Smitfraud Registry Key Appearing, but only when checked from limited accounts



nrshapiro
2007-06-18, 23:43
This could be a false positive, or else Spybot doesn't work well across user accounts. I had some spyware on our family shared machine, which I've cleaned using various utilities and my own knowledge of windows. Adaware and avg antivirus and antispyware report the machine clean.

Spybot reports it clean under my user account, or after a safe mode boot either on the default admin account or my admin account.

But when I look under my son's account, who's a limited user under Windows XP Home SP2, Spybot S&D keeps coming back and reporting

--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1416163055-3445941883-4294521060-1013\Software\Microsoft\aldd


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

I have seen the registry key it's reporting in place; and perhaps something keeps putting it back there. But why isn't this caught when I scan from my admin account? Do you have to run from each account, or will spybot check all the hives and user data each time?

And how does this key alone, in the absence of finding any other files or infections related to smitfraud, mean I am infected? Where is the key coming from?

md usa spybot fan
2007-06-19, 07:42
... why isn't this caught when I scan from my admin account?
If HKEY_USERS\S-1-5-21-1416163055-3445941883-4294521060-1013 is the limited account's registry hive and it is not loaded when you scan from the computer administrator account, then Spybot can't see it.

Try logging on to limited account then quick switch to the computer administrator account. Scan again and see if you get the detection.


Do you have to run from each account, or will spybot check all the hives and user data each time?
If a user's registry hive is not loaded in the system then Spybot can't check it. Also, due to restrictions in the Microsoft APIs (Application Programming Interfaces) used by Spybot, the scan from one account does not include the Internet cache, cookies and some other user-specific entries of other accounts.

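The point above, that HKEY_USERS only contains the hives of users whose profiles are currently loaded (logged on, or parked by Fast User Switching), can be checked directly. The following PowerShell script is an added example, not code from anyone in this thread or from Spybot: it walks the ProfileList key to find every local account's profile directory, reports which hives are mounted, and for the others temporarily loads NTUSER.DAT with reg.exe to look for the flagged key. It assumes PowerShell 2.0 or later and an administrator session; the key path is the one quoted in the Spybot result, and the temporary mount name SpybotScanTmp is an arbitrary choice of this example.

```powershell
# Added example, not from the thread or from Spybot: list which per-user
# registry hives are mounted under HKEY_USERS and check the reported key in
# every local profile, loading unmounted hives temporarily from NTUSER.DAT.
# Assumes PowerShell 2.0+ in an elevated (administrator) session.
# Only the key path comes from the thread; all other names are this example's.

$SuspectSubKey = 'Software\Microsoft\aldd'   # path quoted in the Spybot result
$TempMountName = 'SpybotScanTmp'             # hypothetical name for a temporarily loaded hive

function Resolve-Sid([string]$Sid) {
    # Translate a SID to DOMAIN\user; deleted accounts no longer resolve.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
}

function Test-SuspectKey([string]$HiveName) {
    # $HiveName is a subkey of HKEY_USERS: a loaded user's SID or our mount name.
    Test-Path -LiteralPath ("Registry::HKEY_USERS\$HiveName\$SuspectSubKey")
}

# ProfileList maps every SID with a local profile to its profile directory,
# which is where that user's hive (NTUSER.DAT) sits on disk.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$loadedHives = Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $_.PSChildName }

foreach ($entry in Get-ChildItem $profileList) {
    $sid = $entry.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }      # skip LocalSystem/service SIDs
    $account = Resolve-Sid $sid

    if ($loadedHives -contains $sid) {
        # Hive is mounted (user logged on or fast-switched): a scanner running
        # now can read it, so check the key in place.
        "{0,-28} hive LOADED      key present: {1}" -f $account, (Test-SuspectKey $sid)
        continue
    }

    # Hive is not mounted: nothing that scans HKEY_USERS can see it. Load the
    # profile's NTUSER.DAT under a temporary name, check, then unload.
    $ntuser = Join-Path $entry.GetValue('ProfileImagePath') 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) {
        "{0,-28} hive NOT LOADED  no NTUSER.DAT at {1}" -f $account, $ntuser
        continue
    }
    & reg.exe load "HKU\$TempMountName" $ntuser | Out-Null
    if ($LASTEXITCODE -ne 0) {
        "{0,-28} hive NOT LOADED  reg load failed (file in use?)" -f $account
        continue
    }
    try {
        "{0,-28} hive NOT LOADED  key present: {1}" -f $account, (Test-SuspectKey $TempMountName)
    } finally {
        [GC]::Collect()                                   # release provider handles first,
        & reg.exe unload "HKU\$TempMountName" | Out-Null  # otherwise unload reports access denied
    }
}
```

Two caveats when using this. A hive that shows as LOADED is visible to a scanner, but as the reply notes, Spybot's per-user checks of Internet cache and cookies still only cover the account the scan runs under, so this script only answers the question about the registry key. And a hive that reg.exe refuses to load is usually one that is already mounted under a different name or locked by a logged-on session; never leave a temporary mount behind, since the next logon of that user will fail to load the profile while the file is held open.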
nrshapiro
2007-06-19, 17:16
I was afraid of that, so on a four-user machine, to properly scan, an "admin" has to go onto all four accounts and scan under each? Worse than that, unless I make them admins, some of the checks and fixes won't work.

But where does smitfraud reside; the only thing spybot finds is the key; no other utility finds it, including adaware and avg spyware. The system is running at a pretty minimal level in terms of number of processes and services.

I'll assume it's still infected, though the system seems to be at a pretty clean level, since the key keeps coming back under the limited accounts. I'll post in the malware and see if anyone sees anything in the hijack logs that I don't see.

Yodama
2007-06-20, 08:45
hi,

As I said in the other thread this may be a false positive, but to confirm we need to have a look at your Spybot report file. A HijackThis log is good for quick analysis but it does not cover the Winlogon entries, which are crucial for some Smitfraud-C.Toolbar888 infections.
To create a Spybot S&D log you need to switch Spybot into advanced mode.
Then go to Tools > View Report, check all boxes there, then click View Report.
You can export the report and attach it to your next post.