Thread: Fraud.Virus Doctor

  1. #1
    Junior Member
    Join Date
    Feb 2009
    Posts
    1

    Fraud.Virus Doctor

    I was informed of CLIStart.exe being Fraud.VirusDoctor today upon boot. This file is part of my ATI graphics driver which I downloaded from Dell several months ago. I ran a context menu scan on it from Windows Explorer and found that the detection was not based on signatures but heuristics.

    If it helps to note my AV is avast! Professional. From Resident.log
    Code:
    3/28/2009 9:32:50 AM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") added in Browser Helper Object!
    3/28/2009 9:32:56 AM Allowed (based on user decision) value "AirShare" (new data: ""C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe" 0;1;1;1.6.65;C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\;") added in System Startup global entry!
    3/28/2009 9:33:19 AM Allowed (based on user decision) value "AirShare" (new data: "") deleted in System Startup global entry!
    3/29/2009 11:48:45 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
    3/29/2009 11:48:56 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "C:\Windows\system32\AvastSS.scr") added in Desktop settings!
    4/3/2009 11:33:38 AM Encountered and terminated Fraud.VirusDoctor in C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe!

    I most recently updated Spybot late last night and I got the TeaTimer update March 13 according to the log. I will send an email with the detected file and full logs shortly.

  2. #2
    Junior Member
    Join Date
    Apr 2009
    Posts
    2

    Fraud.Virus Doctor

    OS - Windows XP Pro - SP3
    Graphics Card - ATI All-In-Wonder 9600 XT
    Catalyst V 08.12
    Spybot V 1.6.2.46 - last update Apr 1, 2009 (no I'm not kidding!)
    This has nothing to do with my browsers.

    I was looking at some of my video settings using the Catalyst Control Center video settings for Presets, Basic Color, and Basic Quality and received the following error:


    Spybot Search & Destroy has encountered and terminated a process that is listed as part of a malicious software.

    Spybot terminated the program (MMACEPrev.exe!) but I didn't allow the file to be deleted because I've been using ATI's Catalyst and the software for several years without any warnings or errors coming up. This is a first. I have scanned repeatedly with various security software before my reinstall and a couple of times since then and have received no errors at all. I've done 2 complete XP reinstalls over the last 3 or 4 years without any errors involving ATI software.

    This has to be a false positive so I'm going to tell Spybot to let the process run unless someone knows something that I don't.

    Anybody out there have anything that would shed some light on this?

    Thx,
    C

  3. #3
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,483

    Hi cindy5663,

    I left a note for our detectives' attention Monday.

    Thank you for reporting.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Yodama, Senior Member
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    The false positive on Fraud.VirusDoctor is a detection false positive and will be corrected with the next detection update.
    born in the shadow to die in the shadow, that is the fate of the shinobi

  5. #5
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Hello,

    Thank you for reporting this issue. This is a false positive.

    Corrections to the detection database will be released with the next update.

    Best regards
    Sandra
    Team Spybot

  6. #6
    Junior Member
    Join Date
    Aug 2008
    Posts
    1

    After starting my computer this a.m., I was greeted w/ a message from Spybot that it had detected Fraud.VirusDoctor in the pppeuser.exe file. That file is from my backup battery (Cyber Power).
    I unchecked "delete file" in the Spybot pop-up but left the "inform me" button highlighted in case it encounters it again.
    I've attached the report.

    OS is Windows XP SP2 and my last Spybot update was 04/04/09.

    Is there anything else you need?

  7. #7
    Junior Member
    Join Date
    Apr 2009
    Location
    Germany DAH
    Posts
    1

    find the "Fraud.VirusDoctor"

    Hi,

    SD-Resident detected "Fraud.VirusDoctor". I have deleted it using the button in the checkbox.
    My work at the time: configuration in the ATI CCC, Avivo, Presets.

    OS WIN XP/Home SP3
    SpybotSD V 1.6.246 last Update 01.04.09
    Catalyst V: 9.3 Driver V: 8.591...ATI
    Avira premium V:9.0.0421 Vir-def.7.01.03.27 date 07.04.09

    I think this is not dangerous, and hope this report helps for the next update in SD.
    Result for CCC: no image/video in Avivo Presets, that's all.

    by GL
