Possible False Positive Smitfraud-C.



metril
2007-10-26, 03:42
First Case:

I updated Spybot S&D and ran it on my Vista Ultimate system that is on my laptop. After a scan, it showed

Note: This is version 1.4 of Spybot with latest updates.

Smitfraud-C. in the directory

C:\Program Files\Security Tools\


I install all my Anti-Spyware and Antivirus software into the Security Tools folder and each program has its default folder to install to.

Upon asking Spybot to fix the problem, the following happens:

1. Lavasoft directory, which contains Adaware, is deleted.

2. My Avast AV program stops. Its directory is missing.

3. Spybot closes after asking to fix and upon restart, definitions are corrupted and it asks me to update because Blindman is not found. When I update, it says that no newer updates are available.


Second Case:

I reformatted the OS partition on my laptop's hard drive. I cannot afford to lose my D partition because it contains all my data and I do not have any way to back up right now.

Assuming that my system was infected in the First Case, a reformat should have wiped the drive clean. Assuming that the data on the D partition is infected, the infection should not be able to spread unless I run an infected file from the D partition. The D partition was not accessed after the reinstall of the OS.

Note: This is a clean reformat/reinstall of Vista Ultimate

Without updating or installing any drivers for the new installation, I downloaded Spybot S&D, installed it to C:\Program Files\Security Tools\, updated, and ran the scan. After a scan, it showed

Note: This is the latest version of Spybot with latest updates.

Smitfraud-C. in the directory

C:\Program Files\Security Tools\

Upon asking Spybot to fix the problem, the following happens:


1. Spybot closes after asking to fix and upon restart, definitions are corrupted and it asks me to update because Blindman is not found. When I update, it says that no newer updates are available.


Third Case:

I called home, since I am at college I cannot do this myself, and asked my brother to update Spybot S&D and run a scan. After a scan, it showed

Note: This is version 1.4 of Spybot with latest updates.

Smitfraud-C. in the directory

C:\Program Files\Security Tools\


I install all my Anti-Spyware and Antivirus software into the Security Tools folder and each program has its default folder to install to.

I told him not to remove because I do not know if the results shown are true or not.


Thank you.

metril
2007-10-26, 05:30
Is it possible for Smitfraud-C. to spread to another system through a remote desktop or remote assistance connection?

I ask because I did remote assistance connect to my home PC a couple days ago using Windows Live Messenger.


Thank you.

metril
2007-10-26, 07:27
Please delete this thread. I've rushed to conclusions without enough knowledge. Sorry for the trouble. Just that I wanted to think my system was clean and safe.


Thank you.

tashi
2007-10-26, 08:03
Topic in the malware removal forum: http://forums.spybot.info/showthread.php?t=19475 :)

Duplicate: http://forums.spybot.info/showthread.php?p=130537

tashi
2007-10-26, 20:50
metril, please post the information as requested by a detective in this topic:
How to report False Positives.
http://forums.spybot.info/showthread.php?t=19117

Also, is there any reason you have not updated to Spybot-S&D version 1.5?

Best regards.

Kavu2
2007-10-31, 19:42
Oct 31, 2007
SpyBot v1.5
Oct 31 updates

Updated Spybot, ran a check for problems, and this reg entry turned up as a problem:

-------------------------------
Smitfraud-C.: [SBI $72299D84] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-10-24 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-10-31 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-10-31 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-31 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-10-24 Includes\Malware.sbi (*)
2007-10-31 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-10-31 Includes\PUPSC.sbi (*)
2007-10-31 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-31 Includes\SecurityC.sbi (*)
2007-10-24 Includes\Spybots.sbi (*)
2007-10-31 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-10-24 Includes\Trojans.sbi (*)
2007-10-31 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
----------------------------

If someone could tell me if this reg entry should be deleted or not, I would be very grateful. If I need to report other info or logs, please so indicate. Attached is a zip file of the log text generated by the header post instructions in this thread. Thank you for your help in this.

Kavu2

PepiMK
2007-11-01, 19:15
I'm uploading a small update without this troublesome detection for now, someone will look into details tomorrow :)