Infected with S.M.A.R.T. virus


7 replies to this topic

#1 themoorefive

  • Members
  • 4 posts

Posted 02 July 2012 - 09:12 AM

Hello, I am running a PC with Windows 7. It is infected with the S.M.A.R.T. virus. I have already tried starting the computer in "safe mode with networking" and running Malwarebytes. I ran Malwarebytes again this morning (running in normal mode, for the third time) and it found more items which I instructed it to delete. We also scanned the computer with McAfee and removed anything it found. Whenever I log into my son's user account it still gets a ton of "write error" messages.

What should I do next?

Thanks.

#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 July 2012 - 11:34 AM

Boot into safe mode with networking.

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

Download ESET Online Scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan completes, click on "LIST of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

#3 themoorefive

  • Topic Starter
  • Members
  • 4 posts

Posted 02 July 2012 - 02:51 PM

Thanks. I ran TDSSkiller. It scanned about 450 files and said it found no threats. Log was blank.

I ran aswMBR. Here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-02 12:31:36
-----------------------------
12:31:36.194 OS Version: Windows x64 6.1.7601 Service Pack 1
12:31:36.194 Number of processors: 4 586 0x170A
12:31:36.194 ComputerName: MOORE-PC UserName: Moore
12:31:38.209 Initialize success
12:32:35.426 AVAST engine defs: 12070201
12:32:43.872 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:32:43.875 Disk 0 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610480MB BusType: 3
12:32:43.905 Disk 0 MBR read successfully
12:32:43.912 Disk 0 MBR scan
12:32:43.916 Disk 0 Windows 7 default MBR code
12:32:43.919 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
12:32:43.931 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9918 MB offset 112640
12:32:43.943 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 600497 MB offset 20424704
12:32:43.958 Disk 0 scanning C:\Windows\system32\drivers
12:32:56.718 Service scanning
12:33:22.278 Modules scanning
12:33:22.291 Disk 0 trace - called modules:
12:33:22.311 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:33:22.317 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800627b060]
12:33:22.324 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa8005bbd520]
12:33:22.331 5 ACPI.sys[fffff88000f337a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8005bbf060]
12:33:24.094 AVAST engine scan C:\Windows
12:33:28.042 AVAST engine scan C:\Windows\system32
12:35:11.507 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:35:14.366 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:36:29.094 AVAST engine scan C:\Windows\system32\drivers
12:36:41.560 AVAST engine scan C:\Users\Moore
12:37:30.624 File: C:\Users\Moore\AppData\Local\Temp\azmsjrllndsbpr.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:30.924 File: C:\Users\Moore\AppData\Local\Temp\gwtlvigrjescwsh.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:31.961 File: C:\Users\Moore\AppData\Local\Temp\jyvqvyshixxg.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:34.041 File: C:\Users\Moore\AppData\Local\Temp\lzfbotyonkroojyvfr.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:40.155 File: C:\Users\Moore\AppData\Local\Temp\xctngvykqjlrltuv.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:40.301 File: C:\Users\Moore\AppData\Local\Temp\zfguvbsoiblghw.exe **INFECTED** Win32:Dropper-gen [Drp]
12:41:01.077 AVAST engine scan C:\ProgramData
12:49:34.113 Scan finished successfully
12:51:05.408 Disk 0 MBR has been saved successfully to "C:\Users\Moore\Documents\MBR.dat"
12:51:05.415 The log file has been saved successfully to "C:\Users\Moore\Documents\aswMBR.txt"


I ran ESET. Here is the log:

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\StartNow Toolbar\Reactivate.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\DnsBHO.dll probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\IEBHO.dll probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll Win64/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngr.dll Win64/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngrUI.exe Win64/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\DnsBHO.dll Win64/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\IEBHO.dll Win64/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\ProgramData\GPgFTxz72s5YQk.exe Win32/Adware.HDDRescue.AB application cleaned by deleting - quarantined
C:\ProgramData\yCSQeOBFEShetj.exe Win32/TrojanDownloader.Prodatect.BL trojan cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Cameron\AppData\Local\Temp\2D3D.tmp a variant of Win32/Kryptik.AHTB trojan cleaned by deleting - quarantined
C:\Users\Cameron\AppData\Local\Temp\nzvHWBZsJjkb1J.exe.tmp Win32/TrojanDownloader.Prodatect.BL trojan cleaned by deleting - quarantined
C:\Users\Cameron\AppData\Local\Temp\ICReinstall\cnet2_MangaStudioEXWinDemo_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\Cameron\AppData\Local\Temp\is324156961\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Cameron\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\UninstallToolbar.exe Win32/Somoto application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Local\Google\Chrome\User Data\Default\Extensions\maopdgeieiiiifooolcjjfmjdlkmhfdh\nplptl.dll a variant of Win32/Adware.Gamevance.BH application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Local\Temp\PageRage-SilentInstaller.exe probably a variant of Win32/Adware.CXFGDII application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Local\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Local\Temp\YontooSetup-Silent.exe probably a variant of Win32/Adware.NHJKXFY application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll a variant of Win32/Adware.Gamevance.BR application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf2.dll a variant of Win32/Adware.Gamevance.BR application cleaned by deleting - quarantined
C:\Users\Jay\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf3.dll a variant of Win32/Adware.Gamevance.BR application cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\azmsjrllndsbpr.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\gwtlvigrjescwsh.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\jyvqvyshixxg.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\lzfbotyonkroojyvfr.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\xctngvykqjlrltuv.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\zfguvbsoiblghw.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Windows\Installer\{b4070363-109f-c2f2-0ec1-1b8f875f0e10}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{b4070363-109f-c2f2-0ec1-1b8f875f0e10}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
C:\Windows\Temp\TBU001\ToolbarUpdate.exe Win32/Toolbar.Zugo application cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 July 2012 - 09:14 PM

Download BlitzBlank.

Launch it, copy this script and paste it into the script tab:

DeleteFile:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Click on Execute; the system will reboot now.

Post the new aswMBR log after the reboot.

#5 themoorefive

  • Topic Starter
  • Members
  • 4 posts

Posted 03 July 2012 - 08:41 AM

Is the new aswMBR log generated by BlitzBlank, or do I run aswMBR again?

I ran BlitzBlank as instructed. When it rebooted I got messages to the effect of:

Move file on reboot (listing the two deleted files)
Replace with dummy=0

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 03 July 2012 - 09:27 AM

You have to run aswMBR again to get the log.

#7 themoorefive

  • Topic Starter
  • Members
  • 4 posts

Posted 03 July 2012 - 03:51 PM

I thought I already posted this. Here is the new aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-03 12:45:43
-----------------------------
12:45:43.299 OS Version: Windows x64 6.1.7601 Service Pack 1
12:45:43.299 Number of processors: 4 586 0x170A
12:45:43.314 ComputerName: MOORE-PC UserName: Moore
12:45:45.623 Initialize success
12:45:49.570 AVAST engine defs: 12070201
12:45:53.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:45:53.891 Disk 0 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610480MB BusType: 3
12:45:53.907 Disk 0 MBR read successfully
12:45:53.907 Disk 0 MBR scan
12:45:53.922 Disk 0 Windows 7 default MBR code
12:45:53.922 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
12:45:53.938 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9918 MB offset 112640
12:45:53.953 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 600497 MB offset 20424704
12:45:53.985 Disk 0 scanning C:\Windows\system32\drivers
12:46:09.772 Service scanning
12:46:33.921 Modules scanning
12:46:33.921 Disk 0 trace - called modules:
12:46:33.936 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:46:33.952 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800627b060]
12:46:33.952 3 CLASSPNP.SYS[fffff8800166c43f] -> nt!IofCallDriver -> [0xfffffa8005bb0520]
12:46:33.952 5 ACPI.sys[fffff88000e1a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8005bb8060]
12:46:36.510 AVAST engine scan C:\Windows
12:46:48.600 AVAST engine scan C:\Windows\system32
12:48:25.570 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:48:28.128 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:49:39.431 AVAST engine scan C:\Windows\system32\drivers
12:49:51.927 AVAST engine scan C:\Users\Moore
13:06:19.231 AVAST engine scan C:\ProgramData
13:21:46.653 Scan finished successfully
13:35:39.039 Disk 0 MBR has been saved successfully to "C:\Users\Moore\Documents\MBR.dat"
13:35:39.039 The log file has been saved successfully to "C:\Users\Moore\Documents\aswMBR2.txt"
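
The two aswMBR logs in this thread (posts #3 and #7) and the ESET list in post #3 are the raw material a helper works from, and comparing them by eye is error-prone. The Python below is an added example, not code from the thread and not avast's or ESET's own tooling: it parses the line formats exactly as they appear above, tallies the ESET results by category and by malware family, lists ESET entries for which no cleaning action was logged, and diffs two aswMBR runs to report detections that survived whatever was attempted between them. The sample lines are constructed by abridging the logs posted above; the treatment of avast's [Rtk] tag as the rootkit-class marker is the one piece of engine knowledge assumed here.

```python
"""Triage of aswMBR and ESET Online Scanner logs (added example, not from the thread)."""
import re
from collections import Counter

# aswMBR hit:  "HH:MM:SS.mmm File: <path> **INFECTED** <engine-name> [<tag>]"
ASWMBR_HIT = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<name>\S+)(?: \[(?P<tag>[^\]]+)\])?$"
)
# aswMBR prints this when the boot sector still carries the stock Windows loader.
ASWMBR_MBR_OK = re.compile(r"^\S+ Disk \d+ Windows \S+ default MBR code$")
# ESET line:  "<path> [probably ][a variant of ]Win32/Name.Var <application|trojan> [<action>]"
ESET_LINE = re.compile(
    r"^(?P<path>.+?) (?P<name>(?:probably )?(?:a variant of )?Win(?:32|64)/\S+) "
    r"(?P<kind>application|trojan)(?: (?P<action>.+))?$"
)
VARIANT_SUFFIX = re.compile(r"\.[A-Z]{1,4}$")  # strips ".A", ".BL", ".AHTB" style variant letters


def parse_aswmbr(text):
    """Return {'mbr_default': bool, 'hits': [{'path', 'name', 'tag'}, ...]}."""
    result = {"mbr_default": False, "hits": []}
    for line in text.splitlines():
        if ASWMBR_MBR_OK.match(line):
            result["mbr_default"] = True
        m = ASWMBR_HIT.match(line)
        if m:
            result["hits"].append(m.groupdict())
    return result


def persistent_hits(run_before, run_after):
    """Paths flagged in both runs: whatever was tried between them did not stick."""
    before = {h["path"] for h in run_before["hits"]}
    after = {h["path"] for h in run_after["hits"]}
    return sorted(before & after)


def rootkit_hits(run):
    """aswMBR hits carrying avast's [Rtk] tag (assumed here to mean rootkit-class)."""
    return [h["path"] for h in run["hits"] if h["tag"] == "Rtk"]


def parse_eset(text):
    """One dict per ESET result line; 'action' is None when no action was logged."""
    return [m.groupdict() for m in map(ESET_LINE.match, text.splitlines()) if m]


def family(name):
    """'probably a variant of Win32/Toolbar.SearchSuite' -> 'Toolbar.SearchSuite'."""
    return VARIANT_SUFFIX.sub("", name.split("/", 1)[1])


def summarize_eset(entries):
    """Counts by ESET category and by family, plus entries with no cleaning action."""
    return {
        "by_kind": Counter(e["kind"] for e in entries),
        "families": Counter(family(e["name"]) for e in entries),
        "unresolved": [e["path"] for e in entries if e["action"] is None],
    }


# Constructed sample input: abridged from the logs posted in this thread.
ASWMBR_RUN1 = r"""
12:32:43.916 Disk 0 Windows 7 default MBR code
12:35:11.507 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:35:14.366 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:37:30.624 File: C:\Users\Moore\AppData\Local\Temp\azmsjrllndsbpr.exe **INFECTED** Win32:Dropper-gen [Drp]
12:37:30.924 File: C:\Users\Moore\AppData\Local\Temp\gwtlvigrjescwsh.exe **INFECTED** Win32:Dropper-gen [Drp]
"""
ASWMBR_RUN2 = r"""
12:45:53.922 Disk 0 Windows 7 default MBR code
12:48:25.570 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
12:48:28.128 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
"""
ESET_LOG = r"""
C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\DnsBHO.dll probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\ProgramData\GPgFTxz72s5YQk.exe Win32/Adware.HDDRescue.AB application cleaned by deleting - quarantined
C:\ProgramData\yCSQeOBFEShetj.exe Win32/TrojanDownloader.Prodatect.BL trojan cleaned by deleting - quarantined
C:\Users\Moore\AppData\Local\Temp\azmsjrllndsbpr.exe Win32/TrojanDownloader.Wauchos.A trojan cleaned by deleting - quarantined
C:\Windows\Installer\{b4070363-109f-c2f2-0ec1-1b8f875f0e10}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{b4070363-109f-c2f2-0ec1-1b8f875f0e10}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan
"""

if __name__ == "__main__":
    before, after = parse_aswmbr(ASWMBR_RUN1), parse_aswmbr(ASWMBR_RUN2)
    print("stock MBR code in both runs:", before["mbr_default"] and after["mbr_default"])
    print("survived the removal attempt:", persistent_hits(before, after))
    summary = summarize_eset(parse_eset(ESET_LOG))
    print("ESET by kind:", dict(summary["by_kind"]))
    print("ESET families:", dict(summary["families"]))
    print("no cleaning action logged:", summary["unresolved"])
```

Run on the two logs here it reports the MBR code as stock in both runs, the two GAC Desktop.ini files as still flagged after the BlitzBlank deletion script, and the in-memory Sirefef.EZ entry as the one ESET result without a cleaning action, which is the same picture the second aswMBR log shows by itself.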

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 03 July 2012 - 04:17 PM

We need advanced tools to remove this

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck



