RogueAntiSpyware.SystemDefender??? FP?
jerome
11-15-2007, 11:44 AM
Hello, I am in Windows XP SP2 and after today's update, SD finds this:
PC Tools Spyware Doctor
Date Status
15/11/2007 11:56:33:687 Analyse démarrée
Type d'analyse - Analyse complète
15/11/2007 12:36:05:546 Une infection a été détectée sur cet ordinateur
Nom de la menace - RogueAntiSpyware.SystemDefender
Type - File
Degré de risque - Grave
Infection - C:\WINDOWS\SYSTEM32\swsc.exe
15/11/2007 12:37:13:109 Analyse terminée
Type d'analyse - Analyse complète
Eléments traités - 221831
Menaces détectées - 1
Infections détectées - 1
Infections ignorées - 0
My SD version: 5.1.0.273 Database 5.8580 Intelli-signatures: 628250
Yesterday with database 5.8570 the scan was clean. No emails and no download since then!
So is it a false positive?
Regards,
Jérôme (from Paris, France!)
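The reasoning in the post above (a clean scan yesterday on database 5.8570, no new files or mail since, a detection appearing on 5.8580) is the usual first-pass test for a signature false positive: the file did not change, the signatures did. The script below is an added example, not code from the thread or from PC Tools. It parses the French-language Spyware Doctor report exactly as posted and applies that heuristic; the file modification time and the time of the previous clean scan are constructed values supplied by the caller, so nothing touches the filesystem.

```python
"""Parse a Spyware Doctor scan report and apply a first-pass false-positive heuristic.

Added example (not from the thread or PC Tools). The labels are the French ones
in the posted report; file_mtime and last_clean_scan are caller-supplied values.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Report text as posted in the thread; the ":687" timestamp suffix is milliseconds.
REPORT = r"""PC Tools Spyware Doctor
Date Status
15/11/2007 11:56:33:687 Analyse démarrée
Type d'analyse - Analyse complète
15/11/2007 12:36:05:546 Une infection a été détectée sur cet ordinateur
Nom de la menace - RogueAntiSpyware.SystemDefender
Type - File
Degré de risque - Grave
Infection - C:\WINDOWS\SYSTEM32\swsc.exe
15/11/2007 12:37:13:109 Analyse terminée
Type d'analyse - Analyse complète
Eléments traités - 221831
Menaces détectées - 1
Infections détectées - 1
Infections ignorées - 0
"""

TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):\d{3} (.*)$")


@dataclass
class Detection:
    name: str
    kind: str
    risk: str
    path: str


def parse_report(text):
    """Return (scan_start, scan_end, [Detection, ...]) from a report."""
    start = end = None
    detections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMESTAMP.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
            if m.group(2) == "Analyse démarrée":
                start = stamp
            elif m.group(2) == "Analyse terminée":
                end = stamp
            continue
        label, sep, value = line.partition(" - ")
        if not sep:
            continue
        # A detection block is four consecutive "label - value" lines.
        if label == "Nom de la menace":
            current = {"name": value}
        elif label == "Type" and current:
            current["kind"] = value
        elif label == "Degré de risque" and current:
            current["risk"] = value
        elif label == "Infection" and current:
            current["path"] = value
            detections.append(Detection(**current))
            current = {}
    return start, end, detections


def triage(file_mtime, last_clean_scan, db_before, db_after):
    """Classify a detection from what changed between a clean scan and a flagged one."""
    reasons = []
    if file_mtime < last_clean_scan:
        reasons.append("file predates a scan that reported it clean")
    if db_before != db_after:
        reasons.append(f"signature database changed {db_before} -> {db_after}")
    # Unchanged file plus new signatures and nothing else: report it to the vendor
    # and keep the file until they confirm. Anything else needs a closer look.
    verdict = "candidate false positive" if len(reasons) == 2 else "needs investigation"
    return verdict, reasons


def run_example():
    """Apply the heuristic to the posted report with constructed timing values."""
    start, end, detections = parse_report(REPORT)
    # Constructed: file left behind months earlier; clean scan the day before on
    # database 5.8570 (the database versions are the ones quoted in the post).
    verdict, reasons = triage(
        file_mtime=datetime(2007, 6, 1),
        last_clean_scan=datetime(2007, 11, 14, 12, 0),
        db_before="5.8570",
        db_after="5.8580",
    )
    return {"scan_minutes": int((end - start).total_seconds() // 60),
            "detections": detections, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The heuristic only says where to look next; the confirming steps are the ones the thread goes on to take (check the file's origin, submit it to other scanners, and send the sample and log to the vendor).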
jerome
11-15-2007, 03:13 PM
Some more precisions:
"SystemDefender": never heard about it!
But I had a look on Google about this swsc.exe and it seems to have something to do with a software called "SmitfraudFix".
A long time ago I downloaded it, and uninstalled it the same day.
Maybe this swsc.exe remained in C:\WINDOWS\SYSTEM32\
"Virus Total" does not find anything, nor do A2 free, my McAfee, Spybot S&D, AdAware...
So:
1. Is my explanation good?
2. Can I fix it without any problem for my system?
Regards,
Jérôme
mjq424
11-15-2007, 04:02 PM
Hi
SmitFraudFix would not be highlighted in such a way. It would be described as a "Risktool" not Rogue. It is probably a file detected by SmitFraudFix. I would download and run SmitFraudFix just to be sure there aren't any other files/changes lying around.
Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
hi mjq,
I am also facing this issue as well. Below is the log of my PC.
SmitFraudFix v2.253
Scan done at 0:11:47.81, 2007-11-16
Run from C:\Documents and Settings\MSI\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\CY_BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MSI
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MSI\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MSI\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3407CC7-28E1-46A4-B53C-5B8ED734D9F6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B3407CC7-28E1-46A4-B53C-5B8ED734D9F6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3407CC7-28E1-46A4-B53C-5B8ED734D9F6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
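The report above is read as clean in the next reply; the sections that carry that judgement are the hijack points SmitfraudFix prints: AppInit_DLLs (loaded into every process that loads user32.dll), the Winlogon "System" value (run at logon), the hosts file, and the configured DNS servers (the "Rustock"/DNS checks target resolver hijacking). The following Python script is an added example, not part of SmitfraudFix or of anything posted in the thread. It audits those sections of the posted report and of a constructed variant; the populated AppInit_DLLs path and the 198.51.100.7 resolver in the variant are constructed placeholders (198.51.100.0/24 is a documentation range), and the RFC 1918 check assumes a home LAN where the resolver is the router's private address.

```python
"""Audit the persistence and DNS sections of a SmitfraudFix report.

Added example, not part of SmitfraudFix or the thread. An empty findings list
means the checked sections look clean; findings are things to review, not verdicts.
"""
import ipaddress
import re

# Excerpt of the report posted in the thread (the sections these checks use).
POSTED_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3407CC7-28E1-46A4-B53C-5B8ED734D9F6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed variant: a populated AppInit_DLLs value (placeholder file name) and a
# resolver outside RFC 1918 (198.51.100.7 is a documentation address, not a real server).
SUSPECT_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\placeholder_unknown.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» DNS
DNS Server Search Order: 198.51.100.7
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=198.51.100.7
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION = re.compile(r"^»+\s*(.+?)\s*$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_sections(text):
    """Map each '»»» Name' header to the lines that follow it."""
    sections, name = {}, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            name = m.group(1)
            sections.setdefault(name, [])
        elif name is not None:
            sections[name].append(line.rstrip())
    return sections


def registry_values(lines):
    """Collect "name"="value" pairs from a .reg-style dump."""
    return {m.group(1): m.group(2) for m in map(REG_VALUE.match, (l.strip() for l in lines)) if m}


def audit(text):
    """Return findings for the AppInit_DLLs, Winlogon System, hosts and DNS sections."""
    sec = split_sections(text)
    findings = []
    appinit = registry_values(sec.get("AppInit_DLLs", [])).get("AppInit_DLLs", "")
    if appinit:
        findings.append(f"AppInit_DLLs is populated: {appinit}")
    system = registry_values(sec.get("Winlogon.System", [])).get("System", "")
    if system:
        findings.append(f"Winlogon System value is populated: {system}")
    hosts = [l for l in sec.get("hosts", []) if l.strip()]
    if hosts:
        findings.append(f"hosts section lists {len(hosts)} entries; review them")
    # A home LAN normally resolves through the router's private address.
    for ip in sorted(set(IPV4.findall("\n".join(sec.get("DNS", []))))):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            findings.append(f"DNS server {ip} is outside RFC 1918; confirm it is your ISP's")
    return findings


if __name__ == "__main__":
    for label, log in (("posted", POSTED_LOG), ("constructed suspect", SUSPECT_LOG)):
        print(label, "->", audit(log) or ["no findings"])
```

On the posted excerpt the audit returns no findings, which matches the "looks clean" reading in the reply that follows; the constructed variant shows what a populated AppInit_DLLs value and an unexpected resolver look like when they do appear.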
mjq424
11-15-2007, 04:29 PM
Hi
msi please stick to posting in the MalwareRemoval forum (I know you haven't had a reply yet, but as you can probably see, that forum is quite busy!). However, your SmitfraudFix log looks clean.
jerome
11-15-2007, 05:39 PM
Hello again,
If you look here you will see that swsc.exe seems to be a component of SmitfraudFix installation...
http://www.google.fr/search?hl=fr&q=swsc.exe&btnG=Recherche+Google&meta=
So I wonder if it is a false positive or if SD wants us to fix it?
And if I am right, must I fix it? (without any problem for the system?)
Thanks...
mjq424
11-15-2007, 05:55 PM
Hi
Yeah, looks like you are right. This is most likely a false positive. So I suggest you report this to the MRC team by sending an email to support@pctools.com with the subject "False Positive" (attach the scan logs). I suggest you also delete your copy of SmitFraudFix as it is constantly updated so you might as well download it as and when you need it!
jerome
11-15-2007, 07:12 PM
Hello,
I have sent the email.
But, as I explained above, I no longer have SmitfraudFix on my computer: I uninstalled it on the same day I downloaded it!!!
But traces remain, I think.
Regards,
Jérôme.
jerome
11-16-2007, 11:47 AM
Hello,
Nothing new with this morning's update (database: 5.8590).
Same detection.
No news from PC TOOLS here... No answer to my email...
What else?
Regards,
Jérôme
mjq424
11-16-2007, 03:50 PM
Hi
It may take time for the Malware Research Team to sort through all the requests, while still finding new malware. I imagine this may be resolved Monday or Tuesday of next week.
Hope that helps
Rottie
11-17-2007, 12:45 PM
Hello, I am in Windows XP SP2 and after today's update, SD finds this:
PC Tools Spyware Doctor
Date Status
15/11/2007 11:56:33:687 Analyse démarrée
Type d'analyse - Analyse complète
15/11/2007 12:36:05:546 Une infection a été détectée sur cet ordinateur
Nom de la menace - RogueAntiSpyware.SystemDefender
Type - File
Degré de risque - Grave
Infection - C:\WINDOWS\SYSTEM32\swsc.exe
15/11/2007 12:37:13:109 Analyse terminée
Type d'analyse - Analyse complète
Eléments traités - 221831
Menaces détectées - 1
Infections détectées - 1
Infections ignorées - 0
My SD version: 5.1.0.273 Database 5.8580 Intelli-signatures: 628250
Yesterday with database 5.8570 the scan was clean. No emails and no download since then!
So is it a false positive?
Regards,
Jérôme (from Paris, France!)
Hi Jérôme
I had the same message but for me RogueAntiSpyware.SystemDefender was not located under C:\WINDOWS\SYSTEM32\swsc.exe, but instead it was located under my WINRAR. I do not have the address 'cause I deleted it.
After deleting it, Spyware Doctor does not detect it. And it seems like WINRAR still works.
lord_shar
11-17-2007, 08:02 PM
Hello everyone,
I ran a search on this topic but found no previous results.
I just ran a Spyware Doctor sweep of my system, and it detected the following app dll as Spyware:
"c:\Applications\HeadAc3he\azid.dll - RogueAntiSpyware.SystemDefender
RogueAntiSpyware.SystemDefender is a rogue antispyware program. When installed, it detects false positives and asks the user to purchase the product before cleaning the machine."
I've used this version of HeadAc3he for audio transcoding for years with no problems whatsoever. The file azid.dll is 42k in size and has never previously popped up as a Spyware Doctor blip (until today). I Googled azid.dll and found it to be a regular component of HeadAc3he (audio conversion codec), so it appears to be legitimate. However, SD keeps flagging it as malware.
Any advice?
gringopig
11-18-2007, 08:47 AM
I'm getting this FP as well. In my case associated with a file of size 35KB: hardly likely to be a 'rogue anti-spyware program'! LOL!
PCTools - Hopefully people are not deleting important bits of their OS here. I've added it to the Global Action List to allow but I would look into this and find out why this is flagging up innocent files.
:-)
AChen
11-18-2007, 11:29 PM
Hi Everyone,
We are currently investigating this. I'll get back to you shortly :)
AChen
11-19-2007, 04:25 AM
Hi Guys,
This will be resolved in the next update release :D i.e., 3.08610. It's currently on 3.08600 at the moment.
jarome
12-03-2007, 08:21 PM
Is this a false positive? Should I ignore it?
mjq424
12-03-2007, 08:24 PM
Hi
What database are you using?
AChen
12-04-2007, 10:39 PM
Is this a false positive? Should I ignore it?
Please make sure you have the latest DB as this problem should be resolved :)