PDA

View Full Version : Smitfraud-C False Positive



Oppressed
2005-12-11, 00:46
My computer is deemed to be clean so I am also reporting the following.

My computer is running Windows XP and when I scan with Spybot I get the following Smitfraud-C False Positive that can't be fixed:

User settings

HKEY_USERS\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\ *!=W=4

Registry change

md usa spybot fan
2005-12-11, 02:24
Although your "computer is deemed to be clean" that may not be a false positive.

Please go into Internet Explorer > Tools > Internet Options … > Security tab. One at a time click on each of the following buttons:

Internet
Local Internet
Trusted sites
Restricted sites
While in each of those buttons, click the Sites button and inspect the lists for:
*.free-spy-cam.net
Under which of the four buttons did you find the entry?

Note: Hopefully you can find the entry because the detection is for a registry hive other than the current user hive.

Oppressed
2005-12-11, 03:36
Hello md usa spybot fan,

Thank you for replying to my post.

This is what I found by following your instructions.

I have NO Sites listed for:

Internet *
Local Intranet
Trusted sites

Under Restricted sites I have these which are similar:

http:// *.free-spy-cam.net
https:// *.free-spy-cam.net

* Edit: I guess it should be noted that while the Internet description reads "This zone contains all Web sites you haven't placed in other zones" the button is inaccessible, as is the "Default Level" button. Could this be because of other Security Software?

stevie2
2005-12-11, 18:57
Oppressed and Spybot Helpers,

I have the exact same problem as Oppressed. I was infected by Spyaxe. By running the smitrem.exe, many files were deleted and my PC became stable.

I run Spyware Doctor, and Mcaffee and the report shows no virus or trojans. However, Spybot shows that I still have the Smithfraud trojan, and Spybot can not remove it. The detail of the Spybot is as follows:

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-3834227258-2264835413-2960356022-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

I also have the two websites listed in my Restricted Zone:

http:// *.free-spy-cam.net
https:// *.free-spy-cam.net

tashi
2005-12-11, 19:28
I have brought this topic to Team's attention. :)

Yodama
2005-12-12, 15:17
thanks for reporting,

the issue has been found and corrected, and will be available with the next update scheduled for the end of the week.

Oppressed
2005-12-12, 19:27
thanks for reporting,

the issue has been found and corrected, and will be available with the next update scheduled for the end of the week.

Thank you :bigthumb:

Silent Smith
2006-11-09, 21:00
I have just reformatted my laptop and then I installed spybot, ad aware pro and symantec.

I get clear results on both ad aware and symantec but spybot is returning "Smithfraud-C." It shows as 3 entries but will delete all but 1, then upon start up there is 2 or more entries.

I have checked for the mentioned files in I.E and did not find them. The values are in the registry under "netsh.exe"

Any ideas?

spybotsandra
2006-11-10, 10:17
Hello,

Please wait for the update that will be released today.

Best regards
Sandra
Team Spybot

slewis
2007-01-04, 02:17
Its jan 07 and ive updated spybot and i still have smitfraud showing when i run sb and it want remove it

vanderhoff
2007-01-04, 14:44
Hi, Can someone please tell me if the Spybot result showing Smitfraud-C Toolbar888 as a Reg entry HKEY_USERS\S-1-5-21-4190550987-2138113849-4060233106-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}, is in fact a false positive or not? It has a 'value not set' in Reg Editor, and I have never had any pop-ups, page redirections, slow downs or virus. I have win XP Home and Zone Alarm Internet Security Suite.

Thanks

md usa spybot fan
2007-01-04, 19:00
vanderhoff:

MisterW (http://forums.spybot.info/member.php?u=162) replied to your other query here:
Smitfraud-c Toolbar888
http://forums.spybot.info/showthread.php?t=10184



I can confirm that it is a false positive that will be fixed with the next update scheduled for friday :oops:

regards,
Markus

Rinasaunce
2007-01-21, 22:47
A scan of my Windows XP pc with Spybot shows the following entry:

Smitfraud.C-Toolbar888
executable
C:\Documents and Settings\User Name\Local Settings\Temp\removalfile.bat

I use Spybot 1.4 and have downloaded the lastest updates (as of January 21, 2007)

Am I infected or is this also a false positive??? Thanks so much in advance for any assitance.... this is my first post in here - :red:

Yodama
2007-01-26, 14:14
Smitfraud.C-Toolbar888
executable
C:\Documents and Settings\User Name\Local Settings\Temp\removalfile.bat

this is not a false positive, it is a part of Smitfraud-C.Toolbar888.
It is used by Smitfraud-C.Toolbar888 to remove some of its files.

You will most likely need to get help in the malware removal section of the forums.

tashi
2007-01-26, 17:42
Thank you Yodama. :) Rinasaunce, please follow the procedure in this link: "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Once you have posted a helper will advise you as soon as available.

Cheers.

Proampedprocessor
2008-10-20, 21:59
So I found a fix for this problem. Least wise with XP OS. If you remove everything you can with spybot then do a system restore to an earlier point, "say two days before", the bug is gone. Hope this helps everyone out.

tashi
2008-10-20, 22:13
Hello Proampedprocessor,

System restore is not an option to ensure a computer is clean. If files are infected and not removed by security software they will still be present, however perhaps made more difficult to find.

Also, everyone please note:

Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Cheers.

decurser
2009-01-18, 10:36
still not fixed, I'm getting it now

tashi
2009-01-18, 11:54
Hello,

still not fixed, I'm getting it now

What isn't fixed? Not sure which part of the thread you are referring to. ;)

Best regards.

Lpence
2009-02-03, 13:13
okay
still doing some research but it seems like Smitfraud-C.gp was found by SSnD in an exe called autorun.exe that installs Diskeeper. I downloaded this copy of DK from the official website. This is the only instance found and DK is of course installed on my computer. Lets hope this is actually a false :) I don't really wanna deal with removal and password changes :/

Lpence
2009-02-03, 13:34
Follow up:
Smitfraudfix scan/removal program finds nothing
AVG finds nothing
with the deletion of the autorun.exe which I DID run :) SSnD finds nothing
Trend online scan finds nothing

typing the phrase "cheese is good" in both Firefox and IE browsers in both user name and password fields, WoW login, in chat messages, and in an email then searching for the phrase in a file including system and hidden files yields no result of the phrase being logged.

Also, I've never shown any signs or symptoms of infection

Lpence
2009-02-03, 14:22
Arrrgh

My apologies to Diskeeper
that was Perfectdisk's autorun.exe (which now I recall would not properly install) Diskeeper2009-home.exe is Diskeeper's installer

Honest mistake the exe's icon was a hard disk. Case of mistaken identity.

Yodama
2009-02-03, 16:26
hello,

I think it is best if you email your file to detections@spybot.info for analysis.