TechSpot

False positive?

By plasma dragon00
Jan 12, 2008
  1. Hello Techspot. I believe AVG AV may have found a false positive while doing a virus scan. I'm not sure, however. Look at this picture:

    [IMG]

    Full path of the file is - C:\Program Files\Free Download Manager\SmitfraudFix\SmiUpdate.exe

    The problem is that I don't download to that folder. I download files with Free Download Manager to C:\Downloads

    Unless it's a very old download from when you guys helped me before, but even at that should it still show up as a trojan? I'm going to check right now when the folder was created...

    Hmm. I think it could be a virus, it says it was created Dec 6, 2007. I know for a fact that I haven't had any problems with my computer since then and haven't come here for help since I haven't had any problems.

    Interesting, one of the programs in the smitfraudfix folder is called reboot.exe, with the description "Reboot Utility - Option^Explicit Software"

    Any info would be greatly appreciated :)

    Thanks

    EDIT: Now it's finding it in a lot of my system restore files...
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Doesn't appear to be a false positive to us.
    SmitFraud can be an extremely troublesome trojan infestation.
    Images are targets, because removal is very difficult.
    Run another free scan by Symantec, Panda, Computer Associates, or one of the many others.
    But take this discovery of AVG seriously.
     
  3. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Thank you for the response :)

    What steps exactly should I take to make sure my system is clean?

    I quarantined the 2 restore points AVG found it in, deleted the folder the trojan was in also. Is there anything else I should do? Besides running anti-spyware scans, I'm doing that right now.

    EDIT: Not saying that the one that was shown before isn't a virus, but I do have a question. I went to check it, and I downloaded the one that's linked to in your viruses/spyware/malware preliminary removal instructions. Downloaded tool 1 (smitfraudfix.exe). Ran it, and it made a folder on my desktop. Inside that folder were the same contents as the one that the virus was being detected in. I scanned the folder and AVG found the same file to be the same trojan.

    So... maybe AVG was wrong? Cuz now I'm really confused. Like I said, I downloaded the one that you guys have linked to, the website looked the same as it always does, as far as I remember. So does the smitfraudfix.exe file.
     
  4. raybay

    raybay TS Evangelist Posts: 7,241   +9

    After your initial scans, immediately reboot into Safe Mode (pressing <F8> repeatedly once per second as soon as you depress the ON button) then run again in Safe Mode, reboot, and run again in SAFE MODE.
    Then try other scans.
     
  5. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Will do, but why do you think AVG is picking it up as a trojan when the smitfraudfix.exe program is creating it? And also, I scanned the smitfraudfix.exe file and it is detected twice, as infected - embedded and infected - archived
     
  6. jhmed

    jhmed TS Rookie Posts: 18

    I am having the same issues... I run a NAV Corp v10, with scheduled updates/full scans every night at 3:30am and 4:00am respectively. I have a copy of SmitFraud in a directory on a USB HDD. It's been there since I repaired a couple PCs back in November (using the guide on this site, and downloaded only from the link provided here). The USB drive is always on, and always connected. Always. No exceptions.

    I haven't left my PC on overnight for the past couple days, so according to the scan history log, the last completed full scan was 1/20/07 at 4am.

    This morning's scan at 4am revealed a Trojan in the smitfraudfix folder in the file process.exe -- and it was successfully quarantined...

    This has not appeared before...

    I have seen a few instances (in a quick Google search of this issue) where AV programs are tagging smitfraud files as trojans, but most people are speaking about the update file Plasma Dragon 00 was referring to.

    Again, could this be the case? Could AV programs be giving a false positive to these Smitfraud applications?
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It may or may not be a false positive; if the smitfraudfix only picks up process.exe, then it is probably a false positive.

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/processutil/processutil.htm


    Download and install smitfraudfix by S!Ri
    http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please attach that report into your next reply.

    You also need to follow raybay's advice and run an online scan. If it finds more files other than process.exe you are most likely infected.

    Trend Micro Housecall Free Online Scanner

    • It's one of the very few online scanners that will actually disinfect viruses etc.
    • First Open Internet Explorer
    • Go to Trend Micro's Housecall website which can be found HERE
    • Click on the link that says "Scan now. It's Free"
    • A new tab will open where you will have to tick a box to agree to the terms of service.
    • Click "Launch House Call"
    • Follow any additional on screen instructions
     
  8. jhmed

    jhmed TS Rookie Posts: 18

    I find that unwise, being that the process.exe file is run during the launch of the application. Or am I just being too paranoid?


    I wasn't so much concerned with the false positive per se, I've seen small utils from trusted sources make my NAV go nuts from time to time but I'm more concerned with the sudden appearance of it... Over 80 days+ of the same scan produces nothing, until this morning.
     