# Solved: SmiUpdate.exe in smitfraudfix file flagged as trojan by AVG?



## mrss (Jun 13, 2007)

I downloaded SmitfraudFix (via a link from this forum, I believe) and AVG calls SmiUpdate.exe the TrojanHorse.VB.CEC virus.

I wasn't able to scan it with Panda's online scan because AVG had locked it. Panda picked up these other files from the smitfraudfix folder. 
Process.exe
Reboot.exe
Restart.exe 
It also picked up process.exe from Windows/system32, but AVG cleared it.

A quick google suggests that the nature of the smitfraudfix requires the above programs have access to the hard drive and to be able to connect to the internet, i.e., this is normal?

Paranoid, as usual. I deleted the smitfraud fix folder anyway. What do you think?


----------



## Byteman (Jan 24, 2002)

Hi,

Included in all the authorized security helpers here at TSG's replies where SmitFraudfix is being used, is this:

Please download *SmitfraudFix* (by *S!Ri*) 
Have the file *Saved To> your Desktop,* change the location while the File Download box is up
by using the drop-down arrow....go to Desktop at the very top of the list> make it the location the file downloads TO.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.
_ __ 
Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
_______________________
Second Part of Smitfraudfix:

*Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do not use Safe Mode with Networking for this fix!)*
Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in *Safe Mode, then press "Enter".*
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "*Yes*" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.

_ _ _ _ _ _ _ _ ____

Note the part about antivirus programs detecting SMFix's files...it's very common as they are detected because of what the antivirus program detects that the files *DO*

Detections like this are called *False Positives or false detections*.

*Note also>* you need to be prepared to put back your background/wallpaper; if the computer is NOT infected, SMFix will remove it *anyway....*


----------



## mrss (Jun 13, 2007)

Thanks, Byteman.


----------



## Byteman (Jan 24, 2002)

Hi, You are welcome! You did the right thing to ask...._"there are no foolish questions, only those you don't ask! And, they are the easiest to answer, but fools rarely ask any"_


----------



## gco102 (Feb 6, 2008)

I have found several posts on message boards of people having the same problem as me
but have not found any of the solutions
windows XP SP2
downloaded smitfraudfix.exe
doubleclicked it to extract folder onto desktop - also tried extracting it directly to c:/smitfraudfix folder
start windows in safe mode
however - the part where you either doubleclick smitfraudfix.cmd
or run CMD and try to run it from command prompt
it just opens for a split second and then closes
it doesn't go to the screen where you can pick option #1 search

I do see a file in the smitfraud fix folder named process.exe
I did look at the http://www.beyondlogic.org/consulting/proc...processutil.htm
but did not understand what I was supposed to be doing

some messages mentioned to make sure that all of the files ended up getting downloaded - but I don't see that list - below is what I have

dumphive.exe
exit.exe
GenericRenosFix.exe
HostsChk.exe
IEDFix.exe
Process.exe
Reboot.exe
restart.exe
SmitfraudFix.cmd
SmiUpdate.exe
SrchSTS.exe
swreg.exe
swsc.exe
swxcacls.exe
unzip.exe
VACFix.exe
UCCLSID.exe
WS2Fix.exe

my ComSpec is c:windows\system32\cmd.exe

I know I am doing something wrong
any help would be greatly appreciated.


----------



## Byteman (Jan 24, 2002)

Hi,

You just download the smitfraudfix file directly to your desktop, these days....if you do have the .exe version, you just double click the file, and it makes a new folder SmitFraudFix on the desktop....Open that folder, and click on Smitfraudfix.cmd

You can run the first part from Normal Mode to get the text log, and you can post it here if you get it to run.

The *second part* is the actual cleaning, when you type a "2" 
and that run is done in *Safe Mode*.

Are you using an Administrator level user account?

Is there another account you can try it with?

*You also need to boot to Safe Mode and log onto the same user account when you go to do Part 2. Another account probably won't have the SmitFraudFix folder on its desktop, but if you are used to using Windows Explorer, you can navigate to the account that does have the folder and run the command.

Try downloading a fresh copy from this link:

*http://siri.urz.free.fr/Fix/SmitfraudFix.exe*

Do not try running any other files that are in the folder, just smitfraudfix.cmd

Then try again.


----------



## rrascal (Apr 4, 2005)

I am responding to the initial question of why AVG detects SmitFraudFix as a trojan.
SmiUpdate contains Process.exe, a program written by Beyondlogic. SmitFraudFix uses this program to view, kill and remove undesirable processes. In addition, SmitFraudFix might back up and modify your registry. Trojans might perform those same types of actions. Where it is undesirable to permit a trojan to do this at will, SmitFraudFix's 'fight fire with fire' design is for a good reason. Since antiviral utilities (AVG, Kaspersky, AntiVir, BitDefender to name a few) will class programs on what they can do and not whether it is for good or bad, SmitFraudFix is often flagged as a trojan. As a double whammy, the SmitFraudFix folder may contain backups of your registry. I have seen those backups appear in the list of threats.
I'd suggest you not simply ignore the warnings. A virus could take advantage of your complacency and hide itself in there. The safest thing to do is to download a fresh copy of SmitFraudFix whenever you use it. Paranoia rules.
Hope this helps.


----------
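An added example, not part of any post above and not SmitfraudFix's own code: one way to act on the advice to use a fresh copy is to hash every file in the folder you already have and compare it with a freshly extracted download. The function names and the sample files are assumptions made for illustration. Names are compared case-insensitively because Windows treats `Restart.exe` and `restart.exe` as the same file.

```python
import hashlib
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def index_folder(root):
    """Map lower-cased relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_tool_folders(old_dir, fresh_dir):
    """Report how an existing tool folder differs from a fresh extraction."""
    old, fresh = index_folder(old_dir), index_folder(fresh_dir)
    return {
        # same name, different content: newer tool version or altered file
        "modified": sorted(n for n in old.keys() & fresh.keys() if old[n] != fresh[n]),
        # only in the old folder: reports, registry backups, or something added
        "extra": sorted(old.keys() - fresh.keys()),
        # only in the fresh copy: incomplete extraction or quarantined file
        "missing": sorted(fresh.keys() - old.keys()),
    }

def build_demo(base):
    """Constructed sample data: two tiny folders standing in for the real ones."""
    base = Path(base)
    old, fresh = base / "old", base / "fresh"
    for d in (old, fresh):
        d.mkdir(parents=True)
    (fresh / "Process.exe").write_bytes(b"constructed-A")
    (fresh / "restart.exe").write_bytes(b"constructed-B")
    (fresh / "SmitfraudFix.cmd").write_bytes(b"constructed-C")
    (old / "process.exe").write_bytes(b"constructed-A")   # same content, other case
    (old / "Restart.exe").write_bytes(b"constructed-B-changed")
    (old / "backup.reg").write_bytes(b"constructed-registry-backup")
    return old, fresh

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        old, fresh = build_demo(tmp)
        for kind, names in compare_tool_folders(old, fresh).items():
            print(kind, names)
```

A "modified" or "extra" entry only shows that the old folder differs from the fresh download; it does not say why, so the simplest response is to delete the old folder and work from the fresh one.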

