SMART HDD virus


33 replies to this topic

#1 jim29

jim29

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 14 April 2012 - 01:18 AM

First, thanks for the help removing SMART HDD. All seems to be back to normal except for one thing.

Second, the one thing that isn't back to normal is: There is a smart hdd icon on my desktop. Is that something I should be concerned with? How do I make it go away?
jim29



#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:43 AM

Posted 15 April 2012 - 11:20 PM

Welcome to BleepingComputer, jim29!

First, thanks for the help removing SMART HDD


This is your first post here, so an Advisor did not help you. Did you use the Uninstall Guide to remove Smart HDD?

If so, those guides are very useful. However, let's make sure Smart HDD is gone by checking what the following short scan shows.

Please download RogueKiller

•When you get to the website, go to where it says:
(Download link) Lien de téléchargement: Posted Image
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•XP: Double-click the program to run it
•Vista/Seven: Right-click and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.

Old duck...


#3 jim29


Posted 18 April 2012 - 09:24 PM

Yes, I did use the uninstall for smart hdd.

Following is the report you asked be copied & pasted:


RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Jim [Admin rights]
Mode: Scan -- Date: 04/18/2012 22:05:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : SaitekInstall ("C:\Windows\temp\Saitek\ProFlight_Cessna_Trim_Wheel_SD7_64_Drivers\00000009\setup.exe" -S3 -R -WEB) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2599459041-3540167798-2434874953-1000[...]\Run : SaitekInstall ("C:\Windows\temp\Saitek\ProFlight_Cessna_Trim_Wheel_SD7_64_Drivers\00000009\setup.exe" -S3 -R -WEB) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-75ZCT2 ATA Device +++++
--- User ---
[MBR] 6f6d10c01ccb6a9805cdcfffdaa84085
[BSP] 1443d842b4cab0996f235e857ef3b6bd : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 223035 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Since my original post I've observed two unusual things occurring.

1. When I open an MS Office Word document, this message comes up: "The command cannot be performed because a dialog box is open. Click o.k. and then close the open dialog box to continue." Upon clicking o.k. in this dialog box, the following dialog box is behind the first: "Word cannot open this document template. (C:\users\jim\appdata\...\~$wiz12s.dotm)". When this box is closed, the document opens up normally and functions normally. This has happened each time I open an MS Office document.

2. On two occasions there has been a small box that flashes on the screen and is gone. It happens too quickly to read anything on it; so quickly I'm not sure there is even anything written on it. It is like a large dialog box or notepad with a black background.

Thanks again for your help.
Jim29
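One way to triage the registry section of the RKreport above, as an added example that is not part of the thread and is not RogueKiller's own logic. The line format is inferred from the report as posted, the temp-directory check is an assumed stand-in for whatever the tool's SUSP PATH tag tests, and the CLSID names are the standard Windows shell values.

```python
import re

# Registry lines copied from the RKreport in the post above (key paths elided as in the report).
REPORT = r'''
[SUSP PATH] HKCU\[...]\Run : SaitekInstall ("C:\Windows\temp\Saitek\ProFlight_Cessna_Trim_Wheel_SD7_64_Drivers\00000009\setup.exe" -S3 -R -WEB) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
'''

# Well-known Windows shell CLSIDs (standard values, not stated in the thread).
SHELL_CLSIDS = {
    "{20d04fe0-3aea-1069-a2d8-08002b30309d}": "Computer",
    "{645ff040-5081-101b-9f08-00aa002f954e}": "Recycle Bin",
    "{59031a47-3f72-44a7-89c5-5595fe6b30ee}": "User's Files",
}

# Assumed layout: [TAG] KEY : NAME (DATA) -> STATUS
LINE = re.compile(r'^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)'
                  r'\s+\((?P<data>.*)\)\s+->\s+(?P<status>\w+)$')
TEMP_DIR = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)

def parse_registry_lines(text):
    """Return one dict per line that matches the assumed report layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Label each entry so a reviewer knows what to look at first."""
    notes = []
    for e in entries:
        data = e["data"]
        if e["key"].endswith("\\Run") and TEMP_DIR.search(data):
            # Autostart command that lives in a temp directory: report the executable.
            exe = data.split('"')[1] if '"' in data else data.split()[0]
            notes.append(("autorun-from-temp", e["name"], exe))
        elif e["name"].lower() in SHELL_CLSIDS:
            # Setting that targets a standard desktop/shell icon.
            notes.append(("shell-icon-setting", SHELL_CLSIDS[e["name"].lower()], e["key"]))
        else:
            notes.append(("review", e["name"], e["key"]))
    return notes

if __name__ == "__main__":
    for note in triage(parse_registry_lines(REPORT)):
        print(note)
```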

#4 Aaflac


Posted 18 April 2012 - 10:07 PM

Please download SystemLook from one of the links below:
Link 1
Link 2

Save the file to the Desktop

  • Right-click SystemLook.exe and select 'Run as Administrator'
  • Copy the content of the following code box into the open textfield:


:folderfind
C:\Program Files\Microsoft Office\Office*\STARTUP
  • Click the Look button to start the scan.
  • When finished, a Notepad window opens with the results of the scan.
    Please post the SystemLook.txt in your reply.

Old duck...


#5 jim29


Posted 19 April 2012 - 07:39 AM

How do I save to the desktop when I don't get that option? Every piece of instruction tells me to do this. However, when I download and the save/run dialog box appears "save to desktop" isn't an option. It always goes to the "downloads" file.
jim29

#6 Aaflac


Posted 19 April 2012 - 08:53 PM

Don't have a Vista machine right now, but, is this what your Save as prompt looks like:

Posted Image

[Image replaced.]

If so, in the Save in... area, click the down arrow (triangle) to the right, and select the Desktop.

If this is what you see, the same applies:

Posted Image

You should have the down arrow to select where you want a file saved.

If the above is not the case, please take a snapshot of the Save prompt on your computer screen, as follows:

  • To capture the desired window, hold the 'Alt' key and press the 'Print Screen' key (often just labeled 'Prt Sc') on your keyboard.
  • Open an image editing application such as the MS Paint program under Start > Accessories
  • Select Paste to place the captured image into MS Paint.
  • In MS Paint, go to File > Save
  • Save the image to the Desktop, with File name: name x
  • Save as Type: JPEG
  • Below the area where you post a reply, look for: Additional Options
  • Press: Manage Attachments
  • Click the Browse button, and locate the file on your Desktop
  • Select: name x.jpg
  • When it appears in the Browse area, click: Upload
  • Close out of the Manage Attachments prompt
  • Now, select: Add Reply as you normally would when posting.

Edited by Aaflac, 19 April 2012 - 11:19 PM.

Old duck...


#7 jim29


Posted 19 April 2012 - 10:09 PM

O.k. I figured out how to save to desktop. I'd take a snapshot of that to share with you so it might help you help others, but I can't find MS Paint. I'll put the process at the end of this message.

Following is the report of the systemlook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:43 on 19/04/2012 by Jim
Administrator - Elevation successful

========== folderfind ==========

Searching for "C:\Program Files\Microsoft Office\Office*\STARTUP"
No folders found.

-= EOF =-

Here are the steps I took to save to the desktop:
1. Choose download and I get a dialog box at the bottom on the screen with run, save and cancel buttons. The save button has the dropdown arrow.
2. When you click on the save button the options are save, save options, and save and run.
3. Click save options and there's a save dialog box similar to the one you pictured. At that point it's just a matter of choosing where to save and clicking save.

jim29

#8 Aaflac


Posted 19 April 2012 - 11:23 PM

Thanks for the info.

Tried using a wild symbol searching the following, but, it did not work
C:\Program Files\Microsoft Office\Office*\STARTUP

Please do a search, and see if you can find the following:

C:\Program Files\Microsoft Office\Office12\STARTUP

Edited by Aaflac, 19 April 2012 - 11:25 PM.

Old duck...


#9 jim29


Posted 20 April 2012 - 11:03 AM

Didn't find it.

1. Clicked on the start icon.
2. Pasted the info you gave into the search box.
3. Result: No items match your search.

#10 Aaflac


Posted 20 April 2012 - 04:56 PM

Let's try this one...

Go back to Post #4, and in SystemLook...
Copy the content of the following code box into the open textfield:

:filefind
C:\users\jim\appdata\*\~$wiz12s.dotm

  • Click the Look button to start the scan.
  • When finished, a Notepad window opens with the results of the scan.

    Please post the SystemLook.txt in your reply.

Old duck...


#11 jim29


Posted 20 April 2012 - 10:04 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 23:00 on 20/04/2012 by Jim
Administrator - Elevation successful

========== filefind ==========

Searching for "C:\users\jim\appdata\*\~$wiz12s.dotm"
No files found.

-= EOF =-

#12 Aaflac


Posted 21 April 2012 - 09:33 PM

On the Smart HDD icon on the Desktop, you can right-click and select: Delete

Also, see if there is one in Start > Programs. If so, go ahead and delete it.


On the "small box that flashes on the screen..."
If you followed the Remove Smart HDD (Uninstall Guide), and installed Malwarebytes' Anti-Malware, please run it once again. MBAM opens a scan log and displays it on the Desktop, or you can obtain the log by clicking the Logs tab.

Please provide the contents of the MBAM report in your reply.



On the Word issue, we are batting zero.

The Business Applications forum may be able to help you on that one better than I can. I do not have WORD installed, and can't search for files or folders related to the program.

However, you may also want to try the following Microsoft guidance on the issue:
http://support.microsoft.com/kb/827732
http://support.microsoft.com/kb/891986

Old duck...


#13 jim29


Posted 23 April 2012 - 02:20 PM

1. Deleted desktop SMART HDD icon and two from the start>programs. All that remains on start>programs is UNINSTALL SMART HDD. Should I delete that too or leave it? I presume that is connected to what I downloaded from bleepingcomputer to remove SMART HDD.

2. Ran quick scan. Report follows:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.07

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Jim :: JIM-PC [administrator]

Protection: Enabled

4/23/2012 2:27:17 PM
mbam-log-2012-04-23 (14-27-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 265509
Time elapsed: 46 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 Aaflac


Posted 23 April 2012 - 06:38 PM

During the installation SMART HDD copies the following file to the hard drive:
%UserProfile%\Start Menu\Programs\SMART HDD\Uninstall SMART HDD.lnk

You can remove it also.


Now, let's go one more step...

Please download the latest version of: TDSSKiller.exe
If you previously downloaded the program, please remove, and download this version.
Save to the Desktop.

Execute the downloaded file:
Windows Vista: Right-click the file and select 'Run as Administrator'

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box beside: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection.
Please reboot!!


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system,
normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_22.04.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also need to know whether TDSSKiller needed a reboot.

Old duck...


#15 jim29


Posted 25 April 2012 - 02:27 PM

You said,

If you previously downloaded the program, please remove, and download this version.
Save to the Desktop.

When I search for tdsskiller, it shows up under "files". Do I simply right click tdsskiller and select "delete" or do I need to uninstall tdsskiller? If uninstall, how do I do that?



