Confirmed (Heuristics): right-click scanning of Spybot detects Smitfraud-C all over the place!



129260
2008-07-09, 22:11
Hi, I have used my travel drive to download programs for a while now. I right-clicked my travel drive and did a scan with Spybot. These files I know are clean, as they are downloaded from their official pages. The following files were detected to be Smitfraud-C:

Microsoft Malicious Removal Tool - downloaded from the official Microsoft page.
DX web setup (DirectX setup) - downloaded from the official Microsoft page.
Comodo free firewall - downloaded from Comodo's page.
HijackThis - downloaded from the official page.
Internet Explorer 7 setup file - from the official Microsoft page.

All of these were detected to be Smitfraud-C.

What is interesting is:

Under the right-click menu scan with Spybot that I did, in the window that Spybot scans in, under Spybot - Search & Destroy (Malware) it says nothing found. Yet on the next line, for the same items, under Spybot - Search & Destroy (Heuristic) it says Smitfraud-C.

So I think this is a false positive.

* Windows XP Home Edition SP3
* Internet Explorer 7, Firefox latest version
* Latest Spybot 1.6
* False positive occurred using the right-click scan with Spybot on the travel drive.

hakuiman
2008-07-10, 02:35
Hi, I just updated to version 1.6 and tried scanning some files using the right-click scanning, and it also detected Smitfraud-C in a couple of files.

It seems like it does this with almost every file, though I wonder why you don't get an option to do anything besides clicking "Close" when it has finished scanning...

I'm gonna say this is a false positive.

Wizcrafts
2008-07-10, 04:47
Windows XP Professional w/SP3
Firefox 2.0.0.15
Spybot 1.6 final, with July 9, 2008 updates
The following FPs occurred only after a right-click manual scan of a particular saved folder. No infections were reported under Malware, only Heuristic.

After updating to Spybot 1.6 and the July 9 definitions and rebooting, I also tried right-click scans on some old saved executable files from MSDOS 6.22, from the 1990s. Some (not all) of these old files were reported as being infected with either "Smitfraud-C" or "Worldsecurityonline.FakeAlert" under "Heuristic." These are false positives that have been scanned to death over the years, including last week, when nothing evil was detected in them.

These files are all in one folder on a backup disk and are inert.

Suspected FP of Worldsecurityonline.FakeAlert in MSDOS 6.22 files:
Attrib.exe
Chkdsk.exe
Debug.exe
Deltree.exe
Edit.com
Edlin.exe
Fdisk.exe
Mem.exe
Move.exe
Mscdex.exe

Smitfraud-C FP in:
Start.exe (DOS 6.22)

camor
2008-07-10, 09:34
Hi! I have the same problem! With a normal scan (SB 1.6.0.30) everything is OK. With the right button I get Smitfraud-C (on the Heuristics line) in the file "mbam.exe" (Malwarebytes' Anti-Malware), and in the file "mbamcatdhme.sys" it says Worldsecurityonline.FakeAlert.
Can anyone tell me something about that?
Thanks

Yodama
2008-07-10, 10:08
hello,

thank you for reporting this.
I can confirm that these are false positives.

Those reported by 129260 and Wizcrafts have been confirmed and will be fixed with the next update.

When reporting such heuristics false positives, please tell us where the files are located or where you got the files, naming the operating system and versions of software is also helpful (see above how 129260 and Wizcrafts reported).

Alternatively you can also send us the files in question with a reference to this thread to detections@spybot.info

camor
2008-07-10, 11:37
Windows XP Home/SP3
IE7
SpyBot 1.6 updated

In my case the files are C:\Programas\Malwarebytes' Anti-Malware\mbam
and C:\WINDOWS\system32\drivers\mbamcatchme

Thanks for your interest
Regards from Portugal

129260
2008-07-10, 20:53
Thanks tashi!!! You're welcome!! :laugh:

drragostea
2008-07-10, 21:34
Confirmed. Some SmitFraud.C files found in my Photos.

129260
2008-07-10, 22:43
:oops: I mean Yodama, haha. Same avatars make it hard to remember that not everyone is the same person. Sorry, haha!

LisaJ
2008-07-13, 14:55
I'm In the UK and I have Smitfraud-C on right click. Just want to confirm as well. Thank You. :clown:

antdude
2008-07-14, 20:32
Same here with MSCOMCTL.OCX file. :(

wyrmrider
2008-07-14, 20:57
Otherwise, check the properties and see if the file is in the correct place where the MS file is supposed to be, and that the file size is what it's supposed to be, etc.
Or submit it to VirusTotal.
Just do not delete - quarantine.

antdude
2008-07-14, 21:08
> Otherwise, check the properties and see if the file is in the correct place where the MS file is supposed to be, and that the file size is what it's supposed to be, etc.
> Or submit it to VirusTotal.
> Just do not delete - quarantine.

I already uploaded it to those two online scanners. They reported it as clean.

wyrmrider
2008-07-14, 21:56
Good move.
However, sometimes several of the scanners will show the same heuristics hits, like 2 or 3.
Jotti is another check.
If a hit has not been reported before, send it in as shown earlier in this thread,
with your OS version etc. as requested.
Perhaps with this one, having DOS on the machine makes a difference.
Does everyone have DOS? What version?

antdude
2008-07-14, 22:14
> Good move.
> However, sometimes several of the scanners will show the same heuristics hits, like 2 or 3.
> Jotti is another check.
> If a hit has not been reported before, send it in as shown earlier in this thread,
> with your OS version etc. as requested.
> Perhaps with this one, having DOS on the machine makes a difference.
> Does everyone have DOS? What version?

I have:
http://www.virustotal.com/ and http://virusscan.jotti.org/

http://scanner.virus.org/ was giving 500 internal server error, so I couldn't use it.

I don't have DOS on this box (just cmd.exe), with Windows XP Pro SP2 with all critical updates (not SP3) and optional software. :)

Yodama
2008-07-15, 08:36
@129260
no problem, though Tashi's avatar is slightly different from mine :police:


Currently the single file scan will produce a lot of false positives with the heuristics scan.
I am currently checking the database to avoid these false positives. It is likely that we will release the updates on this step by step, to avoid a high bandwidth load with the next update and to have more time for testing.
So not all heuristics false positives will be resolved with the update tomorrow.

129260
2008-07-15, 23:09
Thanks for the info, Yodama! Yeah, I have been speeding through the forums lately, and sometimes I miss things like avatars and names. I need to slow down and read more carefully before I reply and such. :bigthumb:

I am just glad you guys are aware of it. :) I participate in the distributed testing process (I have the service on 2 computers) as well, because I want to help with false positives and the like. I am glad you guys are working to correct the right-click heuristics. Thanks for the update!

joshonefive
2008-07-16, 01:24
What if someone is infected?

Will it then list under Malware instead of Heuristic? Spybot, with the right-click scan, finds a few files under the Heuristic category that show Smitfraud-C and Worldsecurityonline.FakeAlert.

My PC actually does have a virus or something. When booted it gives me a bunch of application errors stating that my programs failed to initialize and must either terminate or debug. Also, I am unable to open anything on my desktop or modify it (explorer.exe). My system lags ridiculously hard, making it impossible to do anything, including updating my anti-virus. I am currently using McAfee 8.5i Enterprise with Patch 5. The on-access scanner did not catch any virus, and I am not able to update manually due to the lag.

I'm currently researching the symptoms of Smitfraud-C and Worldsecurityonline.FakeAlert and will post my results of what I think this could be.

My question is: are all of the "Smitfraud-C" and "Worldsecurityonline" hits in the Heuristic category just brushed off, assuming the user is in fact infected with "nothing"?

This is also a weird question, but I ran RAM diagnostics that cleared; could RAM be the culprit? Unlikely, but this is beyond me....

Thanks guys, any reply is most helpful.

129260
2008-07-16, 03:20
Post in the malware removal forums, since you said you are infected.....

grengerx
2008-07-16, 05:37
Exactly my experience with right-click Spybot. I also scanned with McAfee and it shows clean, so false positive it is :present:

129260
2008-07-16, 05:57
This has been confirmed and will be fixed. See Yodama's replies.

Yodama
2008-07-16, 07:58
@129260
thanks for your help :)


> What if someone is infected?
>
> Will it then list under Malware instead of Heuristic? Spybot, with the right-click scan, finds a few files under the Heuristic category that show Smitfraud-C and Worldsecurityonline.FakeAlert.
>
> My question is: are all of the "Smitfraud-C" and "Worldsecurityonline" hits in the Heuristic category just brushed off, assuming the user is in fact infected with "nothing"?
>
> I'm currently researching the symptoms of Smitfraud-C and Worldsecurityonline.FakeAlert and will post my results of what I think this could be.


In case of infection with these threats, it would also be listed under Malware.
Additionally, a normal scan with Spybot S&D would also find traces of this malware. These threats in particular depend on registry entries to get started on system boot. They are not threats that are strictly file based.

Both pieces of malware usually show false warning messages to make users download and buy rogue security software.

The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to detections@spybot.info for analysis.



> My PC actually does have a virus or something. When booted it gives me a bunch of application errors stating that my programs failed to initialize and must either terminate or debug. Also, I am unable to open anything on my desktop or modify it (explorer.exe). My system lags ridiculously hard, making it impossible to do anything, including updating my anti-virus. I am currently using McAfee 8.5i Enterprise with Patch 5. The on-access scanner did not catch any virus, and I am not able to update manually due to the lag.

These kinds of errors could relate to an infection. Please post in the malware removal forums and follow the helpers' instructions on how to provide the log files they require to estimate the source of the issues.



> This is also a weird question, but I ran RAM diagnostics that cleared; could RAM be the culprit?

As you already stated this is unlikely. Hardware issues usually cause random errors, like sudden blue screens.
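
Yodama's distinction above (a heuristic hit on a lone file versus an infection that also needs a registry entry to get started at boot) is something a reader can check for themselves. The Python below is an added example, not code from this thread or from Spybot: it parses a .reg export of the usual autostart keys (Run, RunOnce and the Winlogon Shell/Userinit values; on Windows `reg export <key> <file>` writes this format) and flags entries whose program lives outside the Windows or Program Files directories, or a Winlogon value that no longer equals its default. Everything in SAMPLE_REG is constructed for the demo, including the two suspicious entries; the allowed directories and the Winlogon defaults are assumptions for a stock English Windows XP install on drive C:, and a rogue that installs itself under Program Files would not be caught by the directory rule, so treat the output as triage, not proof.

```python
"""Audit Windows autostart registry entries from a .reg export.

Added example, not part of the original thread or of Spybot. The sample
registry text below is constructed; the trusted directories and Winlogon
defaults are assumptions for a stock English XP system on C:.
"""
import re

# Constructed .reg export (what `reg export` writes), not a real machine's registry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe\" /runcleanupscript"
"sysupd"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\sysupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\helper.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# Assumed trusted locations for autostart images (lower-case, trailing backslash).
ALLOWED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Assumed stock values; anything appended to Shell or Userinit is worth a look.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "c:\\windows\\system32\\userinit.exe"}

# A .reg value line: "name"=data  or  @=data (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> " (any backslash-escaped char)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if key is None or not match:
            continue
        name = "@" if match.group(2) else unescape(match.group(1))
        data = match.group(3)
        # Only quoted data is REG_SZ; hex:/dword: values are skipped here.
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, unescape(data[1:-1])


def image_path(command):
    """Extract the executable path from a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return re.split(r"[ ,]", command, maxsplit=1)[0]


def audit_autostarts(reg_text, allowed_dirs=ALLOWED_DIRS):
    """Return (key, name, value, reason) tuples for entries that deserve a closer look."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "winlogon":
            expected = WINLOGON_DEFAULTS.get(name.lower())
            if expected is not None and data.lower().rstrip(",") != expected:
                findings.append((key, name, data, "winlogon value differs from stock default"))
        elif leaf in ("run", "runonce"):
            image = image_path(data).lower()
            # Note: 8.3 short names (DOCUME~1) are not expanded; a real check
            # should resolve them and verify the file on disk as well.
            if not any(image.startswith(d) for d in allowed_dirs):
                findings.append((key, name, image, "autostart image outside trusted directories"))
    return findings


if __name__ == "__main__":
    for key, name, value, reason in audit_autostarts(SAMPLE_REG):
        print(f"{reason}: {key}\\{name} = {value}")
```

Against the constructed sample this reports the Temp-resident "sysupd" entry and the modified Winlogon Shell value, and stays quiet about mbam.exe, ctfmon.exe and the stock Userinit. A right-click heuristic hit on a file that has no such autostart entry, and that a full Spybot scan does not list under Malware, is exactly the pattern the thread describes as a false positive.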

Tattenbach
2008-07-16, 21:35
Would you please check the program "Wireless Migrator" from codeplex? URL listed below

http://www.codeplex.com/wlan/Release/ProjectReleases.aspx?ReleaseId=14107 > BackupWireless.exe

Spybot 1.6 latest definitions detects "Worldsecurityonline.FakeAlert" when using the context menu option and heuristics.

I believe this is a false positive.

Thanks for your feedback.

Tattenbach
2008-07-16, 21:42
Both downloaded images mentioned above, when scanned with version 1.6 and the context menu (heuristics), are said to contain Smitfraud-C.

Please advise; I believe they are false positives.

Kind regards

md usa spybot fan
2008-07-16, 22:47
Tattenbach:

Prior posts in this thread indicate that there were confirmed false positives for Smitfraud-C using the Windows Explorer right-click context menu item "Scan using Spybot-Search&Destroy".

However, in regards to:

> Both downloaded images mentioned above, …

All posts prior to yours are using old updates. Have you downloaded today's updates (2008-07-16) and tried again?

Tattenbach
2008-07-17, 08:40
> All posts prior to yours are using old updates. Have you download today's updates (2008-07-16) and tried again?
------------------------------------------------------------------------

Thanks for the reply. No, I have not updated the definitions this week, but I will do so later today (I am away from my PC now) and post the results. Thanks again.

PS: I have another post here regarding Wireless Migrator identified with another type of malware. Perhaps the update cures that one too, as I believe it should be a false positive.

camor
2008-07-17, 12:11
Now everything is OK with the last update!
Thank you SpyBot's team!!
Carlos

Tattenbach
2008-07-17, 19:13
Neither the Linux ISOs nor Wireless Migrator are reported as infected after this update. Thanks!

md usa spybot fan
2008-07-17, 19:58
Tattenbach:

I'm glad that your problem was resolved with the latest (2008-07-16) updates.

robertlee
2008-07-20, 06:26
I have no problems with pop-ups, etc., and no symptoms of infection. I checked a different computer and also see no problems, but both computers show this when doing a right-click scan on the Firefox folder, located in the Program Files folder. (I only checked doing it this way because of the Smitfraud false positive reported in Internet Explorer.)

The Malware scan shows nothing found; the Heuristic scan shows the red caution symbol at: nsDefaultCLH.js - Win32.Zhelatin.VG

The normal S&D scan shows no issues, and neither Norton nor Command Anti-Virus shows anything.

Both computers: Windows XP sp3
S&D ver1.6 updated 7-16-08
Firefox ver.3.0.1

One computer is using Command AV ver.4.95.2
One computer is using Norton Internet Security Ver.15.5.0.23

Wizcrafts
2008-07-22, 05:36
I want to report that with the definition updates on July 16, all false positives for Heuristic right-click scans are fixed, as regards my saved MSDOS 6.22 .com and .exe files.

Thank you

Yodama
2008-07-23, 07:26
> The Malware scan shows nothing found; the Heuristic scan shows the red caution symbol at: nsDefaultCLH.js - Win32.Zhelatin.VG


Thank you for reporting this; this false positive will be fixed with the next update of trojans.sbi, which is scheduled for today (Wednesday).

Also thanks to everyone else for feedback and reporting the other false positives.

bureaucrat
2008-07-24, 08:39
Spybot v1.6 found what I hope is a false indication within the Mozilla Firefox v3.0.1 installer package.

I sometimes unzip installer packages and scan the contents.
Spybot did not report this before expanding the installer.

"Firefox Setup 3.0.1.exe\nonlocalized\components\nsDefaultCLH.js"
was marked as Win32.Zhelatin.vg by Spybot Heuristics.

MD5 for this file, downloaded from Mozilla.org on 07/22/08 (using MD5 Summer):
acf41e73a9844a3f6410017f09c849al

I read recently that Firefox is now a mild form of spyware for Mozilla.org.
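
wyrmrider's checklist earlier in the thread (is the file where the vendor installs it, is the size right, then VirusTotal or Jotti, and quarantine rather than delete) and bureaucrat's habit of recording an MD5 of the download can be turned into a small script. The Python below is an added example, not code from this thread or from Spybot: it computes MD5 and SHA-256 in chunks, compares them to the values the vendor publishes, checks the location and size, and records the OS string a false-positive report asks for. The installer, directory, size and hashes in demo() are constructed; a real run would pass the path of the flagged file and the hash from the vendor's download page. Prefer SHA-256 where the vendor publishes one, since MD5 collisions have been practical since 2004, and an MD5 match only tells you the file was not corrupted or swapped by someone who did not bother to forge it.

```python
"""Triage a suspected heuristic false positive on a downloaded file.

Added example, not part of the original thread or of Spybot. The expected
location, size and hashes used in demo() are constructed for the demo.
"""
import hashlib
import hmac
import os
import platform
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Return (md5_hex, sha256_hex), reading in chunks so large installers are fine."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def triage_file(path, expected_dir, expected_size=None, expected_md5=None, expected_sha256=None):
    """Gather the facts a false-positive report needs and list any mismatches.

    An empty 'concerns' list means the file matches what the vendor shipped, so the
    heuristic hit is likely a false positive worth reporting with these details.
    Any mismatch means: quarantine (do not delete) and submit the file for analysis.
    """
    findings = {
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "os": platform.platform(),  # the OS/version line the helpers ask for
        "concerns": [],
    }
    findings["md5"], findings["sha256"] = file_digests(path)

    actual_dir = os.path.dirname(findings["path"])
    if os.path.normcase(actual_dir) != os.path.normcase(os.path.abspath(expected_dir)):
        findings["concerns"].append(f"unexpected location: {actual_dir}")
    if expected_size is not None and findings["size"] != expected_size:
        findings["concerns"].append(f"size {findings['size']} != expected {expected_size}")
    # compare_digest keeps the comparison constant-time; hex digests are lower-case.
    if expected_md5 is not None and not hmac.compare_digest(findings["md5"], expected_md5.lower()):
        findings["concerns"].append("md5 mismatch")
    if expected_sha256 is not None and not hmac.compare_digest(findings["sha256"], expected_sha256.lower()):
        findings["concerns"].append("sha256 mismatch")
    return findings


def demo():
    """Constructed sample: a fake installer in a temp dir, checked against good and bad expectations."""
    workdir = tempfile.mkdtemp()
    installer = os.path.join(workdir, "Setup.exe")
    payload = b"MZ" + b"\x00" * 1022  # stand-in for an installer, not a real PE file
    with open(installer, "wb") as fh:
        fh.write(payload)
    good_sha256 = hashlib.sha256(payload).hexdigest()
    clean = triage_file(installer, workdir, expected_size=len(payload), expected_sha256=good_sha256)
    tampered = triage_file(installer, workdir, expected_size=len(payload) + 1, expected_sha256="00" * 32)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean concerns:", clean["concerns"])
    print("tampered concerns:", tampered["concerns"])
```

The dict returned by triage_file() is the same information the helpers request in this thread (where the file came from, where it sits, OS version), so pasting it into a report saves a round trip; the "concerns" list is what decides between "report a false positive" and "quarantine and submit".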

Yodama
2008-07-25, 07:38
Hello,

this is a false positive of the heuristics scan which was also addressed here (http://forums.spybot.info/showpost.php?p=214347&postcount=30)

It has been fixed with the latest detection updates released this Wednesday.

129260
2008-07-27, 01:53
I just wanted to report that all my issues with the right-click scanning are now fixed. I have yet to see any more problems with the latest updates. I will report if anything changes. :) Thanks so much!

edangpo
2008-08-03, 04:58
When I single-scan my Blender folder, I get the following information:

Zlib.dll GuardianMonitor
This is under the Heuristic section only.

A regular scan with SpyBot does not show this.
My other security software does not show this.
Is this a false positive?

Windows Defender
Adaware 2008
AVG (paid version)
Windows XP Pro sp3
Internet Explorer 7, FireFox latest version
Latest spybot 1.6

Thank You.

tashi
2008-08-03, 05:19
Hello,

Please follow instructions here How to report False Positives (http://forums.spybot.info/showthread.php?t=19117)

Thank you. :)

edangpo
2008-08-03, 05:44
Thank you for the quick reply.
I am sorry, but I do not understand the information you requested.
I have read the page suggested and have all the information that I can find.
The single file scan does not produce a log of any of its findings. I can find the regular scan log easily, but no trace of the single file/folder scan. The window also does not allow me to do anything about the stated file, such as fixing the problem.
Again, this happens when I right-click and scan a single folder. The screen that I see has a red X in front of the file, zlib.dll.
Under "status", it states it is a "GuardianMonitor".
Could you please tell me what other information I can give to find out if this is a threat or a false positive?
Thank you for your time.

Yodama
2008-08-04, 09:18
hello,

this is a false positive with the heuristics part of the single file scanner. It will be corrected with the next update.

FFKefka77
2008-08-29, 04:46
Windows XP Professional SP-3
FireFox 3.0.1
Spybot S&D 1.6 update: 2008-08-27

Found on the right-click Spybot scan (context scan, I think) of my USB flash drive:

1. FixPolicies.exe, found here - http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe, was found under Spybot - Search & Destroy (Heuristic) as Virtumonde.

2. DCProSetup.exe, found here - http://downloads.guru3d.com/download.php?det=745#download, was found under Spybot - Search & Destroy (Heuristic) as SpyFalcon.

Nothing was fixed or deleted; they were just detected in the right-click Spybot scan, and it worried me, because those are 2 very nasty things to have detected.

Yodama
2008-08-29, 07:12
Thank you for reporting this issue.
The heuristics scan is currently being reviewed, and fixes will be released during the regular updates.
We will check the files from the links you provided and adjust the rules for the heuristics scan accordingly.

Note: this thread will be merged with the other thread about heuristics scan false positives.