Results 1 to 7 of 7

Thread: Spybot S&D and malware

  1. #1
    Senior Member alicez's Avatar
    Join Date
    Apr 2008
    Posts
    179

    Default Spybot S&D and malware

    I just loaded a Zoom/Modem V.92 PC card on my old Sony Vaio with Win98.
    When I run my Spybot - Search & Destroy (1.6), it picks up the following file which it is claiming is MALWARE.

    Smitfraud.C/gp (SB)$77A6C034)
    "C:\windows\country.exe"

    When I go to this file and click on Properties it indicates Zoom, Thelphonics - World Traveler Country Setup.

    Search & Destroy wamts to delete this file. Should I allow it to be deleted? Please advise. Thank you.
    Alice

  2. #2
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    This "country.exe" process seems to be listed as malware from results in the Google search engine, however, I cannot be sure because you have a file, not a process. Is "country.exe" running in the Windows Task Manager?

    Find the file and upload it to VirusTotal and see if it is flagged:
    http://www.virustotal.com/
    -

  3. #3
    Senior Member alicez's Avatar
    Join Date
    Apr 2008
    Posts
    179

    Default Thank you

    Thank you.
    I clicked on Ctrl/Alt/Del and it brings up a box that has Close Program on the top. There are several programs listed, but nothing relating to 'country.exe.'

    #1- Isn't there someplace at S&B where I can send a copy of this file to be analyzed?

    Alice

    P.S.
    #2- Doesn't S&D allow us to scan a floppy drive all by itself?\
    My Zoom CD is in drive G: and I thought I could do a scan of that Zoom CD while it is in the G: drive.
    Last edited by alicez; 2008-12-13 at 18:34.

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    alicez:

    Did you scan the file at VIRUSTOTAL - Free Online Virus and Malware Scan as suggested? If so what were the results?

    There is also another site with an online scan:
    Both those sites use multiple products to scan a single file. That should give you an indication if the file you are dealing with is malicious or not.

    To answer your specific questions:
    1. Yes.
    2. No
    Last edited by md usa spybot fan; 2008-12-13 at 19:14.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz IntelŪ PentiumŪ 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  5. #5
    Senior Member alicez's Avatar
    Join Date
    Apr 2008
    Posts
    179

    Default Thank you

    I believe this is what you requested. (In the meantime I have removed the file from my Vaio Win98se and put it on a 3 1/2" disk...)
    Alice

    File Country.exe received on 12.14.2008 16:09:52 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

    Result: 2/38 (5.27%)

    Loading server information...
    Your file is queued in position: ___.
    Estimated start time is between ___ and ___ .
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact
    Print results

    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.12.2 2008.12.14 -
    AntiVir 7.9.0.45 2008.12.12 -
    Authentium 5.1.0.4 2008.12.13 -
    Avast 4.8.1281.0 2008.12.13 -
    AVG 8.0.0.199 2008.12.14 -
    BitDefender 7.2 2008.12.14 -
    CAT-QuickHeal 10.00 2008.12.13 (Suspicious) - DNAScan
    ClamAV 0.94.1 2008.12.14 -
    Comodo 749 2008.12.13 -
    DrWeb 4.44.0.09170 2008.12.14 -
    eSafe 7.0.17.0 2008.12.14 -
    eTrust-Vet 31.6.6258 2008.12.12 -
    Ewido 4.0 2008.12.14 -
    F-Prot 4.4.4.56 2008.12.12 -
    F-Secure 8.0.14332.0 2008.12.14 Suspicious:W32/Malware!Gemini
    Fortinet 3.117.0.0 2008.12.14 -
    GData 19 2008.12.14 -
    Ikarus T3.1.1.45.0 2008.12.14 -
    K7AntiVirus 7.10.553 2008.12.13 -
    Kaspersky 7.0.0.125 2008.12.14 -
    McAfee 5463 2008.12.13 -
    McAfee+Artemis 5463 2008.12.13 -
    Microsoft 1.4205 2008.12.14 -
    NOD32 3689 2008.12.14 -
    Norman 5.80.02 2008.12.12 -
    Panda 9.0.0.4 2008.12.14 -
    PCTools 4.4.2.0 2008.12.14 -
    Prevx1 V2 2008.12.14 -
    Rising 21.07.62.00 2008.12.14 -
    SecureWeb-Gateway 6.7.6 2008.12.12 -
    Sophos 4.36.0 2008.12.14 -
    Sunbelt 3.2.1801.2 2008.12.11 -
    Symantec 10 2008.12.14 -
    TheHacker 6.3.1.4.187 2008.12.13 -
    TrendMicro 8.700.0.1004 2008.12.12 -
    VBA32 3.12.8.10 2008.12.13 -
    ViRobot 2008.12.12.1514 2008.12.12 -
    VirusBuster 4.5.11.0 2008.12.14 -
    Additional information
    File size: 139264 bytes
    MD5...: 14c7769875b49d20a0af1d7c571617fb
    SHA1..: 92d8eb7771dff4a92d521572f2f03cd35aff6b39
    SHA256: 80fd8b2fca1593d39ab0848b1d063889f73445a13e628de530d8d1a36c21fedd
    SHA512: e27e73c7466e2417fde655ebe9329b7ec818135851b806b45c693535e7c61524
    a3a84874d560f8f863669d1947a491793d1200f4bafeb2e77318e39a2ea10270

    ssdeep: 3072:f60nWeEiCqPG/pmqx/pEjKOGPKxALX6s8z5TopfaL4Skmo:r7EdgaBpEjKO
    +eLT

    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (54.6%)
    Win32 Executable MS Visual C++ (generic) (24.0%)
    Windows Screen Saver (8.3%)
    Win32 Executable Generic (5.4%)
    Win32 Dynamic Link Library (generic) (4.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x403312
    timedatestamp.....: 0x3b38c110 (Tue Jun 26 17:06:24 2001)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x14b16 0x15000 7.75 ecf77c7ea1c6a972f0efcc50b5116f1a
    .rdata 0x16000 0x4bac 0x5000 4.71 7d8907cb5e96558668f6215b656a7def
    .data 0x1b000 0x5a08 0x2000 2.95 5ff1f990c88741a1bf596d09e06b0f50
    .rsrc 0x21000 0x4310 0x5000 3.65 51ff3e079de5f3170c17d820e4abbd44

    ( 7 imports )
    > KERNEL32.dll: RtlUnwind, HeapFree, HeapAlloc, GetStartupInfoA, GetCommandLineA, ExitProcess, TerminateProcess, HeapSize, GetACP, GetTimeZoneInformation, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, HeapReAlloc, RaiseException, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, GetDriveTypeA, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetPrivateProfileIntA, GetWindowsDirectoryA, WritePrivateProfileStringA, GetCurrentThreadId, GetCurrentThread, lstrcmpiA, lstrcmpA, GlobalDeleteAtom, GlobalAlloc, GetProfileStringA, GetFullPathNameA, FlushFileBuffers, SetFilePointer, WriteFile, GetCurrentProcess, FileTimeToSystemTime, SetErrorMode, FileTimeToLocalFileTime, SizeofResource, GetOEMCP, GetCPInfo, GlobalFlags, GetProcessVersion, GetCurrentDirectoryA, LocalReAlloc, lstrcpynA, TlsGetValue, GlobalReAlloc, TlsSetValue, EnterCriticalSection, GlobalHandle, LeaveCriticalSection, TlsFree, InitializeCriticalSection, DeleteCriticalSection, TlsAlloc, FindNextFileA, LocalFree, LocalAlloc, GetEnvironmentStrings, FindClose, FindFirstFileA, GetModuleFileNameA, GetLastError, GetEnvironmentStringsW, LoadLibraryA, GlobalLock, MulDiv, SetLastError, FreeLibrary, GetPrivateProfileStringA, GetVersion, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, lstrcpyA, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, CloseHandle, SetHandleCount, GetStdHandle, GetFileType
    > USER32.dll: ScreenToClient, AdjustWindowRectEx, SetFocus, GetSysColor, MapWindowPoints, SendDlgItemMessageA, UpdateWindow, IsDialogMessageA, SetWindowTextA, ShowWindow, LoadStringA, ClientToScreen, GetDC, ReleaseDC, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyMenu, LoadCursorA, GetClassNameA, PtInRect, GetSysColorBrush, InvalidateRect, GetTopWindow, GetCapture, WinHelpA, wsprintfA, CopyRect, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessagePos, GetForegroundWindow, SetForegroundWindow, SetWindowPos, RegisterWindowMessageA, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, EndDialog, SetActiveWindow, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, SetCursor, PostQuitMessage, PostMessageA, LoadIconA, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageA, AppendMenuA, DrawIcon, MessageBoxA, GetSystemMetrics, GetClassInfoA, RegisterClassA, SetWindowLongA, GetWindow, IntersectRect, OffsetRect, GetMessageTime, ShowCaret, IsWindowUnicode, CharNextA, InflateRect, DefDlgProcA, DrawFocusRect, ExcludeUpdateRgn, HideCaret, UnregisterClassA
    > GDI32.dll: SetBkColor, SetTextColor, GetObjectA, DeleteDC, SaveDC, RestoreDC, SelectObject, GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, GetClipBox, DeleteObject, GetDeviceCaps, CreateSolidBrush, PtVisible, TextOutA, ExtTextOutA, RectVisible, Escape, CreateDIBitmap, BitBlt, GetTextExtentPointA, CreateCompatibleDC, CreateBitmap, PatBlt
    > WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
    > ADVAPI32.dll: RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA
    > SHELL32.dll: ShellExecuteA
    > COMCTL32.dll: -

    ( 0 exports )

    CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=14c7769875b49d20a0af1d7c571617fb' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=14c7769875b49d20a0af1d7c571617fb</a>

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    I will ask a detective to take a look at this thread Monday.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  7. #7
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello, thanks for reporting, this appears to be a false positive and will be corrected with the next update scheduled for Wednesday
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •