Global injection triggers Bitdefender antivirus (Gen:Adware.SMSHoax.4)

So this is my first time ever using this program. I was going to use it for Saints Row: The Third Remastered, or at least see if I could use it for that game. Anyways, following instructions on the mod page, I was told to start the global injection. Whenever I do though, Bitdefender (my antivirus) says this: “Injection detected as Gen:Adware.SMSHoax.4 was preformed by C:\Windows\SysWOW64\rundll32.exe and was blocked. Your device is safe.” I’ve never had this issue before with anything. I looked up this SMSHoax.4 and couldn’t find much. I did find something about SMSHoax.3 though, and it looks just like your average adware. I don’t know if this is packaged with SpecialK or if it’s somewhere else on my computer, but it only gets detected while using the SpecialK global injection. I’m probably just not gonna use this program, but figured I’d let you know.

Thanks for the report. Which download of Special K was it that you used? And what file was being flagged? We sorta need to know that to know what specific file we need to report as a false positive to BitDefender :slight_smile:

Eventually Special K will start to be signed using a code signing certificate which hopefully should minimize or prevent these mistakes from happening.


If you want to know more about why it was reported:

Anti-malware suites work through various methods, one of which is by detecting code segments shared between different malicious objects. Sadly, however, many times whatever virus signature the anti-malware suite have detected to be used by malicious items is or may also be used by legitimately safe items.

This is particular common within PC gaming, where trainers based on or making use of the Cheat Engine tool is seen as “malicious”, or mods such as 21:9 ultra-widescreen fixes or FOV fixes applied using binary patching tools is detected as malicious because they happen to share some few common characteristics with actual malicious items. It’s so bad that the WideScreen Gaming Forum (WSGF) was impacted a few years ago by a site-wide/domain-wide block from Google because many of their community-created widescreen patches and fixes were incorrectly detected as malicious.

The seemingly complete disregard for anti-malware suites of the PC gaming market is one of the annoyances that plague those creating or providing mods and fixes within the PC gaming space. I’m also a staff member of the PCGamingWiki site and we sadly see these sorts of reports weekly from users, where a perfectly fine mod or fix created by longtime contributors or modders randomly starts to get flagged weeks, months, or sometimes years later after its creation.


None the less, thank you for your time to report the issue to us. If we learn exactly which file BitDefender flagged we should be able to report it as a false positive to the AV vendor, which will after a couple of days result in the whitelist of the file in question.

Uh, frankly I don’t know how to find an answer to either of those questions… All I can say is I just went to the download button and it automatically started downloading. So probably the latest, right? V 21.04.04? As for the file that triggered it, the only information Bitdefender gave me was “Injection detected as Gen:Adware.SMSHoax.4 was preformed by C:\Windows\SysWOW64\rundll32.exe and was blocked. Your device is safe.” So probably this “C:\Windows\SysWOW64\rundll32.exe” Which made me think it was a file on my end that had nothing to do with SpecialK, but it only gets triggered when using the global injection tool in SpecialK. So really, I have no clue. Sorry I’m not of much help. If you can guide me at all to finding the file, that would be great. But Bitdefender won’t tell me much, so I guess I’ll just need to do some research for now. I’ll let you know if I find anything.

Edit: I think I found my problem, but I don’t know what to do about it. “Rundll32.exe is a program used to run program code in DLL files which is part of Windows components. There are viruses that uses this name also that’s why it’s commonly mistaken as a real virus. There are also times that the file gets replaced with a malware infected one.” So I’m gonna try to figure out a safe way to reinstall/clean up the file. I’ll try again afterwards and let you know what happens.

Please don’t!

rundll32.exe (this is a system file of Windows) is what’s used to run the global injection service of Special K. That BitDefender was triggered on the SysWOW64\rundll32.exe means it was triggered by SpecialK32.dll which was loaded by rundll32.exe to run the 32-bit global injector.

No need for you to do anything, really. I’ll report the false positive to BitDefender.

Don’t worry. Figured out real quick that there’s no fixing it. I’m just hoping that it is indeed a false positive and not an infected file. Anyways, thanks for looking into this. I’ll try this again in a week or so, give it time to get whitelisted.

It’s a false positive. These are the VirusTotal reports for the relevant files:

Archive: VirusTotal

SpecialK32: VirusTotal

1 Like

Ah… wtf… Can you upload a screenshot of the BitDefender event generated? Apparently that’s required when reporting a false positive to them :expressionless:

(the page they link to is this one: https://www.bitdefender.com/consumer/support/answer/1864/)

image_2021-05-31_120121

1 Like