smt.exe – FakeAV “XP Anti-Virus 2011″

Dmitry Sokolov recommends UnHackMe!


UnHackMe quickly removes pop-up ads, search redirecting, browser hijack, spyware, keyloggers, PC slowdown issues. Download Now!

Download step by step PDF manual

Join us on Facebook
Click to Download
Solved! The issue has been fixed!
5 Stars (5 / 5)


Share This:

The file smt.exe is a part of Fake Antiviral software.
You must delete the file smt.exe immediately!
Delete the file smt.exe without delay!
Kill the process smt.exe and remove smt.exe from Windows startup.

Malware Analysis of “XP Anti-Virus 2011″
Executed: 16.exe
Removed: smt.exe. Full path: C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe


Your Vote?
0 0

—————————————————————————————————————————-
Detected by RegRun Warrior:

1. RegRun Reanimator:

Item Name: .exe
Author: Unknown
Related File: “C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “%1″ %*
Type: Main File Extensions

2. Multi AntiVirus scan:

- none -

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\:
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe””

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\:
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”

Registry: HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\:
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Internet Explorer\iexplore.exe””

Files:
C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe
—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys deleted:5
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000
HKLM\System\CurrentControlSet\Services\wuauserv
HKLM\System\CurrentControlSet\Services\wuauserv\Parameters
HKLM\System\CurrentControlSet\Services\wuauserv\Security

———————————-
Values deleted:16
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Service: “wuauserv”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Legacy: 0×00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\ConfigFlags: 0×00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\DeviceDesc: “Automatic Updates”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\NextInstance: 0×00000001
HKLM\System\CurrentControlSet\Services\wuauserv\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll: “C:\WINDOWS\system32\wuauserv.dll”
HKLM\System\CurrentControlSet\Services\wuauserv\Type: 0×00000020
HKLM\System\CurrentControlSet\Services\wuauserv\Start: 0×00000002
HKLM\System\CurrentControlSet\Services\wuauserv\ErrorControl: 0×00000001
HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath: “%systemroot%\system32\svchost.exe -k netsvcs”
HKLM\System\CurrentControlSet\Services\wuauserv\DisplayName: “Automatic Updates”
HKLM\System\CurrentControlSet\Services\wuauserv\ObjectName: “LocalSystem”
HKLM\System\CurrentControlSet\Services\wuauserv\Description: “Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.”

———————————-
Values added:6
———————————-
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0×00000001
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0×00000001
HKCU\Software\Microsoft\Windows\Identity: 0x897E84E8

———————————-
Values modified:14
———————————-
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: “C:\Program Files\Mozilla Firefox\firefox.exe”
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe””
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: “”C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”
(-) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: “C:\Program Files\Internet Explorer\iexplore.exe”
(+) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe” -a “C:\Program Files\Internet Explorer\iexplore.exe””
(-) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0×00000000
(+) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0×00000001
(-) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0×00000000
(+) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0×00000001
(-) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000004
(-) HKCU\Software\Clients\StartMenuInternet\: “FIREFOX.EXE”
(+) HKCU\Software\Clients\StartMenuInternet\: “IEXPLORE.EXE”

———————————-
Files added:5
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\olralxi5ci8w
C:\Documents and Settings\Administrator\Local Settings\Application Data\smt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\olralxi5ci8w
C:\Documents and Settings\Administrator\Templates\olralxi5ci8w
C:\Documents and Settings\All Users\Application Data\olralxi5ci8w

———————————-
Files [attributes?] modified:1
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

———————————-
Total changes:47
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

1. Download UnHackMe free 30-day version

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open UnHackMe main screen.
  2. Click on a Remote Assistant button.
  3. Follow instructions on a screen.
  4. We will contact you and send a solution of your problem.
  5. Remote assistance is free during trial period.

Enjoy!

Dmitry Sokolov - author of UnHackMe