Thread: Smitfraud-C False Positive?

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    Smitfraud-C False Positive?

    I would like to know if this is a false positive. If it is, then I will fulfill the requirements made in the top sticky thread. I searched around the forum but I did not find anyone having Spybot report Smitfraud-C in the same location that it was found on my computer.

    It was found in the registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

    Value name: {a4029063-4fe3-422c-ac72-12905c09642a}

    Value data: clinke

    Side Note: What does the "Ignore parameters" check box do for the SDHelper dialog box? I checked the help file and nothing came up.
    Last edited by GargantulaKon; 2007-11-10 at 05:56.

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hi,

    the value appears to match a Smitfraud-C. value, but it is unusual for it to appear alone, so it may be a false positive. To determine this, please attach a Spybot S&D log as described in the Sticky.


    Quote:
    What does the "Ignore parameters" check box do for the SDHelper dialog box? I checked the help file and nothing came up.

    The parameters in this context refer to URL parameters; if they are not ignored, the SDHelper will ask for each request with different parameters made to the website. For instance:
    Code:
    www.website.bad/parameter1
    if you set a SDHelper behaviour for this with "ignore parameters" disabled, the SDHelper will ask you again for this
    Code:
    www.website.bad/parameter2
    or any other different from
    Code:
    www.website.bad/parameter1
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    Thank you for explaining. I had to disable SD helper since it came up often for the same Web site and for the same detection even though I selected an option to not ask me again.

    Operating System: Windows XP Professional vSP2
    Browser and Version: Internet Explorer v7.0.5730.13
    Version of Spybot S&D and Date of the latest update: v1.5.1.15 - 11-7-2007
    Where did the false positive occur: After scanning for problems

    Log File:

    --- Report generated: 2007-11-09 23:31 ---

    Smitfraud-C.: [SBI $6B531046] Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a4029063-4fe3-422c-ac72-12905c09642a}

    DoubleClick: [SBI $2D4720C9] Tracking cookie (Firefox: default) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-07-13 unins000.exe (51.41.0.0)
    2007-11-09 unins001.exe (51.46.0.0)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-11-07 Includes\Cookies.sbi (*)
    2007-10-31 Includes\Dialer.sbi (*)
    2007-11-07 Includes\DialerC.sbi (*)
    2007-11-07 Includes\Hijackers.sbi (*)
    2007-11-07 Includes\HijackersC.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (*)
    2007-11-07 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-11-07 Includes\Malware.sbi (*)
    2007-11-07 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2007-11-07 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-11-07 Includes\SecurityC.sbi (*)
    2007-11-07 Includes\Spybots.sbi (*)
    2007-11-07 Includes\SpybotsC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2007-11-07 Includes\Trojans.sbi (*)
    2007-11-07 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll
    Last edited by GargantulaKon; 2007-11-13 at 19:16.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hello,

    I actually wanted to see the full log including BHO, Systemstart, Winlogon , Processes and Services so we could see if there is anything else related to Smitfraud-C. that is not detected yet.
    Please attach another log file containing the items above, so we can be sure if it is a false positive or not.

    For now, I will remove the detection on this.

  5. #5
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    OK, I am a bit of a novice. Pardon, is the full log where every check box is checked under full report? That last log I fetched was made by Spybot.

    I tried to attach a zip file, but it was too big for the attachment size limit. I could not post it here either since it was too big.

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    yes, a full log is where all check boxes are marked.

    you can send the report to detections-at-spybot.info (replace -at- with @), if you send the mail please refer to this thread.

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    Will do!

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    received your log,

    as suspected it was a false positive.

  9. #9
    Junior Member
    Join Date
    Dec 2007
    Posts
    1

    I also have this false positive reported, but for a totally different file. See pic.

    I have notified support so there's no need to do all that again, but I'm worried people might go deleting MS files in error, so word needs to get out.
    P4 XP pro ,nod 32 ,SSD , OA
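
Before removing a flagged SharedTaskScheduler value like the one reported in this thread, it helps to see which DLL the CLSID actually loads and whether that file is signed. The following is an added example, not part of the original thread and not Spybot code; the function name `Get-SharedTaskSchedulerEntry` is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list every SharedTaskScheduler value and the DLL its CLSID resolves to.
# Read-only; nothing in the registry is changed.
$SharedTaskKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

function Get-SharedTaskSchedulerEntry {          # hypothetical helper name
    param([string]$Path = $SharedTaskKey)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # key may not exist

    $item = Get-Item -LiteralPath $Path
    foreach ($clsid in $item.GetValueNames()) {
        if ($clsid -eq '') { continue }                   # skip the (Default) value
        $label = $item.GetValue($clsid)                   # free-text value data

        # The value name is a CLSID; the COM server DLL is registered
        # in the default value of its InprocServer32 subkey.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $raw = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }

        # Check the Authenticode signature only when the path resolves to a file.
        $sig = $null
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
        }

        [pscustomobject]@{
            Clsid           = $clsid
            Label           = $label
            Dll             = $dll
            SignatureStatus = if ($sig) { $sig.Status } else { 'NotResolved' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-SharedTaskSchedulerEntry | Format-List
```

An entry whose CLSID has no InprocServer32 registration, or whose DLL is missing or unsigned, deserves a closer look; a valid signature narrows the question but does not settle it on its own.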
