Please help! Am I infected?

Discussion in 'malware problems & news' started by AWorriedPerson, Jan 31, 2007.

Thread Status:
Not open for further replies.
  1. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    I scanned with Spyware Doctor trial version and it found this.

    Spyware Doctor Activity Report
    Generated on 1/31/2007 4:34:37 PM Spyware Doctor Homepage PC Tools Homepage Technical Support


    Scans (basic information only):

    Scan Results:
    scan start: 1/31/2007 4:36:44 PM
    scan stop: 1/31/2007 4:49:12 PM
    scanned items: 103172
    found items: 6
    found and ignored: 0
    tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



    Infection Name Location Risk
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com High
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com## High
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com##* High
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www High
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www## High
    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www##* High

    SexVideoPro Dialer (SGrunt
    Dialer.Sfonditalia [Symantec]
    Dial/Chivio-G [Sophos]
    Trojan.Win32.Dialer.hh
    Trojan.Win32.Dialer.nv [Kaspersky])

    Threat Level: High

    Author: Free Connect Ltd.

    Description: SexVideoPro Dialer will access pornographic websites by dialing a high-cost phone number using the modem. It will also hijack your Internet Explorer start page to www.realarea.biz. This dialer will also generate pop-ups even if Internet Explorer is not running.

    So I used Regedit.exe and deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com

    There were a lot of bad things. When I scanned with Spyware Doctor again, it didn't find anything. So is it the place where Spybot Search & Destroy's immunization puts its bad things and Spyware Doctor gave a false alarm? Please help me.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi AWorriedPerson, this is one registry key where you or malware can add sites to zones by adding values to the registry key, for example in the trusted zone.
    You could check to see if any of your protection has that entry.
    If you're still unsure, run your antivirus and/or an online antivirus, same with any antispyware and online antispyware here and here. (activeX, ie)
     
    Last edited: Jan 31, 2007
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Looks like a false positive to me, but you should be able to check. Just re-immunize with Spybot (or SpywareBlaster) and then re-scan. If it comes back you know it is likely to be a fp.

    The HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/ZoneMap/Domains Key contains sites placed in the Restricted or Trusted Zones etc. You manage these sites by going to Internet Explorer / Tools / Internet Options / Security and clicking the 'Sites' button in the Zone in question (eg Restricted Zone).

    The various settings for these Zones are stored on the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones Key (Zone 4 being for Restricted sites).

    If the Domain in question has been placed in the Restricted Zone, then that should be OK; but if it appears in your Trusted Zone you want to get rid of it from there.
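
The check described in the post above, as an added example that is not part of the original thread: it reads a `reg export` of the ZoneMap\Domains key and lists which hosts sit in the Trusted zone and which in the Restricted zone. The sample export is constructed, `example.test` is a made-up host, and zone number 2 for Trusted Sites comes from the standard Internet Explorer zone numbering (the thread itself only states that 4 is Restricted).

```python
import re

# Constructed sample in the text format written by `reg export` (not data from the poster's PC).
# The thread's domain is shown in zone 4; example.test is a made-up entry in zone 2.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002
'''

# Standard Internet Explorer zone numbers (assumption beyond the thread, which names only zone 4).
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
DOMAINS = r"\Internet Settings\ZoneMap\Domains" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(.*)"=dword:([0-9a-fA-F]{8})$')

def parse_zone_map(reg_text):
    """Return (host, protocol, zone number) for every value under ZoneMap\\Domains."""
    entries, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(DOMAINS.lower())
            # Subkeys are stored as domain\subdomain, so reverse them to rebuild the host name.
            host = ".".join(reversed(path[idx + len(DOMAINS):].split("\\"))) if idx >= 0 else None
            continue
        val = VAL_RE.match(line)
        if val and host:
            entries.append((host, val.group(1), int(val.group(2), 16)))
    return entries

def review(entries):
    """Split entries into Trusted (worth a closer look) and Restricted (block-list style)."""
    return [e for e in entries if e[2] == 2], [e for e in entries if e[2] == 4]

if __name__ == "__main__":
    for host, proto, zone in parse_zone_map(SAMPLE_REG):
        print(f"{host:20} {proto:6} {ZONES.get(zone, 'unknown')}")
```

A real export file is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_zone_map`.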
     
  4. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    Thank you very much for your help.

    By the way, I re-immunized with Spybot and re-scanned. It didn't come back. But AdAware SE Personal, Spybot Search & Destroy, AVG Antispyware trial version, a-squared Free 2.1, a-squared Anti-dialer didn't find it, so I think it was a false positive.

    Thank you again for your help.
     
    Last edited: Feb 5, 2007