Saturday, October 9, 2010

How to remove Smart Engine malware (Uninstall Guide)

Smart Engine is a rogue anti-virus program that deliberately reports false system security threats on the computer. It's a clone of My Security Shield. It masquerades as legitimate security software and claims that your computer is infected with malware. The rogue program only pretends to scan your computer for malicious software. Smart Engine is a scam, don't install/purchase it. This fake anti-virus program is promoted mostly through the use of Trojans, fake online anti-malware scanners and malicious websites. If your computer is infected with this virus, please follow the removal instructions below to remove Smart Engine from your computer for free using legitimate anti-malware software.



Once Smart Engine is installed, it will claim that your computer is heavily infected witl all sorts of malware. Furthermore, it will constantly display fake security warnings and pop ups that attempt to further scare you into thinking your PC is infected with Trojans, spyware, worms and other viruses. These warnings should be ignored as they are false as well. Here's how one of many fake Smart Engine alerts reads:
Windows Security Alert
To help ptotect your computer, Windows Firewall has blocked
some features of this program.

System Alert
malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using Smart Engine.


The bad news is that Smart Engine blocks legitimate programs and system utilities. It modifies Windows hosts file and hijacker web browsers. You will have to use certain tools and methods to disable this virus and then download malware removal software.

It goes without saying that SmartEngine was created with only one purpose; to scare you into thinking that your computer is infected so that you will purchase Smart Engine. Please note that this fake program won't remove any infections from your computer. By no means should you purchase this program. And if you have already bought it then please contact your credit card company and dispute the charges. Then please follow the removal instructions below. Last, but not least, if you have any questions, please leave a comment. Good luck and be safe online!


Smart Engine removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for similar processes in the list and end it:
  • SM19b_3912.exe
  • SmartEngine.exe
OR download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKCU\..\Run: [Smart Engine] "C:\Documents and Settings\All Users\Application Data\19cdab\SM19b_3912.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Engine removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Engine associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\19cdab\
  • C:\Documents and Settings\All Users\Application Data\345d567\853.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\SmartEngine.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SM19b_3912.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SME.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\345d567\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\19cdab\MSSSys\
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Smart Engine\
  • %UserProfile%\Application Data\Smart Engine\cookies.sqlite
  • %UserProfile%\Application Data\Smart Engine\Instructions.ini

%UserProfile% refers to:
C:\Documents and Settings\ (for Windows 2000/XP)
C:\Users\[User Name]\AppData (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SMae0_2129.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25437"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Version/10.02129"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Engine"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
Share this information with other people:

No comments:

Post a Comment