Where Do These Come From..

[Stuart]

HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap

I had an occasion yesterday when I found that a password to a website
had been cancelled as the site said it had been used too many
times,including in Japan and Germany .I got it reset altho' I hadnt
been responsible as I am the only person using the PC.
I found that using Spybot S+D several instances of Smitfraud-C but
Spybot wasn't able to delete them so i printed out the log..
I went in to Regedit and found a load of folders mainly with porn
related url's under the above key and deleted them all.I ran Spybot
again and they were definitely gone.
I take it that there is a connection betwen the two things.the
password useage and the Smitfraud-C instance.
i also use Norton Ant-Virus Internet Security/AdAware/Spybot and
Spyspotter.

tia
Stuart

 

[MAP]

HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Micro
soft\Windows\CurrentVersion\Internet
Settings\ZoneMap

I had an occasion yesterday when I found that a password to a website
had been cancelled as the site said it had been used too many
times,including in Japan and Germany .I got it reset altho' I hadnt
been responsible as I am the only person using the PC.
I found that using Spybot S+D several instances of Smitfraud-C but
Spybot wasn't able to delete them so i printed out the log..
I went in to Regedit and found a load of folders mainly with porn
related url's under the above key and deleted them all.I ran Spybot
again and they were definitely gone.
I take it that there is a connection betwen the two things.the
password useage and the Smitfraud-C instance.
i also use Norton Ant-Virus Internet Security/AdAware/Spybot and
Spyspotter.

tia
Stuart

First thing to do is to uninstall SpySpotter! Look Here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

After that rescan with Spybot and Ad-Aware
Ad-Aware SE - http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html

Smitfraud-C is a trojan used to steal info,like the website password you
mentioned.
http://www.windowsecurity.com/trojanscan/

 

[pcbutts1]

The Smitfraud-C is not completely removed by deleting the reg entry's only.
I have manual delete instructions if you want me to post them. The
Smitfraud-C makes a lot of changes to the infected system.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com

 

[Vanguard]

HKEY_USERS\S-1-5-21-602162358-813497703-725345543-500_Classes\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap

I had an occasion yesterday when I found that a password to a website
had been cancelled as the site said it had been used too many
times,including in Japan and Germany .I got it reset altho' I hadnt
been responsible as I am the only person using the PC.
I found that using Spybot S+D several instances of Smitfraud-C but
Spybot wasn't able to delete them so i printed out the log..
I went in to Regedit and found a load of folders mainly with porn
related url's under the above key and deleted them all.I ran Spybot
again and they were definitely gone.
I take it that there is a connection betwen the two things.the
password useage and the Smitfraud-C instance.
i also use Norton Ant-Virus Internet Security/AdAware/Spybot and
Spyspotter.

Spybot's Immunize and also SpywareBlaster have options to let you add
their list of "bad" sites to the Restricted Sites security zone (and
also optionally to block cookies from "bad" domains). So if you used
those features then that is why all those bad sites were listed in that
security zone: you put them there.

I'm not familiar with SmitFraud and would have to perform the same
Googling as yourself to get info on it, how it behaves, and what files
and registry entries it injects. I've seen plenty of users asking about
it so I'm sure the anti-pestware makers have it in their databases by
now. The first place I checked, CA's virus/spyware databases, had some
info on it; see
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094215.