
Where Do These Come From..

July 31, 2005 7:30:26 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

I had an occasion yesterday when I found that a password to a website
had been cancelled, as the site said it had been used too many
times, including in Japan and Germany. I got it reset, although I hadn't
been responsible, as I am the only person using the PC.
I found, using Spybot S+D, several instances of Smitfraud-C, but
Spybot wasn't able to delete them, so I printed out the log.
I went into Regedit and found a load of folders, mainly with porn-related
URLs, under the above key and deleted them all. I ran Spybot
again and they were definitely gone.
I take it that there is a connection between the two things: the
password usage and the Smitfraud-C instance.
I also use Norton Anti-Virus Internet Security/AdAware/Spybot and
Spyspotter.

tia
Stuart






--

Shift THELEVER to reply.


July 31, 2005 7:30:27 PM


Stuart wrote:
> HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
> I had an occasion yesterday when I found that a password to a website
> had been cancelled, as the site said it had been used too many
> times, including in Japan and Germany. I got it reset, although I hadn't
> been responsible, as I am the only person using the PC.
> I found, using Spybot S+D, several instances of Smitfraud-C, but
> Spybot wasn't able to delete them, so I printed out the log.
> I went into Regedit and found a load of folders, mainly with porn-related
> URLs, under the above key and deleted them all. I ran Spybot
> again and they were definitely gone.
> I take it that there is a connection between the two things: the
> password usage and the Smitfraud-C instance.
> I also use Norton Anti-Virus Internet Security/AdAware/Spybot and
> Spyspotter.
>
> tia
> Stuart

First thing to do is to uninstall SpySpotter! Look here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

After that, rescan with Spybot and Ad-Aware.
Ad-Aware SE - http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html

Smitfraud-C is a trojan used to steal info, like the website password you
mentioned.
http://www.windowsecurity.com/trojanscan/






--
Mike Pawlak
Anonymous
July 31, 2005 7:30:27 PM


The Smitfraud-C is not completely removed by deleting the reg entries only.
I have manual delete instructions if you want me to post them. The
Smitfraud-C makes a lot of changes to the infected system.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Stuart" <stuart@xpozureTHELEVER4u.plus.com> wrote in message
news:bmnpe19r4bs2ej7n2tsmsb86boo4dtplri@4ax.com...
> HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
> I had an occasion yesterday when I found that a password to a website
> had been cancelled, as the site said it had been used too many
> times, including in Japan and Germany. I got it reset, although I hadn't
> been responsible, as I am the only person using the PC.
> I found, using Spybot S+D, several instances of Smitfraud-C, but
> Spybot wasn't able to delete them, so I printed out the log.
> I went into Regedit and found a load of folders, mainly with porn-related
> URLs, under the above key and deleted them all. I ran Spybot
> again and they were definitely gone.
> I take it that there is a connection between the two things: the
> password usage and the Smitfraud-C instance.
> I also use Norton Anti-Virus Internet Security/AdAware/Spybot and
> Spyspotter.
>
> tia
> Stuart
>
>
>
>
>
>
> --
>
> Shift THELEVER to reply.
July 31, 2005 7:30:27 PM


"Stuart" <stuart@xpozureTHELEVER4u.plus.com> wrote in message
news:bmnpe19r4bs2ej7n2tsmsb86boo4dtplri@4ax.com...
> HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
> I had an occasion yesterday when I found that a password to a website
> had been cancelled, as the site said it had been used too many
> times, including in Japan and Germany. I got it reset, although I hadn't
> been responsible, as I am the only person using the PC.
> I found, using Spybot S+D, several instances of Smitfraud-C, but
> Spybot wasn't able to delete them, so I printed out the log.
> I went into Regedit and found a load of folders, mainly with porn-related
> URLs, under the above key and deleted them all. I ran Spybot
> again and they were definitely gone.
> I take it that there is a connection between the two things: the
> password usage and the Smitfraud-C instance.
> I also use Norton Anti-Virus Internet Security/AdAware/Spybot and
> Spyspotter.


Spybot's Immunize and also SpywareBlaster have options to let you add
their list of "bad" sites to the Restricted Sites security zone (and
also optionally to block cookies from "bad" domains). So if you used
those features then that is why all those bad sites were listed in that
security zone: you put them there.

I'm not familiar with SmitFraud and would have to perform the same
Googling as yourself to get info on it, how it behaves, and what files
and registry entries it injects. I've seen plenty of users asking about
it so I'm sure the anti-pestware makers have it in their databases by
now. The first place I checked, CA's virus/spyware databases, had some
info on it; see
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45....

--
____________________________________________________________
For e-mail, remove "NIX" and add "#LAH" passcode to Subject.
____________________________________________________________
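
The reply above attributes the ZoneMap entries to a blocklist placed in the Restricted Sites zone. As an added example (not part of the original thread), this Python sketch reads a regedit export of the ZoneMap key and groups the listed sites by zone number, so Restricted-zone blocklist entries can be told apart from entries that grant extra trust. The sample export and its domain names are constructed, and treating zones 0 to 2 as "needs review" is an assumption about how to triage.

```python
import re
from collections import defaultdict

# Internet Explorer security zone numbers stored in ZoneMap values.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample in regedit export (.reg) format; domains are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-one.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-two.example\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected.example]
"*"=dword:00000002
'''

KEY_RE = re.compile(r'^\[.+\\ZoneMap\\Domains\\(.+)\]$', re.IGNORECASE)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def zone_map_entries(reg_text):
    """Return {zone_number: [(site, protocol), ...]} from a .reg export."""
    by_zone = defaultdict(list)
    site = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Subkeys are stored as domain\subdomain; show subdomain.domain.
            site = ".".join(reversed(key.group(1).split("\\")))
            continue
        if line.startswith("["):
            site = None  # some other key: ignore its values
            continue
        val = VAL_RE.match(line)
        if val and site:
            by_zone[int(val.group(2), 16)].append((site, val.group(1)))
    return dict(by_zone)

def needs_review(by_zone):
    """Sites mapped to a zone more trusted than Internet (zones 0-2)."""
    return sorted(s for z, items in by_zone.items() if z < 3 for s, _ in items)

if __name__ == "__main__":
    for zone, items in sorted(zone_map_entries(SAMPLE_EXPORT).items()):
        print(ZONES.get(zone, zone), items)
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `encoding="utf-16"` before passing its text to `zone_map_entries`.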