Remove Data Recovery,S.M.A.R.T HDD,Repair and Check virus

If you are seeing a Serious Disk Error Writing Drive C:\ alert on your computer screen,then as you probably already suspect you’re computer has been infected with a rogue software.
The malicious software is known as Smart HDD,Data Recovery,S.M.A.R.T Virus or S.M.A.R.T Check and has changed your desktop background,hidden your files and shortcuts and it’s causing browsing redirects.
In addition the S.M.A.R.T Virus will display fake alerts, claiming that several hard drive errors were detected on your computer.In reality, none of the reported issues are real, and are only used to scare you into buying S.M.A.R.T Virus and stealing your personal financial information.
We strongly advise you to follow our S.M.A.R.T Virus removal guide and ignore any alerts that this malicious software might generate.Under no circumstance should you buy this rogue security software as this could lead to identity theft.
If you’ve got a S.M.A.R.T Virus infection , you’ll be seeing this screens :
[Image: Smart-HDD.png]

[Image: Smart-HDD.png]

[Image: Smart-HDD.png]

Registration codes for S.M.A.R.T Virus

As an optional step,you can use the following license key to register S.M.A.R.T Virus and stop the fake alerts.
Data Recovery Rogue: 08869246386344953972969146034087
SMART HDD Rogue: 15801587234612645205224631045976

Please keep in mind that entering the above registration code will NOT remove S.M.A.R.T Virus from your computer , instead it will just stop the fake alerts so that you’ll be able to complete our removal guide more easily.

Removal guide for S.M.A.R.T Virus

STEP 1 : Start your computer in Safe Mode with Networking

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Press and hold the F8 key as your computer restarts.Please keep in mind that you need to press the F8 key before the Windows  start-up logo appears.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking , and then press ENTER.
    [Image: Safemode.jpg]
  4. Log on to your computer with a user account that has administrator rights

STEP 2: Remove S.M.A.R.T Virus malicious proxy server

S.M.A.R.T Virus may add a proxy server which prevents the user from accessing the internet,follow the below instructions to remove the proxy.

  1. Start Internet Explorer [Image: S.M.A.R.T Virus- IE] and if you are using Internet Explorer 9 ,click on the gear icon   [Image: IE gear icon] (Tools for Internet Explorer 8 users) ,then select Internet Options.
    [Image: Internet-options-IE.png]
  2. Go to the tab Connections.At the bottom, click on LAN settings.
    [Image: Remove-proxy-server2.png]
  3. Uncheck the option Use a proxy server for your LAN. This should remove the malicious proxy server and allow you to use the internet again.
    [Image: Remove-proxy-server3.png]

If you are a Firefox users, go to Firefox(upper left corner) → Options → Advanced tab → Network → Settings → Select No Proxy

STEP 3: Run RKill to terminate known malware processes associated with S.M.A.R.T Virus.

RKill is a program that attempts to terminate any malicious processes associated with S.M.A.R.T Virus ,so that your normal security software can then run and clean your computer of infections.

As RKill only terminates a program’s running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again.

  1. While your computer is in Safe Mode with Networking ,please download the latest official version of RKill.
    [Image: download-rkill.png
  2. Double-click on the RKill iconin order to automatically attempt to stop any processes associated with S.M.A.R.T Virus.
    [Image: run-rkill-1.png]
  3. RKill will now start working in the background, please be patient while the program looks for various malware programs and tries to terminate them.
    [Image: run-rkill-2.png]
    IF you receive a message that RKill is an infection, that is a fake warning given by the rogue. As a possible solution we advise you to leave the warning on the screen and then try to run RKill again.Run RKill until the fake program is not visible but not more than ten times.
    IF you continue having problems running RKill, you can download the other renamed versions of RKill from here.
  4. When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.
    [Image: S.M.A.R.T Virus rkill3.jpg]

WARNING: Do not reboot your computer after running RKill as the malware process will start again , preventing you from properly performing the next step.

STEP 4: Remove S.M.A.R.T Virus malicious files with Malwarebytes Anti-Malware FREE

  1. Please download the latest official version of Malwarebytes Anti-Malware FREE.
    download Malwarebytes
  2. Install Malwarebytes’ Anti-Malware by double clicking on mbam-setup.
    [Image: malwarebytes-installer.png]
  3. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finishbutton. If Malwarebytes’ prompts you to reboot, please do not do so.
    [Image: install-malwarebytes.png]
  4. Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
    [Image: decline-trial-malwarebytes.png]
  5. On the Scanner tab,please select Perform full scan and then click on the Scan button to start scanning your computer for any possible infections.
    [Image: malwarebytes-full-system-scan.png]
  6. Malwarebytes’ Anti-Malware will now start scanning your computer for S.M.A.R.T Virus malicious files as shown below.
    [Image: malwarebytes-scanning.png]
  7. When the scan is finished a message box will appear, click OK to continue.
    [Image: malwarebytes-scan-finish.png]
  8. You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
    [Image: malwarebytes-scan-results.png]
  9. Malwarebytes’ Anti-Malware will now start removing the malicious files.If during the removal process Malwarebytes will display a message stating that it needs to reboot, please allow this request.
    [Image: malwarebytes-reboot-prompt.png]

STEP 5: Double check your system for any left over infections with HitmanPro

  1. This step can be performed in Normal Mode ,so please download the latest official version of HitmanPro.
    [Image: Download Hitman Pro]
  2. Double click on the previously downloaded file to start the HitmanPro installation.
    [Image: hitmanpro-icon.png]
    NOTE : If you have problems starting HitmanPro, use the “Force Breach” mode. Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
  3. Click on Next to install HitmanPro on your system.
    [Image: installing-hitmanpro.png]
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
    [Image: hitmanpro-setup-options.png]
  5. HitmanPro will start scanning your system for malicious files. Depending on the the size of your hard drive, and the performance of your computer, this step will take several minutes.
    [Image: hitmanpro-scanning.png]
  6. Once the scan is complete,a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click Next.
    [Image: hitmanpro-scan-results.png]
  7. Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: hitmanpro-activation.png]
  8. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

STEP 6: Unhide your files and folders

S.M.A.R.T Virus modifies your file system in such a way that all files and folders become hidden, to restore the default settings , you’ll need to run the below program.

  1. Download Unhide.exe, to unhide your files and folders.
    Download Unhide.exe
  2. Double-click on the Unhide.exe icon on your desktop and allow the program to run.The whole process should not take more than 5 minutes to complete,and at the end this utility will generate a report.
    Unhide files utility

STEP 7 : Restore your shortcuts and remove any left over malicious registry keys

S.M.A.R.T Virus has moved your shortcuts files in the Temporary Internet folder and added some malicious registry keys to your Windows installation , to restore your files we will need to perform a scan with RogueKiller.

  1. Please download the latest official version of RogueKiller.
    download RogueKiller
  2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
    [Image: roguekiller-1.png]
  3. After the scan has completed, press the Delete button to remove any malicious registry keys.
    [Image: roguekiller-2.png]
  4. Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.
    [Image: roguekiller-1.png]

STEP 8: Get your desktop look back!

S.M.A.R.T Virus changes your desktop background to a solid black color,to change it back to default one follow the below instruction.

    • Windows XP : Click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Display icon. From this screen you can now change your Theme and desktop background.
    • Windows 7 and Vista : Click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Appearance and Personalization category. Then select Change the Theme or Change Desktop Background to revert back to your original Theme and colors.

What’s next? Join our amazing community and build up your malware defenses !

IT’S YOUR TURN TO HELP!

If we have managed to help with your computer issues, then please let other people know that this article will help them!
You can share this article on Facebook,Twitter or Google Plus by using the below buttons.

ABOUT STELIAN PILICI

I am the creator and owner of MalwareTips.com.
My area of expertise includes malware removal and computer forensics. I'm active in the various online anti-malware communities where I do researches for new malware threats as they are released.
I live in Bucharest (Romania), where I run my own local computer repair shop.
I repair both hardware and other operating systems related issues, however most of my business is malware related problems.

You can follow me on Google+ , and I will keep you up-to-date with the latest computer infections and malware threats.

SUPPORT MALWARETIPS! (OPTIONAL)

All our malware removal guides and utilities are completely free!
We do not request any kind of payment for our services, however if you like to support us with our website costs, you can make a small donation. Any amount is appreciated, and will support our fight against malware.
  • lullu

    Hola cool that you’re a Barce fan :) I was infected by the file restore virus I then got a programme on line that said it would kill it pctools spyware they told me to rename it then delete it and it has relaunched itself as hidden it stops me from using my various email accounts makes browsing very tricky and previously I tried to save my data on a usb stick and windows wouldn’t upload it’s a cyber nightmare real messy and it seems no way out of this cyber maze . I went to the registry but was uncertain of what to delete there any help at all would you be so much appreciated . I have downloaded malaware but not sure if that works either !

    • Stelian Pilici

      Hello lullu,
      Please follow the instructions from this article,it should remove the infection and restore your files!

  • http://malwaretips.com Jan

    Thank you so much for the help in getting my computer files back again. I followed instructions however I cannot turn on the Firewall or access any Windows updates. I have McAfee Security on the system. I have read the comments about the fix for Windows 7 please could you let me know if there is a fix for Vista?

  • Dick

    Thank you for providing this information. I almost fell into the identity theft trap until I read your blog. And the repair instructions were perfect and easy to follow. Thanks!!!!!!

  • John

    I have malware which has completely wiped my desktop leaving a window instructing me that my computer is locked and to pay to have it unlocked. I have tried to implement your instructions but within a couple of seconds starting in safe mode reverts to normal mode leaving me back in square one, so I cannot access the internet or anything else. How can I overcome this, can you help?

    • Stelian Pilici

      Hello John,
      You have a ransomware virus on your computer.Please follow the instructions from this guide: http://malwaretips.com/blogs/remove-fbi-alert-moneypak-virus/

      Good luck!

      • John

        Thank you very much for your advice but I’m afraid it’s beaten me. I succeeded in burning kav_10 and used it to boot but when I try to prompt ‘windowsunlocker’ (via ‘Terminal’) I receive ‘Command not found’. The Scan/Update window is already there and the Update takes about 10 minutes but scan does not progress beyond 0%, takes only a few seconds, and finds nothing (it appears not to work – is the virus blocking it?). After 2 or 3 attempts the program will advance no further than the licence agreement as it will no longer allow me to accept it. My PC now will not even allow me to choose between SAFE or NORMAL mode as the very first screen stops halfway for about 3 minutes, then askes me to change the disk (it requires a CD ROM). Is this all the virus, or do I now have a hardware fault? I am a pensioner using the PC for my projects and am not at all computer literate, I was actually proud of myself for having got this far which is a testimony to your instructions.

        • Stelian Pilici

          Lets see if we can fix this John.
          Please see: http://support.kaspersky.com/viruses/rescuedisk/all?page=1&qid=208286101

          Using Kaspersky Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
          – userinit parameter is supposed to be C:\Windows\system32\userinit.exe,
          -shell parameter is supposed to be Explorer.exe

          Please make a note of the malware parameters and then post the malware parameters and then change the parameters to the correct.Reboot you machine.

          If still no go, using Kaspersky Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and
          HKEY_USERS\<name of the problem user>\Software\Microsoft\Windows\CurrentVersion\Run
          and post back with anythig that looks abnormal (entries with random letters or numbers…etc).

  • SMITA

    Thank Lord Jesus first of all a trillion times for your great brain, kind heart, mind and hardworking … Please give all glory to Him… you or me is nothing on earth… and finally thanks for your precious time for all of us here…with similar kind of issues. Before getting your site here, I had installed malwarebytes as soon as I saw all files n fldrs disappearing on my desktop. Hence had started scanning as well, before your detailed instructions. After that I removed all virus by checking all boxes in the result. next in a hurry I just tried to unhide files from folder settings, so in a sense I have recovered files on my desktop, but few issues still remain, like I cannot see system restore button in start menu, progs, accesories, sys tools. I thought of doing sys restore, since there are few changes after this virus attack. And few programme files still show that its empty, means all are not unhidden still that means. And I see a shortcut icon on desktop saying file restore, which I dont know how it came, had’nt seen it before I guess. And in your 8 steps, I have done only 1 that is installed malwarebytes and scanned my system. Is it imp for me to do other steps, if yes which I should. And as I use snaggit for official work, shortcut key to capture snagit is missing although snagit is there right now. so please hurry to answer my last question atleast since I’m in a hurry to do my official work as of now.

    • Stelian Pilici

      Hello SMITA,
      1.Can you please follow the instructions from this guide: http://malwaretips.com/Thread-Files-still-hidden-after-smart-hdd-removal-and-unhide-exe?pid=55462#pid55462
      2.Please perform the following scans:
      STEP 1: Run a scan with Emsisoft Emergency Kit.

      1. Please download the latest official version of Emsisoft Emergency Kit.
        EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)
      2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip and then double click on EmergencyKitScanner.bat
      3. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC“.
      4. Select “Smart scan” and click-on the below “SCAN” button.When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects‘ button.

      STEP 2: Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish
  • Jennifer

    Thank you so much for this instructions!

  • Anna

    Hi Stelian,

    Thank you so much for this it worked wonderfully the only thing is I still have a file on my computer called data recovery which when clicked on is the S.M.A.R.T checker that came up originally with all the pop up boxes. I’ve run malware bytes and my anti virus mcafee and it says there is no risk, is this the case? I’ve also tried to uninstall it but it does not show up there. Please help, I’m scared to use my computer still.

    Thank you

    • Stelian Pilici

      Hello Anna,
      That should be just an left over file from this infection.Right click on it and select delete to get rid of it.
      NEXT,for your peace of mind, please perform the following scans:
      STEP 1: Run a scan with Emsisoft Emergency Kit.

      1. Please download the latest official version of Emsisoft Emergency Kit.
        EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)
      2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip and then double click on EmergencyKitScanner.bat
      3. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC“.
      4. Select “Smart scan” and click-on the below “SCAN” button.When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects‘ button.

      STEP 2: Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish
      • Anna

        Thank you so much Stelian! I had tried to delete this leftover file a number of times and it just kept coming back but following these last instructions it has gone completely. It’s a great to know there is somewhere to come if this happens as I was ready to just buy a new computer. I have told all my friends about this site and you. Thank you again.

  • Gabistrumf

    Thank you so much. So helpful your article ! Worked for me like a charm.
    God bless you !

  • Jason

    I followed your instructions and removed the SMART virus from my computer about 2 months ago. However, I seem to have the virus again on my computer (actually on two of my computers… grrrrrrrrrrr.) The virus seems to have changed. It is not called the SMART virus but it most of the windows look the same.

    I am unable to get connection to the internet. I did use a thumb drive to run malwarebytes. However, I cannot run hitman pro, because it asks for an internet connection. Malwarebytes is unable to remove the virus by itself. Any suggestions? Thanks! Jason

    • Stelian Pilici

      Hello Jason,
      Can you please run a scan with Combofix and Complete Internet Repairso that I can get an idea on what’s going on :
      STEP 1 : Run a scan with Combofix
      Download ComboFix from one of the following locations:
      COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
      COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
      VERY IMPORTANT !!! Save as Combo-Fix.exe during the download.ComboFix must be renamed before you download to your Desktop

      • Close any open browsers.
      • Very Important!: Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      1. Double click on ComboFix.exe & follow the prompts.
      2. Accept the disclaimer and allow to update if it asks
      3. When finished, it shall produce a log for you.

      Notes:

      1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
      2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
      3. If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

      STEP 2: Run a scan with Complete Internet Repair utility

      1. Download Complete Internet Repair utilityto your desktop
      2. Unzip all the files to their own folder on the desktop
      3. Within the folder double click CIntRep
      4. Select the following items,then press the GO button.
        • Reset Interent Protocol (TCP/IP)
        • Repair Winsock (Reset Catalog)
        • Renew Internet Connection
        • Flush DNS Resolver Cache
        • Reset Windows Firewall Configuration
        • Reset the default hosts fie

      Waiting for your reply to tell me if your machine is ok and the logs from this utilities.

  • Scott St. John

    Hello Stelian, You saved My Bacon. I have executed all steps. I have a dual boot system. Both drives were compromised. (A.) Drive Start Menu shows folders with prog. names. When clicked on programs do not run. When right clicked folders show as empty. (B.) Drive Start Menu show programs as icons with name of prog. left sigle click opens prog. right click will not expose sub folders. What is to be done next ? Once again you Rock. I wil be donating as well as liking you and singing your praises .

    • Stelian Pilici

      Hello Scott,
      No need for money,just stay safe from now on!!
      Have an awesome life!:D

  • Scott St. John

    Wow : I`ve been working at a distance w/my Tech. He suggested a search which turned up _U_ YOU ROCK ! Detailed accurate easy to follow advice. I am on IT at this moment. It is looking less bleak thanks to you.

  • majortrouble

    I had all these same things pop up as you have stated thru the article but when I start my computer I get nothing but a black screen with a blinking cursor!!! I can press F2 for system setup but that is all if i try & do anything else it says keyboard failure!! Please HELP!!!!

    • Stelian Pilici

      Hello,
      Did you go into Safe Mode with Networking as seen in Step 1 of this guide?

  • Wendy

    Excellent instructions. You are fantastic. Thank you!

  • Carlota

    Hello, I went through all your steps and they were amazing, solved my problem right away. I have however only one issue left. Internet works 10 times slower after my virus and skype doesnt work. Starts signing in and then sais it has an error and closes down. Ive trying uninstalling and installing again but it doesnt work. Any clues what might be happening?

    thanks again

    • Stelian Pilici

      Hello Carlota,
      STEP 1 : Run a scan with Combofix

      Download ComboFix from one of the following locations:

      COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
      COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)

      VERY IMPORTANT !!! Save as Combo-Fix.exe during the download.ComboFix must be renamed before you download to your Desktop

      • Close any open browsers.
      • Very Important! Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      1. Double click on ComboFix.exe & follow the prompts.
      2. Accept the disclaimer and allow to update if it asks
      3. When finished, it shall produce a log for you.

      Additional notes:

      1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
      2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
      3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

      STEP 2: Run a scan with ESET Online Scanner:

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish

      Next, download Windows Repair All In One and install this utility.
      Go to the Startup Repairs tab and click the Start button (bottom right)
      Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.

      1. Click Unselect All
      2. Put a checkmark in the following items:
        • Repair Hosts File
        • Remove Temp Files
        • Repair Windows Firewall
        • Remove Policies Set By Infections
        • Set Window Services To Default Startup

        Note: Leave everything else unchecked

      3. Put a checkmark in Restart System When Finished
      4. Now click the Start button (bottom right)
  • Melanie

    Yup I have it to but I think my case is worse! I started gatting attacked with all these pop ups. I can get to safemode with networking however after that my screen remains black and I get the following:
    Detecting primary master: Maxtor 4g120J6
    Detecting primary slave: none
    Detecting secondary master: CR-48x97e
    detecting secondary slave: hl-dt-stdvd-rom GDR8160b
    SMART Failure Predicted on Primary Master: Maxtor 4g120J6
    Warning (this is flashing): Immediatley back up your data and replace your hard disk. A failure may be imminent

    It then Tell me to press F2 to continue, or F1 to enter set up

    F2 just reboots my computer
    F1 brings to the BIOS utility

    I do not see anything wrong in bios but I am no expert. Can you help? This is an old CPU but still have items on their I hate to loose.

    • Stelian Pilici

      Hello Melanie,
      Lets work in Normal Mode then:
      STEP 1: Run a scan with Malwarebytes Anti-Malware in Chameleon Mode in Norman mode:

      1. Download Malwarebytes Chameleon from here and extract it to a folder in a convenient location
      2. Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
      3. If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
      4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you
      5. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
      6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
      7. Upon completion of the scan, if anything has been detected, click on Show Result
      8. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
      9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats

      STEP 2: Run a scan with RogueKiller

      1. Please download the latest official version of RogueKiller.
        RogueKiller Download Link (This link will automatically download RogueKiller on your computer)
      2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Scan button to perform a system scan.
      3. After the scan has completed, press the Delete button to remove any malicious registry keys.
      4. Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.

      STEP 3 Please perform a scan with HitmanPro as seen on the guide.
      If you are having problems starting this program please use the ForceBreach mode as described in the guide.


      STEP 4: Run a scan with ESET Online Scanner:

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish

      Waiting for your reply to tell me how everything is running!
      Good luck…

  • Stelian Pilici

    Hello Frank,
    Did you run any cleaning tools while you were infected???

    • frank

      Hi, Stelian,

      Many thanks a lot for your prompt reply. My labtop is using Norton360, when it was infected. I checked by Norton, I am not sure whether something is cleared, it only reminded me some malious file to fix.

      I have checked your old answers to Bernie Mack who has similar problem, indeed I found in the user->myname->Appda->local->temp->smtmp folds, there are only two folds named “1” and “4”, there is no “2” or”3″. As you advised, I copy the content of fold “4” to the right location, I recover the destkop icons. But, when I copy and paste the content of “1” fold into the right location: ProgramData->Microsoft->Windows->StartMenu, it still does NOT work (all the programs in the start menu are empty). If I copy the whole fold “1” (including the content) to the StartMenu fold, then in the start menu, I got a “1” fold, in the Program Fold in “1” fold, the programs are not empty and could be linked. I could not understand why I copy only the content under the start menu fold, it does NOT work.
      Thanks in advance really
      cheers
      frank

      • Stelian Pilici
        • Kath L

          I can’t thank you enough! I followed step-by-step and was able to get things back to normal. I still have a folder for smtmp and File_Recovery_License that were part of the recovery process- the file for my hidden folders and the file the creepy fake SMART program gave me when I used your code to get the process started- I put them in my recycle bin, but do I need them? Can I just permanently delete them now that my files and folders are restored? Thanks again!

          • Stelian Pilici

            Hello Kath,
            If everything is working,then you can delete those two files.
            Stay safe!

            • Melody M

              Stelian

              My hp laptop seams to have this or a similar virus. When I turn it on it goes to a black screen and says: 1720 SMART hard drive detects imminent failure failing attribute 5 – I hit f1 to continue and then I get popup windows title bar Microsoft windows and it states windows detected a hard disk problem – back up your files immediately and contact the computer manufacturer. Then it has two boxes to click start the backup process or ask me again later.

              Is this a virus or a hard drive issue? The hard drive was replaced in May of this year.

              Thanks in advance for any advice and/or help.

              Melody

              • Stelian Pilici

                Hello Melody,
                It’s not a hardware issue, this is how this virus behaves.You need to follow the guide from this page.
                If you’ll have any problems ,you can just reply here and I’ll help you!
                Good luck!

                • Melody M

                  Stelian

                  Thank you so much for your quick response! I followed all of the steps mentioned in the first part before the replies start and I am still getting the black screen at startup and the window is still popping up. Is there something else I should try? The popup does look different than your examples at the top of the page. I didn’t try anything else mentioned throughout the replies as I am unsure what exactly I should try.

                  Thank you so very much

                  • Stelian Pilici

                    Lets fix your computer.Can you please run a scan with Combofix, ESET online scanner and post the logs here so that I can get an idea on what’s going on:
                    STEP 1 : Run a scan with Combofix
                    Download ComboFix from one of the following locations:
                    COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
                    COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
                    VERY IMPORTANT !!! Save as Combo-Fix.exe during the download.ComboFix must be renamed before you download to your Desktop

                    • Close any open browsers.
                    • Very Important! Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
                    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
                    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
                    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
                    1. Double click on ComboFix.exe & follow the prompts.
                    2. Accept the disclaimer and allow to update if it asks
                    3. When finished, it shall produce a log for you.

                    Notes:

                    1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
                    2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
                    3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

                    STEP 2: Run a scan with ESET Online Scanner:

                    1. Download ESET Online Scanner utility.
                      ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
                    2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
                    3. Check Yes, I accept the Terms of Use
                    4. Click the Start button.
                    5. Check Scan archives
                    6. Push the Start button.
                    7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                    8. When the scan completes, push Finish

                    NEXT,please run a scan with HitmanPro and RogueKiller as seen on the guide.
                    Waiting for your reply to tell me if your machine is ok and the logs.

                    • Melody M

                      Thank you!!!

                      Two questions before I start should I do these scans in normal modes and when I download something it goes directly to download folder and does not let me rename until it is downloaded – can I rename there and then put on desktop?

                      Thank U Thank u Thank u!!!!

                    • Stelian Pilici

                      Yes,you can do this scans while your computer is in Normal mode.And yes,you can re-name it and then copy this file on your desktop.
                      Good luck!

                    • Melody M

                      Sorry if this is a repeat reply – I had to change computers as the one in question is not acting right ( : The combo fix stayed on a blue screen and basically said it should only take 10 minutes but maybe longer if it is badly infected. Then it said ‘HANDLE’ is not recognized as an internal or external operable program or batch file.
                      It stayed on that screen for hours until I finally shut it down.

                      I did not run ESET scanner because I am unsure if it is safe.

                      Is it safe to run the ESET scanner?

                      Thank you.

                      Melody

                    • Stelian Pilici

                      Hello Melody,
                      Please delete any copy of Combofix that you have and then download an updated version and try to run a scan while in Safe Mode with Networking.
                      Next,please run the ESET Scan.

                    • Melody M

                      ComboFix 12-10-04.01 – Owner 10/04/2012 9:16.1.2 – x86 NETWORK
                      Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2999.2470 [GMT -4:00]
                      Running from: c:\users\Owner\Downloads\ComboFix.exe
                      AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
                      SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
                      SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
                      SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
                      .
                      .
                      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      C:\DFR1997.tmp
                      c:\programdata\Roaming
                      c:\users\Owner\Documents\~WRD3824.tmp
                      c:\users\Owner\Documents\~WRL0462.tmp
                      c:\users\Owner\Documents\~WRL3768.tmp
                      c:\users\Owner\g2mdlhlpx.exe
                      .
                      .
                      ((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
                      .

                    • Stelian Pilici

                      Hello Melody,
                      It looks like Combofix and ESET got the hardcore part of this infection.How is your computer running?
                      We still have a malicious file that we need to remove.Can you please go to c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP and delete this file?
                      NEXT,while your computer is in Normal Mode,please run a scan with Malwarebytes,HitmanPro,RogueKiller and Unhide as see on the guide.

                    • Melody M

                      Sorry Stelian – my stupid computer is still starting with a black screen that says 1720 SMART hard drive detects imminent failure and the popup microsoft window that gives the option to backup or ask again later. I just keep hitting the X at the top right.

                      The Malware scan took 7 hours and did not detect anything. Below are the results from the unhide process and the rogue killer did not find anything.

                    • Stelian Pilici

                      Hello Melody,
                      How old is this machine?
                      Your computer is malware free,and it really seems that your computer is experiencing a hardware problem.At this point,you’ll need to bring the machine to a local shop and get the hard drive fixed.

                    • Melody M

                      Okay – Thank you very much for your help! The Machine is 4 years old and the hard drive was replaced in May of this year. Oh well.

                      Thanks again.

                      Melody

  • HenLee

    Thanks so much for superb step by step instruction. Very easy to follow and the best thing is working 100%. Everything working and back as normal. Thanks for your help. God Bless You.

    • Nick

      Thank you very very very much.

  • jan

    Thank you for good instruction.I get this virus and get rid of it without any problem.You are the man.

  • The Raven

    Thank you SO much…worked like a charm…

    • Coolguy

      Great step-by-step information. Caveman can do it !!

  • Pingback: Theguy()

  • Carl

    Like the August 5 and July 19 posts, my computer (running XP) will not connect to the internet in safe mode. I followed the suggestions (using a usb stick), but they don’t seem to work. ComboFix (renamed) starts to produce a log, then freezes. Hitman Pro immediately says it has suspended 2 files, but then continually tries to update on the internet (no matter what the settings are). Rkill also says it has suspended some files, but doesn’t seem to affect anything else. Just for completeness, I also tried Kaspersky (continuously said there was an error requiring reboot), Malwarebytes (runs with 70 day old definitions, but there’s no way to get updates using a usb), ESET (requires internet), and Emisisoft (quarantined 2 files, but no way to update on usb). All these were tried in both normal and safe modes. Links to any log files are lost on every reboot, and I would lose too much data on a reformat. What’s the next logical step?

    • Stelian Pilici

      Hello Carl,
      While in Normal Mode , can you connect to the Internet?
      IF yes,please follow this steps:
      STEP 1: Run a scan with Malwarebytes Anti-Malware in Chameleon Mode in Norman mode:

      1. Download Malwarebytes Chameleon from here and extract it to a folder in a convenient location
      2. Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
      3. If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
      4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you
      5. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
      6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
      7. Upon completion of the scan, if anything has been detected, click on Show Result
      8. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
      9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats

      STEP 2: Run a scan with RogueKiller

      1. Please download the latest official version of RogueKiller.
        RogueKiller Download Link (This link will automatically download RogueKiller on your computer)
      2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Scan button to perform a system scan.
      3. After the scan has completed, press the Delete button to remove any malicious registry keys.
      4. Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.

      STEP 3 Please perform a scan with HitmanPro as seen on the guide.
      If you are having problems starting this program please use the ForceBreach mode as described in the guide.


      STEP 4: Run a scan with ESET Online Scanner:

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish

      Waiting for your reply to tell me how everything is running!
      Good luck…

  • Mike

    I am glad I found your website. I have followed all of your steps above and, I think I have removed all of the malware but now when I boot up. My desktop starts to load but after a while it shuts down giving me the fatal error blue screen then reboots. If left alone it will do this endlessly. Can you help me out? How can I fix this?

    • Stelian Pilici

      Hello Mike,
      Can you please run a scan with Combofix,RogueKiller and ESET online scanner and post the logs here :

      STEP 1 : Run a scan with Combofix

      Download ComboFix from one of the following locations:

      COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
      COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)

      VERY IMPORTANT !!! Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

      • Close any open browsers.
      • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        ———————————————————–

        • Very Important! Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
        • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
          ———————————————————–
        • Close any open browsers.
        • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
        • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
        • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

        ———————————————————–

       

      1. Double click on ComboFix.exe & follow the prompts.
      2. Accept the disclaimer and allow to update if it asks
      3. When finished, it shall produce a log for you.

      Notes:

      1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
      2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
      3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

      STEP 2: Run a scan with RogueKiller

      1. Please download the latest official version of RogueKiller.
        RogueKiller Download Link (This link will automatically download RogueKiller on your computer)
      2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
      3. After the scan has completed, press the Delete button to remove any malicious registry keys.
      4. Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.

      STEP 3: Run a scan with ESET Online Scanner:

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish

      Next,please run HitmanPro and Malwarebytes as seen on the guide.
      Waiting for your reply to tell me if your machine is ok and the logs from this utilities.

      • Jerry AG

        Hi, got this STRANGE problem, according to SMART my disk has run for over 47 YEARS! I think this may be an indication that my SMART data is bad, it also has triggered the disk failure feature on the SMART HD so every time I boot, I get the DISK FAILURE SOON please backup. This hard drive came in an Ebay purchased laptop and the seller said it was a NEW drive when he installed it, however he had NEVER been able to get an OS on the laptop because it has a SATA drive and he couldn’t figure out how to boot it, I simply hooked up a USB floppy and installed the driver, however the HD immediately gave me that error. I have been using it for an external in one of those cheap carriers, however I decided to replace my regular HD with this one to try out Windows 8. Still every boot I get your hard drive is failing. I tried to turn off SMART in BIOS but it seems DELL doesn’t allow such things. I have used another program to turn it off after boot but I still get the error on booting. I am almost sure the disk is OK, it boots very quickly and I have never had any trouble except the smart warning, and I am well aware that this drive never existed 47 years ago.

        • Stelian Pilici

          Hello Jerry,
          Did you follow the instructions from the article?

  • Jon Crawford

    One of our work computers got hit by this Data Recovery Malware and your blog was an absolute lifesaver. Thank you for your wealth of knowledge and the ease of use for getting rid of this pest.

  • Nelson

    My, my, easy as pie. Thanks a stack, this really helped.

  • malwareadd

    Thank you so much Stelian!!

  • Steve

    Hi, i got the smart hdd and cannot even get to the internet in safe mode. everything is missing and i no longer get the messages to be able to input the the code to bypass. is there anything that can be done since i cant even connect to the internet at all?

    • Stelian Pilici

      Hello Steve,
      Get a USB stick and copy on it Combofix, then transfer it to the infected computer and perform the following steps:
      Please read and follow all the steps very carefully.

      Download ComboFix from one of the following locations:

      COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
      COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)

      VERY IMPORTANT !!! Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

      • Close any open browsers.
      • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        ———————————————————–

        • Very Important! Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
        • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
          ———————————————————–
        • Close any open browsers.
        • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
        • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
        • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

        ———————————————————–

       

      1. Double click on ComboFix.exe & follow the prompts.
      2. Accept the disclaimer and allow to update if it asks
      3. When finished, it shall produce a log for you.

      Notes:

      1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
      2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
      3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

      Next, please post the log back here and let me know how things are running.

      • Steve

        Hi Stelian,
        I tried but it has now moved to constantly auto re-booting. It just loops no matter what I do. I just found the original recovery disks and my question is if the disks are able to perform the recovery, will the virus still be there or will it be removed during the recovery process?

        • Stelian Pilici

          Heelo Steve,
          If you format your PC then the virus will be gone…. :)

          • Steve

            thanks! wish i would have found this before igto so bad. thanks for your help

      • Will

        Hi
        The Hitman Trial is not showing up. I was wondering if it was taken down? Thanks.

        • Stelian Pilici

          Hello Will,
          Is this your personal computer or a machine from work??Please note that HitmanPro doesn’t allow removal for the corporate computers….
          Hello Hayley,
          Did you run the registryfix.reg file??
          Can you please run a scan with Combofix and ESET online scanner and post the logs here :

          STEP 1 : Run a scan with Combofix

          Download ComboFix from one of the following locations:

          COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
          COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)

          VERY IMPORTANT !!! Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

          • Close any open browsers.
          • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
            ———————————————————–

            • Very Important! Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
            • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
              ———————————————————–
            • Close any open browsers.
            • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
            • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
            • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

            ———————————————————–

           

          1. Double click on ComboFix.exe & follow the prompts.
          2. Accept the disclaimer and allow to update if it asks
          3. When finished, it shall produce a log for you.

          Notes:

          1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
          2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
          3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

          STEP 2: Run a scan with ESET Online Scanner:

          1. Download ESET Online Scanner utility.
            ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
          2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
          3. Check Yes, I accept the Terms of Use
          4. Click the Start button.
          5. Check Scan archives
          6. Push the Start button.
          7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          8. When the scan completes, push Finish

          Next,please run RogueKiller,Unhide uility and Malwarebytes as seen on the guide.
          Waiting for your reply to tell me if your machine is ok and the logs from this utilities.

  • CM

    YOU Rock! Thanks :)

  • Bb

    Thank you, thank you, thank you!
    Only issue was not being able to boot into safe mode with with F8 on my Dell Studio running Win7.
    Instead I ran msconfig and chose it that way.
    I was a bit nervous at downloading all the software you indicated,
    Went through CNET downloads when I could and then took the leap of faith..
    And now all back to normal, what a relief!!
    Thank you soooo much.

  • Click Here

    Thank you!!!!!!! IT WORKED GREAT!!!THANK YOU!!!!!!!!!!!!!!!!

  • Bernie Mack

    I’m not too sure what planet your from… but wherever it is i wanna live there!!!! Your thread is EXCELLENT, clear, concise, step by step with pics with explanations and at the end of the day it works. I went into such a panic thinking i was going to loose my data and then everything looked suspicious. Thanks for helping and being very very generous with your knowledge base. As soon as I ran Unhide and the Rogue utility everything was fine.

    However, I did notice two things. (1) my desktop had a shortcut pointing to the original exe file which i deleted anyway and (2) my pinned programs never came back. Should i be concerned about the shortcut for the virus exe showing up on the desktop after everything was done? And is there a way to recall the missing pinned programs?

    • Stelian Pilici

      Hello,
      This rogue software has moved your shorcuts in a folder in the Temporary Internet files called smtmp, so now we will need to copy them back to their original locations.

      • Windows 7 and Vista users can find the smtmp folder in C:\Users\[Your Username]\AppData\Local\Temp
      • Windows XP users can find smtmp folder the in : C:\DOCUMENTS AND SETTINGS\[Your Username]\LOCAL SETTINGS\Temp

      [Image: Show hidden files, folders, and drives.png]

      The smtmp folder will contain 4 folders and you’ll need to copy the content of this folders back to their original locations.

      • Copy the content from %Temp%\smtmp\1\ to:
        Windows XP: C:\Documents and Settings\All Users\Start Menu
        Windows Vista and Windows 7: C:\ProgramData\Microsoft\Windows\Start Menu
      • Copy the content from %Temp%\smtmp\2\ to:
        Windows XP: C:\Documents and Settings\[your username]\Application Data\Microsoft\Internet Explorer\Quick Launch\
        Windows Vista and Windows 7: C:\Users\[your username]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
      • Copy the content from %Temp%\smtmp\3\ to:
        Windows XP: It does not exist on Windows  XP.
        Windows Vista and Windows 7 C:\Users\[your username]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
      • Copy the content from %Temp%\smtmp\4\ to:
        Windows XP : C:\Documents and Settings\All Users\Desktop
        Windows Vista and Windows 7: C:\Users\Public\Desktop

      Next,please run Unhide Non System Files

      • Bernie Mack

        Thanks for the information. I followed the directions to the letter. But there were only 2 folders in that directory. # 1 and # 4. And those directories and subfolders everything was empty. I suspect the unhide program may have done the trick. So I deleted all the pinned shortcuts where they are normally stored and pinned them back manually. Considering everything you have done for me and all the other people on this site it was the least I can do. Felt like I was being a bit lazy.

        Im going to run the Kaspersky, ESET and unhide hidden files apps you recommended to be on the safe side. I already download AVAST so I should be good to go. Interestingly enough I had Clamwin Installed and it didn’t catch this virus. So I was wondering how much better will Avast be and do I need to keep all the Avast, Hitman, Malwarebytes, Kaspersky, etc running simultaneously or would Avast be good enough?
        Even with 16Gig of RAM and and 965BE I’m a stickler for resources (70 processes running at startup now!!!)

        Will let you know if the other software found some leftover after the fact

        • Stelian Pilici

          Hello,
          Hitman,Malwarebytes and the other tools that we’ve used are only on-demand scanners (tools that you can use to regularly scan your computer, which aren’t running real time)
          Regarding Clamwin , Avast is way better than this product so my advise would be to stick with it.

          Stay safe!

          • Bernie Mack

            Thanks a million billion times. Your advice is truly priceless. Last question and this is just out of curiosity. When I had a problem like this before I used ComboFix and it worked like magic. This time I panicked so hard I forgot it was already on my hard drive and didn’t try to use it. I was wondering would it have been capable or have this virus evolved beyond what ComboFix can do?

            • Stelian Pilici

              Hello,
              Combofix is a very powerful tool which is always updated so you need to download a fresh copy every time you need it….. :D

  • Debi

    You just saved my hide…last week of the semester. Now time to set backup and restore points! Thank you!

  • Doug

    I have booted into the safe mode with networking and my problem is I use Verizon’s usb modem for wifi. It will not connect while in the safe mode. I tried to remove Hdd while online and it seems to have hijacked any site that has anything to do with removal. I downloaded rkill from my my desktop computer and applied it to my laptop and waited. Saw a couple of blank screens but no report came up . Is there a way to download those programs to my flash drive and using them from my flash drive to my laptop?

    • Stelian Pilici

      Hello,
      Lets try do this another way.Please follow the below steps…

      STEP 1. While in NORMAL MODE,download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. Let HitmanPro scan and remove the detected infections.

      STEP 2: While in NORMAL MODE,download/Run Rkill and then run a scan with Malwarebytes
      1.Download any re-named version of Rkill (direct download links bellow):
      RKILL DOWNLOAD LINK #1
      RKILL DOWNLOAD LINK #2
      RKILL DOWNLOAD LINK #3
      2.Next,please perform a scan with Malwarebytes and then do a RogueKiller and Unhide.exe scan as seen on the guide


      STEP 3. Run a scan with ESET Online Scanner

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push List of found threats
      9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
      10. Push the back button.
      11. Push Finish

      Waiting for your reply to tell me how everything is working.. :) Good luck!

  • Chandra

    Hi…I am from India and i really scared when my system got SMART stupid issue..but thanks a lot for providing detailed steps…after following all the steps my ssystem is up and working fine nw…thanks dude

  • Laura

    Tears of joy. My computer is back the way it was. Thank you so much for easy to follow instructions. What a life saver.

  • Davide

    Stelian:
    Using to the info you have posted I was able to get back my pc!!!

    Thank you very much !
    Davide

  • Kellie

    Hi there! I have managed to et the virus off completely except one small thing.. My background won’t change from black, I have run unhide 3 times and all my programs and icons are back but I can’t change my background! Please help! I have also done the tweaking

    • Stelian Pilici

      Hello,
      Try this :

      Download Windows Repair by Tweaking.com to your desktop.  Use the direct download link for the Portable version of Windows Repair by Tweaking.com

      1. Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com – Windows Repair folder to your desktop.
      2. Now open this folder and double-click Repair_Windows.exe.
      3. Click the Start Repairs tab on the far right.
      4. Click the Start button (bottom right)
        Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
      5. Click Unselect All
      6. Put a checkmark in the following items:
        • Reset Registry Permissions
        • Remove Policies Set By Infections

        Note: Leave everything else unchecked

      7. Put a checkmark in Restart System When Finished
      8. Now click the Start button (bottom right)
      • Kellie

        Have tried above, background still missing and notes left by repair windows says it failed :(

        • Stelian Pilici

          Lets try this:

          Open the Start Menu and enter gpedit.msc into the Search box and hit Enter.

          gpedit_start

          When Local Group Policy Editor opens, navigate to User Configuration \ Administrative Templates \ Control Panel \ Personalization. Then in the right column double-click onPrevent changing desktop background.

          Now check the radio button next to Disable, then click OK.

          • Kellie

            I am using windows 7 and local group policy editor displays: MMC could not create the snap-in

  • Vicki

    Thank you so very much for you post. The smart check virus is gone. I finally have my computer back. But I still have missing icons and when I click on the windows button to open all programs my microsoft office, itunes and quick books are all empty. I ran the Roggue Killer shortcut fix. Did I do something wrong. Thank you for your help.

    • Stelian Pilici

      Hello Vicki,

      1. Right click on your Windows Start menu and select Properties.
        [Image: Eu2Aq.png]
      2. Next put a check mark on
        Store and display recently opened programs in the start menu
        Store and display recently opened items in the start menu and taskbar
        [Image: h0z5v.png]
      3. Click on Customize and click on Use default settings at the bottom
        [Image: kxZSH.png]
      4. Browse to
        Code:
        C:\ProgramData\Microsoft\Windows

        [Image: vZZUz.png]

      5. Right click on Start Menu folder and click on Restore previous versions
      6. Now select a snapshot before you were infected by the rogue,click on restore
  • steph

    I have followed your instructions to the letter, yet the virus will not go away. I’ve followed guides from a million different websites and no matter what I do, the virus is still here. Is there anything else I can do?

    • Stelian Pilici

      OK,lets make some further check-ups:
      1.Run a scan with Kaspersky Virus Removal Tool
      Click here to download the Kaspersky Virus Removal Tool.

      1. Save it to your desktop.
      2. Double click the setup file to run it.
      3. Follow the onscreen prompts until it is installed
      4. Click the Options button (the ‘Gear’ icon), then make sure only the following are ticked:
        • System Memory
        • Hidden startup objects
        • Disk boot sectors
        • Local Disk (C:)
        • Also any other drives (Removable that you may have)
      5. Then click on Actions on the left hand side
      6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
      7. Click on Automatic Scan
      8. Now click the Start Scanning button, to run the scan
      9. After the scan is complete, click the reports button (‘Paper icon’, next to the ‘cog’ icon) on the right hand side
      10. Click Detected threats on the left
      11. Now click the Save button, and save it as kaslog.txt to your Desktop
      12. Please copy and paste the contents of kaslog.txt in your next reply.

      2.Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push List of found threats
      9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
      10. Push the back button.
      11. Push Finish

      Waiting for your reply to tell me how everything is working.. :) Good luck!

      • steph

        okay, I actually think it’s completely gone now, thank you.

  • Phil

    oops, I made my comment as a reply. Let me try again. I have followed the steps through using Hitman Pro, rebooted as instructed but still have the virus. What do I do now?

    • Stelian Pilici

      OK,lets make some further check-ups:
      1.Run a scan with Kaspersky Virus Removal Tool
      Click here to download the Kaspersky Virus Removal Tool.

      1. Save it to your desktop.
      2. Double click the setup file to run it.
      3. Follow the onscreen prompts until it is installed
      4. Click the Options button (the ‘Gear’ icon), then make sure only the following are ticked:
        • System Memory
        • Hidden startup objects
        • Disk boot sectors
        • Local Disk (C:)
        • Also any other drives (Removable that you may have)
      5. Then click on Actions on the left hand side
      6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
      7. Click on Automatic Scan
      8. Now click the Start Scanning button, to run the scan
      9. After the scan is complete, click the reports button (‘Paper icon’, next to the ‘cog’ icon) on the right hand side
      10. Click Detected threats on the left
      11. Now click the Save button, and save it as kaslog.txt to your Desktop
      12. Please copy and paste the contents of kaslog.txt in your next reply.

      2.Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push List of found threats
      9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
      10. Push the back button.
      11. Push Finish

      Waiting for your reply to tell me how everything is working.. :)Good luck!

      • Phil

        Wow! That seems to fix everything. You’re as lifesaver! One problem remains that I hope you can help me with. It won’t let me turn on the Windows firewall. Any ideas? Thanks.

        • Stelian Pilici

          Good to head that Phil,
          Can you please run this utility:

          Download Windows Repair by Tweaking.com to your desktop.  Use the direct download link for the Portable version of Windows Repair by Tweaking.com

          1. Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com – Windows Repair folder to your desktop.
          2. Now open this folder and double-click Repair_Windows.exe.
          3. Click the Start Repairs tab on the far right.
          4. Click the Start button (bottom right)
            Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
          5. Click Unselect All
          6. Put a checkmark in the following items:
            • Repair Windows Firewall
            • Repair Hosts File
            • Repair Temp Files
            • Remove Policies Set By Infections
            • Set Windows Services To Default Startup

            Note: Leave everything else unchecked

          7. Put a checkmark in Restart System When Finished
          8. Now click the Start button (bottom right)
          • Phil

            Sure am glad I found you. That did the trick.

  • Cecilia

    Thanks a million! Your thorough step-by-step illustrations have saved a student’s endless hours’ assignments. You ROCK!

  • Lilly

    Thanks for putting this info out there, I picked this virus up and these steps cleaned it all up perfectly, only thing different I did was run the tweaking.com file for the unhide files portion, the one above didn’t seem to be doing anything for me, but all is a go again, thanks!

  • Ashley

    I followed all the steps but once I booted in normal mode I could see the icons and files but things were still not working and it was super slow. So I followed your steps and ran hitmanpro in force breech and ran ikill which ran but gave me some messages saying installed failed. I tried to run it several times. Now I’m running malware scan but it taking forever, its been going for over 3 hours so I’m not sure if it’s working or if I need to do something else, please help.

    • Ashley

      I think the problem is with the rkill, I don’t think it’s working for me, I keep getting messages saying installation failed. I tried downloading the other versions of rkill and it does the same thing. In normal mode everything is super slow, what can I run in safe mode to stop the processes.

      • Stelian Pilici

        OK,lets make some further check-ups:
        1.Run a scan with Kaspersky Virus Removal Tool
        Click here to download the Kaspersky Virus Removal Tool.

        1. Save it to your desktop.
        2. Double click the setup file to run it.
        3. Follow the onscreen prompts until it is installed
        4. Click the Options button (the ‘Gear’ icon), then make sure only the following are ticked:
          • System Memory
          • Hidden startup objects
          • Disk boot sectors
          • Local Disk (C:)
          • Also any other drives (Removable that you may have)
        5. Then click on Actions on the left hand side
        6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
        7. Click on Automatic Scan
        8. Now click the Start Scanning button, to run the scan
        9. After the scan is complete, click the reports button (‘Paper icon’, next to the ‘cog’ icon) on the right hand side
        10. Click Detected threats on the left
        11. Now click the Save button, and save it as kaslog.txt to your Desktop
        12. Please copy and paste the contents of kaslog.txt in your next reply.

        2.Run a scan with Eset Online Scanner.

        1. Download ESET Online Scanner utility.
          ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
        2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
        3. Check Yes, I accept the Terms of Use
        4. Click the Start button.
        5. Check Scan archives
        6. Push the Start button.
        7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        8. When the scan completes, push List of found threats
        9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
        10. Push the back button.
        11. Push Finish
        • Ashley

          I ran the Kaspersky tool and this is the log from it.

          Status: Deleted (events: 32)
          7/10/2012 10:05:49 PM Deleted Trojan program Trojan-FakeAV.Win32.FakeSysDef.adv C:\Documents and Settings\All Users\Lavasoft\AntiMalware\Quarantine\{5612F253-17AE-41DE-A00A-3A2C44C7EF17}_ENC2 High High
          I also ran the ESET utility but it didn’t find anything.
          After that I rebotted in normal mode and the same problem everything is super slow, I can’t do anything. What do I know now?

          • Stelian Pilici

            Ok..lets do a check:

            Lets proceed as follows shall we…

            StartUpLite:

            Please download this small application from here.

            It is very simple to use and quite effective and will advise about any unnecessary system startups that can be safely removed.


            Hard-Drive Maintenance/Repair:

            Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

            Click on Start >> Run and type cleanmgr in the box and press OK.

            • Ensure the boxes for Temporary FilesTemporary Internet Files and Recycle Bin are checked.
            • You can choose to check other boxes if you wish but they are not required.
            • Click on OK then Yes.

            Next:

            • Click Start >> Run… then type in CMD and click on OK.
            • At the Command Prompt C:\ > type the following:
            • CD C:\ and hit the Enter/Return key.
            • Now type in DEFRAG C: -F
            • A Analysis report will be displayed and then Windows will start the Defragmention run automatically.
            • This may take some time, when completed the Command Promtp C:\ > will appear.
            • Now type in CHKDSK C: /R and hit the Enter/Return key.
            • When prompted with:

            CHKDSK cannot run because the volume is in use by another process
            Would you like to schedule this volume to be checked next time the system
            restarts (Y/N)

            • Hit the key then at the Command Prompt C:\ >
            • Type in EXIT and and hit the Enter/Return key.
            • Now Reboot(Restart) your computer.

            Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

            You should see a screen like this just after the Post(power on self test) screen:

            Posted Image

            Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be canceled and you computer will continue to boot-up as normal.

            • Ashley

              When I ran the defrag command nothing happened I got the c prompt back right away. The chkdsk came up when I restarted but also went away very quickly and I still have the same problems when I boot up in normal mode. Thanks for all your help so far. I’m wondering if I’m going to have to reformat my hard drive, nothing seems to be working, I was really hoping to avoid that.

              • Stelian Pilici

                Lets try to run a “scf /scannow” command – guide here: http://malwaretips.com/Thread-How-to-repair-corrupted-and-damaged-system-files-in-Windows-7-and-Vista . Make sure you insert you Windows Instalation CD before running the command.
                What antivirus protection are you using?

                • Ashley

                  I don’t have the windows installation CD since this is a work laptop. I have McAfee installed.

                  • Stelian Pilici

                    Can you please remove McAfee and see if this will fix the problem?I would also suggest to replace this antivirus with Avast 7 Free.
                    Try to run the “sfc /scannow” command even without the CD….

                    • Ashley

                      Is it ok if I run it in safe mode?

                    • Stelian Pilici

                      Yes,if Normal Mode is very slow then yes…

                    • Ashley

                      I finally got it working, I’m not sure exactly what did it but things are running fine. I can’t thank you enough for all your help, I was ready to send it in to get it reimaged but you saved me from the hassle. If you lived closer would definitely take you out to celebrate. Thanks a million!

  • Liz

    I think I MAY have finally removed the virus, but there is still a problem! I followed this guide step by step, and at first I didn’t think anything was working at all until FINALLY HitmanPro popped up saying there was a malicious file that it found, that for some reason didn’t delete when it scanned initially. Anyway, HitmanPro deleted this malicious file and rebooted the computer, and after it rebooted, for this first time none of the Data Recovery windows popped up, nor any of its fake alert messages. After that I downloaded Unhide.exe, which worked perfectly. Then I downloaded RogueKiller which also worked and even brought my desktop background back. But now I’m worried because even though everything else seems fine- the Data Recovery shortcut is still on my desktop for some reason. Nothing from Data Recovery pops up anymore, but the fact that the icon is still on my desktop worries me. Any help or explanation for this would be greatly appreciated.

    • Stelian Pilici

      OK,lets make some further check-ups:

      1.Run a scan with Kaspersky Virus Removal Tool
      Click here to download the Kaspersky Virus Removal Tool.

      1. Save it to your desktop.
      2. Double click the setup file to run it.
      3. Follow the onscreen prompts until it is installed
      4. Click the Options button (the ‘Gear’ icon), then make sure only the following are ticked:
        • System Memory
        • Hidden startup objects
        • Disk boot sectors
        • Local Disk (C:)
        • Also any other drives (Removable that you may have)
      5. Then click on Actions on the left hand side
      6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
      7. Click on Automatic Scan
      8. Now click the Start Scanning button, to run the scan
      9. After the scan is complete, click the reports button (‘Paper icon’, next to the ‘cog’ icon) on the right hand side
      10. Click Detected threats on the left
      11. Now click the Save button, and save it as kaslog.txt to your Desktop
      12. Please copy and paste the contents of kaslog.txt in your next reply.

      2.Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push List of found threats
      9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
      10. Push the back button.
      11. Push Finish
  • Mark

    Great writeup. All of the other sites that I tried on this virus lead me down the wrong path. Thanks for the screen shots and the links to the software that we needed. You are a true professional (and very patient).

  • MORD

    I have a problem! I followed this guide step by step but when I ran Malearebytes’ Anti Malware it caused my laptop to crash after like 20 min. What does that mean now?
    Any help you can offer would be greatly appreciated.

    • Stelian Pilici

      Hello,
      It means that you have a really infected computer!:)

      STEP 1. While in NORMAL MODE,download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. Let HitmanPro scan and remove all the detected threats.

      Step 2: While in NORMAL MODE,download/Run Rkill and then run a scan with Malwarebytes
      1.Download any re-named version of Rkill (direct download links bellow):
      http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
      http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
      http://download.bleepingcomputer.com/grinler/rkill.scr
      2.Next,please follow the guide starting with the Malwarebytes scan.
      Let me know , how everything goes.

      • MORD

        I did it! I spent the whole night long and finally did it :D Thank you! I really appreciate it.
        But I’ve still got one question, the file Data Recovery is still on my desktop just next to the Start button. I once deleted it because I thought it might be nothing good but it appeared again in a few minutes. Is that normal?

        • Stelian Pilici

          Lets double check to see if everything is OK.
          1.Run a scan with Kaspersky Virus Removal Tool
          Click here to download the Kaspersky Virus Removal Tool.

          1. Save it to your desktop.
          2. Double click the setup file to run it.
          3. Follow the onscreen prompts until it is installed
          4. Click the Options button (the ‘Gear’ icon), then make sure only the following are ticked:
            • System Memory
            • Hidden startup objects
            • Disk boot sectors
            • Local Disk (C:)
            • Also any other drives (Removable that you may have)
          5. Then click on Actions on the left hand side
          6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
          7. Click on Automatic Scan
          8. Now click the Start Scanning button, to run the scan
          9. After the scan is complete, click the reports button (‘Paper icon’, next to the ‘cog’ icon) on the right hand side
          10. Click Detected threats on the left
          11. Now click the Save button, and save it as kaslog.txt to your Desktop
          12. Please copy and paste the contents of kaslog.txt in your next reply.

          2.Run a scan with Eset Online Scanner.

          1. Download ESET Online Scanner utility.
            ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
          2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
          3. Check Yes, I accept the Terms of Use
          4. Click the Start button.
          5. Check Scan archives
          6. Push the Start button.
          7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          8. When the scan completes, push Finish
          • MORD

            Hopefully, I got that right Lol The only thing is that the content of kaslog.txt is in German but I hope you don’t mind.

            Status: Desinfiziert (Ereignisse: 5)
            10.07.2012 13:34:36 Desinfiziert Trojanisches Programm Exploit.Java.CVE-2012-0507.kf C:\Documents and Settings\samsung\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\63f34b9-665d3ea6 Hoch
            10.07.2012 13:34:36 Desinfiziert Trojanisches Programm Exploit.Java.CVE-2012-0507.kf C:\Documents and Settings\samsung\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\63f34b9-665d3ea6/l_t_a/l_t_c.class Hoch
            10.07.2012 19:02:23 Desinfiziert Trojanisches Programm Exploit.Java.CVE-2012-0507.kf D:\SAMSUNG-PC\Backup Set 2012-01-08 190000\Backup Files 2012-07-08 190001\Backup files 2.zip Hoch
            10.07.2012 19:02:23 Desinfiziert Trojanisches Programm Exploit.Java.CVE-2012-0507.kf D:\SAMSUNG-PC\Backup Set 2012-01-08 190000\Backup Files 2012-07-08 190001\Backup files 2.zip/C\Users\samsung\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\63f34b9-665d3ea6 Hoch
            10.07.2012 19:01:14 Desinfiziert Trojanisches Programm Exploit.Java.CVE-2012-0507.kf D:\SAMSUNG-PC\Backup Set 2012-01-08 190000\Backup Files 2012-07-08 190001\Backup files 2.zip/C\Users\samsung\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\63f34b9-665d3ea6/l_t_a/l_t_c.class Hoch

          • MORD

            I’m now into running a scan with ESET online Scanner but shall both (Remove found threats and Scan archives) settings be checked or just Scan archives?

            • Stelian Pilici

              Both Remove found threats and Scan archives should be checked :)

  • Brian Fisk

    Instructions worked great!

  • Art

    Hello, I followed this guide but my display is stuck on 640 x 480, in 4 bit color…help!

    • Art

      Forgot to mention changing the display settings via control panel doesn’t work.

    • Stelian Pilici

      Hello,
      Please follow the below steps:
      1.Run a scan with Eset Online Scanner.

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push Finish

      2.Download Windows Repair by Tweaking.com to your desktop.  Use the direct download link for the Portable version of Windows Repair by Tweaking.com

      1. Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com – Windows Repair folder to your desktop.
      2. Now open this folder and double-click Repair_Windows.exe.
      3. Click the Start Repairs tab on the far right.
      4. Click the Start button (bottom right)
        Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
      5. Click Unselect All
      6. Put a checkmark in the following items:
        • Repair Windows Firewall
        • Repair Hosts File
        • Repair Temp Files
        • Remove Policies Set By Infections
        • Set Windows Services To Default Startup

        Note: Leave everything else unchecked

      7. Put a checkmark in Restart System When Finished
      8. Now click the Start button (bottom right)
      • Art

        Thank you for the help. I can boot into safe mode and do this but I can’t do this in normal mode. My video gets all crazy after about 20 minutes and I have to reset. Also, my normal video is to corrupt and the graphics of the program you recommended cannot be accessed (the buttons are scrolling off the edge of the program..definitely not programmed for such a low resolution).

        I’m wondering if I should just download and re-install my video drivers? I managed to scan the system fully with the viruscheckers you recommended, but it was in safe mode. The video is fine in safe mode for some reason.

        • Art

          Sorry, forgot to mention that I ran RKill before running the viruschecker and it said this:

          Processes terminated by Rkill or while it was running:
          C:\PROGRA~1\MICROS~4\rapimgr.exe

          Isn’t that just the Microsoft ActiveSync Module?

          • Stelian Pilici

            RKILL is killing any process that aren’t need it in memory while we are performing the malware removal process….You don’t need to worry because this program didn’t uninstall/remove any files. :)

        • Stelian Pilici

          Lets try first to remove the malicious files and then we will see how we can fix the video problem…..
          Did you run the HitmanPro (in ForceBreach mode) scan? Did you run the Rkill and Malwarebytes scan?

          • Art

            Hello Stelian,

            First thanks very much for your gracious efforts here with your blog. I know you’ve saved many people quite a bit of misery. You’ve done so at great expense of your personal time. My appreciation.

            I ran everything suggested in the guide, but I ran it in safe mode. For some reason when I try to run Malwarebytes in normal mode, it causes my screen to get crazy (the screen gets jittery and unreadable. I wish I could describe it better) and the only thing I can do is a hard restart to get it back to normal (while in normal mode)
            While in safe mode, my screen is normal, and I have run all the virus checkers you mentioned. It picked up a great many things..all deleted now but for some reason while in normal mode the system will not let me adjust my screen settings back to 1024 x 768, or to a bit depth greater than 4.

            Would the virus checkers I ran in safe mode not be able to detect something that is affecting my system in normal mode?

            Thank You

            • Stelian Pilici

              It should be able to detect a infected file even if it’s Normal Mode…. If you don’t scan your PC , the screen looks ok in Normal Mode?

  • Nadya

    Thank you!! This helped me so much and I was struggling for hours! =)

  • andreea

    multumesc foarte mult !

  • Chuck D.

    You are a lifesaver!!! Followed instructions and my laptop is back to normal. The only issue is the Data Recovery icon is still in my quick start menu. Thanks!

  • Kaihgaishii McCoy

    How Does Smat Repair Virus removal Get into the computer in the first place?

  • Shawn

    Mr Pilici, please help! I have followed this blog to the letter , step by step, and the virus wont go away. I removed infected items in malwarebytes, then. In hitmanpro, and upon resetting when it asks me too during the scanning process, it resets with the virus still in place doing the same thing. I also read in your comments to try eset online scanner and that didnt work either! What am i doing wrong? Youve helped out many people alrdy and hopefully you can do the same for me… thank you in advance!

    • Stelian Pilici

      Hello,
      Can you please re-scan with Malwarebytes?
      Next,scan with Emsisoft Anti-Malware.

      1. Please download the latest official version of Emsisoft Emergency Kit : http://www.emsisoft.de/en/software/eek/
      2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip
        [Image: ekk1.png]
      3. Open the Emsisoft Emergency Kit Folder and double click EmergencyKitScanner.bat
        [Image: ekk2.png]
      4. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.

        [Image: ekk3.png]

        [Image: ekk4.png]

      5. After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC”.

        [Image: ekk5.png]

      6. Select “Smart scan” and click-on the below “SCAN” button.

        [Image: ekk6.png]

      7. Emsisoft Emergency Kit will now start scanning your computer for malicious files as shown below.

        [Image: ekk7.png]

      8. When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Please note that the infections found may be different than what is shown in the image.
        Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects’ button.
        [Image: ekk8.png]
      9. Emsisoft Emergency Kit will now start removing the malicious files.
        If during the removal process Emsisoft will display a message stating that it needs to reboot, please allow this request.

      If you are still experiencing problems , start a thread in our Malware Removal Support forum : http://malwaretips.com/Forum-Malware-Removal-Assistance

    • Daniel

      Shawn, have you resolved the problem? Because I’m in the same case..

  • Shirley

    Thank you!! Thank you!! THANK YOU!!! My laptop was infected slightly more than 36 hours ago, and I’ve been fighting the malware for the same number of hours. I’ve read other tutorials, watched countless youtube videos, and nothing worked, until I FOLLOWED YOUR INSTRUCTIONS. You are a lifesaver. And I would like to add that I’m running on Windows Vista, so for anyone who has the same malware attack to their Windows Vista, please follow these instructions closely, because they really work. Don’t waste time looking at youtube videos, especially when you’re very iffy about working on safe mode. I’m so, so thankful that I found your site. Thank you so much, once again!

  • B. Everts

    Bedankt,

    Je bent goed bezig, ga zo door. Kost een paar uur werk en een fles wijn maar alles werkt weer.

    Thanks,

    Continu with what you are doing. It cost some time and a bottle of wine but everything works again. Greetings from the Netherlands.

  • devin taylor

    WhenI ran Rkill i got a log saying that it terminated nothing i ran it multiple times with the same results i then ran malwarebytes and it didnt detect any malicious software how do i go about getting rid of this smart recovery virus when it cant find it?

    • Stelian Pilici

      Did you run the HitmanPro scan?
      Please Please run a scan with ESET Online Scanner

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. Push Finish when the scan has completed.
  • Joe Nieberding

    this solved all my problems. YOUR AWESOME!!!!!!!!!

  • (not)smart

    Salut Stelian,

    Ca si ceilalti care au comentat aici, as vrea sa iti multumesc foarte mult pentru frumosul mod de a eradica acest urat virus. Aseara mi-a paralizat tot si ma gandeam cum o sa lucrez astazi, avand in vedere ca 90 % din jobul meu este pe PC.

    Efectiv m-ai salvat.

    Sper sa ti se intoarca inzecit acest gest.

    Multumesc inca o data. Toate cele bune,

    C.

    • Stelian Pilici

      Salut,
      Ai grija in viitor!;D

  • Glen

    Thank you!! God bless u

    • Crystal

      thank you so much, this has got rid the virus – you clever thing!!

  • Javed

    Hi, my laptop freezes in safe mode after mup.sys so I cannot continue with your procedure. Help,

    • Stelian Pilici

      OPTION 1 : While in NORMAL MODE,download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. Let HitmanPro scan and remove all the detected threats.
      VERY IMPORTANT!: When HitmanPro will detect the infections, make sure that they aren’t false possitive or compromised critical system files before removing them!I’m saying this because usually when you can’t connect to the internet while in Safe Mode with Networking could mean that you have other infections besides this Smart HDD Rogue.
      4.Run Rkill and then a scan with Malwarebytes.

      OPTION 2: While in NORMAL MODE,download/Run Rkill and then run a scan with Malwarebytes.!
      1.Download any re-named version of Rkill (direct download links bellow):
      http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
      http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
      http://download.bleepingcomputer.com/grinler/rkill.scr
      2.Next,please perform a scan with Malwarebytes as seen on the guide and then a scan with HitmanPro.

      Let me know , how everything goes

  • Alex

    I tried to run the unhide program, and as it was running it highjacked my desktop, which now reads “Rocky2 Jackman Rev. 003″ How did this come about from your link? I need help, because instead of unhiding anything, it seems I have lost everything! Thanks for anything you can do

    • Stelian Pilici

      Did remove all the infected objects by the recommended software?
      Please run a scan with ESET Online Scanner

      1. Download ESET Online Scanner utility.
        ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
      2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
      3. Check Yes, I accept the Terms of Use
      4. Click the Start button.
      5. Check Scan archives
      6. Push the Start button.
      7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      8. When the scan completes, push List of found threats
      9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.Note – when ESET doesn’t find any threats, no report will be created.
      10. Push the back button.
      11. Push Finish

      Next,please run Unhide.exe again!

  • Stephanie Duncan

    Hello,
    You are a lifesaver! i thought that i had lost everything, and then found this!
    The screenshots from the virus are identical to what i have and now i need some additional help, PLEASE!~
    i am running windows 7 and when i start up, hitting F8 does nothing. i can F12 or F2 to enter Setup Utilitiy, however i do not see anything about a safe mode. I saw one post that suggested the same issue and they were able to disable something however, i do not even see that! (i cannot remember exactly what it was, boot something~ it was many posts ago)
    What do i do, or can i do from the setup utility to get started on your suggested process?
    Also, i am accesing this via my ipod, not the infected lattop, so actual links to things wont work for me… :(
    Thanks a million in advance~

    • Stelian Pilici

      OPTION 1 : While in NORMAL MODE,download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. Let HitmanPro scan and remove all the detected threats.
      VERY IMPORTANT!: When HitmanPro will detect the infections, make sure that they aren’t false possitive or compromised critical system files before removing them!I’m saying this because usually when you can’t connect to the internet while in Safe Mode with Networking could mean that you have other infections besides this Smart HDD Rogue.
      4.Run Rkill and then a scan with Malwarebytes.

      OPTION 2: While in NORMAL MODE,download/Run Rkill and then run a scan with Malwarebytes.
      1.Download any re-named version of Rkill (direct download links bellow):
      http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
      http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
      http://download.bleepingcomputer.com/grinler/rkill.scr
      2.Next,please perform a scan with Malwarebytes as seen on the guide and then a scan with HitmanPro.

      Let me know , how everything goes!

  • Susan Marston

    Stelian, Sir- you are an absolute life-saver! Thank you SO much for having this series of steps available. Granted, when this nightmare occurred at about 9:45pm est yesterday I was skeptical of my skills and computer knowledge in executing this “fix”- but you made it pretty painless. I will say that I too, was unable to reboot in safe mode (f8), but when I hit (f2) at start-up and “disabled” the “quickboot” mode, I was able to boot in “safe-mode” but then I was unable to gain internet access. I also noticed that with each subsequent “reboot”/ gimme “f8″ safe-mode dang it, the Virus “hid” more items, making it nearly impossible to do anything- I could no longer even search for “internet explorer” under the start menu search and open it from there. (I write all of this hoping it may help anyone else with these little “nuance” issues.) Luckily, If it weren’t for the fact that I knew one program under my control panel (Revo Uninstaller) trial has expired and automatically opens a web browser to purchase– I don’t think I would have been able to fix it– as this became the new procedure by which I opened a web-browser each time to access and download from this website. But thank you so much again!!

  • didinny

    Thanks ! U r a great life saver. I did follow your steps and fixed the problem.But when I check the start-program- I still can c the “Data recevery”. then I select to Uninstall them , the Smartchek window came back… how to clean that next ( in the start -program..).?

    • Stelian Pilici

      Right click on the Folder/Icon and select Delete….And you’re done!

  • razar

    my computer was rendered useless this week with the SMART Virus and not being a technical type person I thought everything was lost. Fortunately I found this blog when searching for SMART CHECK before doing anything else. These instructions were easy to follow and completely guided me through fixing the mess the malware created. I can’t thank you all enough!

  • Reine

    Thanks, this guide helped me fix things much faster than I normally would have!

  • Steve

    After having the SMART virus a few days ago and believing I had fixed it I am left with a problem…

    I am hearing random audio ads (only audio – no images on screen) when in internet explorer and even when running Windows XP alone with no windows open.

    Is this a remnant of the SMART virus or something else?

    Any help would be appreciated.

  • carmen

    Thank you for the detailed removal instructions, my laptop is now fully functioning and back to normal (I followed your instructions for Normal start up as internet was unavailable in safe mode) ! Just one odd thing though- when I ran RKill it shut down the whole system process and caused my laptop to crash instead of just stopping any virus processes. I followed the other steps without using RKill after restarting.
    Also I didn’t have the administrator password so I did it all on my user profile. Will this effect the removal success of the S.M.A.R.T. virus?

    Many Thanks,
    Carmen

    • Stelian Pilici

      The Rkill step is used just to stop the malicious process , if you manage to complete the guide without using it …it’s ok!:D
      When the computer was infected it was using a limited account or administrator?
      Stay safe!

      • Marc

        Hi,

        I have gone through all the steps and all programs work fine, but neither Rkill nor Malwarebytes detects anything. So nothing is removed. But when i restart my computer, the SMART check is performed again (although this time it indicates that all files are fine…). So the Malware is still there.
        How can i get rid of it?
        Thanks.

        • Stelian Pilici

          You’ll need to use an Administrator account when logging into Safe Mode and performing the scans/removing the infections….
          Next,perform a system scan with Emsisoft Anti-Malware:

          1. Please download the latest official version of Emsisoft Emergency Kit : http://www.emsisoft.de/en/software/eek/
          2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip
            [Image: ekk1.png]
          3. Open the Emsisoft Emergency Kit Folder and double click EmergencyKitScanner.bat
            [Image: ekk2.png]
          4. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.

            [Image: ekk3.png]

            [Image: ekk4.png]

          5. After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC”.

            [Image: ekk5.png]

          6. Select “Smart scan” and click-on the below “SCAN” button.

            [Image: ekk6.png]

          7. Emsisoft Emergency Kit will now start scanning your computer for malicious files as shown below.

            [Image: ekk7.png]

          8. When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Please note that the infections found may be different than what is shown in the image.
            Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects’ button.
            [Image: ekk8.png]
          9. Emsisoft Emergency Kit will now start removing the malicious files.
            If during the removal process Emsisoft will display a message stating that it needs to reboot, please allow this request.

          If you are still experiencing problems , start a thread in our Malware Removal Support forum : http://malwaretips.com/Forum-Malware-Removal-Assistance

  • Danielle

    I have google chrome instead of internet explorer. What do I do?

  • http://Biz2mob.com Matt

    Hey, I am currently in safe mode, but no Internet is available to download rkill. I do have Internet in normal mode though, any ideas??

    • Stelian Pilici

      Hello,
      Ok,try to do this…
      STEP 1 : While in NORMAL MODE,download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. If it start ,let it scan and remove all the detected threats.

      STEP 2: Download/Run Rkill and then run a scan with Malwarebytes.
      1.Download a different named Rkill (direct download links bellow):
      http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
      http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
      http://download.bleepingcomputer.com/grinler/rkill.scr
      2.And then follow the guide starting with the Malwarebytes scan.

      STEP3 : Perform a system scan with Emsisoft Anti-Malware:

      1. Please download the latest official version of Emsisoft Emergency Kit : http://www.emsisoft.de/en/software/eek/
      2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip
        [Image: ekk1.png]
      3. Open the Emsisoft Emergency Kit Folder and double click EmergencyKitScanner.bat
        [Image: ekk2.png]
      4. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.

        [Image: ekk3.png]

        [Image: ekk4.png]

      5. After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC”.

        [Image: ekk5.png]

      6. Select “Smart scan” and click-on the below “SCAN” button.

        [Image: ekk6.png]

      7. Emsisoft Emergency Kit will now start scanning your computer for malicious files as shown below.

        [Image: ekk7.png]

      8. When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Please note that the infections found may be different than what is shown in the image.
        Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects’ button.
        [Image: ekk8.png]
      9. Emsisoft Emergency Kit will now start removing the malicious files.
        If during the removal process Emsisoft will display a message stating that it needs to reboot, please allow this request.

      If you are still experiencing problems , start a thread in our Malware Removal Support forum : http://malwaretips.com/Forum-Malware-Removal-Assistance

  • Steve

    You are a lifesaver!!! Your website has gone straight to my favourites list. Everything worked (although I had to take a few detours) and HitmanPro had no free trial. But thankyou soooooo much.

  • Chris

    I am trying to repair someone’s computer that had this virus. Thanks to this handy guide, I was able to get rid of the virus and bring back all the desktop icons that were hidden. However, in the Start Menu, many of the boxes in the submenus say “Empty” I have repeatedly followed the final instructions that SHOULD have brought them back but have since been unsuccessful.

    • Stelian Pilici

      Hello Chris,

      1. Right click on your Windows Start menu and select Properties.
        [Image: Eu2Aq.png]
      2. Next put a check mark on
        Store and display recently opened programs in the start menu
        Store and display recently opened items in the start menu and taskbar
        [Image: h0z5v.png]
      3. Click on Customize and click on Use default settings at the bottom
        [Image: kxZSH.png]
      4. Browse to
        Code:
        C:\ProgramData\Microsoft\Windows

        [Image: vZZUz.png]

      5. Right click on Start Menu folder and click on Restore previous versions
      6. Now select a snapshot before you were infected by the rogue,click on restore
      • Chris

        In Windows XP the Program Data folder doesn’t exist. Going by the screenshots, these fixes seem to be for Windows 7.
        In XP I can get to that Start Menu Folder in Documents and Settings but the menu doesn’t have a “restore previous versions” option. I was hoping a System Restore might bring all the submenus back but every checkpoint I try returns a Restoration Incomplete message. Just to get the System Restore running required me to run (%systemroot%\system32\restore\rstrui.exe) since the System Tools submenu under Accessories is empty. I have already tried the Tweaking fixes that were supposed to bring all the Shortcuts and Start Menu items back but have had no more luck than the first. I am rapidly running out of options. At this rate, ghosting the hard drive and reinstalling the OS might be my only option. I’m hoping you know of an easier solution

        • Stelian Pilici

          For Windows XP,you can try this fix:
          1)Go to the Startup icon
          2)then put cursor over “All Programs” and right click and click on “Open”
          3) Select the “Programs” folder and right click and select “Properties”
          4) Then select the “previous version” tab, await the previous versions to show up and select the folder that existed prior to your problems and hit restore and follow through with prompts.

          • Chris

            I don’t see a previous versions Tab unfortunately. Just these: General, Sharing and Customize.
            Could it be that this is wasn’t added until Service Pack 3? The owner runs Service Pack 2 and is a firm believer in the “if its not broken, don’t fix it” policy. I can update their system to Service Pack 3 but if I have a feeling that while this may give me the previous versions option, it will not give me any options to choose from since it was just updated. I will try anyway and get back to you.

          • Chris

            No still nothing. Service Pack 3 is up but nothing has changed. I think the submenus are gone for good. Unless you have yet another solution (I wouldn’t be surprised if you did) I am going to need to backup the documents and then reinstall the OS. It will be a pain since this is a company computer.

            • Stelian Pilici

              This is a manual fix for XP users:

              1. Copy the entire content of this folder:
              C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\1
              and paste it to this folder:
              C:\Documents and Settings\All Users\Start Menu

              2. Copy the entire content of this folder:
              C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\2
              and paste it to this folder:
              C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch

              3. Copy the entire content of this folder:
              C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\3
              and paste it to this folder:
              C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

              4. Copy the entire content of this folder:
              C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\4
              and paste it to this folder:
              C:\Documents and Settings\All Users\Desktop


              If the above does not work then you can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:

          • Chris

            Perfect. The system tools are back in it. The only things left are the extra programs like Microsoft Office, Skype, etc. I guess those will have to be reinstalled. I appreciate the help. Back when I found the smtmp folder, I copied everything in it back to the Start Menu folder but it didn’t fix anything. Since I was not the first person to try and fix this computer, I can only assume that the majority of the shortcuts were somehow deleted.

  • pfeilstein

    This is the worst case I was worried about for the last 15 years.
    And it happened inspite always updating my browsers, OS, AV-software and plugins – just a few moments before finishing an important work. Instead I
    had a thrilling night session.
    Most puzzling was to figure out which sources throughout the web are reliable and which ones are free-riders or even part of the original fraud. Too many – commercial- offers seemed suspicious. But thanks to this great guide, I got my machine working again and met the deadline next morning.
    Unfortunately one symptom I supposed to be part of the infection appeared once again in the morning: a vertical striped freezed monitor.
    So I run the whole procedure a second time. Now – a few days later – the system appears stable.
    One question is left: What was the infection path of the trojan? Just drive-by?

    Thanks a lot!

  • Sunshine

    Your directions were magnificent!!! Thank u sooooo much!!! I do have one question…my mouse pad on my laptop is not working properly…I can tap to select n scroll the right button works but the left doesnt. Could this b from the virus?

    • Stelian Pilici

      Sounds more like a hardware problem than a side effect….. Try to disconnect – reconnect the cable….

  • Francine

    Hi everything worked fine BUT I still have not a single icon on my desktop and cannot access to the xontrol panel and some of my programs have that ufly “empty” box next to it.
    Help!

    • Stelian Pilici

      Hello Francine;
      1.Plese run Unhide.exe

      1. Download  >> Unhide.exe. < <<
      2. Double-click on the Unhide.exe icon on your desktop and allow the program to run.When it has completed its task it will generate a report.

      2.Restore your Start menu to a previous date

      1. Right click on your Windows Start menu and select Properties.
        [Image: Eu2Aq.png]
      2. Next put a check mark on
        Store and display recently opened programs in the start menu
        Store and display recently opened items in the start menu and taskbar
        [Image: h0z5v.png]
      3. Click on Customize and click on Use default settings at the bottom
        [Image: kxZSH.png]
      4. Browse to
        Code:
        C:\ProgramData\Microsoft\Windows

        [Image: vZZUz.png]

      5. Right click on Start Menu folder and click on Restore previous versions
      6. Now select a snapshot before you were infected by the rogue,click on restore
      • Francine

        Thanks a lot Stelian, everything is fine now!

  • Rol Girard

    Thank you very much. I followed all the steps to remove the SMART virus and it worked just fine.
    I do have a problem yet but i do not know if it is from the SMART virus or not.
    I am using Windows 7 and Trend Micro anti virus.
    I can not turn on the Windows Security Center. Error says it can not be started. Also I can not start the Windows firewall service. I get error code 1068. When I try to start the firewall I get error code 0x8007042c.
    Thank You

  • Trudie000

    Fantastic!!! I freaked out when my desktop turned black and all my files and folders had disappeared! Quite frankly I didn’t know what to do and was about to make the damn purchase the virus was prompting me to but it looked suspicious so I decided to google S.M.A.R.T and this awesome link came up!! I read through and realised that I wasn’t alone?

    Followed every step in the link and bang! All my folders and files came back!

    You are indeed a STAR! God Bless you big time!!!

  • Kelly

    Thank you for this website. I have followed all the steps listed above, and the popups have stopped, my files are no longer hidden, and the system is allowing me access to my programs now.

    But I still have a couple issues. I am running Windows XP, and when I click on Start, then All Programs, it lists the installed programs, but when I try to click on a program, it gives me a little box that says (Empty). I can access the programs through desktop icons or by going into Explorer program files. Secondly, although all the subsequent scans I have run using all the programs listed above as well as two paid anti-virus programs all show my system to be clean. But Internet Explorer (which I don’t use – I use Firefox) keeps opening on its own to websites I’ve never heard of.

    Any insight you can offer on these problems would be greatly appreciated.

    • Stelian Pilici

      1.Plese run Unhide.exe

      1. Download Unhide.exe.
      2. Double-click on the Unhide.exe icon on your desktop and allow the program to run.When it has completed its task it will generate a report.

      2.Restore your Start menu to a previous date

      1. Right click on your Windows Start menu and select Properties.
        [Image: Eu2Aq.png]
      2. Next put a check mark on
        Store and display recently opened programs in the start menu
        Store and display recently opened items in the start menu and taskbar
        [Image: h0z5v.png]
      3. Click on Customize and click on Use default settings at the bottom
        [Image: kxZSH.png]
      4. Browse to
        Code:
        C:\ProgramData\Microsoft\Windows

        [Image: vZZUz.png]

      5. Right click on Start Menu folder and click on Restore previous versions
      6. Now select a snapshot before you were infected by the rogue,click on restore

      3.This malicious software has changed your homepage in Internet Explorer…..You can go into the Internet option and chose ‘Use blank’ or add your own… OR you can just reset IE options.

      Reset Internet Explorer options

      To reset Internet Explorer options….. Go here : http://malwaretips.com/blogs/remove-whitesmoke-translator/ : and check step 3 to see how to reset IE to its default settings..

  • Linda

    how long does it normally take for the RKill program to generate a log? I got the black screen but it disappeared after a couple of seconds….I have been waiting about 45 minutes now but nothing has happened, so not sure if it’s working or not

    • Stelian Pilici

      Hello Linda,
      The RKILL scan should not take more than 5 minutes or so. Lets try another thing:

      Option 1 : Try to download a different named Rkill (direct download links bellow):
      http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
      http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
      http://download.bleepingcomputer.com/grinler/rkill.scr
      And then follow the guide starting with the Malwarebytes scan.


      If that doesn’t work please try to do this:
      Option 2: Download HitmanPro and then start this program in ForceBreach Mode
      1.Here are the direct download links for HitmanPro,
      http://dl.surfright.nl/HitmanPro36.exe (For 32bit)
      http://dl.surfright.nl/HitmanPro36_x64.exe (For 64bit)
      2.Hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including this rogue malicious process
      Here is a video that explains with graphic details how to do this : http://www.youtube.com/watch?v=m6eRWTv2STk
      3. If it start ,let it scan and remove all the detected threats , then perform a scan with Malwarebytes.

      Next , perform a system scan with Emsisoft Anti-Malware:

      1. Please download the latest official version of Emsisoft Emergency Kit : http://www.emsisoft.de/en/software/eek/
      2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip
        [Image: ekk1.png]
      3. Open the Emsisoft Emergency Kit Folder and double click EmergencyKitScanner.bat
        [Image: ekk2.png]
      4. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.

        [Image: ekk3.png]

        [Image: ekk4.png]

      5. After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC”.

        [Image: ekk5.png]

      6. Select “Smart scan” and click-on the below “SCAN” button.

        [Image: ekk6.png]

      7. Emsisoft Emergency Kit will now start scanning your computer for malicious files as shown below.

        [Image: ekk7.png]

      8. When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Please note that the infections found may be different than what is shown in the image.
        Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects’ button.
        [Image: ekk8.png]
      9. Emsisoft Emergency Kit will now start removing the malicious files.
        If during the removal process Emsisoft will display a message stating that it needs to reboot, please allow this request.

      If you are still experiencing problems , start a thread in our Malware Removal Support forum : http://malwaretips.com/Forum-Help-my-PC-is-infected

  • Burninchilli

    You are a * (star!). I think I got SMARTED from E-bay (if this is possible) looking at bikes. Followed the instructions on this site and I got my life back. I assess students and have about 100 hours of work that I thought had gone for good. Thank you so, so much. My concern is that my firewall was on, Microsoft security essentials wes running in real time and my explorer is patched and up to date. So how does it by-pass my security Stelian? Is there more I should be doing to protect my computer?

    • Stelian Pilici

      Hello Burninchilli.
      Your antivirus didn’t have signatures for this particular threat and because it doesn’t have any other powerful layers of protection it didn’t have any way to stop it.
      You should really change your antivirus to one that has additionl layers of protection besides the antivirus component!
      Here is one of the reasons why Avast is better than Microsoft Security Essentials: https://blog.avast.com/2012/03/20/autosandbox-why-are-you-annoying-me/
      Quick tips:
      Free – Avast 7 Free version or COMODO Internet Security
      Paid : Norton Internet Security 2012 or Avast Internet Security 7
      Anyway ,you should really start a thread in our Security Configuration forum as you need to build a layerd security config: http://malwaretips.com/Forum-Security-Configuration-Wizard

  • terri

    thank so much. thought i had lost everything on my laptop, & thought that I would need a new one. thanks to you I now have my stuff back!!!!

  • Bill

    awesome….you deserve a lot more than a medal..worked perfectly..

  • Bill

    Friggin awesome….you deserve a lot more than a medal..worked perfectly..

  • Ruth

    I have tried Malwarebytes when I saw the smart hdd message but the problem is my C drive shows with nothing in it and also I do not have icons on the taskbar and desktop and all the programs are gone. Please I will like to know if the instruction will bring back my C drive and my icons and programs. I am able to log in now. This is a work computer.

    • Stelian Pilici

      Hello Ruth,
      Yes, if you follow this step by step guide , you’re folders,icons and files should be back!
      If you have any problems please post back here, and I’ll help you!!
      Stay safe!

  • Oz

    Brilliant. Complete documented set of instructions that worked perfectly.

    Thank you, you deserve a medal.

  • Tony Paige

    I had tried a couple others before this so I was fairly skeptical of it working. But it worked great and the user is happy. Awesome documentation. Thanx very much

  • Paul

    Great job and excellent documentation. Worked great!

  • Emmitt

    I thought this was a disaster on multi levels. Thanks for the help…

    • Walter

      You’re Awesome! Thank you.

  • Simon Moyer

    Thank you SO much for these instructions. They were WAY more helpful than Microsoft’s forum entry regarding removal of this humongously annoying malware. You are indeed a life saver!

  • Matthew

    I have two computers, a tower, which is my primary, and a laptop, which is my backup/highrisk use pc. Not sure where I picked up this particularly nasty piece of Malware from but I suspect Uploading.com or another file site when I was cruising for some vids. Normally I’m savvy enough that I can solve most problems on my own but with this little bathturd I needed some outside help. Praise be to Google which led me to this fantastic article, and thank you very much kind sir for making it and explaining things step by step so well.

    • Jason

      You may have to use “msconfig” to load safe mode as this new strain of virus would not allow me to use F8 on bootup to get into safemode. Also in my case I had to use the cmd window to run “tasklist” to see the running processes and “taskkill /f /pid ####” where #### is the task pid you need to kill. It has a wierd name (random characters) so you’ll proably know which one to kill. Once you run taskkill type msconfig and choose safemode and then restart and follow the remaining directions.

  • Scott

    Thought I would have to haul my computer to the shop but I followed your step by step instructions and they worked! Thank you so much!!!!

  • David Hufford

    Thank you so much for your info. I got the smart virus two days ago and I followed these steps. Took me about an hour but the computer is back to normal. The only issue I still have is I cant see anything on my external harddrive. I can click on the J drive but I cant see anything in it. Should I run these steps again with the external drive plugged in?

    Thanks for your help

    • Jason

      How to Unhide Files and Folders
      To avoid manual execution of programs and files, Smart HDD will hide files and folders on the infected computer. Most victims think that files and folders are deleted, but it is not. The malware simply changed the attributes to hide the data. Follow this guide to show all hidden files and folders if it remains hidden after activating Smart HDD.

      1. Open My Computer or Windows Explorer.
      2. On top menu of upper left corner, click on Organize, then choose Folder and Search Options.

      3. Folder Options dialog box will appear. Select the View tab.
      4. On Advance Settings, mark “Show hidden files, folders and drives.”

      5. Click OK to save the settings. You can now view the folders and files, though, they are still concealed because Smart HDD sets the attributes to hidden.
      6. While still on Windows Explorer, click on the drive (C: or D:). On right pane, mouse over on the folder or file you wanted to unhide. To select all folder, you may use the keyboard shortcut Ctrl+A. Right-click, then select Properties .

      7. On the Attributes area, remove the check mark on Hidden . This will change the attributes of affected files and folders. Click OK to save the settings.

  • ISDTech

    WOWOWOW – The steps worked! Thank you Stelian Pilici!

  • Gregg

    You guys are GREAT!!!! Never thought i could get pc back to normal!!!! This worked wonderful!!!!

  • Hayley2277

    THANK YOU SO MUCH!! I thought all was lost. I’m right in the middle of finishing the last touches of my dissertation (luckily I had just emailed a copy to my professor, but lost all my research articles). You have NO IDEA how much you just saved me.

  • dogsoldier

    Tried a lot of different websites that didn’t help me a lot further, but thanks to you I finally got rid of Data Recovery. Thank you so much, I thought I’d lose everything on this computer.

  • Dave

    My 30 day trial of Norton ran out on my new laptop, then I got this virus. This website solved my problem fast and free. Next step for me is to install AVG free virus scan.

    • http://malwaretips.com/ Stelian Pilici

      I would suggest that you try Avast 7 Free… It’s way better than AVG FREE. :)

  • AK

    Amazing.. Thank you very much.. I thought Ilost all my data….

  • Lokesh

    Thanks a lot for the guided support. I was so scared I lost all my data which was around 300GB.. Thanks to you I am saved now.
    This blog has helped many by now and in future also. Great

  • Sarah

    Thank you so much! I was so worried I had lost everything until I found this site. Thank you!!

  • Agy

    Hi, I just got infected by this annoying virus, and thanks to you i’ve been able to get back in place! Great guide!! thanks

    • Greg

      Awsome! You bailed me out!!! Thanks so much!

  • Matt

    Nice work, Great guide and screenshots

  • Jeff

    Thank you for your help.
    You are providing a great service to all!

  • prem

    great work.
    thank you

  • Floyd

    How can I thank you, I did in fact donate to your support.
    I believe I am back straight now, I will for ever be a little worried now about just what is happening when I am going to a website.
    The only thing not mentioned above is that the RogueKiller took me to the RogueKiller website and I am not certain if I need to be doing anything further. I have convinced myself it takes me there just in case I want to leave a comment or such.
    THANK YOU Sir!

  • Mick Creedon

    Is there not a download available to create a USB rescue drive that will rid ones computer of this SMART HDD malware rather than have to download and run all these programs?

  • Andrew

    Fantastic guide. Thanks so much :)

  • Anon23456

    A++++++++++++++. Excellent instructions, well thought out and easy to follow. An exemplary job. You sir are amazing. Thank you. Now I don’t need to reformat my computer. :)

  • Anthony Bustamante

    Your the man!!! I love when it when you can follow simple directions and they work.

  • Debi

    I can not thank you enough… i thought i had lost all my business stuff!

  • Ken VanBree

    Thanks so much for a thorough recipe for undoing the problems that the S.M.A.R.T. malware. I used the instructions on another site but they only got me part way there. I can now access QuickBooks and write invoices. In other words I am back in business. Thanks for your help.

    Ken

  • BQJN

    Thank you! Excellent instructions and easy to follow. You are fantastic. Thank you!

  • Emma Gullblom

    Thank you!!

  • guilherme

    omg… thanks.. very very thanks
    i almost change my HDD, but i visited your site and fixed all

    • Matty

      Thank you so much you have saved me a lot of money literally haha! Absolutely genius thanks a billion!!

      • vtango

        Thanks a ton, for the detailed and step by step instructions…!!!! Awesome!!!