Smart Security

The Smart Security virus poses as an anti-virus application to deceive computer users and hide its true identity and purpose. It comes from the authors who also created the infamous Security Tool and spreads the same way, most commonly through a fake online virus scanner. Typically, an Internet browser that redirects to fake web sites is a sign of Trojan infection. The Trojan’s main objective is to propagate the Smart Security virus. It modifies Internet browser settings and changes the default home page for a malicious purpose. Once the user lands on the fake online scanner, the site runs an automatic diagnostic on the computer. As expected, it reports a number of threats and security risks and advises installing Smart Security.

Once inside the computer, the Smart Security virus modifies system files and the registry. It embeds its own registry value so that the bogus software runs every time Windows starts. It then launches another virus scan, this time a local one, and consistently identifies similar threats. Next, it shows an alert to convince the victim to acquire a Smart Security activation code or registration key. Since the program is rogue, we never expect it to be fully functional security software. The sole purpose of Smart Security’s author is to earn money by deceiving computer users.

Damage Level: Low

Systems Affected: Windows

Smart Security Removal Procedures

Smart Security REMOVAL TOOL:
To completely remove the threat, download and run Malwarebytes Anti-Malware (MBAM). Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it on a clean computer and rename the executable file before running it on the infected computer.

MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Smart Security”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random characters).exe or SMae0_289.exe

2. Update the installed antivirus application so that it has the latest database.

3. Thoroughly scan the system and remove any detected threats. If removal is not permitted, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. See the files listed below that are related to the Smart Security virus.

4. Registry entries created by Smart Security must also be removed from the Windows system. Refer to the entries listed below that are associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
- For Windows Vista/7: Go to Start > Search programs and files, type “regedit” and press Enter.

5. Exit registry editor.

6. Remove the Smart Security start-up entry by going to Start > Run and typing msconfig in the “Open” box. A window containing the System Configuration Utility will open. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe or SMae0_289.exe

7. Click Apply and restart Windows.

Technical Details and Additional Information:

Malicious Files Added by Smart Security
c:\Documents and Settings\All Users\Application Data\er41ss\SMae0_289.exe
c:\Documents and Settings\All Users\Application Data\er41ss\SMS.ico
c:\Documents and Settings\All Users\Application Data\er41ss\sqlite3.dll
c:\Documents and Settings\All Users\Application Data\er41ss\SMSSys\vd952342.bd
c:\Documents and Settings\All Users\Application Data\SMUVZICOS\SMSYYTICS.cfg
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Smart Security.lnk
%UserProfile%\Application Data\Smart Security\cookies.sqlite
%UserProfile%\Application Data\Smart Security\Instructions.ini
%UserProfile%\Desktop\Smart Security.lnk
%UserProfile%\Desktop\Smart_Security\4d0493aabb97d8er41ss42668ec8a22e.ocx
%UserProfile%\Recent\ANTIGEN.drv
%UserProfile%\Recent\eb.dll
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\fan.drv
%UserProfile%\Recent\fan.sys
%UserProfile%\Recent\fix.exe
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\sld.drv
%UserProfile%\Start Menu\Smart Security.lnk
%UserProfile%\Start Menu\Programs\Smart Security.lnk

File Location for Windows Versions:

  • For Windows Vista/7, %UserProfile% is C:\Users\<Current User>; for Windows XP/2000, it is C:\Documents and Settings\<Current User>.

Smart Security Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PRS” = “http://127.0.0.1:27777/?inj=%ORIGINAL%”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:25567”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “DisallowRun” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Smart Security”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = “no”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyEnable” = “1”
HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\SMae0_289.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=289&q={searchTerms}”
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=289&q={searchTerms}”
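
A read-only way to check a machine for the HKEY_CURRENT_USER values listed above before opening regedit, as an added example that is not part of the original guide. It assumes PowerShell 2.0 or later is installed; the function name Test-SmartSecurityRegistry and the $checks table are made up for this illustration, and the HKEY_CLASSES_ROOT and HKEY_USERS entries are not covered.

```powershell
# Read-only audit of the HKCU values listed under "Smart Security Registry Entries".
# Nothing is modified; review each hit before deleting it in regedit.
# Bad is a -like pattern for the value data given in the guide ('*' = any data).
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';
       Name = 'PRS'; Bad = 'http://127.0.0.1:27777/*' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';
       Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';
       Name = 'CheckExeSignatures'; Bad = 'no' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
       Name = 'ProxyServer'; Bad = 'http=127.0.0.1:25567' },
    # ProxyEnable = 1 and DisallowRun = 1 can also be set legitimately;
    # weigh them together with the other hits rather than on their own.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
       Name = 'ProxyEnable'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'DisallowRun'; Bad = '1' },
    # The Run value's data shows which executable is started at logon.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name = 'Smart Security'; Bad = '*' }
)

function Test-SmartSecurityRegistry {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value is the clean case: skip it silently.
        $props = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $prop = $props.PSObject.Properties[$c.Name]
        if ($null -eq $prop) { continue }
        # Compare as text so DWORD 1 and string "1" are treated alike.
        if ([string]$prop.Value -like $c.Bad) {
            New-Object PSObject -Property @{
                Key   = $c.Key
                Name  = $c.Name
                Value = $prop.Value
            }
        }
    }
}

# One row per matching value; no output means none of the listed values is set.
Test-SmartSecurityRegistry -Checks $checks | Format-List Key, Name, Value
```

Run it in the affected user's session, since HKEY_CURRENT_USER is per user.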

Alternative Removal Method for Smart Security

Option 1: Use Windows System Restore to return Windows to a previous state

If Smart Security enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before Smart Security infiltrated the PC, we highly encourage you to run this procedure if none of the above works.