spybot detects smitfraud, nothing else does

Discussion in 'other anti-malware software' started by burns, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. burns

    burns Guest

    OK, after not using my computer for approx. 2 months and therefore not updating anything, I used it again yesterday without updating first. Stupid, I know.
    As I was surfing the net I got a prompt out of the blue from spybot asking if I wanted to allow a registry change but with the option to deny faded.
    I chose not to allow it and ignored it until I switched the computer off.
    I then updated all programs and tested to see if I had anything.
    Spybot detected Smitfraud-c but was unable to remove it even when checked immediately at startup and in safe mode.
    However, Ad-Aware, Ewido, AVG and Spysweeper don't detect anything. Firewall detects no outgoing program attempts.
    Question is: is this a false positive by Spybot, or is there something potentially nasty lurking on the computer?
    BTW, there have been no problems, i.e. blue screen, error messages, etc. on my comp, and I have read other threads pertaining to Smitf.

    Thx for the help/comments!
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Do you recall if the below key was mentioned ?

    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

    If you do not remember....you can view your latest report via the program.
     
  3. burns

    burns Guest

    Do you recall if the below key was mentioned ?

    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=dword:0

    No, I don't see that key anywhere.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Ok....maybe it will help if we can see the latest report after your last scan.

    Open Spybot....if you are not using Advanced Mode....select Mode\Advanced Mode\Tools\View Report....then select View previous report. A box should come up with selections of .log and .txt files. Select the latest .txt file....Checks.050726-XXXX. The X's will be numbers also....just select the .txt that has the highest number. That will show that report; highlight all that info and copy\paste it into your next post, please.
     
  5. burns

    burns Guest

    I found the report you were talking about with your directions and within the long list is:

    Smitfraud-C.: User settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-858986063-2084001222-467287963-1000\
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

    I am assuming that Smitf made registry changes but didn't get as far as it would like to have done and therefore no damage/probs with computer system. Is that right?

    Thx again.
     
  6. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California


    It appears to me that something added makechoice.com to your "Restricted sites" zones list. Check your restricted zones list and see if it is there. Also make sure that your restricted zones is set to High.


    INTERESTING SIDE NOTE: I Googled "smitfraud makechoice" and only 2 domains have that occurrence:

    aaaxsw.com
    aaazaq.com

    I went to DNSstuff.com and got this from their WhoIs:


    ------------------------------------------
    Registrant:
    Michal Nowak

    Registered through: GoDaddy.com
    Domain Name: AAAXSW.COM

    Domain servers in listed order:
    TREX.JEFFREY.IN
    TRIX.MXBL.COM.RU

    For complete domain details go to:
    http://whois.godaddy.com

    ------------------------------------------

    Registrant:
    Michal Nowak

    Registered through: GoDaddy.com
    Domain Name: AAAZAQ.COM

    Domain servers in listed order:
    TREX.JEFFREY.IN
    TRIX.MXBL.COM.RU

    For complete domain details go to:
    http://whois.godaddy.com

    ------------------------------------------

    Registrant:
    Webstasy

    Registered through: GoDaddy.com
    Domain Name: MAKECHOICE.COM

    Domain servers in listed order:
    NS1.MAKECHOICE.COM
    NS2.MAKECHOICE.COM

    For complete domain details go to:
    http://whois.godaddy.com

     
    Last edited: Jul 26, 2005
  7. burns

    burns Guest

    You're right, it's in the restricted zone...where everything is disabled.
    Just wondering why spyware would add its address to the restricted zone instead of the trusted zone?
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    When you had Spybot fix it....it placed it in the Restricted Zone.
    With Spybot....when it finds an item....it displays the registry location and the value that it recommends the data value should be set to. In this case....it is suggesting....rightly so....that makechoice.com should be in the Restricted Zone....0x00000004....when in fact it found it in the Trusted Zone....0x00000002.

    I have makechoice.com in my Restricted Zone and Spybot did not have a problem. After changing makechoice.com to the Trusted Zone....Spybot did find a problem.

    I would definitely consider doing some online scans just to be sure.

    http://www.pandasoftware.com/activescan/
    http://housecall.trendmicro.com
    http://www.kaspersky.com/service?chapter=161739400
    http://www.bitdefender.com/scan/license.php
    http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php
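    The zone ids Bubba refers to (0x00000002 = Trusted sites, 0x00000004 = Restricted sites) are the DWORD data stored under the ZoneMap\Domains key that appeared in burns' report. As an added example that is not from this thread, from Spybot or from Microsoft, here is a PowerShell script that lists the current user's ZoneMap entries, flags any domain that has been placed in Trusted sites, and checks that the Restricted sites zone is running at the High template (the second check Close_Hauled suggested). It assumes the current user's hive (HKCU; the report above shows the same path under HKEY_USERS\<SID>) and the standard CurrentLevel template values; the names $ZoneNames, $LevelNames, Get-ZoneMapEntries and Get-ZoneSecurityLevel are my own.

```powershell
# Added example (not code from the thread, Spybot or Microsoft): audit the
# WinINet/IE security-zone assignments that a Smitfraud-C style check reads.
# Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.  Assumes the current user's hive (HKCU).

$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}
# CurrentLevel DWORDs for the built-in template levels (assumed standard values).
$LevelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-High'; 0x12000 = 'High'
}
$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneMapEntries {
    # Walk ZoneMap\Domains.  Each subkey chain is a host name in reverse
    # (Domains\makechoice.com\www = www.makechoice.com); each value under it is a
    # protocol ('*' = any, 'http', 'https', ...) whose DWORD data is the zone id.
    param([string]$Root = "$IS\ZoneMap\Domains")
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    foreach ($key in Get-ChildItem -LiteralPath $Root -Recurse) {
        $relative = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            $zoneId = [int]$key.GetValue($valueName)
            [pscustomobject]@{
                Host     = $hostName
                Protocol = $(if ($valueName -eq '') { '(default)' } else { $valueName })
                ZoneId   = $zoneId
                Zone     = $(if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] }
                             else { "unknown ($zoneId)" })
            }
        }
    }
}

function Get-ZoneSecurityLevel {
    # Read the template level of one zone from Zones\<id>\CurrentLevel.
    param([int]$ZoneId)
    $props = Get-ItemProperty -LiteralPath "$IS\Zones\$ZoneId" -Name CurrentLevel `
                              -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $level = [int]$props.CurrentLevel
    [pscustomobject]@{
        ZoneId = $ZoneId
        Zone   = $ZoneNames[$ZoneId]
        Level  = $(if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] }
                   else { 'custom (0x{0:X})' -f $level })
        Raw    = $level
    }
}

# --- Report -------------------------------------------------------------------
$entries = @(Get-ZoneMapEntries)
Write-Host "ZoneMap entries for the current user: $($entries.Count)"
$entries | Sort-Object ZoneId, Host | Format-Table Host, Protocol, Zone -AutoSize

# A domain sitting in Trusted sites (2) gets relaxed security; that is the
# placement Spybot objected to for makechoice.com.  Each one should be intended.
$trusted = @($entries | Where-Object ZoneId -eq 2)
if ($trusted.Count -gt 0) {
    Write-Warning 'Trusted-sites entries found; confirm each one is intended:'
    $trusted | ForEach-Object { Write-Warning ('  {0} ({1})' -f $_.Host, $_.Protocol) }
}

# Restricted sites (4) should run at the High template.
$restricted = Get-ZoneSecurityLevel -ZoneId 4
if ($null -eq $restricted) {
    Write-Warning 'Restricted sites zone key not found under HKCU'
} elseif ($restricted.Raw -ne 0x12000) {
    Write-Warning ("Restricted sites level is '{0}', expected High" -f $restricted.Level)
} else {
    Write-Host 'Restricted sites zone level: High'
}
```

    Run it in a normal PowerShell prompt as the user whose zones you want to inspect. To audit another profile's hive, as the HKEY_USERS\S-1-5-21-... path in burns' report suggests, change $IS to `Registry::HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings`; both functions read from that base. Entries in the Trusted sites zone are not automatically malicious, so the script only warns and leaves any change to you.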
     
  9. burns

    burns Guest

    Just want to say thanks to Bubba and C_H for helping with this problem.
    I really appreciate it.
     
  10. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    You are welcome. I know that I can speak for Bubba when I say that we are more than happy to help. Please keep us informed.
     
  11. electric

    electric Registered Member

    Joined:
    Oct 26, 2005
    Posts:
    2
    Sorry, moved to other message.
     
  12. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Mine found Smitfraud and deleted it. Is your version fully updated?
     