional setup, boot from a disc, reset from a backup and reimaging. I don't have a backup (I know... stupid...) and I can't find the software discs that came with the computer, so I tried resetting from earlier setups. All to no avail.

I tried to use the F8 method, mentioned in the article here, to get to the safe-mode start. That didn't get me any further than the logo swirl...

What all of that means is that I can't get to where I can copy-paste the log files that your site is asking for!

Obviously, I really, REALLY don't want to reimage the computer which would wipe out all of my programs and data. Any help would be GREATLY appreciated!!



#2 Elise


Posted 13 April 2012 - 03:28 AM

Hello and welcome to BleepingComputer!

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 07:59 AM

The blue screen prompt:

Technical Information:
*** STOP: 0x0000007B (0xFFFFF880009A9928, 0xFFFFFFFFC000000D, 0x0000000000000000, 0x0000000000000000)


I don't know if it'll help, but here is a picture of the blue screen...
Attached file: Blue Screen.JPG (241.95 KB)

THANKS FOR YOUR HELP!!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:04 PM

Posted 13 April 2012 - 08:46 AM

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


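
As an added example, not part of this thread and not code from xPUD or BleepingComputer, here is a small Python triage script for the mbr.bin dump produced by the dd command above. It checks the 0x55AA boot signature, parses the four partition entries (flagging an empty table, bad boot indicators or overlapping entries) and applies a heuristic for replaced boot code; the sample MBRs it builds are constructed, not real disk images.

```python
import struct

MBR_SIZE, TABLE_OFF, ENTRY_SIZE = 512, 446, 16
# Strings present in the stock Microsoft MBR boot code; bootkits that replace
# the code usually drop them (heuristic only, not proof either way).
STOCK_STRINGS = (b"Invalid partition table", b"Missing operating system")

def parse_partitions(mbr):
    """Return the four primary entries as (boot_flag, type, lba_start, sectors)."""
    return [struct.unpack_from("<B3xB3xII", mbr, TABLE_OFF + i * ENTRY_SIZE)
            for i in range(4)]

def triage_mbr(mbr):
    """Return a list of findings; an empty list means the MBR passes these checks."""
    if len(mbr) != MBR_SIZE:
        return ["dump is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    findings = []
    if mbr[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not any(s in mbr[:TABLE_OFF] for s in STOCK_STRINGS):
        findings.append("boot code lacks stock Windows strings (possibly replaced)")
    entries = parse_partitions(mbr)
    used = [e for e in entries if e[1] != 0]          # type 0x00 = unused slot
    if not used:
        findings.append("partition table is empty (corrupt or wiped)")
    if any(e[0] not in (0x00, 0x80) for e in entries):
        findings.append("invalid boot indicator in partition entry")
    elif used and not any(e[0] == 0x80 for e in used):
        findings.append("no partition marked active")
    spans = sorted((e[2], e[2] + e[3]) for e in used)  # (first LBA, end LBA)
    if any(b[0] < a[1] for a, b in zip(spans, spans[1:])):
        findings.append("overlapping partition entries")
    return findings

def build_sample(healthy):
    """Constructed sample MBR (assumption: not a real disk image) for demonstration."""
    code = b"\xfa\x33\xc0" + b"".join(STOCK_STRINGS) if healthy else b"\x90" * 32
    mbr = bytearray(code.ljust(TABLE_OFF, b"\x00"))
    if healthy:
        # one active NTFS (0x07) partition starting at LBA 2048, 100 GiB of sectors
        mbr += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 209715200)
    mbr = mbr.ljust(510, b"\x00") + b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. python triage.py mbr.bin
    data = open(path, "rb").read() if path else build_sample(healthy=False)
    print("\n".join(triage_mbr(data)) or "no findings")
```

Run it against the real mbr.bin to get a quick read before asking for help; a wiped table plus missing stock strings is the pattern the thread goes on to describe.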


#5 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 10:14 AM

    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB


There were no files in the mnt folder... :-(

Wait... Never mind. Guess I didn't have the USB plugged in all the way (?)
Anyway, here is the mbr.zip.
Attached file: mbr.zip (498 bytes)

Edited by Mike Derbyshire, 13 April 2012 - 10:48 AM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:04 PM

Posted 13 April 2012 - 11:47 AM

That looks like both a corrupt partition table and an infected MBR. Let's first take care of the rootkit.

Right click the following download link and select "save link/target as": xPUD_MBRfix
Save the file to your USB drive.
  • Boot the ailing computer to xPUD
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double click on xPUD_MBRfix to execute the script
  • When asked "what boot code do you want to write?" type 7 for Windows 7 boot code and press enter.
  • When asked "to which one do you want to write a new mbr?" type sda and press enter.
  • Type y and press enter to confirm your choices.
  • Press enter to close the window.
  • Upon finishing, its actions will produce a report (mlog.txt)
  • Post that report in your next reply

Try to reboot normally and let me know if that works (if not it is quite likely caused by the partition problem).
In that case, download xPUDtd and save it to a USB drive. (If the download opens in a separate tab, right-click the link and select Save Link/Target As.)
  • Remove the USB & xPUD CD and insert them in the sick computer
  • Boot the Sick computer with the xPUD CD
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double-click on xPUDtd to extract and run it.
The first screen will present log options - press Enter to continue.

Posted Image

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Posted Image

Select [Intel] partition and press Enter to continue.

Posted Image

Select [Analyse] and press Enter to continue.

Posted Image

Select Quick Search and press Enter.

If you receive a warning, select continue and press Enter.

At the following screen please see if the correct partition structure is displayed (meaning that Testdisk should show you the right sizes of partitions you know you have on disk). If you are not sure just quit at this point and post me the Testdisk log created on your USB drive.

Press Q repeatedly until TestDisk exits and post the log.

regards, Elise




#7 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 12:01 PM

Ok. It didn't boot properly. Moving on to your other instructions.
mlog file:
Attached file: mlog.txt (504 bytes)

#8 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 12:10 PM

The TestDisk is only seeing my USB drive...

Also, just to let you know, in the mnt directory the only thing showing up is sda1 (USB).

Edited by Mike Derbyshire, 13 April 2012 - 12:17 PM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:04 PM

Posted 13 April 2012 - 12:27 PM

Testdisk is disappointing me. :wink:

In that case, let's just do it manually. For that I need a new MBR dump though. Please repeat the steps in post #4 of this topic and post me the new mbr.zip file.

regards, Elise




#10 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 01:37 PM

    Testdisk is disappointing me. :wink:

    In that case, let's just do it manually. For that I need a new MBR dump though. Please repeat the steps in post #4 of this topic and post me the new mbr.zip file.


New mbr.bin:
Attached file: mbr.zip (544 bytes)

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:04 PM

Posted 13 April 2012 - 01:43 PM

Sorry, looks like that is the flash drive's MBR, which is not used anyway.

Can you tell me exactly how far your computer boots when you turn it on?

regards, Elise




#12 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 02:22 PM

Without going into the F8 or F12 prompts, a Windows Error Recovery screen comes up before the Windows 'swirl'. This screen gives the options to "Launch Startup Repair (recommended)" and "Start Windows Normally". If I try to start normally, the 'swirl' starts and then the computer restarts. Using the "Repair" brings up a Startup Repair dialog, which does a scan and says "Windows cannot repair this computer automatically", with options to send information about this problem to Microsoft or not.

The problem details are:
Problem signature:
Problem Event Name: StartupRepairOffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200984
Problem Signature 05: AutoFailover
Problem Signature 06: 8
Problem Signature 07: NoRootCause
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033

When that dialog finishes out, a secondary dialog is present with options to:
View diagnostic and repair details
View advanced options for system recovery and support


The System Recovery Options are:
Startup Repair
System Restore
System Image Recovery
Windows Memory Diagnostic
Command Prompt
Toshiba Recovery Wizard


The Startup repair doesn't work, none of the earlier versions in the system restore work, I don't have an image that I created earlier and the Recovery Wizard will wipe the computer entirely (which I want to avoid, if at all possible). I haven't tried the Memory Diagnostic or the command prompt.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:04 PM

Posted 13 April 2012 - 02:28 PM

Are you using drive encryption?

regards, Elise




#14 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 02:29 PM

I can only guess what drive encryption is, so no, I don't think so...

#15 Mike Derbyshire

Mike Derbyshire
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Natchez, MS
  • Local time:05:04 AM

Posted 13 April 2012 - 02:31 PM

Running the Memory Diagnostic now. 46% complete. Figured it couldn't hurt (could it?)



