• Virus Smart HDD

    • This topic has 8 replies, 6 voices, and was last updated 13 years ago.
    #482631

    Even though he was using Microsoft Security Essentials, my son’s XP PC got infected with the Smart HDD virus. I have tried the steps in the link http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd but they have not worked. Even in safe mode I cannot get the process stopped so I can load Malwarebytes to remove the virus. RKill’s various renamed files do not work, and I have tried other programs including Microsoft Malicious Software Removal, but so far nothing has worked. I can boot the PC using Hiren’s boot disk and read all his files, but cannot run Malwarebytes through mini Windows. Does anyone know of another program or way to remove the virus?

    • #1328301

      Hi Jerry, to ensure no mistakes are made and that no secondary infections are implicated, it’s best to get it checked out by real malware specialists; bleepingcomputer are very good, as are majorgeeks, geekstogo, techsupportforum …

      If you really want to try on your own, Process Explorer and Autoruns will be of great assistance. Whatever route you choose, without expert analysis, there’s a distinct possibility of BSODs or an unbootable PC.

      • #1328304

        Jerry, try the following processes (in the order they are shown):

          1. Boot into Safe Mode Without Networking (just plain old Safe Mode).
          2. Run a System Restore to a time that you know the machine was clean. If you have System Restore turned off you will have a much more difficult recovery path.
          3. Return to Safe Mode Without Networking to complete the System Restore – do not return to normal mode, as the System Restore will not be complete – it must be completed from Safe Mode Without Networking.
          4. Once the System Restore has completed successfully, reboot into normal mode. Hopefully by now the active component will have been removed.
          5. Download Malwarebytes and run a full scan. MBAM is looking for data files rather than registry and program entries.
          6. Run Kaspersky TDSSKiller and Sophos Anti-Rootkit, though hopefully by now you won’t need them.
          7. Install Autoruns and look for the rogue process if it still remains.
          8. Verify the hosts file has not been corrupted by the malware. Clean as required.
          9. Verify no proxy or DNS hijack settings have been installed. Remove any proxy settings installed by the rogue app.
          10. If either the hosts file, proxy or DNS settings have been adjusted by the malware, re-run MBAM to check that no new malware has been injected by a rogue site since the initial infection was cleaned.
          11. Update Java, Adobe Flash Player and Adobe Reader – these 3 are the most likely vectors the malware used to infect the machine.
          12. Install ad-blocking software for the browser – this will help prevent malware being injected via rogue adverts exploiting Flash vulnerabilities.

        Why is it necessary to use Safe mode without networking? Because every instance I have seen of this type of scare-ware has been injected into a Windows networking component. Running without networking disables the launch mechanism of the malware.

        The above processes have worked for me in every instance (and that’s a lot of cases!), unless there has been some user interaction with the malware. If that has occurred, the malware may have injected additional attacks and be active even in Safe Mode Without Networking, in which case you have more than one problem and a difficult recovery path.
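        One way to carry out the hosts-file check from the list above, as an added example that is not from the thread: a small Python script that flags the two patterns this kind of scareware leaves in C:\Windows\System32\drivers\etc\hosts, namely security or update sites pinned to an address so they cannot be reached, and names redirected to a public address. The vendor domain list and the sample hosts file are constructed for illustration and are not from the thread.

```python
"""Flag hosts-file entries typical of scareware tampering (added example)."""
import ipaddress

# Sites a user needs during cleanup. A clean hosts file has no reason to
# mention them, so any line naming one is worth a look. Illustrative, not exhaustive.
PROTECTED_SUFFIXES = (
    "malwarebytes.org", "bleepingcomputer.com", "microsoft.com",
    "windowsupdate.com", "kaspersky.com", "sophos.com", "emsisoft.com",
)

# Constructed sample: line 2 is the normal loopback entry, lines 4-6 mimic tampering.
SAMPLE_HOSTS = """\
# sample hosts file, constructed for this example
127.0.0.1       localhost
# the next three entries are typical of scareware tampering
127.0.0.1       www.malwarebytes.org
127.0.0.1       www.bleepingcomputer.com
198.51.100.23   www.google.com   # constructed redirect (TEST-NET address)
::1             localhost
"""

def check_hosts(text):
    """Return (line_number, reason, raw_line) for every suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((lineno, "unparseable address", raw.strip()))
            continue
        for host in parts[1:]:
            host = host.lower()
            if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue                            # the one entry every file has
            if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
                # pinned to 127.0.0.1 it is blocked; pinned elsewhere it is redirected
                findings.append((lineno, "security/update site pinned", raw.strip()))
            elif not (addr.is_loopback or addr.is_unspecified):
                # ad-block style entries use 127.0.0.1/0.0.0.0; a real address is a redirect
                findings.append((lineno, "redirect to " + str(addr), raw.strip()))
    return findings

def check_hosts_file(path):
    """Check a hosts file on disk, e.g. one copied off the infected drive."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_hosts(fh.read())
```

        Entries for intranet hosts will also be reported by the redirect rule, so review the output rather than deleting every line it lists.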

        • #1328340

          4 Star thanks for the info

          I have tried System Restore but it will not run even in safe mode. I have tried all versions of RKill. I also have downloaded MBAM on another PC and copied it to my son’s using safe mode, but it will not run after an apparent install and I get an access denied error. I have also tried Autoruns but cannot identify the Smart HDD files which are causing the problem. I have tried TDSSKiller in safe mode with no results. I have been running Safe Mode with Command Prompt but will try plain Safe Mode. Also in Safe Mode I selected view hidden files and tried to update my son’s existing MBAM installation on his C drive, but got access denied when the attempted update completed. I have also used Norton’s disaster recovery disk and scanned the PC but it did not fix the problem. I have not returned to normal mode since I started all this process but that has not helped. However, I have restarted in Safe Mode with Networking to try to get some updates, but based on your info I will only use plain Safe Mode.

    • #1328302

      Jerry,
      Hello. Have you got the latest Malwarebytes, 1.61.0.1400? I have heard that the newer versions have a mode that “hides” itself (“chameleon mode”). Install it on a flash drive and try again in safe mode. Regards, Fred

    • #1328305

      Tinto, Thanks for a very comprehensive list for others to follow. It would be nice if an Admin or Moderator could put this list in as a Sticky, it’s that good.

      Jerry, Unfortunately no AV will catch everything, especially if they did follow the infestation routes outlined by Tinto, and especially if the operator was not vigilant enough. The weakest link in any security scheme is the operator themselves.

    • #1328346

      If the previous steps don’t solve it, give Emsisoft’s emergency kit a try (especially the command line tool): http://www.emsisoft.com/en/software/eek/

      • #1328739

        Thanks for all the help. I have finally resolved the problem and I will detail what fixed it so maybe it will help others who get this virus. Since the virus hides most of your files so you think the HD is corrupt, I used Safe Mode and removed the hidden attribute on the files. After removing the hidden attributes I could read the HD again, but be sure to stay or restart in Safe Mode. You could probably use Hiren’s Boot disk to see and remove the hidden attributes if you cannot remove them using Safe Mode. Once the hidden attributes were removed I went to the command prompt and entered the command C:\windows\system32\restore\rstrui.exe and got Restore to run successfully. Apparently trying to run Restore from a startup option does not work, but the command does. After the restore completed for a date before the infection everything was back to normal and all data and programs were there. This was a very frustrating problem to resolve, so good luck to anyone who gets this virus and I hope this helps.
