Spybot 1.4 Smitfraud-C False Positive?

* * Chas

I'm running Spybot 1.4 on a Win98SE system. It started reporting
Smitfraud-C the other day.

Here's the Spybot message:

Smitfraud-C.: Settings (Registry change)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

Aside from this Registry entry, there are no other symptoms or changes.
AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
TweakUI 1.33 and Active Desktop disabled. I think that it's a false
positive.

Here is a description of Smitfraud.c

Trojan-Spy.HTML.Smitfraud.c Other versions: .a

Aliases
Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* * Chas said:
I'm running Spybot 1.4 on a Win98SE system. It started reporting
Smitfraud-C the other day.

Here's the Spybot message:

Smitfraud-C.: Settings (Registry change)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

Just tried a scan on my PC and with a Virtual PC with older S&D
definitions, and with the 17/06 definitions this was not reported. Current
defs report it as you've found.

The registry value in question is legitimate (not spyware) in line with
its name "NoActiveDesktopChanges", which one can change in a more friendly
manner using Microsoft's TweakUI.

I've got in contact with the developers to let them know about the false
positive.

Cheers
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC64Ys7uRVdtPsXDkRAvA3AJ9wXSuM6FpC9DD2C3DObAMhptVnIgCZAT52
ASBVwaRfknfJrr40JYSAw90=
=h3Oq
-----END PGP SIGNATURE-----

David H. Lipman

From: "* * Chas" <[email protected]>

| I'm running Spybot 1.4 on a Win98SE system. It started reporting
| Smitfraud-C the other day.
|
| Here's the Spybot message:
|
| Smitfraud-C.: Settings (Registry change)
|
| HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| Aside from this Registry entry, there are no other symptoms or changes.
| AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| positive.
|
| Here is a description of Smitfraud.c
|
| Trojan-Spy.HTML.Smitfraud.c Other versions: .a
|
| Aliases
| Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)
|

You may want to examine the following URL...

http://www.bleepingcomputer.com/for...itfraud_Quicknavigate_VirtualMaid-t17258.html

Gabriele Neukam

On that special day, * * Chas, ([email protected]) said...
Smitfraud-C.: Settings (Registry change)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

This is an active change of the registry, which is typically done by
smitfraud. The only other reason for this entry is if the computer is
a corporate machine that is supposed to show the company logo, and
nothing else (especially no bathing suit girls).


Gabriele Neukam


Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriele said:
On that special day, * * Chas, ([email protected]) said...

This is an active change of the registry, which is typically done by
smitfraud. The only other reason for this entry is, if the computer is
a corporate machine, which is supposed to show the company logo, and
nothing else (especially no bathing suit girls).

I use that registry setting because I don't use Active Desktop, and don't
want the "Active Desktop" entry when I right-click the Desktop, so consider
it a false positive. Maybe if other signatures found that Smitfraud was
present, one should consider removing the registry setting?

Regards
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC65re7uRVdtPsXDkRAoZbAKCb6favVAdoWNuO8q0/OwGTQ3KIPACff8dH
wHtprLUlfX4tP5PmaEp6tOc=
=fCA5
-----END PGP SIGNATURE-----

* * Chas

| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| * * Chas wrote:
| > I'm running Spybot 1.4 on a Win98SE system. It started reporting
| > Smitfraud-C the other day.
| >
| > Here's the Spybot message:
| >
| > Smitfraud-C.: Settings (Registry change)
| >
| > HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| Just tried a scan on my PC and with a Virtual PC with older S&D
| definitions, and with the 17/06 definitions this was not reported. Current
| defs report it as you've found.
|
| The registry value in question is legitimate (not spyware) in line with
| its name "NoActiveDesktopChanges", which one can change in a more friendly
| manner using Microsoft's TweakUI.
|
| I've got in contact with the developers to let them know about the false
| positive.
|
| Cheers
| - --
| Adam Piggott, Proprietor, Proactive Services (Computing).
| http://www.proactiveservices.co.uk/
|

Thanks, I used TweakUI to configure my Desktop and Start Menu settings,
so there are a number of Binary Values set in the Policies Key in the
Registry along with "NoActiveDesktopChanges".

Chas.
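As an added example (not code from the thread, and not Spybot's own detection logic), the following Python script parses a regedit export in REGEDIT4 format (what `regedit /e` produces on Win9x) and re-implements the Spybot-style rule `NoActiveDesktopChanges != dword:0`, but reports each hit together with the other non-zero policies in the same Policies\Explorer key, so the value can be judged in the context Adam and Chas describe (a TweakUI-configured desktop, other scanners clean) rather than on its own. The export text is constructed for illustration; the policy names other than NoActiveDesktopChanges are assumed sample values, and treating a non-zero 4-byte REG_BINARY (`hex:01,00,00,00`, the form Chas's "Binary Values" would take in an export) the same as `dword:1` is this example's own choice.

```python
import re

# Constructed sample of a Win9x "regedit /e" export (REGEDIT4 format); not taken from the thread.
# NoActiveDesktopChanges reproduces the value Spybot flagged; the other entries are assumed
# examples of TweakUI-set Explorer policies (stored as 4-byte REG_BINARY) and a Run entry.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"NoActiveDesktop"=hex:01,00,00,00
"NoRun"=hex:00,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeApp"="C:\\Program Files\\SomeApp\\app.exe"
"""

# Matches the Explorer policy key under any user hive (HKEY_USERS\.DEFAULT, HKEY_CURRENT_USER, ...).
POLICY_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _logical_lines(text):
    """Join .reg line continuations (a trailing backslash on hex data) into single logical lines."""
    lines, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1].strip()
            continue
        lines.append(pending + stripped)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_reg(text):
    """Parse a REGEDIT4/5 export into {key_path: {value_name: raw_data_string}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def as_int(raw):
    """Decode dword:XXXXXXXX or hex:aa,bb,... (little-endian REG_BINARY) to an int; None for other types."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        octets = [x for x in raw[len("hex:"):].split(",") if x]
        return int.from_bytes(bytes(int(x, 16) for x in octets), "little")
    return None


def check_policies(keys, watched=("NoActiveDesktopChanges",)):
    """Apply the Spybot-style rule 'watched value != 0' to every Policies\\Explorer key found.

    Each finding also lists the other non-zero policies in the same key, so the analyst can
    see whether the flagged value sits among ordinary TweakUI restrictions or stands alone.
    """
    findings = []
    for path, values in keys.items():
        if not path.endswith(POLICY_KEY_SUFFIX):
            continue
        for name in watched:
            if name not in values:
                continue
            data = as_int(values[name])
            if data is None or data == 0:
                continue
            others = sorted(v for v in values if v != name and (as_int(values[v]) or 0) != 0)
            findings.append({"key": path, "value": name, "data": data, "other_nonzero_policies": others})
    return findings


if __name__ == "__main__":
    for f in check_policies(parse_reg(SAMPLE_EXPORT)):
        others = ", ".join(f["other_nonzero_policies"]) or "none"
        print(f"{f['key']}\\{f['value']} = {f['data']}  (other non-zero policies: {others})")
```

On the constructed export the script reports the same hit Spybot did, with NoActiveDesktop set alongside it; a flagged value that keeps company with other user-chosen restrictions, on a machine where the other scanners in the thread find nothing, is the false-positive picture described above, whereas the same value appearing on its own would be worth checking further.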

* * Chas

| From: "* * Chas" <[email protected]>
|
| | I'm running Spybot 1.4 on a Win98SE system. It started reporting
| | Smitfraud-C the other day.
| |
| | Here's the Spybot message:
| |
| | Smitfraud-C.: Settings (Registry change)
| |
| | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
| |
| | Aside from this Registry entry, there are no other symptoms or changes.
| | AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| | TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| | positive.
| |
| | Here is a description of Smitfraud.c
| |
| | Trojan-Spy.HTML.Smitfraud.c Other versions: .a
| |
| | Aliases
| | Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| | Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| | Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| | Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)
| |
|
| You may want to examine the following URL...
|
| http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_Quicknavigate_VirtualMaid-t17258.html
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm

Thanks, as soon as I saw the SpyBot entry, I started Googling. I've used
the Smith Barney web site recently to check on some AMD stock that I
bought through them a number of years ago so I was really paranoid
(stock tanked a few months after I bought it and is only worth about 25%
of what I paid).

Aside from that Spybot entry I couldn't find anything else on my system,
so I suspected that it might be a false positive.

Chas.

* * Chas

| On that special day, * * Chas, ([email protected]) said...
|
| > Smitfraud-C.: Settings (Registry change)
| >
| > HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| This is an active change of the registry, which is typically done by
| smitfraud. The only other reason for this entry is, if the computer is
| a corporate machine, which is supposed to show the company logo, and
| nothing else (especially no bathing suit girls).
|
| Gabriele Neukam
|

Thanks Gabriele,

Smitfraud-C changes NoActiveDesktopChanges dword from 0 to 1. The
corporate setting would be (especially no bathing suit girls) especially
without bathing suits!

Chas.

* * Chas

| I'm running Spybot 1.4 on a Win98SE system. It started reporting
| Smitfraud-C the other day.
|
| Here's the Spybot message:
|
| Smitfraud-C.: Settings (Registry change)
|
| HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0
|
| Aside from this Registry entry, there are no other symptoms or changes.
| AdAware 1.06, NOD32 and F-Prot didn't find anything. I'm running MS
| TweakUI 1.33 and Active Desktop disabled. I think that it's a false
| positive.
|
| Here is a description of Smitfraud.c
|
| Trojan-Spy.HTML.Smitfraud.c Other versions: .a
|
| Aliases
| Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as:
| Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec),
| Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV),
| Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)

The latest SpyBot update 07-30-05 seems to have fixed the Smitfraud.c
problem. Just D/L'd them and ran a scan - no problems.

I was REAL paranoid because I was checking some stuff on the Smith
Barney web site this week.

Chas.