Posted by * * Chas on July 29, 2005, 11:23 pm
I'm running Spybot 1.4 on a Win98SE system. It started reporting
Smitfraud-C the other day.
Here's the Spybot message:
Smitfraud-C.: Settings (Registry change)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
Aside from this Registry entry, there are no other symptoms or changes.
AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
TweakUI 1.33 and Active Desktop disabled. I think that it's a false
positive.
Here's a description of Smitfraud.c
Trojan-Spy.HTML.Smitfraud.c Other versions: .a
Aliases
Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)

Posted by * * Chas on July 30, 2005, 11:38 am
| I'm running Spybot 1.4 on a Win98SE system. It started reporting
| Smitfraud-C the other day.
|
| Here's the Spybot message:
|
| Smitfraud-C.: Settings (Registry change)
|
| HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| Aside from this Registry entry, there are no other symptoms or changes.
| AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| positive.
|
| Here's a description of Smitfraud.c
|
| Trojan-Spy.HTML.Smitfraud.c Other versions: .a
|
| Aliases
| Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)
The latest SpyBot update 07-30-05 seems to have fixed the Smitfraud.c
problem. Just D/L'd them and ran a scan - no problems.
I was REAL paranoid because I was checking some stuff on the Smith
Barney web site this week.
Chas.

Posted by David H. Lipman on July 30, 2005, 2:41 pm
| I'm running Spybot 1.4 on a Win98SE system. It started reporting
| Smitfraud-C the other day.
|
| Here's the Spybot message:
|
| Smitfraud-C.: Settings (Registry change)
|
| HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| Aside from this Registry entry, there are no other symptoms or changes.
| AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| positive.
|
| Here's a description of Smitfraud.c
|
| Trojan-Spy.HTML.Smitfraud.c Other versions: .a
|
| Aliases
| Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)
|
You may want to examine the following URL...
http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_Quicknavigate_VirtualMaid-t17258.html
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Posted by * * Chas on July 30, 2005, 10:58 am
|
| | I'm running Spybot 1.4 on a Win98SE system. It started reporting
| | Smitfraud-C the other day.
| |
| | Here's the Spybot message:
| |
| | Smitfraud-C.: Settings (Registry change)
| |
| | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
| |
| | Aside from this Registry entry, there are no other symptoms or changes.
| | AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| | TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| | positive.
| |
| | Here's a description of Smitfraud.c
| |
| | Trojan-Spy.HTML.Smitfraud.c Other versions: .a
| |
| | Aliases
| | Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| | Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| | Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| | Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)
| |
|
| You may want to examine the following URL...
|
| http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_Quicknavigate_VirtualMaid-t17258.html
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
Thanks, as soon as I saw the SpyBot entry, I started Googling. I've used
the Smith Barney web site recently to check on some AMD stock that I
bought through them a number of years ago so I was really paranoid
(stock tanked a few months after I bought it and is only worth about 25%
of what I paid).
Aside from that Spybot entry I couldn't find anything else on my system
so I suspected that it may be a false positive.
Chas.

Posted by Adam Piggott on July 30, 2005, 2:52 pm
* * Chas wrote:
> I'm running Spybot 1.4 on a Win98SE system. It started reporting
> Smitfraud-C the other day.
>
> Here's the Spybot message:
>
> Smitfraud-C.: Settings (Registry change)
>
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
Just tried a scan on my PC and with a Virtual PC with older S&D
definitions, and with the 17/06 definitions this was not reported. Current
defs report it as you've found.
The registry value in question is legitimate (not spyware) in line with
its name "NoActiveDesktopChanges", which one can change in a more friendly
manner using Microsoft's TweakUI.
I've got in contact with the developers to let them know about the false
positive.
Cheers
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.