S.M.A.R.T. Repair Virus


7 replies to this topic

#1 dlmuxlow

Posted 11 July 2012 - 04:45 PM

Hello,

I have a laptop that runs XP Professional with SP3. I have been infected with the S.M.A.R.T. Repair virus. When running my computer in regular mode, the virus hides my desktop folders as well as all programs from the start button.

To eliminate the virus, I tried launching my computer in Safe Mode and tried running Malwarebytes. The virus appears to block my access to the Internet as my computer does not demonstrate having networking capabilities. As such, I can't get Malwarebytes to get the latest patches.

Would appreciate someone's help in ridding my computer of this virus.

Thanks,

David

#2 dacholiday

Posted 11 July 2012 - 06:40 PM

I had the same virus. I did manage to get rid of the virus using SUPERAntiSpyware, but I am now here trying to get back all my icons and shortcuts.

#3 narenxp

Posted 11 July 2012 - 07:29 PM

Boot into Safe Mode with Networking, not plain Safe Mode.

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

Download ESET online scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on "LIST of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

Press the Windows+R keys, type %temp% and click OK.

Copy the SMTMP folder to a safe location.

#4 boopme

Posted 11 July 2012 - 07:34 PM

Hello, you guys need to do it this way..
DO NOT run a Temp file cleaner.

Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

>>>>

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.


>>>>

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


>>>>>

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done, click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.



It would not harm anything to run SAS too.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.




Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 dlmuxlow

Posted 15 July 2012 - 12:06 AM

Alright, I seem to have gotten rid of the S.M.A.R.T. Repair virus, but another virus or possibly the remnant of the S.M.A.R.T. virus is still plaguing my system.

I am familiar with launching my computer in Safe Mode, but I haven't needed to do it on this system before. When I did, I got the following options:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

I clicked on "Safe Mode With Networking"

It then asked: "Please select the operating system to start:"

I haven't seen this before, but then like I said, I haven't needed to launch this computer in Safe Mode before. I have on my other systems a number of times.

Anyhow, it gave me the options:

Microsoft Windows Recovery Console
do not select this [dbugger enabled]
Microsoft Windows XP Professional

I clicked on "Microsoft Windows XP Professional" and hit return.

I then got a message saying: To proceed to work in safe mode, click Yes. If you prefer to use System Restore to restore your computer a previous state, click No.

The problem is that I didn't get networking capabilities when I finished. Thus, all the programs you asked me to run, I downloaded on another system that runs Vista and used a thumb drive to transfer them.

I was able to run Rkill, Unhide, Malwarebytes, and SuperAntiSpyware all fine. They caught a number of the "Trojan" files and quarantined them. I then proceeded to delete them. However, I was never able to get TDSSKiller to run. I tried changing the name and the file extension as recommended and none of these efforts worked.

I thought my system was fine, but then started using my IE8 to web surf and have discovered that it is corrupted.

Here are the symptoms:

1) The tool bar is missing. I have searched on Google to fix this, but none of the general fixes from the Microsoft site or other sites work.
2) When I do a Google search and click on a link, it redirects me to another page. This is how I know that IE is definitely infected. This happened to me a few years back on another computer and I was able to fix it pretty easily with Malwarebytes. Not this time.
3) IE is incredibly slow. When I click to open it and click to go to a web page like Google it takes forever.
4) It won't let me click on a link for TDSSKiller. I can do it fine on my XPS system, but not on my infected Latitude.
5) When I am doing searches, I begin to hear audio like a video is playing, but none of the open windows is displaying a video.

I think it may have something to do with "AXWIN Frame Window"? When I try closing my computer I get an error window saying "End Program - AXWIN Frame Window".

Any additional help would be greatly appreciated. You guys are great and I really appreciate your help.

#6 boopme

Posted 15 July 2012 - 05:14 PM

Hello, is it only the toolbar? You do have icons..

You did it right, but it appears you still have malware.

Let us see if we can get Safe mode to run.
Vista users may need to save it to the desktop first, then right-click the icon and choose "Run as Administrator".

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode with Networking.


Now try TDSS and SAS again. If no safe mode, then try them in Normal.

Post the MBAM log also please.

#7 dlmuxlow

Posted 16 July 2012 - 07:14 PM

Regarding the toolbar:

1) I don't have the drop downs "File, Edit, View, Favorites, Tools and Help" that run directly below the tab/address bar.

2) I have icons, but they are laid out incorrectly. Also, where there are the down-pointing arrows next to "Page, Safety and Tools", these words don't appear, just the arrows. Additionally, the drop downs associated with the arrows don't work.

------------------------------------------------------------------------

As for your instructions:

When I run RKill (either in Safe Mode or Regular Mode) I now am getting a pop up error message that tells me that installation failed. RKill will eventually run, but never seems to find anything to shut down.

On one occasion it did shut down the following:

C:\WINDOWS\System32\wuaclt.exe

I ran SafeBootKeyRepair.exe. It does not fix the problem of allowing me to access the Internet in safe mode. Just as a reminder the machine runs XP Professional. I have a Vista 64 system and on this system I have never had a problem running Safe Mode with Networking.

In Safe Mode with Networking, when I click on my web browser, it comes up blank. I tried both IE8 and Google Chrome with no luck. When using Google Chrome, I got the message: "This webpage is not available".

Under "More information on this error" it states:

Error 105 (net::ERR_NAME_NOT_RESOLVED): The server could not be found.

Though it has no problem finding the server in regular mode.

Regarding TDSS: it won't run in either Safe Mode or regular mode. I have repeatedly tried to change the name and the extension to .com and nothing.

I have run SAS and MBAM in both Safe and Regular mode 2-3 times each after running RKill. Neither catches the menacing virus. Below are posted 2 MBAM logs. One is an earlier post that seemed to catch some items. However, the last couple of times I have run it, it shows nothing.

------------------------------------------------------------------------

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Sean :: DLAPERLE [administrator]

Protection: Disabled

7/11/2012 3:09:40 PM
mbam-log-2012-07-11 (15-09-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191906
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.16.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sean :: DLAPERLE [administrator]

7/15/2012 6:28:49 PM
mbam-log-2012-07-15 (18-28-49).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256120
Time elapsed: 1 hour(s), 35 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

------------------------------------------------------------------------

I am thinking of reformatting my computer. The catch is I don't have a CD drive on this system as it is a 14 inch that does come with one. I also don't own an external CD drive. I guess I need to buy one? I don't suspect there is a way to do this online if you have the CD. While I would prefer to not reformat my operating system, I am beginning to think this virus has won. Thoughts?

Edited by dlmuxlow, 16 July 2012 - 07:29 PM.
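
Added example (not part of the posts above and not Malwarebytes code): a small parser for scan logs laid out like the two MBAM logs in this post. It lists which detections were acted on and flags a paste where a section's declared count does not match the entries present. The sample log is constructed and abbreviated from the layout shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the log layout shown in the post above.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Database version: v2012.04.04.08

Scan type: Quick scan
Objects scanned: 191906

Memory Processes Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Files Detected: 0
(No malicious items detected)

(end)
"""

# "<Section name> Detected: <count>" opens each result section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<target> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>"
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$"
)

def parse_mbam_log(text):
    """Return {section name: {"declared": int, "items": [dict, ...]}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = {"declared": int(header["count"]), "items": []}
            sections[header["name"]] = current
            continue
        # Skip preamble, blank lines, "(No malicious items detected)" and "(end)".
        if current is None or not line or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            current["items"].append(item.groupdict())
    return sections

def summarize(sections):
    """Count parsed entries, name the detections, flag count mismatches."""
    mismatched = [n for n, s in sections.items() if s["declared"] != len(s["items"])]
    total = sum(len(s["items"]) for s in sections.values())
    names = sorted({i["detection"] for s in sections.values() for i in s["items"]})
    return {"total": total, "detections": names, "mismatched": mismatched}

if __name__ == "__main__":
    print(summarize(parse_mbam_log(SAMPLE_LOG)))
```

A non-empty `mismatched` list means the pasted log was cut short or reflowed, so it should be re-exported before anyone draws conclusions from it.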


#8 boopme

Posted 16 July 2012 - 07:30 PM

Probably not a bad idea as this system is infected.

Ask in the XP forum as I believe there is a way. I just don't know it.

If no luck with that we can clean this, but you will need to start a new topic here.

Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.