Win32 removal of Smitfraud malware for Windows XP and 2K

I am writing this post because I just had a user ask me about her older Windows 2000 machine that was cursed with the Smitfraud malware. Typically I recommend Spyware Doctor by PCTOOLS because it takes care of most Malware threats on more types of Win32 machines BUT she wanted a free way to do it and I’ve thought I would detail the process.

I love free software as much as the next guy but really, unless you have a lot of experience and time just go out and buy Spyware Doctor. You won’t be disappointed and you won’t have to go searching the internet for a fix for other types of infections when you get them. Spyware Doctor handles them all.

But let’s continue with the free way called SmitFraudFix.

Just a list of some of the malware infections this is good for:  AdwarePunisher, AdwareSheriff, AlphaCleaner, AntiSpyCheck, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, Antivirus 2009, Antivirus Master, Antivirus XP 2008, AntivirusGolden, AVGold, Awola, BraveSentry, IE Defender, Internet Antivirus, MalwareCrush, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, Power-Antivirus-2009, PSGuard, quicknavigate.com, Registry Cleaner, Security iGuard, Smart Antivirus 2009, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareRemover, SpywareSheriff, SpywareStrike, Startsearches.net, TheSpyBot, TitanShield Antispyware, Total Secure 2009, Trust Cleaner, UpdateSearches.com, Virtual Maid, Virus Heat, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Win32.puper, WinHound, Vista Antivirus 2008, XP Security Center, Brain Codec, ChristmasPorn, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, IECodec, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, LookForPorn, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, NetProject, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SearchPorn, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec…

Download:

Use this URL to download the latest version (the file contains both English and French versions):
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Mirrors: Alternate official download locations for Smitfraudfix.exe
http://siri.geekstogo.com/SmitfraudFix.exe
http://downloads.securitycadets.com/SmitfraudFix.exe
Zebulon.fr

Use:

• Search:
  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt



• Clean:
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infect files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt



• Optional:
  • To restore Trusted and Restricted site zone, select 3 and hit Enter.
  • You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”. It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm