Where Do These Come From..

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Stuart wrote:
>
HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Micro
soft\Windows\CurrentVersion\Internet
> Settings\ZoneMap
>
> I had an occasion yesterday when I found that a password to a website
> had been cancelled as the site said it had been used too many
> times,including in Japan and Germany .I got it reset altho' I hadnt
> been responsible as I am the only person using the PC.
> I found that using Spybot S+D several instances of Smitfraud-C but
> Spybot wasn't able to delete them so i printed out the log..
> I went in to Regedit and found a load of folders mainly with porn
> related url's under the above key and deleted them all.I ran Spybot
> again and they were definitely gone.
> I take it that there is a connection betwen the two things.the
> password useage and the Smitfraud-C instance.
> i also use Norton Ant-Virus Internet Security/AdAware/Spybot and
> Spyspotter.
>
> tia
> Stuart

First thing to do is to uninstall SpySpotter! Look Here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

After that rescan with Spybot and Ad-Aware
Ad-Aware SE - http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html

Smitfraud-C is a trojan used to steal info,like the website password you
mentioned.
http://www.windowsecurity.com/trojanscan/






--
Mike Pawlak

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

"Stuart" <stuart@xpozureTHELEVER4u.plus.com> wrote in message
news:bmnpe19r4bs2ej7n2tsmsb86boo4dtplri@4ax.com...
> HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap
>
> I had an occasion yesterday when I found that a password to a website
> had been cancelled as the site said it had been used too many
> times,including in Japan and Germany .I got it reset altho' I hadnt
> been responsible as I am the only person using the PC.
> I found that using Spybot S+D several instances of Smitfraud-C but
> Spybot wasn't able to delete them so i printed out the log..
> I went in to Regedit and found a load of folders mainly with porn
> related url's under the above key and deleted them all.I ran Spybot
> again and they were definitely gone.
> I take it that there is a connection betwen the two things.the
> password useage and the Smitfraud-C instance.
> i also use Norton Ant-Virus Internet Security/AdAware/Spybot and
> Spyspotter.


Spybot's Immunize and also SpywareBlaster have options to let you add
their list of "bad" sites to the Restricted Sites security zone (and
also optionally to block cookies from "bad" domains). So if you used
those features then that is why all those bad sites were listed in that
security zone: you put them there.

I'm not familiar with SmitFraud and would have to perform the same
Googling as yourself to get info on it, how it behaves, and what files
and registry entries it injects. I've seen plenty of users asking about
it so I'm sure the anti-pestware makers have it in their databases by
now. The first place I checked, CA's virus/spyware databases, had some
info on it; see
http://www3.ca.com/securityadvisor [...] 453094215.

--
____________________________________________________________
For e-mail, remove "NIX" and add "#LAH" passcode to Subject.
____________________________________________________________