False positive - Smitfraud-C

[phalanx]

I updated Spybot S&D this date and then ran a scan.

Here is the log entry:

Smitfraud-C.: Autorun settings (Matrox Powerdesk) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Matrox Powerdesk

Note that Matrox Powerdesk is part of the Matrox driver package for my Matrox Millennium G450 AGP Graphics card.

This would have been a false positive run amok if I had let Spybot "fix" the problem!

[bimsix]

My Spybot is unable to complete a scan because computer freezes up when it gets to smitfraud-c. Updated today. Still a problem. Suggestions welcomed.

[Yodama]

@phalanx

yes it looks like a false positive, but to find what is causing it in our database, we need more information.

- was there more found than the item you posted? Normally a file is asociated with an autorun
- which Spybot Version are you using? 1.3 or 1.4, if you are using 1.3 or older, please update to 1.4
- if possible please post the commandline for the Matrox Powerdesk as well as the file that is called with that command.


@bimsix
please switch to advanced mode in spybot and go to 'Settings' an then 'File Sets' , there disable all filesets, check the first and scan with spybot.
After the scan, if it completes, uncheck the first fileset and check the next, scan again. Use this procedure to cycle through all filesets.
This way you will only scan with a small part of our detcion Database and if you experience any difficulties with one specific fileset, we can take a closer look at that one.

[bimsix]

Went to advanced mode. In MalwareC.SBI, I noticed Smitfraud-C running across the bottom. After finishing, "No immediate threats."

In Security.SBI, "Microsoft.WindowsSecurityCenter.Antivirus Disable."
Settings: HKEY_Local_Machine\Software\Microsoft\Sec Registry changes
Did nothing. Didn't know what this meant.

After this, I reran entire Spybot. Again, when scanning, Smithfraud-C ran across the bottom and the computer froze again. I also noticed , across the bottom, SpySheriff, Golden Palace Casino, VirtuMond, Deep Dive, PSW.WOW, Smitfraud-C toolbar, SurfsideKick. I have never visited these sites.

[Yodama]

In Security.SBI, "Microsoft.WindowsSecurityCenter.Antivirus Disable."
Settings: HKEY_Local_Machine\Software\Microsoft\Sec Registry changes

This is a notification that has been disabled, this is usually done by your antivirus software. Check if your antivirus is running properly, if it is, you can set Spybot to ignore this.

If I understood you correctly you tested scanning with each sbi, seperately and there were no errors, but when scanning with all, the scann freezes with Smitfraud-C. again? Meaning the freeze did not occur with any single sbi?
Please note that Smitfraud-C. detection rules exists in multiple sbis.

[Tiit_Helimut]

Hi. I'm having the same problem where Spybot freezes when it scans for Smitfraud-C.
I changed the file sets, and it freezes (on Smitfraud-C) when I have "MalwareC" selected.
Also it detected Smitfraud-C when I had just "TrojansC" selected, but this time it did not freeze and after going into safemode I managed to remove 4 Smitfraud-C objects.

Spybot also detects (and freezes on) BackOrifice.B when only the "Trojans" file set is selected.

I have re-run the scan for Smitfraud after removing those 4 objects and it still freezes when I scan for everything, when I scan for "MalwareC", and when I scan for "Trojans" (though this is still BackOrifice.B).
The only thing removing the objects changed was when not detecting anything when rescanning "TrojansC".

Any ideas?
Do you reckon it's just a case of false positive? If so, is there any solution to this? Thanks!

[Yodama]

Hello Tiit_Helimut,

thank you for your description. Please check if emptying your temp directories increases the scanning speed with the respective filesets.

Please also attach a Spybot S&D scanning report about the 4 Smitfraud-C. items that are found

[Tiit_Helimut]

Hi Yodama.

Unfortunately when it removed the 4 objects it found for Smitfraud-C, I didn't save any details on them. I know that one was a file, and two were reg entries (both found in Windows\System32\Drivers\), but I can't remember what the fourth was. Originally spybot was unable to remove these files as it said they were in use, which is why I went into safe mode where it managed to removed them. Subsequent rescans have not found these files again.

I have cleared my temp files but it still freezes where I mentioned before (program stops responding so I have to kill the process). The scanning speed was reasonably fast before I cleared the temp files and remains so even after emptying the temp folders.

Thanks!