Thursday 11 March 2010

Remove Smart Security fake antivirus program (Free removal)

Smart Security is a fake (rogue) anti-virus program. Smart Security is a clone of widely spread scareware called Security Tool. It reports false system security threats to make you think that your computer is infected with worms, trojans and other malicious software. This fake program also displays bogus security warnings and pop-ups. If you are reading this article then your PC is probably infected with SmartSecurity scareware. Thankfully, there is a way to remove this virus from your computer for free using legitimate anti-malware applications. Just follow free Smart Security removal instructions below.





UPDATE: (09/30/2010) There is another rogue security program with exactly the same name Smart Security but different graphical user interface (GUI) and files. This one is clone of My Security Shield malware. The new Smart Security reports false system security threats as well. It constantly displays fake security warnings about spyware activity, infected files or identity theft attempts and it does the pig squeal. It blocks legitimate security software and hijacks web browsers. The rogue program sets up a local proxy server on your computer to reroute traffic to malicious websites or web pages with online Ads. So, as you can see SmartSecurity is the virus itself. It won't steal your password and it won't delete your files, so don't worry. However, you should remove Smart Security from your computer as soon as possible because it may download additional malware onto your computer, i.e. Trojans, rootkits or other adware. And, of course, don't pay for this bogus program. It won't remove any infections, believe me. Instead, it will give you a false sense of security. You will have to reboot your computer in safe mode with networking in order to remove this rogue program from your computer because it blocks nearly all programs in normal mode. Please follow removal instructions below.


(Thanks to rogueamp)

As a typical fake program it enters a computer with the help of trojans that come from fake online scanners, misleading sites, malicious PDFs or bundled with other malware. Once installed, Smart Security simulates a system scan and reports numerous infections on your computer. Then it claims that you have to pay for a full version of the program if you want to remove the infections. So basically, it prompts you to buy needless software in order to remove infections which don't even exist. It goes without saying - Smart Security is 100% scam.

Furthermore, the rogue program displays fake and very annoying security warnings like every one or two minutes. That's another sign that Smart Security is not legitimate program, because reputable security software doesn't flood user with notifications, at least not so many in a minute.
Smart Security Warning
Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs.
Click here to remove it immediately with SecurityTool.


However, the worst thing is that this virus blocks legitimate anti-virus and anti-spyware programs. It also hijacks Internet Explorer and blocks security sites. There may be other restrictions as well if the rogue program comes bundled or downloads other malicious software that blocks certain system tools.

If you find that your computer is infected with this virus then read the removal instructions below and remove Smart Security from your computer as soon as possible. Most importantly, don't purchase it! If it's already too late and you bought it then you should contact your credit card company immediately and dispute the charges. If you have any questions, don't hesitate and ask or leave a comment. Good luck!

Please note that there is a perfectly legitimate Internet security suite from ESET called ESET Smart Security. Don't confuse these two programs. SmartSecurity (the fake one) application is not related to ESET.


Removing Smart Security in Safe Mode with Networking:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Security removal instructions using HijackThis:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 – HKCU\..\Run: [Smart Security] “C:\Documents and Settings\All Users\Application Data\a322fb\SMfe2_145.exe” /s /d
Select all such entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.

NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.



Associated Smart Security files and registry values:

Files and folder:
  • C:\Documents and Settings\All Users\Application Data\a322fb\
  • C:\Documents and Settings\All Users\Application Data\a322fb\537.mof
  • C:\Documents and Settings\All Users\Application Data\a322fb\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMfe2_145.exe
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMS.ico
  • C:\Documents and Settings\All Users\Application Data\a322fb\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\a322fb\BackUp\
  • C:\Documents and Settings\All Users\Application Data\a322fb\Quarantine Items\
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMSSys\
  • C:\Documents and Settings\All Users\Application Data\SMUVZICOS\
  • %UserProfile%\Application Data\Smart Security\
  • %UserProfile%\Application Data\Smart Security\cookies.sqlite
  • %UserProfile%\Application Data\Smart Security\Instructions.ini
  • %UserProfile%\My Documents\hijackthis.log
  • %UserProfile%\Recent\ANTIGEN.drv
  • %UserProfile%\Recent\CLSV.tmp
  • %UserProfile%\Recent\eb.dll
  • %UserProfile%\Recent\eb.exe
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\fan.drv
  • %UserProfile%\Recent\fan.sys
  • %UserProfile%\Recent\fix.exe
  • %UserProfile%\Recent\kernel32.exe
  • %UserProfile%\Recent\kernel32.tmp
  • %UserProfile%\Recent\PE.sys
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\sld.drv
Old Smart Security
  • C:\Documents and Settings\All Users\Start Menu\Programs\Smart Security
  • C:\Program Files\Smart Security
  • C:\Program Files\Smart Security\SmartSecurity.exe
  • C:\Program Files\Smart Security\unins000.dat
  • C:\Program Files\Smart Security\unins000.exe
%UserProfile% refers to the current user's profile folder. A typical path is C:\Documents and Settings\ for Windows 2000/XP; C:\Users\ for Windows Vista&7.

Registry keys and values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SMae0_289.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25567"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" ="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Security"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
Old Smart Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Security_is1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SmartSecurity"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SmartSecurity"
Share the knowledge:

No comments:

Post a Comment