…so exactly what did you click on?

Working on my Dad’s PC, as something he clicked on gave him a rogue SmartHDD alert / rogue antivirus. One that looks to be specifically going after Microsoft Security Essentials, as it hid it in the system tray.


Wish me luck.

7 Thoughts on “…so exactly what did you click on?”

  1. SeanPT on August 2, 2012 at 8:56 am said:

    Combofix from Bleeping Computer is fantastic for cleanup on aisle 7.

  2. Dave Nickason on August 2, 2012 at 9:57 am said:

    That happened to me recently and I was able to clean it with Malwarebytes. However, it made some annoying changes that I could have fixed with System Restore if I hadn’t waited too long to run it. Also there are a lot of resources at http://www.bleepingcomputer.com/ (thanks to Larry).

  3. Joe Raby on August 2, 2012 at 2:04 pm said:

    The fake HDD diag progs usually hide every file on the hard drive by using the ATTRIB command without initiating it via a command prompt. You can try to restore the files back, but if you try to do it on all files, Windows flips out that some of the system files have been modified. Data files are just hidden, but when system files are hidden, certain Windows components won’t find them because they’re not all coded to look for hidden files. Windows is officially broken at that point.

    Best to restore using a complete system backup, or else start flattening….

    Just FYI: Metro IE makes these types of attacks impossible because it won’t allow plugin code to run. Get your dad on Windows 8 to prevent this in the future. When dealing with computer N00bs ;) Java and Adobe are your enemy because they have to be constantly updated by the user, and these types of attacks most frequently target out-of-date versions. I don’t put Java on computers anymore for this exact reason, and Windows 8 will make Adobe software irrelevant (Microsoft has their own PDF reader, and Flash is integrated into IE and will be updated automatically by Microsoft via MS Update). This is good news for average users that don’t know, or don’t care to know, about PC security and maintenance.

  4. Here’s the combination I use for such things:

    1. Download Rkill and run http://www.bleepingcomputer.com/download/rkill/
    2. Run Malwarebytes and reboot as needed
    3. Run Rkill again after reboot
    4. If files have been hidden run unhide
    http://www.bleepingcomputer.com/forums/topic405109.html (also tells you how to restore your icons if they are missing, be careful not to delete temp files)
    5. Run TDSSKILLER.exe from Kaspersky (it’s just good practice now)
    http://support.kaspersky.com/faq/?qid=208283363
    6. Reboot as necessary for tdsskiller and run rkill again just in case
    7. Run combofix
    http://www.bleepingcomputer.com/download/combofix/

    Hopefully you should be clean.

    P.S. Your captcha now works in chrome since I’m using the IE tab plugin :P

  5. bradley on August 2, 2012 at 7:37 pm said:

    System restore to a date before the infection worked the best.

  6. Joe Raby on August 2, 2012 at 8:19 pm said:

    If it was one of the fake HDD diag programs, check to see if files are hidden. If they were, System Restore won’t restore the files in the user space, so check your data. Just remember that your user data folders (Documents, Pictures, etc., but NOT AppData) will still have THUMBS.DB and DESKTOP.INI hidden, so it’s still a pain to recover from. Whenever I backup files just prior to a wipe, I’ll just backup entire folders, then mark the folders and all contents as unhidden, then just search for the desktop.ini and thumbs.db and delete them to keep the backup simple.
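
The unhide step the two comments above describe, written out as an added PowerShell example (not from the original post or the Bleeping Computer unhide tool). It clears the Hidden attribute only under the user data folders (Desktop, Documents, Pictures and so on), leaves AppData alone, and skips desktop.ini and thumbs.db, which Windows hides on purpose. The profile path and the folder list are assumptions; run it with -DryRun first to see what it would touch, ideally after the rogue process has been killed or from a clean OS.

```powershell
# Added example: unhide user data after a fake "HDD diagnostic" rogue has run
# ATTRIB +H over the profile. Only user data folders are touched, never
# Windows system files (mass-unhiding those is what breaks components that
# do not expect hidden system files) and never AppData.
#
# Usage (assumed paths):
#   .\Unhide-UserData.ps1 -ProfileRoot C:\Users\Dad -DryRun
#   .\Unhide-UserData.ps1 -ProfileRoot C:\Users\Dad
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileRoot,
    [switch]$DryRun   # report what would change, touch nothing
)

# Folders the rogue hides and that are safe to unhide wholesale (assumed list).
$dataFolders = 'Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos', 'Favorites'

# Files that are hidden by design; leave them hidden so Explorer behaves normally.
$keepHidden = 'desktop.ini', 'thumbs.db'

$changed = New-Object System.Collections.Generic.List[string]

foreach ($name in $dataFolders) {
    $folder = Join-Path $ProfileRoot $name
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force is required, otherwise Get-ChildItem silently omits hidden items.
    Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            # Files Windows hides on purpose stay hidden; hidden folders are unhidden.
            if (-not $_.PSIsContainer -and $keepHidden -contains $_.Name.ToLower()) { return }

            if ($DryRun) {
                Write-Host "Would unhide: $($_.FullName)"
            } else {
                # Clear only the Hidden bit; ReadOnly/Archive/System are left as they were.
                $_.Attributes = $_.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
            }
            $changed.Add($_.FullName)
        }
}

if ($DryRun) {
    Write-Host "$($changed.Count) item(s) would be unhidden"
} else {
    Write-Host "$($changed.Count) item(s) unhidden"
}
```

The script also unhides the top-level folders themselves if the rogue hid those, since a hidden Documents folder is the usual reason the desktop looks empty. Anything outside the listed folders, including the Windows directory, stays exactly as it is, which is the point the comment makes: if system files were hidden too, restore from backup rather than flipping attributes across the whole drive.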

  7. Yeah, system restore will not do anything to files used as payload, which puts the machine at risk by a curious user poking around later.

    Get out of Windows to clean it, is my standard protocol. Rootkits are pretty standard now on infection (see tdsskiller above) and Windows can’t be trusted to restore itself.

    Security Essentials (and the rest) is fairly useless; there are over 40K new variants of malware found a day now. Make the user a user first, block startup directories, prevent ads and scripting in your browser (use Chrome or Firefox or a derivative); it’s by far the best preventative defense.
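
Two of the preventive checks in the comment above, "make the user a user" and watch the startup locations, as an added PowerShell audit (example code, not from the original post). It lists the Run/RunOnce keys and the Startup folders, flags entries that launch from user-writable locations such as AppData or Temp (where rogue AV payloads usually live, an assumption about typical placement rather than a claim about this specific infection), and reports whether the current account belongs to the local Administrators group. The list of suspicious roots is an assumption; adjust it for the machine.

```powershell
# Added example: audit the usual autostart locations and the account type.
# Run as the day-to-day user; it only reads, it changes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Writable-by-user roots a legitimate installer rarely uses for an autostart binary (assumed list).
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }

# Registry metadata properties that Get-ItemProperty adds and that are not Run values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousPath([string]$Command) {
    foreach ($root in $suspiciousRoots) {
        if ($Command -like "*$root*") { return $true }
    }
    return $false
}

# 1. Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $flag = if (Test-SuspiciousPath ([string]$p.Value)) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# 2. Startup folders (anything here runs at logon, so list it all)
foreach ($folder in $startupFolders) {
    if (-not $folder -or -not (Test-Path -Path $folder)) { continue }
    Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $flag = if ($_.Name -ieq 'desktop.ini') { 'ok' } else { 'STARTUP' }
        '{0,-8} {1}' -f $flag, $_.FullName
    }
}

# 3. Is this account a member of the local Administrators group (S-1-5-32-544)?
# Group membership is read from the token's group list rather than IsInRole so that
# a UAC-filtered (non-elevated) admin token is still reported as an admin account.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = $identity.Groups | ForEach-Object { $_.Value }
if ($groupSids -contains 'S-1-5-32-544') {
    "Account '$($identity.Name)' is in local Administrators: day-to-day use should be a standard user."
} else {
    "Account '$($identity.Name)' is a standard user."
}
```

A SUSPECT line is a lead, not a verdict: some legitimate updaters do run from AppData. The useful signal is an entry you do not recognise, pointing at a random-looking executable under a user-writable path, which is the pattern these rogue alerts use to survive a reboot.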
