Confirmed (Heuristics): right click scanning of spybot detects smitfraud c all over the place!

Thread starter: 129260 (Guest)

Hi, I have used my travel drive to download programs for a while now. I right-clicked my travel drive and did a scan with Spybot. These files I know are clean, as they are downloaded from their official pages. The following files were detected to be smitfraud c:

Microsoft malicious removal tool - was downloaded from official Microsoft page.
Dx web setup. Direct x setup - was downloaded from official Microsoft page.
Comodo free firewall - was downloaded from Comodo's page.
Hijack this - downloaded from official page.
Internet explorer 7 setup file from official Microsoft page.

All of these were detected to be smitfraud c.

What is interesting is:

Under the right click menu scan with Spybot that I did, the window that Spybot scans in, under spybot search and destroy (malware) it says nothing found. Yet the next line, for the same items under spybot search and destroy (heuristic) it says smitfraud c.

So I think this is a false positive.

* Windows XP home edition sp3
* Internet Explorer 7, FireFox latest version
* Latest spybot 1.6
* false positive occurred using right click scan with spybot on travel drive.
 
Hi, I just updated to version 1.6, and tried scanning some files using the right-click scanning, and it also detected Smitfraud-C in a couple of files.

It seems like it does this with almost every file, though I wonder why you don't get an option to do anything besides clicking "Close" when it has finished scanning...

I'm gonna say this is a false positive.
 
False positives found in old DOS commands

Windows XP Professional w/SP3
Firefox 2.0.0.15
Spybot 1.6 final, with July 9, 2008 updates
The following FPs occurred only after a right-click manual scan of a particular saved folder. No infections were reported under Malware, only Heuristic.

After updating to Spybot 1.6 and the July 9 definitions and rebooting, I also tried right-click scans on some old saved executable files from MSDOS 6.22, from the 1990's. Some (not all) of these old files were reported as being infected with either "Smitfraud-C" or "Worldsecurityonline.FakeAlert" under "Heuristic." These are false positives that have been scanned to death over the years, including last week, when nothing evil was detected in them.

These files are all in one folder on a backup disk and are inert.

Suspected FP of Worldsecurityonline.FakeAlert in MSDOS 6.22 files:
Attrib.exe
Chkdsk.exe
Debug.exe
Deltree.exe
Edit.com
Edlin.exe
Fdisk.exe
Mem.exe
Move.exe
Mscdex.exe

Smitfraud-C FP in:
Start.exe (DOS 6.22)
 
Hi! I've the same problem! With a normal scan (SB-1.6.0.30) everything is ok. With the right button I've Smitfraud-C in (line Heuristics) the file "mbam.exe" (Malwarebytes' Anti-Malware) and in the file "mbamcatchme.sys" it says Worldsecurityonline.FakeAlert.
Can anyone tell something about that?
Thanks
 
hello,

thank you for reporting this.
I can confirm that these are false positives.

Those reported by 129260 and Wizcrafts have been confirmed and will be fixed with the next update.

When reporting such heuristics false positives, please tell us where the files are located or where you got the files; naming the operating system and versions of software is also helpful (see above how 129260 and Wizcrafts reported).

Alternatively you can also send us the files in question with a reference to this thread to detections@spybot.info
 
Windows XP Home/SP3
IE7
SpyBot 1.6 updated

In my case the files are C:\Programas\Malwarebytes' Anti-Malware/mbam
and C:\WINDOWS\system32\drivers/mbamcatchme

Thanks for your interest
Regards from Portugal
 
Thanks tashi!!! you're welcome!! :laugh:
 
:oops: I mean yodama haha same avatars make it hard to remember not everyone is the same person. sorry haha!
 
Me Too

I'm in the UK and I have Smitfraud-C on right click. Just want to confirm as well. Thank you. :clown:
 
We can all Chill till the next update

Otherwise check properties and see if the file is in the correct place where the MS file is supposed to be and that the file size is what it's supposed to be etc.,
or submit it to VirusTotal.
Just do not delete - quarantine.
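
The checks suggested in the post above (expected location, expected size, a hash to look up on a multi-engine scanner, quarantine instead of delete) can be scripted. This is an added example, not part of the original thread and not Spybot code; the reference manifest format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked: installers can be large
            h.update(chunk)
    return h.hexdigest()

def triage(path, reference, quarantine_dir):
    """Return (verdict, sha256) for one file flagged only by the heuristic scan."""
    path = Path(path)
    digest = sha256_of(path)
    ref = reference.get(path.name.lower())  # hypothetical manifest built from a trusted copy
    if ref is None:
        return "no-reference", digest       # nothing to compare: look the hash up online
    if (path.parent.resolve() == Path(ref["dir"]).resolve()
            and path.stat().st_size == ref["size"]
            and digest == ref["sha256"]):
        return "matches-reference", digest  # likely false positive: keep file, report it
    # Location, size or content differs from the trusted copy: move aside, never delete.
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(qdir / (digest[:16] + "_" + path.name + ".quarantined")))
    return "quarantined", digest

def demo():
    """Constructed sample: one intact file, one altered copy, one file with no reference."""
    root = Path(tempfile.mkdtemp())
    good = root / "tools" / "start.exe"
    good.parent.mkdir()
    good.write_bytes(b"MZ constructed sample bytes")
    reference = {"start.exe": {"dir": str(good.parent), "size": good.stat().st_size,
                               "sha256": sha256_of(good)}}
    altered = root / "other" / "start.exe"
    altered.parent.mkdir()
    altered.write_bytes(b"MZ constructed sample bytes, altered")
    unknown = root / "tools" / "edit.com"
    unknown.write_bytes(b"constructed")
    qdir = root / "quarantine"
    verdicts = [triage(p, reference, qdir)[0] for p in (good, altered, unknown)]
    return verdicts, sorted(p.name for p in qdir.iterdir()), altered.exists()

if __name__ == "__main__":
    print(demo())
```

A file that matches its reference is the kind worth reporting to the vendor as a heuristic false positive; a quarantined file keeps its original name inside the new one so it can be restored.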
 
I already uploaded to those two online scanners. They detected it being clean.
 
Good move,
however sometimes several of the scanners will show the same heuristics hits - like 2 or 3.
Jotti is another check.
If a hit has not been reported before, send it in as shown earlier in this thread
with your OS version etc. as requested.
Perhaps with this one having DOS on the machine makes a difference.
Does everyone have DOS -- what version?
 
I have:
http://www.virustotal.com/ and http://virusscan.jotti.org/

http://scanner.virus.org/ was giving 500 internal server error, so I couldn't use it.

I don't have DOS on this box (just cmd.exe) with Windows XP Pro. SP2 with all critical updates (not SP3) and optional softwares. :)
 
@129260
no problem, though Tashi's avatar is slightly different from mine :police:


Currently the single file scan will produce a lot of false positives with the heuristics scan.
I am currently checking the database to avoid these false positives. It is likely that we will release the updates on this step by step to avoid a high bandwidth load with the next update and to have more time with testing.
So not all heuristics false positives will be resolved with the update tomorrow.
 
ok

Thanks for the info yodama! Ya, I have been speeding through the forums lately, and sometimes I miss things like avatars and names. I need to slow down and read more carefully before I reply and such. :bigthumb:

I am just glad you guys are aware of it. :) I participate in the distributed testing process (I have the service on 2 computers) as well because I want to help with false positives and the like. I am glad you guys are working to correct the right click heuristics. Thanks for the update!
 
what if someone is infected?

what if someone is infected?

Will it then list under malware instead of heuristic? Spybot, with right click scan, finds a few files under heuristic category that show Smitfraud-C and Worldsecurityonline.FakeAlert.

My PC actually does have a virus or something. When booted it gives me a bunch of application errors stating that my programs failed to initialize and must either terminate or debug. Also I am unable to open anything on my desktop or modify it (explorer.exe). My system lags ridiculously hard, making it impossible to do anything including updating my anti-virus. I am currently using McAfee 8.5i Enterprise with patch 5. The on-access did not catch any virus and I am not able to update manually due to the lag.

I'm currently researching the symptoms of Smitfraud-C and Worldsecurityonline.FakeAlert and will post my results of what I think this could be.

My question is: are all of "smitfraud-c" and "worldsecurityonline" in the heuristic category just brushed off to assume the user is infected with in fact "nothing"?

This is also a weird question, but I ran RAM diagnostics that cleared but could RAM be the culprit? Unlikely, but this is beyond me....

Thanks guys, any reply is most helpful.
 
I would......

post in the malware removal forums since you said you are infected.....
 
Big help there! Thanks!

Exactly my experience with right click Spybot. I also scanned with McAfee and it shows clean, so false positive it is :present:
 