
Thread: Q3 and smitfraud-c

  1. #1 Junior Member, joined Nov 2005, location Belize, 3 posts

    Q3 and smitfraud-c

    Smitfraud-C False Positive?


    Earlier tonight I got my first ever TeaTimer popup notification regarding a detected spyware. The exact log info is below:

    10/31/2005 8:39:27 PM Encountered and terminated Smitfraud-C. in D:\fps\Quake III Arena\quake3.exe!

    The 1st popup displayed a spyware alert message and blocked the program. Subsequently, I can launch and play the game without receiving an alert message but a new entry is added each time to TeaTimer's log.

    I've been playing Quake 3 for 5 years and using Spybot for at least 2 years without issue. So I would like to take this seriously but I'm not sure if I should.

    Neither my router firewall nor McAfee Enterprise FW yields anything suspicious in the logs or permissions. I've checked my WinXP processes and services without detecting anything.

    A complete scan with the latest updated version of Ad-Aware also did not find anything. In addition, I use Spyware Blaster, only use FireFox 1.07, and a complete scan with the latest updated Spybot SD yielded only the results below:

    ----------
    Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-06-09 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-10-28 Includes\Cookies.sbi (*)
    2005-10-28 Includes\Dialer.sbi (*)
    2005-10-28 Includes\Hijackers.sbi (*)
    2005-10-28 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2005-10-28 Includes\Malware.sbi (*)
    2005-10-28 Includes\PUPS.sbi (*)
    2005-10-28 Includes\Revision.sbi (*)
    2005-10-28 Includes\Security.sbi (*)
    2005-10-28 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2005-10-28 Includes\Trojans.sbi (*)
    ----------

    Ignore the Windows Security Center items as I use far better replacement products (McAfee AV 8.0i and McAfee FW 8.5 Enterprise editions).

    No mention of quake3.exe or Smitfraud-C. How is it possible that TeaTimer says it's an issue but Spybot SD indicates no problem?

    Consequently, I plan to ignore TeaTimer at this time but watch any further development closely. However, if this is a confirmed false positive, it would be nice if it could be corrected so that TeaTimer doesn't log it.

  2. #2 Yodama, Senior Member, joined Oct 2005, location Buchenheim, 1,110 posts

    Hello Killer,

    this definitely looks like a false positive. If possible, please submit the file to us so that we can find out why the quake3.exe is being identified by our TeaTimer as Smitfraud-C.

    TeaTimer and Spybot use somewhat different criteria for detection.
    Spybot uses spyware signatures edited by our detectives and only detects during a scan, while TeaTimer works actively and also checks processes and looks for criteria like file size and checksum.
    In the case of Quake3 this means that it is not found by Spybot because we do not consider it to be malicious and thus did not add Quake files and paths to our detection rules :D . And TeaTimer detects it because it appears to match a malicious process from Smitfraud in some way.
    So it would help us if you could submit the file, so we can find out which criterion was responsible for this false positive.

    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
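The reply above explains why a scan-time signature engine and an active process checker can disagree: the latter keys on cheap properties such as file size and checksum, and a rule that pins only some of those properties can fire on an unrelated program. The script below is an added illustration, not Spybot's or TeaTimer's code, and it assumes nothing about their actual rule format. It evaluates two constructed rules against two constructed byte blobs (neither is a real binary): a size-only rule fires on both, while a rule that also pins the SHA-256 fires only on the intended sample. The `scan_file` helper is a hypothetical convenience for running the same check against a real file.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for file contents; a real check would read bytes from
# disk with scan_file() below. Both are padded to the same length so that a
# size-only criterion cannot tell them apart.
MALWARE_SAMPLE = b"constructed pseudo-malware sample, not a real binary".ljust(64, b"\0")
BENIGN_GAME = b"constructed pseudo-game executable, not quake3.exe".ljust(64, b"\0")


@dataclass
class Signature:
    """One detection rule; a criterion left as None is not checked."""
    name: str
    size: Optional[int] = None
    sha256: Optional[str] = None


def size_and_hash(data: bytes) -> Tuple[int, str]:
    """Return the two cheap properties a process checker might key on."""
    return len(data), hashlib.sha256(data).hexdigest()


def matches(sig: Signature, size: int, digest: str) -> bool:
    """A rule matches when every criterion it specifies agrees with the file.
    A rule that specifies only a size therefore fires on every file of that
    size, which is exactly how a benign program can be flagged."""
    if sig.size is not None and sig.size != size:
        return False
    if sig.sha256 is not None and sig.sha256 != digest:
        return False
    return True


def classify(data: bytes, signatures: List[Signature]) -> List[str]:
    """Names of every rule that fires on the given bytes, in rule order."""
    size, digest = size_and_hash(data)
    return [sig.name for sig in signatures if matches(sig, size, digest)]


def scan_file(path: str, signatures: List[Signature]) -> List[str]:
    """Same check against a real file on disk (hypothetical helper; path supplied by caller)."""
    with open(path, "rb") as fh:
        return classify(fh.read(), signatures)


# Constructed rules named after the thread's detection: one weak (size only)
# and one that also pins the exact content hash.
SIGNATURES = [
    Signature("Smitfraud-C (size-only rule)", size=len(MALWARE_SAMPLE)),
    Signature(
        "Smitfraud-C (size+sha256 rule)",
        size=len(MALWARE_SAMPLE),
        sha256=hashlib.sha256(MALWARE_SAMPLE).hexdigest(),
    ),
]


if __name__ == "__main__":
    for label, blob in (("malware sample", MALWARE_SAMPLE), ("benign game", BENIGN_GAME)):
        print(f"{label:14s} size={len(blob)} hits={classify(blob, SIGNATURES)}")
```

When triaging an alert like the one in this thread, the practical check is the same as the second rule: compute the file's full hash and compare it with the hash the vendor's rule actually expects, rather than trusting a match on size alone.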

  3. #3 Junior Member, joined Nov 2005, location Belize, 3 posts

    File submission

    Quote Originally Posted by Yodama:
        hello Killer,

        this definitely looks like a false positive, if possible please submit the file to us, so that we can find out why the quake3.exe is being identified by our teatimer as smitfraud-c...

    Sure thing Yodama, but I can't attach it to this post (> 39.1kb limit) and I didn't see an option in Spybot to send suspect files for inspection. So, I'm sending it zipped to your email.

    Thanks.

  4. #4 Yodama, Senior Member, joined Oct 2005, location Buchenheim, 1,110 posts

    Thank you for submitting the file, Killer.
    We will check it and find out why it is being detected by TeaTimer.

    I will keep you updated as soon as a result comes up.

  5. #5 Junior Member, joined Nov 2005, location Belize, 3 posts

    Issue Resolved

    Hello all,

    Last week Yodama contacted me regarding changes to TeaTimer's identification of Smitfraud-C. Since the last update, TeaTimer no longer logs that it detects this signature in Quake 3.

    Yodama, thank you for your time and effort.


    Killer
