Endpoint Protection

  • 1.  SMART HDD virus removal

    Posted Apr 18, 2012 09:16 PM

    Hi,

    I'm wondering if anyone has come across the "Smart HDD" virus.

    It basically pops up messages claiming your Hard Drive is about to fail and that you need to subscribe to prevent this, blah blah blah, hides all your icons on your desktop and start menu, slows down the affected PC, hides from antivirus solutions and makes it impossible to install anti-spyware and rootkit removers.

    Does Symantec or anyone here know of a way to eradicate this virus?

    (I have Endpoint Protection v 11.0.5002.333 installed on the system)

     

    Thanks.



  • 2.  RE: SMART HDD virus removal

    Posted Apr 18, 2012 09:27 PM

    If you can call into support, we can help you fix this issue.

    But after a quick Google, I saw many forums talking about it.

    Looks like it is a variant of FakeAV.



  • 3.  RE: SMART HDD virus removal

    Posted Apr 18, 2012 09:48 PM

     

    This should help

     

    How to troubleshoot FakeAV if it is not detected

    https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected

     

    Best practices for troubleshooting viruses on a network

    http://www.symantec.com/business/support/index?page=content&id=TECH122466

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files

    http://www.symantec.com/business/support/index?page=content&id=TECH141402

     

    Security Best Practice Recommendations
    http://service1.symantec.com/support/ent-security.nsf/docid/2009010808340848?Open&seg=ent

    Symantec Power Eraser User Guide

    http://www.symantec.com/theme.jsp?themeid=spe-user-guide



  • 4.  RE: SMART HDD virus removal

    Trusted Advisor
    Posted Apr 18, 2012 11:01 PM

    Hello,

    The Description you are providing is about a type of Threat, which could be more like a variant of "FakeAV", however it seems it is not at present existing on your network, is it?

    In such cases, I would recommend you to take the steps to secure the environment.

    Check this:

    http://www.symantec.com/theme.jsp?themeid=stopping_malware

    In case certain Threat Files / Suspicious Files are not being detected by Symantec, it is advisable to follow the steps provided in the Article below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    How to troubleshoot FakeAV if it is not detected

     
    How to block known virus executables that run from %UserProfile% using Application and Device Control
     

    Secondly, about the Tools like Power Eraser, I would recommend you to check this Thread:

    https://www-secure.symantec.com/connect/forums/need-virus-removal-tool

    Here are few Best Practices Articles:

    Security Best Practice Recommendations

    http://www.symantec.com/docs/TECH91705

    Best practices for responding to active threats on a network

    http://www.symantec.com/docs/TECH122466

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/docs/TECH122943

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    http://www.symantec.com/docs/TECH98360

    Hope that helps!!



  • 5.  RE: SMART HDD virus removal

    Posted May 04, 2012 10:10 AM

    Based on my quick research, here’s a bit of background about this malware (http://support.kaspersky.com/viruses/rogue?qid=208286454):

     

    1. It is considered rogue security software by the AV vendors,
    2. It doesn’t actually do damage, rather it installs itself and hides files prompting users to pay for services to retrieve them, and
    3. The removal tool available is proven successful and will unhide all hard drive files and remove offending registry entries.

    I have also got some info from Symantec:

     

    1. What is this virus?

    Smart HDD is a fake hard drive optimization and analysis program that displays false information. Smart HDD is installed via Trojans that display fake error messages on the infected computer. These messages will state that there is something wrong with your computer's hard drive in order to scare you into purchasing the program.

    Some examples of the fake problems that it will report are:

    Hard drive boot sector reading error
    System blocks were not found
    Error 0x00000024 - NTFS_FILE_SYSTEM
    Error 0x00000078 - INACCESSIBLE_BOOT_DEVICE
    Error 0x0000002E - DATA_BUS_ERROR
    Error 0x00000050 - PAGE_FAULT_IN_NONPAGED_AREA
    The DRM attribute value is too small before disk scan

    If you are infected with Smart HDD it is important that you do not delete any files from your Temp folder or use any temp file cleaners. This is because when the infection is installed it will delete shortcuts found in various locations and store backups of them in the %Temp%\smtmp folder. It does this so that when you try to launch a program from your start menu, none of your shortcuts will appear, thus making you think that your computer has a serious problem. Therefore, you do not want to delete any of the files in your Temp folder as it will remove the backups that we will use later in the guide to restore your Windows Start Menu.

    Smart HDD also attempts to make it so you cannot run any programs on your computer. If you attempt to launch a program it will terminate it and state that the program or hard drive is corrupted. It does this to protect itself from anti-virus programs you may attempt to run and to make your computer unusable so that you will be further tempted to purchase the rogue. The messages that you will see when you attempt to run a program are:

    Windows detected a hard drive problem.
    A hard drive error occurred while starting the application.

    Or

    Windows cannot find notepad. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    In addition, the rogue hides relevant data from the screen so that you think that it has been destroyed. You do not see icons in Start menu and program shortcuts in the screen. Not to mention the fact that you cannot view relevant files of the system when you open programs' folders by clicking on them. These actions taken against you are planned to make you believe that you are at risk. To restore your data, follow the instructions given:

    1. If you are running Windows XP, in Start menu click Run option.
    2. Enter cmd and press OK button.
    3. When a black screen opens, enter a line: attrib.exe -s -h -r [home_drive]:\*.* /s /d which should be changed according to your home drive. Usually, it is C disk, so instead of [home_drive] enter C.

    If you are using Windows Vista or Windows 7, enter cmd in start menu and hit Ctrl+Shift+Enter. Then select OK in Windows dialog box to open C:\WINDOWS\System32\cmd.exe. To restore the data, go back to see step 3 above.

    These are just further alerts trying to make you think your computer has a serious hard drive problem. It should be noted that if you attempt to run a program enough times it will eventually work.

    Files associated with Smart HDD infection:
    ==========================================

    9903f2.exe
    %Programs%\Smart HDD\Uninstall Smart HDD.lnk
    %Programs%\Smart HDD\Smart HDD.lnk
    %Programs%\Smart HDD
    %Desktop%\Smart HDD.lnk
    %Temp%\Windows Update.exe
    %Temp%\dfrgr
    %Temp%\dfrg
    %Temp%\[random].dll
    %Temp%\[random].exe
    %Temp%\[random]

    Smart HDD DLL's to remove:
    ==========================

    %Temp%\[random].dll

    Smart HDD processes to kill:
    ============================

    9903f2.exe
    %Temp%\[random].exe
    %Temp%\Windows Update.exe

    Remove Smart HDD registry entries:
    ==================================

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random].exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random]

     

    Please check the below document to avoid such Fake Antivirus getting triggered or loaded to the machines

    Title: Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security
    Web URL: http://www.symantec.com/docs/TECH132337
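
The indicators listed in the post above can be checked with a read-only triage script. This is an added example, not part of the original post or a Symantec tool; the function names are hypothetical, and only the fixed-name paths and the HKCU Run key from the post are checked, since the [random] names cannot be matched by name.

```powershell
# Added example: read-only triage for the Smart HDD indicators listed in the post.
# Nothing is deleted or changed, so the %Temp%\smtmp shortcut backups stay intact.

function Get-RunKeyTempEntries {
    # Report HKCU Run values whose command line points into the user's Temp folder,
    # where the post places the [random].exe load point.
    param([string]$TempDir = $env:TEMP)
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Plain substring match; a value written with an 8.3 short path would not match.
        if ($cmd.IndexOf($TempDir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Indicator = 'RunKey'; Name = $p.Name; Detail = $cmd }
        }
    }
}

function Get-SmartHddFileIndicators {
    param(
        [string]$TempDir  = $env:TEMP,
        [string]$Programs = [Environment]::GetFolderPath('Programs'),
        [string]$Desktop  = [Environment]::GetFolderPath('Desktop')
    )
    # Fixed-name locations taken from the list in the post.
    $paths = @(
        (Join-Path $Programs 'Smart HDD'),
        (Join-Path $Desktop  'Smart HDD.lnk'),
        (Join-Path $TempDir  'Windows Update.exe'),
        (Join-Path $TempDir  'dfrgr'),
        (Join-Path $TempDir  'dfrg')
    )
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Indicator = 'File'; Name = (Split-Path $path -Leaf); Detail = $path }
        }
    }
    # smtmp holds the shortcut backups, not malware: report it so Temp is not cleaned.
    $backup = Join-Path $TempDir 'smtmp'
    if (Test-Path -LiteralPath $backup) {
        [pscustomobject]@{ Indicator = 'ShortcutBackup'; Name = 'smtmp'; Detail = $backup }
    }
}

$findings = @(Get-RunKeyTempEntries) + @(Get-SmartHddFileIndicators)
if ($findings.Count -eq 0) { 'No Smart HDD indicators from the post were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the affected user's session, because both HKCU and %Temp% are per-user locations.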



  • 6.  RE: SMART HDD virus removal

    Posted May 16, 2012 03:40 PM

    Yes, just like other fake antivirus, it has the same common locations.

    This particular infection will hide all the files and folders, also the desktop icons.

    Even applications will be empty in All programs.

    I would suggest to run command "attrib -h -s "c:\*.*" /s /d" in cmd prompt and retrieve the applications and desktop icons from smtmp folder.

    Run a full scan with rapid release latest definitions.

    Please do reply if you have any questions.

     

    Thanks