6 Replies Latest reply on Jun 2, 2012 11:42 AM by Hayton

    Removing SMART Recovery Malware

      I have another PC that has been infected with "S.M.A.R.T. Recovery". It appears to be active on only one user account. When it hit, McAfee popped up and claimed to have removed it. It may be difficult to fix from that user account. Can I do removal procedures from another user account? I have read instructions from the McAfee site to remove it, pasted below. I am a bit scared of using the Windows recovery disc, if I can find it or create a new one. Through research I am finding claims that other malware detection software, such as Spyware Doctor, will remove it. Any advice?

       

       

      1. Disable System Restore.

      2. Update to current engine and DAT files for detection and removal.

      3. Run a complete system scan.

      Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

      1. Please go to the Microsoft Recovery Console and restore a clean MBR.

      Insert the Windows CD into the CD-ROM drive and restart the computer.
      Click on "Repair Your Computer"
      When the System Recovery Options dialog comes up, choose the Command Prompt.
      Issue 'bootrec /fixmbr' command to restore the Master Boot Record
      Follow onscreen instructions
      Reset and remove the CD from CD-ROM drive.

       

      System info:

      McAfee Security Center: Version 11.0, Build 11.0.669

      Virus Scan: Version 15, Build 15.0.300

      Windows 7 Home Premium: Version 6.1, Build 7601: Service Pack 1

        • 1. Re: Removing SMART Recovery Malware
          Hayton

          I wasn't aware that McAfee was detecting this, because McAfee gives these infections names which are hard to reconcile with their commonly-used names. The other name I know is used for this detection is "Win32:FakeSysdef".

           

          Where did you find the removal information that you include in your post? It came from a vil.nai database entry, from the look of it.

           

          Before I offer any advice please read this blog entry from Avast

          https://blog.avast.com/2012/05/09/%E2%80%9Cfix-your-hard-disk%E2%80%9D-with-fake-s-m-a-r-t-repair-tool

          and let me know if this is what you've got. If the malware is still demanding an activation code you could try the one that was current when the blog was written, which was "08869246386344953972969146034087". Do not ring any phone number that may be offered in the malware's accompanying screen text as a Customer Support number. I checked the one for the UK and it redirects to an overseas number (at premium rates, I would guess).

          • 2. Re: Removing SMART Recovery Malware
            Hayton

            I belatedly realised this one belongs in Top Threats, so the discussion has been moved there.

            • 3. Re: Removing SMART Recovery Malware

              Thanks for your help. I am going to try it. How would you recommend uninstalling once I have it registered?

               

              I did not notice if McAfee actually named the infection or not; it just advised that it had detected it and removed it. The SMARTRecovery tool that came up looked suspicious, so I went to another PC for research.

               

              The removal info I referred to was at

              http://www.mcafee.com/apps/search/threat.aspx?q=smart recovery&v=malware

              • 4. Re: Removing SMART Recovery Malware
                Hayton

                Well, McAfee says it's detected and removed it, which is good. I searched a bit more, and this so-called "S.M.A.R.T. Recovery" program is a reissue of an existing Fake AV program with a new name. According to Microsoft this basic program now has dozens of variants, with mostly minor differences between them. It's been around for quite some time, which is why that link to the McAfee database produced at least a thousand hits.

                 

                I don't know why the particular entry you quoted from is requiring you to replace the MBR. Microsoft says nothing about it in its Encyclopedia entry for this. Check the following Microsoft articles :

                http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeSysdef

                http://support.microsoft.com/kb/2617291 - "How to remove the PC Repair virus".

                 

                Note the warning at the end of the first article -

                This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat

                For more information on returning an infected computer to its pre-infected state, please see the following article/s

                 

                McAfee's cure may or may not include that additional step, but it's worth looking to see what needs to be done.

                 

                If you want to be sure that all traces of the infection are gone you can download and run Microsoft's Safety Scanner (link in the article) and/or Malwarebytes (the free version only).

                 

                Before you do anything about the MBR it's as well to make sure that it really is infected. Read this article for instructions on what to do :

                http://windows7themes.net/how-to-check-mbr-for-virus-infection-via-mbrcheck.html


                The article has a link to follow if your MBR is infected. The information in the article is intended for Windows 7 users.

                 

                Edit - I missed something important in your post. Try it first from the user account with the infection. If you have any problems, reboot into Safe Mode with Networking and run as Administrator. You might also need to do some extra cleaning up afterwards, according to this removal guide -

                http://malwaretips.com/blogs/remove-data-recoverys-m-a-r-t-hddrepair-and-check-virus/

                Note, steps 6, 7, and 8 only - and only if you're not seeing files, shortcuts, icons and so on (they may be hidden). All the rest will already have been taken care of.

                 

                As a final step, you could clear your restore points and then immediately re-enable System Restore, just in case the infection has found a home in a restore point.

                 

                Message was edited by: Hayton on 02/06/12 17:18:16 IST
                • 5. Re: Removing SMART Recovery Malware

                  Thanks. Entering the key worked; however, many programs are now missing. Is there a way to get them back? System Restore possibly?

                  • 6. Re: Removing SMART Recovery Malware
                    Hayton

                    Follow the advice I gave above. Summary : McAfee scan - Quick or Full. Then a secondary scan with another detector, Microsoft or Malwarebytes (or both). Follow the Microsoft advice about undoing "lasting changes". Run this program to unhide any hidden files -

                    "http://download.bleepingcomputer.com/grinler/unhide.exe"

                     

                    If anything else looks wrong go to steps 6,7 and 8 in the malwaretips.com blog post. Then check the MBR.
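
A read-only way to check, from the affected user account, whether the "files, shortcuts, icons ... may be hidden" condition mentioned in the thread applies before running an unhide tool. This is an added example, not part of any post in the thread or of the linked guides; the function name Get-HiddenUserItems and the choice of folders are assumptions, as is the premise that affected items carry the Hidden attribute without System.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Assumption: the infection set the Hidden attribute on ordinary user files.
# Items that are Hidden+System (desktop.ini, Thumbs.db, profile junctions)
# are normal on Windows 7 and are skipped.
function Get-HiddenUserItems {
    param(
        # Folders to inspect; defaults resolve for the *current* user,
        # so run this while logged on as the affected account.
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('MyDocuments')
        )
    )
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force makes Get-ChildItem return hidden items as well.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Attributes -band $hidden) -and -not ($_.Attributes -band $system)
            } |
            Select-Object @{n='Root';e={$root}}, FullName, Attributes, LastWriteTime
    }
}

$items = @(Get-HiddenUserItems)

# Per-folder totals first, then a sample of what was found.
$items | Group-Object Root | Select-Object Count, Name | Format-Table -AutoSize
"{0} hidden non-system item(s) found" -f $items.Count
$items | Select-Object -First 20 FullName, LastWriteTime | Format-Table -AutoSize
```

A count near zero suggests nothing needs unhiding; a large count with recent LastWriteTime values on ordinary documents and shortcuts is the situation the unhide step is meant for.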