Wilders Security Forums  

#1
July 26th, 2005, 02:54 PM
burns
Posts: n/a
spybot detects smitfraud, nothing else does

OK, after not using my computer for approx. 2 months and therefore not updating anything, I used it again yesterday without updating first. Stupid, I know.
As I was surfing the net I got a prompt out of the blue from spybot asking if I wanted to allow a registry change but with the option to deny faded.
I chose not to allow it and ignored it until I switched the computer off.
I then updated all programs and tested to see if I had anything.
Spybot detected Smitfraud-c but was unable to remove it even when checked immediately at startup and in safe mode.
However, Ad-Aware, ewido, AVG and Spy Sweeper don't detect anything. Firewall detects no outgoing program attempts.
Question is: Is this a false positive by Spybot or is there something potentially nasty lurking on the computer?
BTW there have been no problems, i.e. blue screen, error messages, etc. on my comp and I have read other threads pertaining to smitf.

Thx for the help/comments!
#2
July 26th, 2005, 03:02 PM
Bubba
Global Moderator
Join Date: Apr 2002
Posts: 11,279
Re: spybot detects smitfraud, nothing else does

Quote:
Originally Posted by burns
Spybot detected Smitfraud-c
Do you recall if the below key was mentioned?

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

If you do not remember....you can view your latest report via the program.
#3
July 26th, 2005, 03:39 PM
burns
Posts: n/a
Re: spybot detects smitfraud, nothing else does

Quote:
Originally Posted by Bubba
Do you recall if the below key was mentioned?

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

No, I don't see that key anywhere.
#4
July 26th, 2005, 03:57 PM
Bubba
Global Moderator
Join Date: Apr 2002
Posts: 11,279
Re: spybot detects smitfraud, nothing else does

Ok....maybe it will help if we can see the latest report after your last scan.

Open Spybot....if you are not using Advanced Mode....select Mode\Advanced Mode\Tools\View Report....then select View previous report. A box should come up with selections of .log and .txt files. Select the latest .txt file....Checks.050726-XXXX. The X's will be numbers also....just select the .txt that has the highest number. That will show that report and you highlight all that info and copy\paste that info into your next post, please.
#5
July 26th, 2005, 07:37 PM
burns
Posts: n/a
Re: spybot detects smitfraud, nothing else does

I found the report you were talking about with your directions and within the long list is:

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858986063-2084001222-467287963-1000\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

I am assuming that Smitf made registry changes but didn't get as far as it would like to have done and therefore no damage/probs with computer system. Is that right?

Thx again.
#6
July 26th, 2005, 08:10 PM
Close_Hauled
Very Frequent Poster
Join Date: Apr 2004
Location: California
Posts: 1,015
Re: spybot detects smitfraud, nothing else does

Quote:
Originally Posted by burns
I found the report you were talking about with your directions and within the long list is:

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858986063-2084001222-467287963-1000\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

I am assuming that Smitf made registry changes but didn't get as far as it would like to have done and therefore no damage/probs with computer system. Is that right?

Thx again.


It appears to me that something added makechoice.com to your "Restricted sites" zones list. Check your restricted zones list and see if it is there. Also make sure that your restricted zones is set to High.


INTERESTING SIDE NOTE: I Googled smitfraud makechoice and only 2 domains have that occurrence:

aaaxsw.com
aaazaq.com

I went to DNSstuff.com and got this from their WhoIs:


------------------------------------------
Registrant:
Michal Nowak

Registered through: GoDaddy.com
Domain Name: AAAXSW.COM

Domain servers in listed order:
TREX.JEFFREY.IN
TRIX.MXBL.COM.RU

For complete domain details go to:
http://whois.godaddy.com

------------------------------------------

Registrant:
Michal Nowak

Registered through: GoDaddy.com
Domain Name: AAAZAQ.COM

Domain servers in listed order:
TREX.JEFFREY.IN
TRIX.MXBL.COM.RU

For complete domain details go to:
http://whois.godaddy.com

------------------------------------------

Registrant:
Webstasy

Registered through: GoDaddy.com
Domain Name: MAKECHOICE.COM

Domain servers in listed order:
NS1.MAKECHOICE.COM
NS2.MAKECHOICE.COM

For complete domain details go to:
http://whois.godaddy.com

__________________
Quote:
A smooth sea never made a skillful mariner. Neither do uninterrupted prosperity and success qualify for usefulness and happiness. The storms of adversity, like those of the ocean, rouse the faculties, and excite the invention, prudence, skill and fortitude of the voyager.

Last edited by Close_Hauled : July 26th, 2005 at 08:26 PM.
#7
July 26th, 2005, 08:25 PM
burns
Posts: n/a
Re: spybot detects smitfraud, nothing else does

You're right, it's in the restricted zone...where everything is disabled.
Just wondering why spyware would add its address to the restricted zone instead of the trusted zone?
#8
July 26th, 2005, 08:33 PM
Bubba
Global Moderator
Join Date: Apr 2002
Posts: 11,279
Re: spybot detects smitfraud, nothing else does

Quote:
Originally Posted by burns
You're right it's in the restricted zone...where everything is disabled.
When you had Spybot fix it....it placed it in the Restricted Zone.
Quote:
Originally Posted by Close_Hauled
It appears to me that something added makechoice.com to your "Restricted sites" zones list
With Spybot....when it finds an item....it displays the registry location and the value that it recommends the data value should be set to. In this case....it is suggesting....rightly so....that makechoice.com should be in the Restricted Zone....0x00000004....when in fact it found it in the Trusted Zone....0x00000002.

I have makechoice.com in my Restricted Zone and Spybot did not have a problem. After changing makechoice.com to the Trusted Zone....Spybot did find a problem.

I would definitely consider doing some online scans just to be sure.

http://www.pandasoftware.com/activescan/
http://housecall.trendmicro.com
http://www.kaspersky.com/service?chapter=161739400
http://www.bitdefender.com/scan/license.php
http://uk.trendmicro-europe.com/ente...all_launch.php
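
The zone check described in the post above can be repeated by hand on a `reg export` of the user's `ZoneMap\Domains` key. This is an added example, not part of the original thread and not Spybot's own code; the function names, the watchlist and the sample export are constructed for illustration, and the zone numbers are the standard Internet Explorer ones (2 = Trusted sites, 4 = Restricted sites, as quoted in the post).

```python
import re

# Internet Explorer security zone numbers stored in ZoneMap values.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
DOMAINS = "\\internet settings\\zonemap\\domains\\"

def parse_zonemap(reg_text):
    """Yield (host, protocol, zone) tuples from the text of a .reg export."""
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(DOMAINS)
            if pos < 0:
                host = None  # key is outside ZoneMap\Domains
                continue
            # Key layout is Domains\<domain>[\<subdomain>]; rebuild the host name.
            parts = key[pos + len(DOMAINS):].split("\\")
            host = ".".join(reversed(parts))
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and host:
            yield host, m.group(1), int(m.group(2), 16)

def audit(reg_text, watchlist):
    """Return watchlisted hosts that are mapped to any zone other than Restricted."""
    findings = []
    for host, proto, zone in parse_zonemap(reg_text):
        listed = any(host == d or host.endswith("." + d) for d in watchlist)
        if listed and zone != 4:
            findings.append((host, proto, ZONES.get(zone, f"zone {zone}")))
    return findings

# Constructed sample export (not taken from the machine discussed in the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\www]
"https"=dword:00000004
'''

if __name__ == "__main__":
    for host, proto, zone in audit(SAMPLE, {"makechoice.com", "example.org"}):
        print(f"{host} ({proto}) is mapped to {zone}, expected Restricted sites")
```
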
#9
July 27th, 2005, 04:38 PM
burns
Posts: n/a
Re: spybot detects smitfraud, nothing else does

Just want to say thanks to Bubba and C_H for helping with this problem.
I really appreciate it.
#10
July 27th, 2005, 05:50 PM
Close_Hauled
Very Frequent Poster
Join Date: Apr 2004
Location: California
Posts: 1,015
Re: spybot detects smitfraud, nothing else does

Quote:
Originally Posted by burns
Just want to say thanks to Bubba and C_H for helping with this problem.
I really appreciate it.
You are welcome. I know that I can speak for Bubba when I say that we are more than happy to help. Please keep us informed.
#11
October 26th, 2005, 12:19 AM
electric
Infrequent Poster
Join Date: Oct 2005
Posts: 2
Re: spybot detects smitfraud, nothing else does

sorry moved to other message
#12
October 27th, 2005, 12:31 AM
cheater87
Massive Poster
Join Date: Apr 2005
Location: West Chester Pennsylvania.
Posts: 3,003
Re: spybot detects smitfraud, nothing else does

Mine found Smitfraud and deleted it. Is your version fully updated?
 
