Tutorial SmitfraudFix

Utilisation – english version

SmitfraudFix fixes DesktopHijack-like infections: Smitfraud, Win32.puper, AVGold, Security iGuard, Spyware Vanisher, quicknavigate.com, updateSearches.com, startsearches.net, Virtual Maid, SpySheriff, PSGuard, SpyAxe, WinHound, SpyFalcon, AlfaCleaner, SpywareStrike…

SmitfraudFix, a tool for Windows 2000 and XP, has got 3 separate options:
– option #1 displays infected Smitfraudwise files (run option #2 in case of displayed files).
– option #2 deletes infected files and is to be run if option #1 showed their presence.
This operation is to be performed in Safe mode.
– option #3 is independent and will be run to re-initialize the Trusted and Restricted Sites zones (O15 lines on a HijackThis log).
This option must not be run by chance as protection information might be in this Restricted Site zone!

Given the recent random file names, this step must be part of an infected hard disk file removal procedure and a system cleaning by Ewido or similar.

Download SmitfraudFix.
Extract all the smitfraudfix.zip archive.

SmitfraudFix files

Option 1 – Search:
Double-click smitfraudfix.cmd
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt.

SmitfraudFix

Option 2 – Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).
Double-click smitfraudfix.cmd.
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.

SmitfraudFix : registry cleaning

Option 3 – restore Trusted and Restricted site zone:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone (lines HijackThis O15).

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”. It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user (see Command Line Process Viewer/Killer/Suspender).