S.M.A.R.T. HDD bug

I'm pretty sure I picked this up looking for car insurance quotes online, as it happened shortly after, while I was visiting a website. I was unable to run aswMBR.exe for some reason, but am attaching logs from OTL and RogueKiller. When I tried to run aswMBR.exe my cursor acted like something was happening, then it went back to normal and nothing at all happened.

Also, I ran out of room to attach RKreports. Will post the others in a second post.

~ butterflybrr

Here is the additional RKreport.

Please help, I posted this a couple of days ago and have had no reply. I've mostly removed the infection using the tools and advice I found here, but I still get notifications from Malwarebytes that something is up. I mostly notice it when I'm trying to perform internet searches, as it re-routes me to bogus sites or seemingly randomly sends me to a certain site that I've forgotten the URL to. Something like vacation.com.

Hi, this is the problem:

2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo

We will try TDSSKiller first, although I feel that may fail as well.

If it does fail, are you able to burn a CD?

I will also need to see your partition setup.

Go to Start > Run
and type in:

diskmgmt.msc

This will open the Disk Management console.
Could you ensure all partitions are visible and post a screenshot?

If TDSSKiller fails, then:

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for GParted from the ISO image.

You can use ImgBurn to do this.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

  • Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.
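The RogueKiller line the helper points at (a hidden NTFS partition, type 0x17, marked active, 1 MB in size, parked at sector 1953521664) is exactly the shape a boot-sector rootkit's stash takes in the MBR partition table. As an added example, not part of the thread and not RogueKiller's or TDSSKiller's code, here is a small Python reader that decodes the four partition entries from a raw 512-byte MBR and flags the combination seen here: a hidden type ID, the active flag on a hidden partition, and a tiny partition at the tail of the disk. The sector below is constructed for the demo: slot 0 is a normal NTFS volume, slot 1 mimics the quoted RogueKiller entry; the 1 TB disk size (DISK_SECTORS), the "tiny" and "end of disk" thresholds, and the hidden-type table are my assumptions, not values from the page.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
# Well-known MBR partition type IDs that mark a filesystem as "hidden" (assumed table).
HIDDEN_TYPES = {
    0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M", 0x16: "Hidden FAT16",
    0x17: "Hidden NTFS/HPFS", 0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 (LBA)",
    0x1E: "Hidden FAT16 (LBA)",
}
SMALL_LIMIT = 4096    # "tiny" = 2 MiB or less (assumed threshold)
TAIL_WINDOW = 131072  # "at the end of the disk" = ends within the last 64 MiB (assumed)


@dataclass
class PartitionEntry:
    index: int        # 0..3, slot in the table (RogueKiller numbers these 1..4)
    active: bool      # status byte 0x80: the BIOS hands control to this partition's VBR
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


def parse_mbr(sector: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446 of an MBR sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, count
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if type_id == 0 and count == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def triage(sector: bytes, disk_sectors: int) -> dict:
    """Return {slot: [reasons]} for entries that look like a bootkit's stash."""
    entries = parse_mbr(sector)
    findings = {}
    for e in entries:
        reasons = []
        if e.type_id in HIDDEN_TYPES:
            reasons.append(f"hidden type 0x{e.type_id:02X} ({HIDDEN_TYPES[e.type_id]})")
            if e.active:
                reasons.append("active flag on a hidden partition: the BIOS will boot it")
        if e.sectors <= SMALL_LIMIT and disk_sectors - e.lba_end <= TAIL_WINDOW:
            reasons.append(f"tiny partition ({e.sectors * SECTOR // 1024} KiB) at the end of the disk")
        for other in entries:
            if other is not e and e.lba_start < other.lba_end and other.lba_start < e.lba_end:
                reasons.append(f"overlaps slot {other.index}")
        if reasons:
            findings[e.index] = reasons
    return findings


def _entry(status: int, type_id: int, lba_start: int, count: int) -> bytes:
    # CHS fields are filled with the usual 0xFE 0xFF 0xFF "use LBA" marker.
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff",
                       lba_start, count)


# Constructed sample, not a dump from the poster's disk: slot 0 is the Windows NTFS
# volume, slot 1 mimics the RogueKiller line above (hidden NTFS, 1 MiB, active).
DISK_SECTORS = 1953525168  # assumed 1 TB drive; RogueKiller did not print the disk size
SAMPLE_MBR = (
    b"\x00" * 446
    + _entry(0x00, 0x07, 2048, 1953519616)
    + _entry(0x80, 0x17, 1953521664, 2048)
    + b"\x00" * 32
    + b"\x55\xaa"
)

if __name__ == "__main__":
    for slot, reasons in triage(SAMPLE_MBR, DISK_SECTORS).items():
        print(f"slot {slot + 1}: " + "; ".join(reasons))
```

To run it against a real drive, feed `parse_mbr` the first 512 bytes of the raw device (`\\.\PhysicalDrive0` opened as Administrator on Windows, `/dev/sda` on Linux). Do that from a boot CD such as the GParted image the helper lines up: a bootkit that hooks the disk driver can hand a clean-looking sector back to anything running on the infected OS, which is also why `aswMBR.exe` silently doing nothing is itself a finding.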

I’m having a lot of trouble responding and I think it’s due to the attachments. Can I email them?

Did TDSSKiller run?

If so, could you post the last 20 lines please?

Yes, TDSSKiller did run; here are the ends from both of the logs. I followed instructions given to another poster and hope I didn't mess anything up. What information did you need from the screenshot? I'll try and post it again, but I've tried a bunch of times and it's just not working.

09:32:06.0150 1548 Detected object count: 4
09:32:06.0150 1548 Actual detected object count: 4
09:32:26.0789 1548 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
09:32:26.0789 1548 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip
09:32:26.0789 1548 Realtek11nSU ( UnsignedFile.Multi.Generic ) - skipped by user
09:32:26.0789 1548 Realtek11nSU ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:32:26.0827 1548 \Device\Harddisk0\DR0# - copied to quarantine
09:32:26.0827 1548 \Device\Harddisk0\DR0 - copied to quarantine
09:32:26.0879 1548 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
09:32:26.0880 1548 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
09:32:26.0902 1548 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
09:32:26.0904 1548 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
09:32:26.0906 1548 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
09:32:26.0908 1548 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
09:32:26.0911 1548 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
09:32:26.0913 1548 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
09:32:26.0915 1548 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
09:32:26.0918 1548 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
09:32:26.0921 1548 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
09:32:26.0923 1548 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
09:32:26.0926 1548 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
09:32:26.0928 1548 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
09:32:26.0930 1548 \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
09:32:26.0933 1548 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
09:32:26.0935 1548 \Device\Harddisk0\DR0\TDLFS\mainfb.script - copied to quarantine
09:32:26.0945 1548 \Device\Harddisk0\DR0\TDLFS\com64 - copied to quarantine
09:32:26.0959 1548 \Device\Harddisk0\DR0\TDLFS\bbr232 - copied to quarantine
09:32:26.0964 1548 \Device\Harddisk0\DR0\TDLFS\serf332 - copied to quarantine
09:32:26.0998 1548 \Device\Harddisk0\DR0\TDLFS\serf364 - copied to quarantine
09:32:27.0005 1548 \Device\Harddisk0\DR0\TDLFS\bbr264 - copied to quarantine
09:32:27.0008 1548 \Device\Harddisk0\DR0\TDLFS\serf_conf - copied to quarantine
09:32:27.0068 1548 \Device\Harddisk0\DR0\TDLFS\bbr_conf - copied to quarantine
09:32:27.0072 1548 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
09:32:27.0114 1548 \Device\Harddisk0\DR0 - ok
09:32:27.0272 1548 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
09:32:27.0272 1548 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:32:27.0272 1548 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:32:35.0484 5144 Deinitialize success

09:37:37.0975 4340 Detected object count: 2
09:37:37.0975 4340 Actual detected object count: 2
09:37:49.0822 4340 c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll - copied to quarantine
09:37:49.0824 4340 HKLM\SYSTEM\ControlSet001\services\Akamai - will be deleted on reboot
09:37:49.0868 4340 HKLM\SYSTEM\ControlSet002\services\Akamai - will be deleted on reboot
09:37:50.0008 4340 c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll - will be deleted on reboot
09:37:50.0008 4340 Akamai ( HiddenFile.Multi.Generic ) - User select action: Delete
09:37:50.0055 4340 C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe - copied to quarantine
09:37:50.0056 4340 HKLM\SYSTEM\ControlSet001\services\Realtek11nSU - will be deleted on reboot
09:37:50.0057 4340 HKLM\SYSTEM\ControlSet002\services\Realtek11nSU - will be deleted on reboot
09:37:50.0062 4340 C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe - will be deleted on reboot
09:37:50.0062 4340 Realtek11nSU ( UnsignedFile.Multi.Generic ) - User select action: Delete
09:37:53.0256 4676 Deinitialize success
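Reading the two log tails above by eye is what the helper does next: spot that the TDSS File System entry was left at Skip, and ask why two generic detections were deleted. As an added example, not part of the thread and not TDSSKiller's code, here is that same triage in Python over an excerpt of the lines posted above (the sample is copied from those logs, nothing added): the last user decision per object, objects whose verdict names the rootkit but were not cured or deleted, generic-heuristic verdicts that were deleted, and the files pulled out of the TDLFS container. The verdict-name heuristics (ROOTKIT_HINTS, GENERIC_HINTS) are my assumptions about how these verdict strings are named, not anything documented on this page.

```python
import re
from collections import OrderedDict

# One TDSSKiller log line: timestamp, thread id, object, optional "( verdict )", " - ", action.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<tid>\d+) (?P<obj>.+?)"
    r"(?: \( (?P<verdict>.+?) \))? - (?P<action>.+)$"
)

# Verdicts that name the boot rootkit itself; leaving one at Skip means it is still there.
ROOTKIT_HINTS = ("Rootkit.", "TDSS")
# Generic heuristics ("unsigned driver", "hidden file"): not a malware identification,
# so a Delete on them deserves a second look before, not after, the reboot.
GENERIC_HINTS = ("UnsignedFile.Multi.Generic", "HiddenFile.Multi.Generic")


def parse_lines(text: str):
    """Yield a dict per line that carries an object/action pair; counters etc. are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage_log(text: str) -> dict:
    decisions = OrderedDict()  # (object, verdict) -> last "User select action" seen
    tdlfs_files = []           # files copied out of the hidden TDLFS container
    for rec in parse_lines(text):
        obj, verdict, action = rec["obj"], rec["verdict"], rec["action"]
        if "\\TDLFS\\" in obj and action == "copied to quarantine":
            tdlfs_files.append(obj.rsplit("\\", 1)[1])
        if verdict and action.startswith("User select action: "):
            decisions[(obj, verdict)] = action.split(": ", 1)[1]
    unresolved = [(o, v, a) for (o, v), a in decisions.items()
                  if any(h in v for h in ROOTKIT_HINTS) and a not in ("Cure", "Delete")]
    generic_deleted = [(o, v) for (o, v), a in decisions.items()
                       if any(h in v for h in GENERIC_HINTS) and a == "Delete"]
    return {"decisions": decisions, "tdlfs_files": tdlfs_files,
            "unresolved": unresolved, "generic_deleted": generic_deleted}


# Excerpt of the two log tails posted above, used as sample input.
SAMPLE_LOG = r"""
09:32:26.0789 1548 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip
09:32:26.0789 1548 Realtek11nSU ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:32:26.0879 1548 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
09:32:26.0880 1548 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
09:32:26.0923 1548 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
09:32:27.0072 1548 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
09:32:27.0272 1548 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
09:32:27.0272 1548 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:32:35.0484 5144 Deinitialize success
09:37:49.0822 4340 c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll - copied to quarantine
09:37:50.0008 4340 Akamai ( HiddenFile.Multi.Generic ) - User select action: Delete
09:37:50.0062 4340 Realtek11nSU ( UnsignedFile.Multi.Generic ) - User select action: Delete
"""

if __name__ == "__main__":
    r = triage_log(SAMPLE_LOG)
    print("TDLFS files quarantined:", ", ".join(r["tdlfs_files"]))
    for obj, verdict, action in r["unresolved"]:
        print(f"STILL PRESENT: {obj} ({verdict}) left at {action}")
    for obj, verdict in r["generic_deleted"]:
        print(f"CHECK: {obj} deleted on generic verdict {verdict}")
```

The key design point is that a decision is keyed on (object, verdict) and the last run wins, so the second log's Delete on Akamai and Realtek11nSU overrides the first run's Skip; that is what makes the "generic verdict deleted" list match the helper's question, while the TDSS File System entry, never acted on, stays on the unresolved list.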

Re-run TDSSKiller and when you get to this element select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

09:37:49.0822 4340 c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll - copied to quarantine
09:37:49.0824 4340 HKLM\SYSTEM\ControlSet001\services\Akamai - will be deleted on reboot
09:37:49.0868 4340 HKLM\SYSTEM\ControlSet002\services\Akamai - will be deleted on reboot
09:37:50.0008 4340 c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll - will be deleted on reboot
09:37:50.0008 4340 Akamai ( HiddenFile.Multi.Generic ) - User select action: Delete
09:37:50.0055 4340 C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe - copied to quarantine
09:37:50.0056 4340 HKLM\SYSTEM\ControlSet001\services\Realtek11nSU - will be deleted on reboot
09:37:50.0057 4340 HKLM\SYSTEM\ControlSet002\services\Realtek11nSU - will be deleted on reboot
09:37:50.0062 4340 C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe - will be deleted on reboot
09:37:50.0062 4340 Realtek11nSU ( UnsignedFile.Multi.Generic ) - User select action: Delete

Why did you delete these?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it will produce a log for you.
  • Please include C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

I re-ran TDSSKiller but nothing came up when it checked my files, and I didn't see any option to delete \Device\Harddisk0\DR0 ( TDSS File System ).

I only deleted those files because they showed up as threats…I realize that was probably a mistake now and hope there will be no repercussions :stuck_out_tongue:

As for ComboFix, I ran it and now I am logged into a different computer to respond because I can’t access the internet at all. When I try to open IE or Google Chrome (or a game I play that uses the internet) I get the message “Illegal operation attempted on a registry key that has been marked for deletion”. Ack! I can’t even open explorer.exe…but for some reason when I click on recent documents I’m still able to open it that way.

I was able to do a System Restore to an earlier point and fix the registry error. Not sure if this has undone any of our work or not.

Please read the instructions... A reboot would have fixed that.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Could you run a fresh OTL log with all users selected, please, so that I can see if anything was restored?

Here is the new OTL log

Not too bad. On completion of this, can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start with Windows"
  • Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-2746239865-2659986515-2706294417-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
O3 - HKU\S-1-5-21-2746239865-2659986515-2706294417-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
[2012/04/10 18:33:32 | 000,000,160 | ---- | M] () -- C:\ProgramData\-fD84xc1doAOuT8r
[2012/04/10 18:33:32 | 000,000,000 | ---- | M] () -- C:\ProgramData\-fD84xc1doAOuT8

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the OTL log. Ever since that last restore after Combofix I haven’t been experiencing any difficulties. No pop-up warnings from MalwareBytes or anything! Am I officially in the clear? :smiley: Thanks so much for your help!!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/") then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.

Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click Do I have Java?
  • It will check your current version and then offer to update to the latest version.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select the System Protection tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go to Start > All Programs > Accessories > System Tools
  • Right-click Disk Cleanup and select Run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups section select Clean up
  • Select Delete on the pop-up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean.

Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit:

  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?

Keep safe :wave: