dslreports logo

    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


how-to block ads

These removal tools only work for the following operating systems:

1. SmitfraudFix: Windows 2k, 2003 and XP ONLY
2. RogueRemover: Vista

Windows 98/ME users will need to follow the complete pre-cleaning FAQ here:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

SpywareQuake and SpyFalcon are just two of many examples of the Zlob/Smitfraud family of desktop hijackers that pop up over the desktop or gives an alert from the taskbar near the clock and displays a warning message that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake and try to trick you into buying the commercial version of software. The many versions of this pest can vary with the warning message shown. A list of example screenshots can be seen here:
»Security Cleanup FAQ »Screenshots of Desktop Hijack

Other Zlob/Smitfraud variants include:
Search Maid
Security IGuard
Virtual Maid
{This list of names has become to long to list all of the possibilities)

Zlob/Smitfraud Removal

Note: Not for Vista users. If you are running Windows Vista, please use the RogueRemover tool described in the next section.

The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. {WinXP, 2k only!) Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Destop.
How to extract (decompress) zipped or compressed files

A folder named SmitfraudFix will be created on your Desktop.

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

3. Reboot into Safe Mode
How to start the computer in Safe mode:

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter

5. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

6. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier (or the Adaware log) and the Panda report. We will also need the log from SmitFraudFix called rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log
VISTA users, please use this tool instead

Please download Rogue Remover from here: [code]
[/code] & save it to your desktop.

    [*]Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
    [*]Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
    [*]Once the program runs, select Check for Updates.
    [*]When prompted, select Check for Updates.
    [*]If prompted again, click Download to receive the latest updates.
    [*]When completed, close the update window.
    [*]Finally, select Scan and the program will walk you through the remaining steps.

Additional Instructions

a. How to Post a new Topic in the Security Cleanup Forum
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.

b. Instructions for HijackThis:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
This is to ensure it makes the necessary backups for recovery if needed.

Download HijackThis

Unzip/decompress the file and save the contents (HijackThis.exe) to the new folder you made and doubleclick on HijackThis.exe to open the program. On the Main Menu page, Choose *Do a system scan and save a log*

When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results here.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.


Edit 01 Sep 2007 by CalamityJane : Added additional instructions for Vista

Edit: 08 Aug 2007 by CalamityJane: Adjusted HJT instruction for new ver. 2.02 by Trend-Micro

16 Oct 2006 by CalamityJane. Removed Ewido and Panda scan instructions as SmitfraudFix can do the whole job.

Edit 16 Jul 2006 by CalamityJane: Adjusted instructions for Ewido new ver 4.0

Edit 16 April 2006 by CalamityJane: Added SmitfraudFix tool to replace SmitRem and roguescanfix tools.

Expand got feedback?

by CalamityJane See Profile
last modified: 2007-09-01 22:12:04