Smitfraud-C False Positive

Oppressed

My computer is deemed to be clean so I am also reporting the following.

My computer is running Windows XP and when I scan with Spybot I get the following Smitfraud-C False Positive that can't be fixed:

User settings

HKEY_USERS\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\ *!=W=4

Registry change
 
Although your "computer is deemed to be clean" that may not be a false positive.

Please go into Internet Explorer > Tools > Internet Options … > Security tab. One at a time click on each of the following buttons:
  • Internet
  • Local Internet
  • Trusted sites
  • Restricted sites
While in each of those buttons, click the Sites button and inspect the lists for:
  • *.free-spy-cam.net
Under which of the four buttons did you find the entry?

Note: Hopefully you can find the entry because the detection is for a registry hive other than the current user hive.
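Added example, not part of the original thread: a Python sketch that reads a `.reg` export of the `ZoneMap\Domains` key from the user hive Spybot names and reports which Internet Explorer zone each domain is mapped to, for the case the note above mentions where the detection is in a hive other than the current user's. The sample export, its SID and `example.test` are constructed, and the function names are hypothetical.

```python
import re

# Internet Explorer security zone numbers as stored in ZoneMap value data.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(
    r"^\[HKEY_USERS\\([^\\\]]+)\\.*\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export layout. The SID and example.test are
# made up; a real export is UTF-16 and must be decoded before parsing.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net]
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-0-0-0-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"https"=dword:00000002
"""

def parse_zone_map(reg_text):
    """Return (hive SID, domain, scheme, zone name) per ZoneMap\\Domains value."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Subkeys are stored parent-first (example.test\www); flip them.
            parts = key.group(2).split("\\")
            current = (key.group(1), ".".join(reversed(parts)))
        elif line.startswith("["):
            current = None  # a key outside ZoneMap\Domains; skip its values
        else:
            val = VAL_RE.match(line)
            if val and current:
                zone = int(val.group(2), 16)
                name = ZONES.get(zone, "unknown zone %d" % zone)
                rows.append(current + (val.group(1), name))
    return rows

def domains_in_zone(rows, zone_name):
    """List the distinct domains mapped to the named zone."""
    return sorted({domain for _, domain, _, zone in rows if zone == zone_name})

if __name__ == "__main__":
    for row in parse_zone_map(SAMPLE):
        print("%s  %s  %s  ->  %s" % row)
```

A value named `*` applies to every protocol, and data of 4 places the domain in Restricted sites.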
 
Hello md usa spybot fan,

Thank you for replying to my post.

This is what I found by following your instructions.

I have NO Sites listed for:

Internet *
Local Intranet
Trusted sites


Under Restricted sites I have these which are similar:

http:// *.free-spy-cam.net
https:// *.free-spy-cam.net

* Edit: I guess it should be noted that while the Internet description reads "This zone contains all Web sites you haven't placed in other zones" the button is inaccessible, as is the "Default Level" button. Could this be because of other Security Software?
 
Oppressed and Spybot Helpers,

I have the exact same problem as Oppressed. I was infected by Spyaxe. By running the smitrem.exe, many files were deleted and my PC became stable.

I run Spyware Doctor and McAfee, and the report shows no virus or trojans. However, Spybot shows that I still have the Smitfraud trojan, and Spybot cannot remove it. The detail of the Spybot is as follows:

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-3834227258-2264835413-2960356022-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

I also have the two websites listed in my Restricted Zone:

http:// *.free-spy-cam.net
https:// *.free-spy-cam.net
 
Thanks for reporting,

The issue has been found and corrected, and will be available with the next update scheduled for the end of the week.
 
I have just reformatted my laptop and then I installed Spybot, Ad-Aware Pro and Symantec.

I get clear results on both Ad-Aware and Symantec but Spybot is returning "Smithfraud-C." It shows as 3 entries but will delete all but 1, then upon start up there are 2 or more entries.

I have checked for the mentioned files in I.E and did not find them. The values are in the registry under "netsh.exe"

Any ideas?
 
It's Jan 07 and I've updated Spybot and I still have Smitfraud showing when I run SB and it won't remove it.
 
Smitfraud-C Reg Entry...False or not??

Hi, can someone please tell me if the Spybot result showing Smitfraud-C Toolbar888 as a Reg entry HKEY_USERS\S-1-5-21-4190550987-2138113849-4060233106-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} is in fact a false positive or not? It has a 'value not set' in Reg Editor, and I have never had any pop-ups, page redirections, slowdowns or virus. I have Win XP Home and Zone Alarm Internet Security Suite.

Thanks
 
False positive to Smitfraud?

A scan of my Windows XP pc with Spybot shows the following entry:

Smitfraud.C-Toolbar888
executable
C:\Documents and Settings\User Name\Local Settings\Temp\removalfile.bat

I use Spybot 1.4 and have downloaded the latest updates (as of January 21, 2007).

Am I infected or is this also a false positive? Thanks so much in advance for any assistance... this is my first post in here.
 
Smitfraud.C-Toolbar888
executable
C:\Documents and Settings\User Name\Local Settings\Temp\removalfile.bat

This is not a false positive; it is a part of Smitfraud-C.Toolbar888.
It is used by Smitfraud-C.Toolbar888 to remove some of its files.

You will most likely need to get help in the malware removal section of the forums.
 
Fix

So I found a fix for this problem, leastwise with XP OS. If you remove everything you can with Spybot, then do a system restore to an earlier point, "say two days before", the bug is gone. Hope this helps everyone out.
 
Hello Proampedprocessor,

System restore is not an option to ensure a computer is clean. If files are infected and not removed by security software they will still be present, however perhaps made more difficult to find.

Also, everyone please note:
Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

Cheers.
 
okay
Still doing some research, but it seems like Smitfraud-C.gp was found by SSnD in an exe called autorun.exe that installs Diskeeper. I downloaded this copy of DK from the official website. This is the only instance found and DK is of course installed on my computer. Let's hope this is actually a false :) I don't really wanna deal with removal and password changes :/
 