S.M.A.R.T. HDD – malware nuisance

by DanB

It’s scary. My computer became infected with malware. A program masquerading as a system utility suddenly took over everything. I almost fell for it. Almost.

The malware was named S.M.A.R.T. HDD.  The program masqueraded as a disk maintenance program. My computer is a fairly new laptop and still has lots of the vendor specific programs loaded and running. My initial thought was the program was one of those. That is how I was almost fooled.

The first message the program tossed out said my hard drive had a boot sector reading error, then lots of messages started popping up about not being able to access the drive.

Here are some notes about what I did. I’ll clean these up shortly.

IMPORTANT: The various instructions below are only if you already have the S.M.A.R.T. HDD malware. If you don’t have it don’t change things. But do make a mental note that these instructions are here should you ever need them.

The first thing I did was reboot the machine. Of course it came right up. So much for my boot record being bad. After going into Safe Mode I searched for the program name and found some instructions on how to get rid of the problem. Those instructions only partially worked. After a little bit of manual tweaking I was back to normal. You can see the instructions I followed here:

http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd

There is a screenshot of what the program looks like there as well. If you aren’t very technical you may be a little intimidated.

On more recent versions of Windows you can run Windows Defender and it will do a decent job of cleaning up the system. If you do this then you can skip to Step 6 of the instructions at the link above. You need to run the unhide utility mentioned at that site so you can see all of your files again.

In my case I still needed to edit a registry entry to find the actual program, delete the files, and stop it from trying to start. To do this open the registry editor (Start / regedit) then locate the following key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Look through the entries for something with gibberish. In my case it was this:

“dhWpWLrHmsphLmp.exe”=”C:\\ProgramData\\dhWpWLrHmsphLmp.exe”

Your entry may be different but it will be gibberish. Look at the path part of my entry, after the equals sign. That is where the program is installed on your hard drive. If the program still exists after you run Windows Defender you can go delete the gibberish files. After the files are gone you can safely delete this registry value.
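As an added example (not from the original post), here is a PowerShell check that lists the values under that Run key and flags the kind of entry described above. The heuristics it uses (random-looking value names, executables under ProgramData, AppData or Temp, and binaries without a valid Authenticode signature) are my own assumptions, not something the post states, and the script only reports; it deletes nothing.

```powershell
# Added example: audit the per-user Run key for suspicious startup entries.
# Heuristics are assumptions for illustration; review the output before acting.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-GibberishName {
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 8) { return $false }
    # Generated names like dhWpWLrHmsphLmp have few vowels and many case switches
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    $caseSwitches = ([regex]::Matches($base, '[a-z][A-Z]|[A-Z][a-z]')).Count
    return (($vowels / $base.Length) -lt 0.2) -and ($caseSwitches -ge 3)
}

function Get-SuspiciousRunEntries {
    param([string]$Key = $runKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $cmd = [string]$p.Value
        # Strip surrounding quotes and arguments to get the executable path
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $reasons = @()
        if (Test-GibberishName $p.Name) { $reasons += 'random-looking value name' }
        if ($exe -match '\\(ProgramData|AppData|Temp)\\') { $reasons += 'runs from a user-writable data folder' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        } else {
            $reasons += 'target file missing (already cleaned up?)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $p.Name; Command = $cmd; Reasons = ($reasons -join '; ') }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

A value that shows up here with a random name and a ProgramData path is the one to investigate; an entry whose target file is already gone is the leftover registry value the post says can be removed.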

Note – I’m intentionally leaving some details out here. If you aren’t comfortable editing your registry find someone you know and trust to do it for you. And always make sure to back up the registry before making changes.

One other thing. After booting back into a normal login I had to set up my Desktop settings again – wallpaper, colors, etc. The other thing that happened was my anti-virus program flagged at least one of the programs I used in the Bleeping Computer instructions as being suspicious. I expected that because those programs are looking for programs that are suspicious.

That is what I needed to do to clean up my system. Haven’t had any problems since.

Hope you found something useful here. If you have had problems with this particular malware or other malware share your experience below.

  • wildrose

    your instructions are way too complicated for me, not that I have not done the regedit.
    Just exactly what is it I am looking for?
    could you please layman term the whole thing?
    I have AVG now, so do I even go there in the first place?
    Thanks

  • http://www.tnpcnews.com/ DanB

    You only need the instructions if you have the malware. If you don’t have the malware just make a mental note that the instructions are here when you need them. Sorry for any confusion. I’ll also clean up these notes when I get a chance.

    Dan

  • Setinhere

    “your instructions are way too complicated for me, not that I have not done the regedit.” WHAT?!?!?! I’m not a prof. computer geek and I thought those instructions were not specific enough…

  • Stephen56

    Got asked about a vague “hard drive error” message by a friend. He said his desktop was acting “really weird.” I’m printing out your notes and looking at it tonight. Thanks for posting about this, it really helps.

  • http://www.tnpcnews.com/ DanB

    Great. Sounds like what I saw. Main thing is boot into Safe Mode and work from there. Try going the Windows Defender route first. Then visit the site I linked above and start at Step 6. Let me know how that goes.
    ~ Dan

  • DiggerP

    Hi Dan,
    Useful article, but it leaves me with more questions.
    Why didn’t you do a System Restore the moment stuff started popping up?
    What kind of protection are you using for your browser?
    I’m using either Sandboxie http://sandboxie.com/ (most of the time) or BufferZone http://www.trustware.com/, but there are so many
    other programs to let you surf or work in a protected environment, that I’m surprised you got caught by this.
    I’ve had my share of “infections” of this kind, like the fake Antivirus 2011 or 2012 etc, but being caught in the sandbox, it can do no harm.
    In fact, I let it do its thing and watched with amusement all it did to my system.

    BTW, my AV (Avira) did go nuts warning me of the infection, but I allowed it, just to see what it did ;)

    When I had my fun, I checked what it deposited, took a note of all the file locations and reg entries and then deleted the contents of the sandbox. Not a trace of it left.

    No un-installing or registry cleaning. It’s just GONE :)
    Anyway, you could also use TimeFreeze (free) or DeepFreeze or Returnil and many others.

    DiggerP

  • http://www.tnpcnews.com/ DanB

    Thanks for the detailed comment.

    I actually had no protection on the browser hence the origin of the problem. I had turned it off. It is on now. I don’t always recommend other folks do as I do!

    Anyway for the record I use F-Secure and have for many many years. Since the browser piece was disabled I can hardly fault the product.

    Thanks again.

    Dan

  • Stephen56

    The screen on friend’s PC showed the S.M.A.R.T. false warning. Booted to safe mode, ran Malwarebytes and re-booted then Windows Defender and re-booted again. Seems to be gone now. Many thanks!

  • http://www.tnpcnews.com/ DanB

    Thank you very much.

    Do you know if you had to run the unhide utility to get his files visible again? Just open an Explorer Window (Windows Key – E) and see if you can see any files.

    Dan

  • Tscott

    A teacher at my school had a school netbook that got hit with this nasty piece of malware too. Affected not just her login, but others as well. I had to log in as several different users and run MalwareBytes, EmsiSoft Antimalware and more just to clean everything off. Glad she didn’t do anything before getting me involved. What a waste of time and money.