Fix and remove "Smitfraud"


Today my computer got infected by “Smitfraud” spyware. It is the type of computer pest that can really annoy and irritate any PC user by showing fake security alerts:

Your computer have been infected by viruses, PC users using cheap and uncool anti-virus softwares, buy our software only, your computer is so slow, our software can make your PC faster than hell, your PC need Viagra…… and the never ending torment.

See other samples.

The annoyance doesn’t stop there. “Smitfraud” installs and embeds itself deep inside your Windows system files and registry: it installs junk software, runs as a background service, appears in the Add/Remove registry entries, shows animated icons in the taskbar and manipulates system files. Clicking on one of these fake security alerts will either bring you to a home page where you can purchase other fraudulent software, or install that software automatically, without your permission.

Smitfraud properties:

  • Changes browser settings
  • Connects itself to the internet
  • Hides from the user
  • Stays resident in background

Luckily, I have this cool spyware removal tool that I always keep in case I need it. It is by far the best, and more effective than the other spyware removal tools on the market.

I’m talking about the “SmitfraudFix” tool, which is available for free. It doesn’t cost you anything to effectively remove the spyware. This tool was created by S!Ri, and all he asked for is a voluntary donation. I think the author/creator should be credited for such a great tool, and that we should contribute financially to further support his long-term effort to keep this tool alive and updated in the future.


Use this URL to download the latest version (the file contains both English and French versions):

Mirrors: Alternate official download locations for

How to use:


  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Using Smitfraud with CMD


  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Cleaning process


  • To restore Trusted and Restricted site zone, select 3 and hit Enter.
  • You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.


process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”. It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

What is “Smitfraud”

SmitFraud, or W32/SmitFraud.A, is a type of spyware that installs itself on a computer via adware, without the user noticing. Most of the time, it installs itself after the computer user installs a fake codec, such as BrainCodec, PCodec or VideoKeyCodec. It infects a Windows DLL with a computer virus. SmitFraud changes the infected computer’s desktop background either into a Blue Screen of Death, or into a background displaying a fake error message.

Infected users also receive notifications asking users to install a fake anti-spyware program such as Spylocked, Spydawn, SpySheriff, SpyAxe or Spyware Quake, on the infected computer to remove the spyware. After a fake scan, the program asks users to pay for the full version before removing the spyware it has found. When users pay, the notifications disappear and the background turns normal, but the infection is still present.

The term SmitFraud is now used for infections in which users receive fake alerts from software that lures them into installing an affiliated fake/rogue anti-spyware program, with or without the user’s knowledge.

Types of known Smitfraud

Desktop Hijack malware:

AdwarePunisher, AdwareSheriff, AlphaCleaner, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, AntivirusGolden, AVGold, BraveSentry, IE Defender, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareSheriff, SpywareStrike, TitanShield Antispyware, Trust Cleaner, Virtual Maid, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Win32.puper, WinHound, Brain Codec, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec.

Smitfraud manual removal:

*I would not recommend this method because it is a rather complex manual removal process and can lead to undesirable results. Take caution and make sure you fully understand what you are doing.

Kill processes:
bsw.exe, helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, popuper.exe, shnlog.exe, uninstiu.exe, winhook.exe, winstall.exe, wp.exe, zloader3.exe

HELP: How to kill malicious processes

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default)=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet update

Search the Windows registry for {D5BC2651-6A61-4542-BF7D-84D42228772C} entry.

HELP: How to remove registry entries

Unregister DLLs:

HELP: How to unregister malicious DLLs

Delete files:
bsw.exe, helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, popuper.exe, shnlog.exe, uninstiu.exe, winhook.exe, winstall.exe, wp.exe, zloader3.exe, hhk.dll, oleadm.dll, oleadm32.dll, param32.dll, wldr.dll, hp[X].tmp, perfcii.ini, sites.ini, wp.bmp

HELP: How to remove harmful files

Delete directories:
C:\Windows\System\Log Files
C:\Windows\System32\Log Files
C:\Winnt\System32\Log Files


Smitfraud does not install all listed objects. It creates only some of them depending on its variant.

[X] is a set of four random characters.

Exact file location:

bsw.exe, winstall.exe, wp.exe – C:
popuper.exe, uninstiu.exe, zloader3.exe, sites.ini – C:\Windows or C:\Winnt
wp.bmp – C: and C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32

helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, shnlog.exe, winhook.exe, hhk.dll, oleadm.dll, oleadm32.dll, param32.dll, wldr.dll, hp[X].tmp, perfcii.ini – C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32

In some cases it might be necessary to replace the infected wininet.dll file with a clean copy. wininet.dll is a system file located in default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32, C:\Winnt\System32.
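
A read-only way to check a machine for the indicators listed above before deleting anything, as an added PowerShell example (not part of the original post and not SmitfraudFix's own code). It assumes PowerShell is available, takes the system directories from $env:SystemRoot, and treats the Browser Helper Objects and Uninstall entries as registry keys and the remaining entries as values.

```powershell
# Added example: read-only audit for the Smitfraud indicators listed on this page.
# It only reports matches; review every hit before deleting anything.
$drive = "$env:SystemDrive\"
$win   = $env:SystemRoot          # C:\Windows or C:\Winnt on a default install
$sys   = 'System', 'System32' | ForEach-Object { Join-Path $win $_ }

# Name patterns grouped by the directories listed under "Exact file location".
# 'hp????.tmp' stands for hp[X].tmp, where [X] is four random characters.
$fileRules = @(
    @{ Dirs = @($drive); Names = 'bsw.exe', 'winstall.exe', 'wp.exe', 'wp.bmp' }
    @{ Dirs = @($win);   Names = 'popuper.exe', 'uninstiu.exe', 'zloader3.exe', 'sites.ini' }
    @{ Dirs = $sys;      Names = 'wp.bmp', 'helper.exe', 'hookdump.exe', 'intmon.exe',
        'intmonp.exe', 'msmsgs.exe', 'msole32.exe', 'ole32vbs.exe', 'shnlog.exe', 'winhook.exe',
        'hhk.dll', 'oleadm.dll', 'oleadm32.dll', 'param32.dll', 'wldr.dll', 'hp????.tmp', 'perfcii.ini' }
)
foreach ($rule in $fileRules) {
    foreach ($dir in $rule.Dirs) {
        # -Force includes hidden files; a hit needs the name AND the directory to match
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $f = $_; -not $f.PSIsContainer -and ($rule.Names | Where-Object { $f.Name -like $_ }) } |
            ForEach-Object { "FILE   $($_.FullName)  (modified $($_.LastWriteTime))" }
    }
}

# Registry values: the Internet Explorer ones are printed with their data so you can
# judge whether the address is one you set or one the hijacker wrote.
$ie = 'HKCU:\Software\Microsoft\Internet Explorer'
$regValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Names = @('msn messenger') }
    @{ Key = "$ie\Main"; Names = 'Default_Page_URL', 'Default_Search_URL', 'Search Bar', 'Search Page', 'Local Page' }
    @{ Key = "$ie\Search";    Names = 'CustomizeSearch', 'SearchAssistant' }
    @{ Key = "$ie\SearchURL"; Names = @('(default)') }
)
foreach ($r in $regValues) {
    $props = Get-ItemProperty -LiteralPath $r.Key -ErrorAction SilentlyContinue
    foreach ($n in $r.Names) {
        if ($null -ne $props.$n) { "VALUE  $($r.Key)\$n = $($props.$n)" }
    }
}

# Registry keys (treated as subkeys, which is how BHO and Uninstall entries are stored)
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
"$cv\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}", "$cv\Uninstall\internet update" |
    Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "KEY    $_" }
# Running processes; Path shows where the image was loaded from
$procs = 'bsw', 'helper', 'hookdump', 'intmon', 'intmonp', 'msmsgs', 'msole32', 'ole32vbs',
         'popuper', 'shnlog', 'uninstiu', 'winhook', 'winstall', 'wp', 'zloader3'
Get-Process -Name $procs -ErrorAction SilentlyContinue |
    ForEach-Object { "PROC   $($_.Name) (PID $($_.Id))  $($_.Path)" }
```

For PROC lines, compare the reported path with the directories in the file list: a process that shares one of these names but runs from a different directory is not one of the files described here.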