1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: SmiUpdate.exe in smitfraudfix file flagged as trojan by AVG?

Discussion in 'General Security' started by mrss, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. mrss

    mrss Guest Thread Starter

    Jun 13, 2007
    I downloaded SmitfraudFix (via a link from this form, I believe) and AVG calls SmiUpdate.exe the TrojanHorse.VB.CEC virus.

    I wasn't able to scan it with Panda's online scan because AVG had locked it. Panda picked up these other files from the smitfraudfix folder.
    It also picked up process.exe from WIndows/system32, but AVG cleared it.

    A quick google suggests that the nature of the smitfraudfix requires the above programs have access to the hard drive and to be able to connect to the internet, i.e, this is normal?

    Paranoid, as usual. I deleted the smitfraud fix folder anyway. WHat do you think?
  2. Byteman

    Byteman Gone but Never Forgotten

    Jan 24, 2002

    Included in all the authorized security helpers here at TSG's replies where SmitFraudfix is being used, is this:

    Please download SmitfraudFix (by S!Ri)
    Have the file Saved To> your Desktop, change the location while the File Download box is up
    by using the drop-down arrow....go to Desktop at the very top of the list> make it the location the file downloads TO.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
    _ __
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    Second Part of Smitfraudfix:

    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do
    not use Safe Mode with Networking for this fix!)

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.

    _ _ _ _ _ _ _ _ ____

    Note the part about antivirus programs detecting SMFix's files...it's very common as they are detected because of what the antivirus program detects that the files DO

    Detections like this are called False Positives or false detections.

    Note also> you need to be prepared to put back your background/wallpaper if the computer is NOT infected SMFix will remove it anyway....
  3. mrss

    mrss Guest Thread Starter

    Jun 13, 2007
    Thanks, Byteman.
  4. Byteman

    Byteman Gone but Never Forgotten

    Jan 24, 2002
    Hi, You are welcome! You did the right thing to ask...."there are no foolish questions, only those you don't ask! And, they are the easiest to answer, but fools rarely ask any"
  5. gco102


    Feb 5, 2008
    i have found several posts on message board of people having the same problem as me
    but not found any of the solutions
    windows XP SP2
    downloaded smitfraudfix.exe
    doubleclicked it to extract folder onto desktop - also tried extracting it directly to c:/smitfraudfix folder
    start windows in safe mode
    however - the part where you either doubleclick smitfraudfix.cmd
    or run CMD and try to run it from command prompt
    it just opens for a split second and then closes
    it doesn't go to the screen where you can pick option #1 search

    i do see a file in the smitfraud fix folder named process.exe
    i did look at the http://www.beyondlogic.org/consulting/proc...processutil.htm
    but did not understand what i was supposed to be doing

    some messages mentioned to make sure that all of the files ended up getting downloaded - but i dont see that list - below is what i have


    my ComSpec is c:windows\system32\cmd.exe

    I know I am doing something wrong
    any help would be greatly appreciated.
  6. Byteman

    Byteman Gone but Never Forgotten

    Jan 24, 2002

    You just download the smitfraudfix file directly to your desktop, these days....if you do have the .exe version, you just double click the file, and it makes a new folder SmitFraudFix on the desktop....Open that folder, and click on Smitfraudfix.cmd

    You can run the first part from Normal Mode to get the text log, and you can post it here if you get it to run.

    The second part is the actual cleaning, when you type a "2"
    and that run is done in Safe Mode.

    Are you using an Administrator level user account?

    Is there another account you can try it with?

    *You also need to boot to Safe Mode and log onto the same user account when you go to do Part 2. Another account probably won't have the SmitFraudFix folder on it's desktop, but if you are used to using Windows Explorer, you can navigate to the account that does have the folder and run the command.

    Try downloading a fresh copy from this link:


    Do not try running any other files that are in the folder, just smitfraudfix.cmd

    Then try again.
  7. rrascal


    Apr 4, 2005
    I am responding to the initial question of why AVG detects SmitFraudFix as a trojan.
    SmiUpdate contains Process.exe, a program written by Beyondlogic. SmitFraudFix uses this program to view, kill and remove undesirable processes. In addition, SmitFraudFix might backup and modify your registry. Trojans might perform those same type of actions. Where it is undesirable to permit a trojan to do this at will, SmitFraudFix's 'fight fire with fire' design is for a good reason. Since antiviral utilities (AVG, Kaspersky, AntiVI, BitDefender to name a few) will class programs on what they can do and not whether it is for good or bad, SmitFraudFix is often flagged as a trojan. As a double whammy, the SmitFraudFix folder may contain backups of your registry. I have seen those backups appear in the list of threats.
    I'd suggest you not simply ignore the warnings. A virus could take advantage of your complacency and hide itself in there. The safest thing to do is to download a fresh copy of SmitFraudFix whenever you use it. Paranoia rules.
    Hope this helps.
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/672081

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice