BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine. I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date. There are 12 such files in my System32 folder. Not sure everyone's will be the same. May depend on the actual date you installed SmitfraudFix.
If anyone wants or needs the list post here and I'll share it.
Well, that might be possible, but I think there were 4 .exe files? Am I right?
No, all 12 of these are exe files with the exact same size and creation date as the files in the SmitfraudFix folder. I haven't deleted (or renamed) any of these as yet. Still trying to decide the best thing to do. I just rebooted to see if I get any rootkit alarms again. There is no 'Process.exe' file present in the Sys32 folder. It's been 10 mins now and no alarm as yet.
I'm still thinking that avast rootkit is detecting the presence of 'Process.exe' because it was there and matched a signature through heuristics. I'm still confused on the 'hidden process' running.
I have the following in my system32 folder that are the exact size and creation date as the files in the smitfraudfix folder.
dumphive.exe 7/31/2004
process.exe 3/25/2007
SrchSTS.exe 4/27/2006
swreg.exe 8/29/2006
swsc.exe 1/9/2006
swxcacls.exe 12/1/2006
VCCLSID.exe 9/5/2007
This would seem to correlate with the following section from the SmitfraudFix.cmd file:
if exist Update.cmd del Update.cmd
if not exist %syspath%\Process.exe copy Process.exe %syspath%\Process.exe >NUL
if not exist %syspath%\swreg.exe copy swreg.exe %syspath%\swreg.exe >NUL
if not exist %syspath%\swsc.exe copy swsc.exe %syspath%\swsc.exe >NUL
if not exist %syspath%\SrchSTS.exe copy SrchSTS.exe %syspath%\SrchSTS.exe >NUL
if not exist %syspath%\dumphive.exe copy dumphive.exe %syspath%\dumphive.exe >NUL
if not exist %syspath%\swxcacls.exe copy swxcacls.exe %syspath%\swxcacls.exe >NUL
if not exist %syspath%\VCCLSID.exe copy VCCLSID.exe %syspath%\VCCLSID.exe >NUL
I have only deleted the process.exe file thus far, which has stopped the alerts. Any advice as to risk of deleting the other files that could possibly be required by other processes?
Here are the other files that are in the smitfraudfix folder, but not in the system32 folder.
Exit.exe 8/21/2007
GenericRenosFix.exe 5/9/2007
HostsChk.exe 3/28/2007
Reboot.exe 1/13/2005
restart.exe 3/7/2006
SmiUpdate.exe 9/19/2006
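The side-by-side comparison described earlier in the thread, and the `if not exist %syspath%\X.exe copy X.exe %syspath%\X.exe` lines quoted from SmitfraudFix.cmd, amount to one question: which files in System32 are byte-for-byte copies of the tool's own helpers, which merely share a name with something else, and which were never copied at all. The script below is an added example written for this thread, not part of SmitfraudFix or any poster's code. It compares a tool folder against a system folder by name (case-insensitively, as Windows does), size and SHA-256 rather than creation date, and builds its own throwaway directories with constructed placeholder files; the folder names and file contents are assumptions for the demo, not the real binaries. Run it against `C:\SmitfraudFix` and `C:\Windows\System32` by replacing the demo paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copied_tools(tool_dir, system_dir):
    """Classify every file in tool_dir against system_dir.

    Returns {file name: status} where status is one of:
      'identical'   same name in system_dir with identical size and SHA-256,
                    i.e. what an 'if not exist ... copy' line leaves behind
      'differs'     same name in system_dir but different content; do not
                    assume it came from the tool folder (check its publisher)
      'not present' no file of that name in system_dir
    Name matching is case-insensitive because NTFS paths are.
    """
    tool_dir, system_dir = Path(tool_dir), Path(system_dir)
    sys_files = {p.name.lower(): p for p in system_dir.iterdir() if p.is_file()}
    result = {}
    for src in sorted(tool_dir.iterdir()):
        if not src.is_file():
            continue
        dst = sys_files.get(src.name.lower())
        if dst is None:
            result[src.name] = "not present"
        elif dst.stat().st_size == src.stat().st_size and sha256_of(dst) == sha256_of(src):
            result[src.name] = "identical"
        else:
            result[src.name] = "differs"
    return result


def build_demo():
    """Constructed sample layout (placeholder bytes, not real SmitfraudFix binaries).

    Returns (tool_dir, system_dir) as Path objects inside a fresh temp directory.
    """
    base = Path(tempfile.mkdtemp(prefix="smitfraud_demo_"))
    tool, sysd = base / "SmitfraudFix", base / "system32"
    tool.mkdir()
    sysd.mkdir()
    (tool / "swreg.exe").write_bytes(b"TOOL-swreg")
    (sysd / "swreg.exe").write_bytes(b"TOOL-swreg")        # exact copy left by the .cmd
    (tool / "Process.exe").write_bytes(b"TOOL-process")
    (sysd / "process.exe").write_bytes(b"OTHER-process")   # same name, different content
    (tool / "Exit.exe").write_bytes(b"TOOL-exit")          # never copied into system32
    (sysd / "kernel32.dll").write_bytes(b"SYSTEM")         # unrelated file, never reported
    return tool, sysd


if __name__ == "__main__":
    tool_dir, system_dir = build_demo()
    for name, status in find_copied_tools(tool_dir, system_dir).items():
        print(f"{name:20} {status}")
```

Only files reported as `identical` are safe to treat as SmitfraudFix leftovers; a `differs` entry means something else owns that name in System32, which is exactly the case where deleting on name alone would be a mistake. Size-plus-hash is preferred over the creation date used in the thread because the copy command preserves neither reliably across backups or restores.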