Fixed: Fraud.Virus Doctor



ACupOfCffee
2009-04-03, 19:15
I was informed of CLIStart.exe being Fraud.VirusDoctor today upon boot. This file is part of my ATI graphics driver which I downloaded from Dell several months ago. I ran a context menu scan on it from Windows Explorer and found that the detection was not based on signatures but heuristics.

If it helps to note, my AV is avast! Professional. From Resident.log:

3/28/2009 9:32:50 AM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") added in Browser Helper Object!
3/28/2009 9:32:56 AM Allowed (based on user decision) value "AirShare" (new data: ""C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe" 0;1;1;1.6.65;C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\;") added in System Startup global entry!
3/28/2009 9:33:19 AM Allowed (based on user decision) value "AirShare" (new data: "") deleted in System Startup global entry!
3/29/2009 11:48:45 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
3/29/2009 11:48:56 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "C:\Windows\system32\AvastSS.scr") added in Desktop settings!
4/3/2009 11:33:38 AM Encountered and terminated Fraud.VirusDoctor in C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe!

I most recently updated Spybot late last night and I got the TeaTimer update March 13 according to the log. I will send an email with the detected file and full logs shortly.

cindy5663
2009-04-04, 03:08
OS - Windows XP Pro - SP3
Graphics Card - ATI All-In-Wonder 9600 XT
Catalyst V 08.12
Spybot V 1.6.2.46 - last update Apr 1, 2009 (no I'm not kidding!)
This has nothing to do with my browsers.

I was looking at some of my video settings using the Catalyst Control Center video settings for Presets, Basic Color, and Basic Quality and received the following error:

Spybot Search & Destroy has encountered and terminated a process that is listed as part of a malicious software.

Spybot terminated the program (MMACEPrev.exe!) but I didn't allow the file to be deleted because I've been using ATI's Catalyst and the software for several years without any warnings or errors coming up. This is a first. I have scanned repeatedly with various security software before my reinstall and a couple of times since then and have received no errors at all. I've done 2 complete XP reinstalls over the last 3 or 4 years without any errors involving ATI software.

This has to be a false positive so I'm going to tell Spybot to let the process run unless someone knows something that I don't.

Anybody out there have anything that would shed some light on this?

Thx,
C

tashi
2009-04-04, 04:38
Hi cindy5663,

I left a note for our detectives' attention Monday.

Thank you for reporting. :)

Yodama
2009-04-06, 10:21
The false positive on Fraud.VirusDoctor is a detection false positive and will be corrected with the next detection update.

spybotsandra
2009-04-06, 14:09
Hello,

Thank you for reporting this issue. This is a false positive.

Corrections to the detection database will be released with the next update.

Best regards
Sandra
Team Spybot

jbetatum
2009-04-06, 18:19
After starting my computer this a.m. I was greeted w/ a message from Spybot that it had detected Fraud.VirusDoctor in the pppeuser.exe file. That file is from my backup battery (Cyber Power).
I unchecked the delete file option in the Spybot pop-up but left the inform me button highlighted if it encounters it again.
I've attached the report.

OS is Windows XP SP2 and my last Spybot update was 04/04/09.

Is there anything else you need?

ender222
2009-04-07, 19:13
Hi,

SD-Resident detected: "Fraud.VirusDoctor". I have deleted it via the button in the checkbox. :bigthumb:
My work at this time: configuration in the ATI CCC, Avivo, Presets.

OS WIN XP/Home SP3
SpybotSD V 1.6.246 last Update 01.04.09
Catalyst V: 9.3 Driver V: 8.591...ATI
Avira premium V:9.0.0421 Vir-def.7.01.03.27 date 07.04.09

I think this is not a danger, and hope this report helps for the next update in SD.
Result for CCC: no image/video in Avivo Presets, that's all.

by GL