Smitfraud-C False Positive?

GargantulaKon

I would like to know if this is a false positive. If it is, then I will fulfill the requirements made in the top sticky thread. I searched around the forum but I did not find anyone having Spybot report Smitfraud-C in the same location that it was found on my computer.

It was found in the registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Value name: {a4029063-4fe3-422c-ac72-12905c09642a}

Value data: clinke

Side Note: What does the "Ignore parameters" check box do for the SDHelper dialog box? I checked the help file and nothing came up.
 
Hi,

The value appears to match a Smitfraud-C. value, but it is unusual for it to appear alone. So it may be a false positive; to determine this, please attach a Spybot S&D log as described in the Sticky.


What does the "Ignore parameters" check box do for the SDHelper dialog box? I checked the help file and nothing came up.
The parameters in this context refer to URL parameters; if they are not ignored, the SDHelper will ask for each request with different parameters made to the website. For instance:
Code:
www.website.bad/parameter1
If you set an SDHelper behaviour for this with "ignore parameters" disabled, the SDHelper will ask you again for this
Code:
www.website.bad/parameter2
or any other different from
Code:
www.website.bad/parameter1
 
Thank you for explaining. I had to disable SD helper since it came up often for the same Web site and for the same detection even though I selected an option to not ask me again.

Operating System: Windows XP Professional vSP2
Browser and Version: Internet Explorer v7.0.5730.13
Version of Spybot S&D and Date of the latest update: v1.5.1.15 - 11-7-2007
Where did the false positive occur: After scanning for problems

Log File:

--- Report generated: 2007-11-09 23:31 ---

Smitfraud-C.: [SBI $6B531046] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a4029063-4fe3-422c-ac72-12905c09642a}

DoubleClick: [SBI $2D4720C9] Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-07-13 unins000.exe (51.41.0.0)
2007-11-09 unins001.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-11-07 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-07 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-11-07 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-07 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-11-07 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-07 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-07 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-07 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-07 Includes\Trojans.sbi (*)
2007-11-07 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
 
Hello,

I actually wanted to see the full log including BHO, Systemstart, Winlogon, Processes and Services so we could see if there is anything else related to Smitfraud-C. that is not detected yet.
Please attach another log file containing the items above, so we can be sure if it is a false positive or not.

For now, I will remove the detection on this.
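
An added example, not part of the original thread and not Spybot's own code: one way to check what a SharedTaskScheduler value such as the one reported above actually points to. Each value name under that key is a CLSID, and the sketch resolves it to the DLL registered under `HKEY_CLASSES_ROOT\CLSID\<clsid>\InprocServer32` and reports whether that file exists and is signed. The function name `Get-SharedTaskSchedulerEntry`, the System32 fallback for bare file names, and Windows PowerShell 5.1 or later are assumptions of the example.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later.
$StsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

function Get-SharedTaskSchedulerEntry {   # hypothetical helper name
    param([string]$KeyPath = $StsKey)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath

    foreach ($clsid in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($clsid)) { continue }   # skip the unnamed (Default) value

        # Each value name is a CLSID; its in-process server is the DLL Explorer loads.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            # The (Default) value of InprocServer32 holds the DLL path.
            $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
        }
        # Assumption: a bare file name is resolved against System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }

        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
        $sig = $null
        if ($exists) { $sig = Get-AuthenticodeSignature -LiteralPath $dll }

        [pscustomobject]@{
            Clsid     = $clsid
            Data      = $key.GetValue($clsid)
            Dll       = $dll
            Exists    = $exists
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-SharedTaskSchedulerEntry | Format-List
```

A row with no DLL, or with `Exists` false, is a value that resolves to nothing on disk; a row whose DLL exists shows its signature status and signer for comparison against the rest of the full log. On 64-bit Windows the 32-bit registrations live under `WOW6432Node` and are not covered by this sketch.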
 
OK, I am a bit of a novice. :laugh: Pardon, is the full log where every check box is checked under full report? That last log I fetched was made by Spybot.

I tried to attach a zip file, but it was too big for the attachment size limit. I could not post it here either since it was too big.
 
Yes, a full log is where all check boxes are marked.

You can send the report to detections-at-spybot.info (replace -at- with @). If you send the mail, please refer to this thread.
 
I also have this false pos reported, but for a totally different file. See pic.

I have notified support, so there's no need to do all that again, but I'm worried people might go deleting MS files in error, so word needs to get out.
 