Dr Web cure it & List of malware detected
beethoven
May 10th, 2008, 06:01 AM
A friend just discovered two trojans on his system - alerted by Spybot:
1) smitfraud-c.gp and 2) ctfmun.exe (win32.agent.cs).
Strange thing is that Norton AV 2006 did not notice anything.
I suggested downloading the good doctor on a usb and perhaps Superantispyware and run these. I am wondering if there is any way to check what malware the good doctor can deal with? Is there a comprehensive list you can check against the two alerts above?
PiCo
May 10th, 2008, 06:15 AM
-{ Quote: "A friend just discovered two trojans on his system - alerted by Spybot:
1) smitfraud-c.gp and 2) ctfmun.exe (win32.agent.cs).
Strange thing is that Norton AV 2006 did not notice anything.
I suggested downloading the good doctor on a usb and perhaps Superantispyware and run these. I am wondering if there is any way to check what malware the good doctor can deal with? Is there a comprehensive list you can check against the two alerts above?" }-
I guess you can check it here -> http://updates.drweb.com/
The problem is that every anti-malware program uses different names to identify a threat, so you probably won't find anything :(
emperordarius
May 10th, 2008, 06:37 AM
-{ Quote: "
Strange thing is that Norton AV 2006 did not notice anything.
" }-
Yeah, strange::)
Anyway, if you are not sure whether Dr.Web detects the threats, you can try uploading to virustotal to see if it detects them. If it doesn't, check if Ewido detects them, so if it does you can use the portable Ewido Micro Scanner to remove the threats.
DjMaligno
May 10th, 2008, 06:48 AM
You can also use VGREP:
http://vgrep.viruspool.net/virus.cms
lodore
May 10th, 2008, 08:39 AM
Make sure you write down the Norton license code before you go any further.
Uninstall Norton 2006, then run the Symantec removal tool link (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039)
Norton 2008 is out and will accept your current license code.
It won't have the same technology that Norton 2008 has.
Download the 15 day trial link (http://shop.symantecstore.com/store/symnahho/en_US/ContentTheme/ThemeID.106300/pbPage.Trialware_en_US)
and put in your license details.
beethoven
May 10th, 2008, 09:10 AM
Thanks guys - we now ran scans with cure it and SuperAntispyware and neither found anything but tracking cookies and old trojans in Norton quarantine. At this point I can't help but suspect that Spybot is throwing a hissy fit and there is not really anything wrong. Will have a look at their forum to see if anybody else is getting any FP.
emperordarius
May 10th, 2008, 09:14 AM
I noticed today that in Spybot's updates there were some false positive fixes. Try to update and run a scan again with Spybot.
beethoven
May 10th, 2008, 09:45 AM
I just checked the forum and can't find anything specific there yet but further googling discovered this from F-Secure -{ Quote: "Crypt.O is a very intrusive adware that we classify as a trojan. It is quite similar to another intrusive adware that we detect as 'Trojan.Win32.Agent.cs'.
The trojan's file is a DLL that is designed to be loaded at Windows startup using the 'Winlogon\Notify' Registry key. As a result the trojan is loaded as the component of one of Windows's system processes and its removal or modification is impossible when Windows is active. Moreover, the trojan blocks access to its own file, monitors changes to its Registry keys and restores them if they are modified or deleted" }-
Spybot is referencing this in their scan as win32.agent.cs and includes it under definitions since 7. May. Since F-Secure has detected this since 2005 :P , I still find it hard to believe that it not only passed undetected by Norton but even now gets by Norton, Cureit and Superantispyware.
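[Added example, not part of the thread and not F-Secure's or Spybot's code: a Python check for the 'Winlogon\Notify' load point named in the F-Secure description quoted above. It parses a .reg export of that key and lists notification packages that differ from a baseline. The baseline of stock Windows XP entries, the sample export and the example_pkg entry are assumptions constructed for illustration.]

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed baseline of stock Windows XP notification packages; adjust for the audited build.
BASELINE = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
            "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
            "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll"}

def decode_value(raw):
    """Decode a .reg value: a quoted string or hex(2) (REG_EXPAND_SZ, UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def notify_packages(reg_text):
    """Return {subkey: DLLName or None} for each subkey of Winlogon\\Notify."""
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key, current = line.strip("[]"), None
            if key.lower().startswith(NOTIFY.lower() + "\\"):
                current = key[len(NOTIFY) + 1:].split("\\")[0]
                found.setdefault(current, None)
        elif current and line.lower().startswith('"dllname"='):
            found[current] = decode_value(line.split("=", 1)[1])
    return found

def unexpected(reg_text):
    """List (subkey, DLLName) pairs that do not match the baseline."""
    pkgs = sorted(notify_packages(reg_text).items())
    return [(n, d) for n, d in pkgs
            if BASELINE.get(n.lower()) != (d or "").split("\\")[-1].lower()]

# Constructed sample export (not from the thread); example_pkg is a hypothetical entry.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DLLName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_pkg]
"DLLName"="C:\\WINDOWS\\system32\\example_pkg.dll"
'''
```

[An entry flagged by unexpected() is only a lead for manual review: a legitimate driver or third-party product can also register a notification package.]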
emperordarius
May 10th, 2008, 09:54 AM
According to this VirusTotal scan, Symantec doesn't find the threat indeed.
~Link to VirusTotal results removed per Policy. (http://www.wilderssecurity.com/showthread.php?t=180057) - Ron~
You'd better submit the sample if you want it added to their database.
SUPERAntiSpy
May 10th, 2008, 12:26 PM
-{ Quote: "A friend just discovered two trojans on his system - alerted by Spybot:
1) smitfraud-c.gp and 2) ctfmun.exe (win32.agent.cs).
Strange thing is that Norton AV 2006 did not notice anything.
I suggested downloading the good doctor on a usb and perhaps Superantispyware and run these. I am wondering if there is any way to check what malware the good doctor can deal with? Is there a comprehensive list you can check against the two alerts above?" }-
Can you send these files to samples AT superantispyware.com (and submit to other vendors) so we can process them and update our database?
C.S.J
May 10th, 2008, 01:05 PM
Spybot is useless, I wouldn't trust any detection by that.
~snip~
beethoven
May 10th, 2008, 09:35 PM
@ Nick - I emailed the samples from the Spybot recovery folder.
@ CSJ - what took you so long to respond :D
ronjor
May 10th, 2008, 09:54 PM
See the link on how to report a possible false positive by Spybot. http://forums.spybot.info/showpost.php?p=190563&postcount=2
beethoven
May 10th, 2008, 10:08 PM
Thanks Ronjor - just did it. Still in doubt as I have found various files in the sp recovery folder, some with the reference to win32.agent and some smitfraud.
Banshee
May 10th, 2008, 10:48 PM
-{ Quote: "Spybot is useless, I wouldn't trust any detection by that.
~snip~" }-
I'm not sure why you say that spybot is useless?
ronjor
May 10th, 2008, 10:58 PM
There is no basis for a "useless" statement like that. Opinions are just opinions unless backed up with verifiable statistics.
At any rate, it is off topic for the thread and I would suggest a personal message to posters that make such statements for further discussion.
SUPERAntiSpy
May 10th, 2008, 11:52 PM
-{ Quote: "@ Nick - I emailed the samples from the Spybot recovery folder.
@ CSJ - what took you so long to respond :D" }-
Can you PM me the passwords to the .ZIP files?
Copyright ©2002 - 2012, Wilders Security Forums